<!-- 
RSS generated by JIRA (9.7.1#970001-sha1:2222b88b221c4928ef0de3161136cc90c8356a66) at Thu Feb 08 07:41:06 UTC 2024

It is possible to restrict the fields that are returned in this document by specifying the 'field' parameter in your request.
For example, to request only the issue key and summary append 'field=key&field=summary' to the URL of your request.
-->
<rss version="0.92" >
<channel>
    <title>MongoDB Jira</title>
    <link>https://jira.mongodb.org</link>
    <description>This file is an XML representation of an issue</description>
    <language>en-us</language>    <build-info>
        <version>9.7.1</version>
        <build-number>970001</build-number>
        <build-date>13-04-2023</build-date>
    </build-info>


<item>
            <title>[DOCS-1469] Clarify that although userAdmin is &quot;effectively&quot; a super-user, it can still be unauthorized</title>
                <link>https://jira.mongodb.org/browse/DOCS-1469</link>
                <project id="10380" key="DOCS">Documentation</project>
                    <description>&lt;p&gt;userAdmin/userAdminAnyDatabase are like super-users because they can be used to grant yourself any privilege.  But if you have only userAdmin and haven&apos;t granted yourself readWrite (for example), you still won&apos;t be able to read or write data.&lt;/p&gt;</description>
                <environment></environment>
        <key id="73775">DOCS-1469</key>
            <summary>Clarify that although userAdmin is &quot;effectively&quot; a super-user, it can still be unauthorized</summary>
                <type id="4" iconUrl="https://jira.mongodb.org/secure/viewavatar?size=xsmall&amp;avatarId=14710&amp;avatarType=issuetype">Improvement</type>
                                            <priority id="3" iconUrl="https://jira.mongodb.org/images/icons/priorities/major.svg">Major - P3</priority>
                        <status id="6" iconUrl="https://jira.mongodb.org/images/icons/statuses/closed.png" description="The issue is considered finished, the resolution is correct. Issues which are closed can be reopened.">Closed</status>
                    <statusCategory id="3" key="done" colorName="success"/>
                                    <resolution id="9">Done</resolution>
                                        <assignee username="sam.kleinman">Sam Kleinman</assignee>
                                    <reporter username="spencer@mongodb.com">Spencer Brody</reporter>
                        <labels>
                    </labels>
                <created>Wed, 1 May 2013 14:58:15 +0000</created>
                <updated>Mon, 30 Oct 2023 21:54:10 +0000</updated>
                            <resolved>Fri, 10 May 2013 20:21:20 +0000</resolved>
                                    <version>mongodb-2.4</version>
                                    <fixVersion>Server_Docs_20231030</fixVersion>
                                    <component>manual</component>
                        <due></due>
                            <votes>0</votes>
                                    <watches>3</watches>
                                                                                                                <comments>
                            <comment id="333108" author="spencer" created="Fri, 10 May 2013 20:45:14 +0000"  >&lt;p&gt;That looks &lt;b&gt;much&lt;/b&gt; better - thanks &lt;a href=&quot;https://jira.mongodb.org/secure/ViewProfile.jspa?name=samk&quot; class=&quot;user-hover&quot; rel=&quot;samk&quot;&gt;samk&lt;/a&gt;!  I do however still think we use userAdmin and userAdminAnyDatabase quite interchangeably and we should be clearer about the distinction.  &quot;userAdmin&quot; on the admin database is &lt;b&gt;effectively&lt;/b&gt; the same as userAdminAnyDatabase, b/c that user could grant themselves userAdminAnyDatabase.  &quot;userAdmin&quot; on a non-admin db, however, is different as it can only be used to grant db-level privileges.&lt;/p&gt;</comment>
