[SERVER-24177] db.printSlaveReplicationInfo requires much higher privileges than necessary Created: 17/May/16 Updated: 06/Dec/22 |
|
| Status: | Backlog |
| Project: | Core Server |
| Component/s: | Security, Shell |
| Affects Version/s: | None |
| Fix Version/s: | None |
| Type: | Improvement | Priority: | Minor - P4 |
| Reporter: | Andrew Ryder (Inactive) | Assignee: | Backlog - Replication Team |
| Resolution: | Unresolved | Votes: | 1 |
| Labels: | None | ||
| Remaining Estimate: | Not Specified | ||
| Time Spent: | Not Specified | ||
| Original Estimate: | Not Specified | ||
| Issue Links: |
|
||||
| Assigned Teams: |
Replication
|
||||
| Participants: | |||||
| Description |
|
db.printSlaveReplicationInfo bases all output on the information obtained via replSetGetStatus (so this is the only privilege it should need) but requires local.system.* access privileges to actually complete. RE: https://github.com/mongodb/mongo/blob/r3.2.6/src/mongo/shell/db.js#L1024 It appears a simple flight check verifies if the member it is run against is in a replica-set. It could just issue the replSetGetStatus command instead and determine action on the result rather than attempting to query a "system" namespace. |