[SERVER-17513] Ability to define a global role that can be used in database context Created: 09/Mar/15  Updated: 06/Dec/22

Status: Open
Project: Core Server
Component/s: Security
Affects Version/s: None
Fix Version/s: features we're not sure of

Type: Improvement Priority: Major - P3
Reporter: Anil Kumar Assignee: Backlog - Security Team
Resolution: Unresolved Votes: 2
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Assigned Teams: Server Security

Description

The user should be able to define / create a global role that can be used in the context of the user's database. This would provide the ability to create a globally shared role similar to built-in roles like readWrite, userAdmin etc.

  • createRole "myReadWrite" (say under admin database) that specifies fine grained resource privileges without the database name (db = "").
  • Ability to grant "myReadWrite" to a user under "testA" database, such that the myReadWrite privileges apply to the user in the context of the "testA" database only.

This would be analogous to how role management is done in most of the systems that provide this kind of control.

Comments
Comment by Tashuna Rodriguez [ 19/Oct/18 ]

Is this option still being considered? We have a lot of MongoDB environments and continue to grow. The User Access management functionality is not very scalable. Please consider a user-defined global role solution.

Comment by CF Hsu [ 23/Aug/18 ]

@Matt Lord, yes. I'm relying on multi-tenant oriented design. However, I have to create the same role in each database.

This role can perform read/write in the database only for existing collections.
That is, this role can't create or drop an existing collection, but createIndex/dropIndex/find/insert/update/delete/aggregate operations on existing collections in this database are allowed.

In conclusion, I want to define a global role like readWrite without create/dropCollection.

Do you know any workaround for this? Thanks for your reply!

Q: I'm new to JIRA, how can I use @mention correctly?
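The role described in this comment and in the issue description, as an added illustration (not code from the ticket or from MongoDB itself): a "global" role template written once with an empty db field, and the helper that turns it into the per-database createRole documents MongoDB requires today. The role name and database names are constructed samples; the privilege actions are real MongoDB action names.

```javascript
// Added example, not code from the ticket or from MongoDB itself. The role body
// follows CF Hsu's comment: read/write on existing collections only, with no
// createCollection or dropCollection. Role and database names are constructed.

// The role written once, the way the issue description proposes: db "" is
// intended to mean "the database this role is later granted in".
// Caveat for anyone trying this in admin today: a resource of
// { db: "", collection: "" } already means "all non-system collections in
// ALL databases", which over-grants rather than scoping to one tenant.
const globalRoleTemplate = {
  role: "myReadWrite",
  privileges: [{
    resource: { db: "", collection: "" },
    actions: ["find", "insert", "update", "remove", "createIndex", "dropIndex"],
  }],
  roles: [],
};

// The workaround available today: materialise the template into a concrete
// createRole document, substituting the real database name for the empty db.
function materialiseRole(template, dbName) {
  if (!dbName) throw new Error("a concrete database name is required");
  return {
    role: template.role,
    privileges: template.privileges.map((p) => ({
      resource: {
        db: p.resource.db === "" ? dbName : p.resource.db,
        collection: p.resource.collection,
      },
      actions: [...p.actions],
    })),
    roles: template.roles.map((r) => ({ role: r.role, db: r.db === "" ? dbName : r.db })),
  };
}

// One createRole document per tenant database; each would be run as
// db.getSiblingDB(name).createRole(doc), i.e. the duplication the ticket wants gone.
function perDatabaseRoles(template, dbNames) {
  return dbNames.map((name) => ({ db: name, command: materialiseRole(template, name) }));
}

// Review check: the materialised role must never carry collection lifecycle actions.
function grantsCollectionLifecycle(roleDoc) {
  const forbidden = new Set(["createCollection", "dropCollection", "dropDatabase"]);
  return roleDoc.privileges.some((p) => p.actions.some((a) => forbidden.has(a)));
}

const tenantRoles = perDatabaseRoles(globalRoleTemplate, ["testA", "testB"]);
console.log(JSON.stringify(tenantRoles, null, 2));
```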

Comment by Matt Lord (Inactive) [ 23/Aug/18 ]

fonger, do you rely on the multi-tenant oriented design we have today where each database namespace is treated as an isolated context? Or would you be OK with a single shared global authentication context, where every role is global?

Thank you for the input and feedback!

Comment by CF Hsu [ 19/Aug/18 ]

Definitely need this feature.

It's frustrating to create the same role in each database.


I want to define a custom global role like 'readWrite' works.

Comment by Andreas Nilsson [ 23/Mar/15 ]

aleksej.tr, I understand the request better now. We are currently gathering input for possible revisions to the access control system, so this feedback is useful.

Thank you,
Andreas

Comment by Aleksej Trofimov [ 13/Mar/15 ]

Hi Andreas,
Em.. no, it would not be a role template, but rather a role which could be assigned to any database in the future without role modification. Right now, if you want to have a user-defined role "SomeRole", you have 2 ways:
1) Define the role in admin, with a "hardcoded" definition of the databases where the privilege applies;
2) Define the role in a particular database;
And there is no way to define the role "SomeRole" and then, somewhere in the future, assign it to "newDatabase" without role or database schema modification.

Comment by Andreas Nilsson [ 12/Mar/15 ]

If I understand this correctly, it would be more of a role template that could be used to create other roles. It's an interesting suggestion; we will keep it in the planning loop going forward.

Comment by Aleksej Trofimov [ 10/Mar/15 ]

The feature described as we wanted it to be =) Thanks!
