[SERVER-5579] allow non-admin users to view db.currentOp() Created: 11/Apr/12 Updated: 19/May/14 Resolved: 12/Apr/12 |
|
| Status: | Closed |
| Project: | Core Server |
| Component/s: | Security |
| Affects Version/s: | 2.0.4 |
| Fix Version/s: | None |
| Type: | Improvement | Priority: | Minor - P4 |
| Reporter: | Ben Becker | Assignee: | Unassigned |
| Resolution: | Won't Fix | Votes: | 0 |
| Labels: | authentication, currentOp, inprog | ||
| Remaining Estimate: | Not Specified | ||
| Time Spent: | Not Specified | ||
| Original Estimate: | Not Specified | ||
| Participants: |
| Description |
|
From We could filter out unauthenticated databases in inProgCmd(). Might also want to audit existing operations to ensure we exclude all sensitive ops (e.g. query/update system.users), especially for read-only users. |
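One way the filtering proposed in the description could behave, as an added JavaScript example that is not MongoDB server code and not from the ticket. It works on a document shaped like `db.currentOp()` output; `filterInProg`, `splitNamespace`, `commandTarget`, `visibleOpIds` and the sample operations are hypothetical names and constructed data.

```javascript
// Hypothetical helper names; this is not MongoDB server code.
const SENSITIVE_COLLECTIONS = new Set(["system.users"]);

// Split "db.coll" at the first dot (database names cannot contain dots).
function splitNamespace(ns) {
  if (typeof ns !== "string") return null;
  const dot = ns.indexOf(".");
  if (dot <= 0 || dot === ns.length - 1) return null;
  return { db: ns.slice(0, dot), coll: ns.slice(dot + 1) };
}

// Commands run under "<db>.$cmd"; for collection-level commands the first
// field's value names the target collection, e.g. { count: "system.users" }.
function commandTarget(query) {
  if (query === null || typeof query !== "object") return null;
  const keys = Object.keys(query);
  if (keys.length === 0) return null;
  const v = query[keys[0]];
  return typeof v === "string" ? v : null;
}

// Keep only ops in databases the caller is authenticated to, minus sensitive ones.
function filterInProg(currentOp, authedDbs) {
  const allowed = new Set(authedDbs);
  const inprog = (currentOp.inprog || []).filter((op) => {
    const ns = splitNamespace(op.ns);
    if (ns === null) return false; // no usable namespace: fail closed
    if (!allowed.has(ns.db)) return false;
    const coll = ns.coll === "$cmd" ? commandTarget(op.query) : ns.coll;
    return !SENSITIVE_COLLECTIONS.has(coll);
  });
  return { inprog };
}

// Constructed sample shaped like db.currentOp() output (not real server data).
const SAMPLE = { inprog: [
  { opid: 101, op: "query", ns: "shop.orders", query: { status: "open" }, secs_running: 42 },
  { opid: 102, op: "update", ns: "shop.system.users", query: { user: "app" }, secs_running: 0 },
  { opid: 103, op: "query", ns: "hr.salaries", query: {}, secs_running: 3 },
  { opid: 104, op: "query", ns: "shop.$cmd", query: { count: "system.users" }, secs_running: 1 },
  { opid: 105, op: "query", ns: "", query: {}, secs_running: 0 },
  { opid: 106, op: "query", ns: "shop.$cmd", query: { count: "orders" }, secs_running: 7 },
] };

function visibleOpIds(authedDbs) {
  return filterInProg(SAMPLE, authedDbs).inprog.map((op) => op.opid);
}

console.log(visibleOpIds(["shop"]));
```

Operations with an empty namespace are dropped rather than shown, so an entry the filter cannot attribute to a database never reaches a non-admin caller.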
| Comments |
| Comment by Joe Davis [ 20/Sep/12 ] |
|
We have transaction quota rules which automatically kill long running transactions, along with allowing users to kill their own long running/unresponsive queries. This means we can only run MongoDB as an admin user currently, since db.currentOp() is our only way of finding the opId for our current statement. MySQL has the capability of only showing in progress commands for the db the user is authenticated for (e.g. the current database), so we can kill statements there without being admin. |
| Comment by auto [ 08/Jun/12 ] |
|
Author: {u'login': u'tychoish', u'name': u'Sam Kleinman', u'email': u'samk@10gen.com'} Message: |