[SERVER-17856] users on mongods should always be able to run currentOp and killOp on their own operations
Created: 02/Apr/15 | Updated: 22/Mar/17 | Resolved: 29/Jul/16
| Status: | Closed |
| Project: | Core Server |
| Component/s: | Security |
| Affects Version/s: | None |
| Fix Version/s: | 3.2.9, 3.3.11 |
| Type: | New Feature | Priority: | Major - P3 |
| Reporter: | Andrew Ryder (Inactive) | Assignee: | Spencer Jackson |
| Resolution: | Done | Votes: | 2 |
| Labels: | code-and-test |
| Remaining Estimate: | Not Specified |
| Time Spent: | Not Specified |
| Original Estimate: | Not Specified |
| Issue Links: | |
| Backwards Compatibility: | Minor Change |
| Backport Completed: | |
| Sprint: | Security 17 (07/15/16), Security (08/08/16) |
| Participants: | |
| Description |

Both the inprog (currentOp) and killop (killOp) roles are granted at the cluster resource level, which makes them an all-or-none condition (I believe).

Use case: Give developers access to a database with restricted access (basically read-only, non-administrative authority). However, because they are given the ability to execute queries, it would be nice if they had the ability to kill any process that was executed by them. Some tools, such as Aqua Data Studio, utilize the killOp command to terminate any queries executed from their query window; however, this functionality only works for individuals with administrative roles.

Perhaps even just a single new role (userKillOp?) could suffice.

| Comments |
| Comment by Githook User [ 29/Jul/16 ] |

Author: Spencer Jackson (spencerjackson, spencer.jackson@mongodb.com)
Message: (cherry picked from commit 9380a1c12a19a061eaafabb5f6b9e87f16a28179)

| Comment by Spencer Jackson [ 29/Jul/16 ] |

I have merged a patch which allows users on mongods to experience this behavior. This will hopefully help most people, but doesn't extend to sharded clusters. I've opened

| Comment by Githook User [ 29/Jul/16 ] |

Author: Spencer Jackson (spencerjackson, spencer.jackson@mongodb.com)
Message: