[SERVER-70822] Consider restricting built-in roles permissions on system.buckets collections Created: 24/Oct/22 Updated: 25/Sep/23 Resolved: 25/Sep/23 |
|
| Status: | Closed |
| Project: | Core Server |
| Component/s: | None |
| Affects Version/s: | None |
| Fix Version/s: | None |
| Type: | Improvement | Priority: | Major - P3 |
| Reporter: | Gregory Noma | Assignee: | [DO NOT USE] Backlog - Storage Execution NAMER |
| Resolution: | Won't Fix | Votes: | 0 |
| Labels: | time-series | ||
| Remaining Estimate: | Not Specified | ||
| Time Spent: | Not Specified | ||
| Original Estimate: | Not Specified | ||
| Issue Links: |
|
||||||||
| Assigned Teams: |
Storage Execution NAMER
|
||||||||
| Participants: | |||||||||
| Description |
|
Some built-in roles like readWriteAnyDatabase allow creating and performing other operations directly on a system.buckets collection. Since these collections should be manipulated as a time-series collection rather than directly, we should consider removing some of these permissions. Note that it won't fully disallow these operations since custom roles can always be created which explicitly grant these permissions, but it would have to be more deliberate. |