[SERVER-56444] Grant read/write access on time-series buckets collections to admin roles

Created: 28/Apr/21
Updated: 29/Oct/23
Resolved: 11/Jun/21

Status: Closed
Project: Core Server
Component/s: None
Affects Version/s: None
Fix Version/s: 5.0.0-rc2, 5.1.0-rc0

Type: Bug
Priority: Major - P3
Reporter: Louis Williams
Assignee: Mark Benvenuto
Resolution: Fixed
Votes: 0
Labels: post-rc0
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Backports
Duplicate
is duplicated by SERVER-56663 Architecture Guide updates for Using ... Closed
Related
Backwards Compatibility: Fully Compatible
Operating System: ALL
Backport Requested:
v5.0
Sprint: Security 2021-05-31, Security 2021-06-14
Participants:

Description

We do not currently support deleting data on time-series collections, but we need to provide a way for database administrators to delete data on time-series buckets collections manually, if necessary.

We should grant read/write permissions on "system.buckets" for the roles "dbAdmin" and "dbAdminAnyDatabase".

We can do something similar to how we grant permissions on the system.profile today.



Comments
Comment by Vivian Ge (Inactive) [ 06/Oct/21 ]

Updating the fixversion since branching activities occurred yesterday. This ticket will be in rc0 when it’s been triggered. For more active release information, please keep an eye on #server-release. Thank you!

Comment by Githook User [ 11/Jun/21 ]

Author:

{'name': 'Mark Benvenuto', 'email': 'mark.benvenuto@mongodb.com', 'username': 'markbenvenuto'}

Message: SERVER-56444 Grant read/write access on time-series buckets collections to admin roles

(cherry picked from commit f2643946a9253a2accc8f3b0b8a95ee2fd84f22c)
Branch: v5.0
https://github.com/mongodb/mongo/commit/34020241f3aed93c8f53699d2d54b7bbee163332

Comment by Githook User [ 10/Jun/21 ]

Author:

{'name': 'Mark Benvenuto', 'email': 'mark.benvenuto@mongodb.com', 'username': 'markbenvenuto'}

Message: SERVER-56444 Grant read/write access on time-series buckets collections to admin roles
Branch: master
https://github.com/mongodb/mongo/commit/f2643946a9253a2accc8f3b0b8a95ee2fd84f22c

Comment by Andy Schwerin [ 07/May/21 ]

The dbAdmin and dbAdminAnyDatabase roles lack the privilege to read and write regular collections, so it seems like we should not be allowing them to read and write collections that are effectively also user collections.

Generated at Thu Feb 08 05:39:16 UTC 2024 using Jira 9.7.1#970001-sha1:2222b88b221c4928ef0de3161136cc90c8356a66.