[SERVER-30519] All custom roles to deny specific privileges Created: 04/Aug/17  Updated: 06/Sep/17  Resolved: 07/Aug/17

Status: Closed
Project: Core Server
Component/s: Security
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Major - P3
Reporter: Albert Zhong Assignee: Mark Agarunov
Resolution: Duplicate Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Duplicate
duplicates SERVER-13696 Allow revoke/deny role permissions Open
Backwards Compatibility: Fully Compatible
Participants:

 Description   

It would be nice to allow custom roles to deny some specific privileges.

For example, I need a custom role which has full readWrite privileges except for dropCollection.

At present, the admin has to use the following command to achieve this:

db.createRole({
    role: "upsert",
    privileges: [
        { resource: { db: "mydb", collection: "" }, actions: [ "convertToCapped", "createCollection", "createIndex", "dropIndex", "insert", "renameCollectionSameDB", "update", "remove" ] }
    ],
    roles: [ "read" ]
})

With deny privileges, we can do it in a simple way:

db.createRole({
    role: "upsert",
    privileges: [
        { resource: { db: "mydb", collection: "" }, actions: [ "-dropCollection" ] }
    ],
    roles: [ "readWrite" ]
})

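The workaround above has to be spelled out as an explicit allow-list because MongoDB privileges are purely additive: inheriting readWrite would grant dropCollection again, and there is no action that takes it back. The following is an added example, not code from the ticket or from MongoDB, that builds such an allow-list role document from a base action set minus the denied actions and then evaluates whether the resulting role grants a given action on a given resource. The base action list is constructed from the actions the ticket names plus the ones it omits (find, dropCollection); the authoritative set is whatever your server returns for db.getRole("readWrite", { showPrivileges: true }), and the helper names buildAllowListRole and roleGrants are this example's own.

```javascript
// Added example (not part of the ticket): express "readWrite minus dropCollection"
// as an explicit allow-list role document and check what it grants.

// Constructed base action set (assumption). Compare against the server's own
// output of db.getRole("readWrite", { showPrivileges: true }) before relying on it.
const READ_WRITE_ACTIONS = [
  "convertToCapped", "createCollection", "createIndex", "dropCollection",
  "dropIndex", "find", "insert", "remove", "renameCollectionSameDB", "update",
];

// Build a db.createRole() argument: every base action except the denied ones,
// granted db-wide (collection: "" is the "all collections in this db" resource).
// Refuses to "deny" an action the base set never granted, which would otherwise
// silently produce a role that is wider than the operator intended.
function buildAllowListRole(roleName, dbName, baseActions, deniedActions, inheritedRoles = []) {
  const unknown = deniedActions.filter((a) => !baseActions.includes(a));
  if (unknown.length > 0) {
    throw new Error(`cannot deny actions the base set does not grant: ${unknown.join(", ")}`);
  }
  const denied = new Set(deniedActions);
  return {
    role: roleName,
    privileges: [
      {
        resource: { db: dbName, collection: "" },
        actions: baseActions.filter((a) => !denied.has(a)),
      },
    ],
    roles: inheritedRoles,
  };
}

// Does this role document grant `action` on dbName/collection through its own
// privileges? Inherited roles are deliberately not expanded here; a full check
// would recurse into each inherited role's privileges as reported by the server.
function roleGrants(roleDoc, dbName, collection, action) {
  return roleDoc.privileges.some((p) => {
    const res = p.resource;
    const dbMatches = res.db === dbName;
    const collMatches = res.collection === "" || res.collection === collection;
    return dbMatches && collMatches && p.actions.includes(action);
  });
}

const upsertRole = buildAllowListRole("upsert", "mydb", READ_WRITE_ACTIONS, ["dropCollection"]);
// In the mongo shell this document would be passed to db.createRole(upsertRole).
```

Because the allow-list already contains find, the example passes no inherited roles; adding roles: ["readWrite"] would reintroduce dropCollection, which is exactly the limitation the ticket asks to remove. When auditing an existing custom role, run the same roleGrants check over the server's showPrivileges output rather than the document you intended to create.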


 Comments   
Comment by Mark Agarunov [ 07/Aug/17 ]

Hello zhch186,

Thank you for the report. The behavior you've described appears to be the same as the desired behavior in SERVER-13696 so I've closed this ticket as a duplicate. Please watch SERVER-13696 for further updates on this issue.

Thanks,
Mark
