[SERVER-9060] Introduce a built-in role for taking backups of nodes Created: 21/Mar/13  Updated: 11/Jul/16  Resolved: 30/Oct/13

Status: Closed
Project: Core Server
Component/s: Security
Affects Version/s: 2.2.2, 2.3.0, 2.4.0
Fix Version/s: 2.5.4

Type: Improvement Priority: Minor - P4
Reporter: David Anderson Assignee: Spencer Brody (Inactive)
Resolution: Done Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Depends
depends on SERVER-8580 User defined roles Closed
Duplicate
is duplicated by SERVER-11590 MMS and Backup default permissions Closed
Related
is related to SERVER-9514 System-defined roles Closed
Participants:

 Description   

Due to SERVER-4692, it is no longer possible to do a full mongodump using a read-only user. SERVER-9012 has been proposed as a solution to this. However, but that means it is still impossible to dump all data using a read-only account.

I believe it should be possible to do such a mongodump, including dumping all users, so that they can be restored correctly. Here are a couple of ways it might be possible:

  • Allow read-only admin users access to system.users collections.
  • Add a another user permissions beyond read-only, that would allow access to system.users collections.
  • Do some sort of encryption of system.users when read by read-only users that can only be decrypted by a user with full access. That allows the encrypted version to be backed up, and then when restored, a user with write access has to do the restore, so they could do the decrypting before restore. This is obviously much more involved than the previous 2, but I'm just trying to throw out possible alternatives.


 Comments   
Comment by Spencer Brody (Inactive) [ 30/Oct/13 ]

Addressed in https://github.com/mongodb/mongo/commit/c63749eda51417e26bee88654845c689701bd919

Comment by David Anderson [ 22/Mar/13 ]

I think waiting for SERVER-8580 is sufficient, and is the right way to proceed.

Comment by Andy Schwerin [ 21/Mar/13 ]

If this isn't trivial after SERVER-8580, we won't have resolved that ticket correctly.

Comment by Andy Schwerin [ 21/Mar/13 ]

A "usersReadAnyDatabase" system role could be introduced by patch to 2.4, which could be added to the roles of a backup user, but in future versions that should be obviated by SERVER-8580, user-defined roles.

Comment by David Anderson [ 21/Mar/13 ]

actually, the encryption idea probably won't work because the key would have to be included somewhere in the full dump, or else the dump wouldn't be a full dump, which is the whole issue.

Generated at Thu Feb 08 03:19:15 UTC 2024 using Jira 9.7.1#970001-sha1:2222b88b221c4928ef0de3161136cc90c8356a66.