[SERVER-17856] users on mongods should always be able to run currentOp and killOp on their own operations
Created: 02/Apr/15  Updated: 22/Mar/17  Resolved: 29/Jul/16

Status: Closed
Project: Core Server
Component/s: Security
Affects Version/s: None
Fix Version/s: 3.2.9, 3.3.11

Type: New Feature
Priority: Major - P3
Reporter: Andrew Ryder (Inactive)
Assignee: Spencer Jackson
Resolution: Done
Votes: 2
Labels: code-and-test
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Depends
Documented
is documented by DOCS-8476 3.2.9 -- user can run killop/currentO... Closed
Related
related to SERVER-25354 users on mongos should always be able... Closed
is related to SERVER-28260 Create a killAnyCursor privilege Closed
is related to SERVER-9609 Ensure users can only call getMore on... Closed
Backwards Compatibility: Minor Change
Backport Completed:
Sprint: Security 17 (07/15/16), Security (08/08/16)
Participants:

 Description   

Both the inprog (currentOp) and killop (killOp) roles are granted at the cluster resource level, which makes them an all-or-none condition (I believe).

Use case:

Give developers access to a database with restricted access (basically read-only, non-administrative authority). However, because they are given the ability to execute queries, it would be nice if they had the ability to kill any process that was executed by them. Some tools, such as Aqua Data Studio, utilize the killOp command to terminate any queries executed from their query window; however, this functionality only works for individuals with administrative roles.
One solution would be to permit the killOp command to be permissioned to allow a user to kill his own processes but no others.

Perhaps even just a single new role (userKillOp?) could suffice.



 Comments   
Comment by Githook User [ 29/Jul/16 ]

Author: Spencer Jackson (spencerjackson) <spencer.jackson@mongodb.com>

Message: SERVER-17856: Allow mongod users to currentOp and killOp own operations

(cherry picked from commit 9380a1c12a19a061eaafabb5f6b9e87f16a28179)
Branch: v3.2
https://github.com/mongodb/mongo/commit/62d931bf4ba6a4d881e53e10dd176a80d8f3b8b3

Comment by Spencer Jackson [ 29/Jul/16 ]

I have merged a patch which allows users on mongods to experience this behavior. This will hopefully help most people, but doesn't extend to sharded clusters. I've opened SERVER-25354 for this extension.

Comment by Githook User [ 29/Jul/16 ]

Author: Spencer Jackson (spencerjackson) <spencer.jackson@mongodb.com>

Message: SERVER-17856: Allow mongod users to currentOp and killOp own operations
Branch: master
https://github.com/mongodb/mongo/commit/9380a1c12a19a061eaafabb5f6b9e87f16a28179

Generated at Thu Feb 08 03:45:48 UTC 2024 using Jira 9.7.1#970001-sha1:2222b88b221c4928ef0de3161136cc90c8356a66.