[SERVER-56444] Grant read/write access on time-series buckets collections to admin roles
Created: 28/Apr/21 | Updated: 29/Oct/23 | Resolved: 11/Jun/21
| Status: | Closed |
| Project: | Core Server |
| Component/s: | None |
| Affects Version/s: | None |
| Fix Version/s: | 5.0.0-rc2, 5.1.0-rc0 |
| Type: | Bug | Priority: | Major - P3 |
| Reporter: | Louis Williams | Assignee: | Mark Benvenuto |
| Resolution: | Fixed | Votes: | 0 |
| Labels: | post-rc0 |
| Remaining Estimate: | Not Specified |
| Time Spent: | Not Specified |
| Original Estimate: | Not Specified |
| Issue Links: |
| Backwards Compatibility: | Fully Compatible |
| Operating System: | ALL |
| Backport Requested: | v5.0 |
| Sprint: | Security 2021-05-31, Security 2021-06-14 |
| Participants: |
| Description |
|
We do not currently support deleting data on time-series collections, but we need to provide a way for database administrators to delete data on time-series buckets collections manually, if necessary. We should grant read/write permissions on "system.buckets" for the roles "dbAdmin" and "dbAdminAnyDatabase". We can do something similar to how we grant permissions on the system.profile today. |
| Comments |
| Comment by Vivian Ge (Inactive) [ 06/Oct/21 ] |
|
Updating the fixversion since branching activities occurred yesterday. This ticket will be in rc0 when it’s been triggered. For more active release information, please keep an eye on #server-release. Thank you! |
| Comment by Githook User [ 11/Jun/21 ] |
|
Author: {'name': 'Mark Benvenuto', 'email': 'mark.benvenuto@mongodb.com', 'username': 'markbenvenuto'} Message: (cherry picked from commit f2643946a9253a2accc8f3b0b8a95ee2fd84f22c) |
| Comment by Githook User [ 10/Jun/21 ] |
|
Author: {'name': 'Mark Benvenuto', 'email': 'mark.benvenuto@mongodb.com', 'username': 'markbenvenuto'} Message: |
| Comment by Andy Schwerin [ 07/May/21 ] |
|
The dbAdmin and dbAdminAnyDatabase roles lack the privilege to read and write regular collections, so it seems like we should not be allowing them to read and write collections that are effectively also user collections. |