[SERVER-25354] users on mongos should always be able to run currentOp and killOp on their own operations Created: 29/Jul/16  Updated: 06/Dec/22  Resolved: 13/Apr/18

Status: Closed
Project: Core Server
Component/s: Security, Sharding
Affects Version/s: 3.3.10
Fix Version/s: None

Type: Improvement Priority: Major - P3
Reporter: Spencer Jackson Assignee: [DO NOT USE] Backlog - Sharding Team
Resolution: Done Votes: 2
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Documented
is documented by DOCS-9442 Docs for SERVER-25354: users on mongo... Closed
Duplicate
duplicates SERVER-18094 currentOp on a mongoS should also sho... Closed
duplicates SERVER-33462 Allow killop on a mongos op id Closed
Related
is related to SERVER-17856 users on mongods should always be abl... Closed
Assigned Teams:
Sharding
Participants:

 Description   

SERVER-17856 added support for users on mongod running currentOp and killOp against operations they themselves had started.
From that ticket:

Both the inprog (currentOp) and killop (killOp) roles are granted at the cluster resource level, which makes them an all-or-none condition (I believe).

Use case:

Give developers access to a database with restricted access (basically read-only, non-administrative authority). However because they are given the ability to execute queries, it would be nice if they had the ability to kill any process that were executed by them. Some tools, such as Aqua Data Studio, utilize the killOp command to terminate any queries executed from their query window, however this functionality only works for individuals with administrative roles.
One solution would be to permit killOp command to be permissioned to allow a user to kill his own processes but no other.

Perhaps even just a single new role (userKillOp?) could suffice.

Though harder to achieve, this functionality should work on mongos as well.



 Comments   
Comment by Andy Schwerin [ 13/Apr/18 ]

This should have been resolved by SERVER-33462, SERVER-18094 and some related tickets on the 3.7/4.0 branch.

Generated at Thu Feb 08 04:08:58 UTC 2024 using Jira 9.7.1#970001-sha1:2222b88b221c4928ef0de3161136cc90c8356a66.