[SERVER-9514] System-defined roles

Created: 30/Apr/13
Updated: 02/Aug/18
Resolved: 30/Oct/13

Status: Closed
Project: Core Server
Component/s: Security
Affects Version/s: None
Fix Version/s: 2.5.4

Type: Task
Priority: Major - P3
Reporter: Andy Schwerin
Assignee: Spencer Brody (Inactive)
Resolution: Done
Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Depends
is depended on by SERVER-11027 not authorized to execute repairDatab... Closed
Related
related to SERVER-11424 collStats and dbStats should work for... Closed
related to SERVER-10493 Update tools to support backing up an... Closed
related to SERVER-9060 Introduce a built-in role for taking ... Closed
is related to SERVER-9815 Introduce a role for monitoring clust... Closed
is related to SERVER-10750 Minimum roles required to run mongore... Closed

 Description   

In the context of supporting user-defined roles (SERVER-8580), we should review and, as needed, extend the existing system-defined roles to ensure that they support the most common access control use cases.

System-defined roles will automatically be created for each database, and it will not be possible to rename, replace, update, modify or delete them. They should be useful for basic single- and multi-tenant scenarios.



 Comments   
Comment by Githook User [ 14/Nov/13 ]

Author: Andy Schwerin (andy10gen, schwerin@10gen.com)

Message: SERVER-9514 Account for new privileges in clusterManager built-in role in tests.
Branch: master
https://github.com/mongodb/mongo/commit/58ed9775c96676a8c6dab2a83ea4ee55f1dcaa38

Comment by Githook User [ 14/Nov/13 ]

Author: Spencer T Brody (stbrody, spencer@10gen.com)

Message: SERVER-9514 Small usability fixes for clusterManager role
Branch: master
https://github.com/mongodb/mongo/commit/d0c460291f467ac144dbe39102b6d13d51ea38c3

Comment by auto [ 30/Oct/13 ]

Author: Spencer T Brody (stbrody, spencer@10gen.com)

Message: SERVER-9514 Add backup and restore roles
Branch: master
https://github.com/mongodb/mongo/commit/c63749eda51417e26bee88654845c689701bd919

Comment by auto [ 28/Oct/13 ]

Author: Spencer T Brody (stbrody, spencer@10gen.com)

Message: SERVER-9514 Split up clusterAdmin role actions into three new more-specific roles
Branch: master
https://github.com/mongodb/mongo/commit/878f2da2f8e87dac0f6b34a97a393576e4d8ff99

Comment by Andreas Nilsson [ 27/Sep/13 ]

Yes, right now it's a mess to do a proper dump/restore. You need to give all sorts of permissions to the user. A specialized role for this makes a lot of sense. Then that role might be disabled to other things than just running a dump/restore command if there is such a thing.

Comment by Andy Schwerin [ 13/Jun/13 ]

I agree. This change should be server-only.

Comment by Andreas Nilsson [ 13/Jun/13 ]

I do not believe this will require any driver changes, schwerin?

Comment by Ian Daniel [ 23/May/13 ]

A user has suggested that we add an mms-agent or statistics-aggregator role.