                            <comment id="333092" author="auto" created="Fri, 10 May 2013 20:28:33 +0000"  >&lt;p&gt;Author:&lt;/p&gt;
{u&apos;date&apos;: u&apos;2013-05-10T20:28:19Z&apos;, u&apos;name&apos;: u&apos;Sam Kleinman&apos;, u&apos;email&apos;: u&apos;samk@10gen.com&apos;}
&lt;p&gt;Message: &lt;a href=&quot;https://jira.mongodb.org/browse/DOCS-1469&quot; title=&quot;Clarify that although userAdmin is &amp;quot;effectively&amp;quot; a super-user, it can still be unauthorized&quot; class=&quot;issue-link&quot; data-issue-key=&quot;DOCS-1469&quot;&gt;&lt;del&gt;DOCS-1469&lt;/del&gt;&lt;/a&gt;: clean up superuser language on auth tutuorial&lt;br/&gt;
Branch: master&lt;br/&gt;
&lt;a href=&quot;https://github.com/mongodb/docs/commit/8cc63d2445004ab7ab3d650cc9c0bce6209c2ec7&quot; class=&quot;external-link&quot; target=&quot;_blank&quot; rel=&quot;nofollow noopener&quot;&gt;https://github.com/mongodb/docs/commit/8cc63d2445004ab7ab3d650cc9c0bce6209c2ec7&lt;/a&gt;&lt;/p&gt;</comment>
                            <comment id="332386" author="auto" created="Thu, 9 May 2013 22:38:07 +0000"  >&lt;p&gt;Author:&lt;/p&gt;
{u&apos;date&apos;: u&apos;2013-05-09T22:37:56Z&apos;, u&apos;name&apos;: u&apos;Sam Kleinman&apos;, u&apos;email&apos;: u&apos;samk@10gen.com&apos;}
&lt;p&gt;Message: &lt;a href=&quot;https://jira.mongodb.org/browse/DOCS-1469&quot; title=&quot;Clarify that although userAdmin is &amp;quot;effectively&amp;quot; a super-user, it can still be unauthorized&quot; class=&quot;issue-link&quot; data-issue-key=&quot;DOCS-1469&quot;&gt;&lt;del&gt;DOCS-1469&lt;/del&gt;&lt;/a&gt;: clarification about userAdmin role&lt;br/&gt;
Branch: master&lt;br/&gt;
&lt;a href=&quot;https://github.com/mongodb/docs/commit/6bef4e33790212cb9fec2b366bbb06e5c57ae192&quot; class=&quot;external-link&quot; target=&quot;_blank&quot; rel=&quot;nofollow noopener&quot;&gt;https://github.com/mongodb/docs/commit/6bef4e33790212cb9fec2b366bbb06e5c57ae192&lt;/a&gt;&lt;/p&gt;</comment>
                            <comment id="332077" author="auto" created="Thu, 9 May 2013 16:52:49 +0000"  >&lt;p&gt;Author:&lt;/p&gt;
{u&apos;date&apos;: u&apos;2013-05-09T16:52:38Z&apos;, u&apos;name&apos;: u&apos;Sam Kleinman&apos;, u&apos;email&apos;: u&apos;samk@10gen.com&apos;}
&lt;p&gt;Message: &lt;a href=&quot;https://jira.mongodb.org/browse/DOCS-1469&quot; title=&quot;Clarify that although userAdmin is &amp;quot;effectively&amp;quot; a super-user, it can still be unauthorized&quot; class=&quot;issue-link&quot; data-issue-key=&quot;DOCS-1469&quot;&gt;&lt;del&gt;DOCS-1469&lt;/del&gt;&lt;/a&gt;: adding note about authentication to mongostat&lt;br/&gt;
Branch: master&lt;br/&gt;
&lt;a href=&quot;https://github.com/mongodb/docs/commit/80311292b3cc96dd4e9a2096441aa647fe5fd988&quot; class=&quot;external-link&quot; target=&quot;_blank&quot; rel=&quot;nofollow noopener&quot;&gt;https://github.com/mongodb/docs/commit/80311292b3cc96dd4e9a2096441aa647fe5fd988&lt;/a&gt;&lt;/p&gt;</comment>
                            <comment id="329562" author="spencer" created="Mon, 6 May 2013 16:48:46 +0000"  >&lt;p&gt;Just to be clear, those roles can only be granted to user documents in the admin database, but that doesn&apos;t mean you have to be authenticating to the admin database.  You could have a user named &quot;user&quot; defined in database &quot;test&quot; be granted one of those roles via a user document in the &quot;admin&quot; database with username &quot;user&quot; and userSource &quot;test&quot;.  To authenticate as that user, you&apos;d need to authenticate to the &quot;test&quot; database.&lt;/p&gt;</comment>
                            <comment id="329141" author="david.hows" created="Mon, 6 May 2013 05:31:47 +0000"  >&lt;p&gt;We should also clarify which privileges work with which databases and how those mechanisms work.&lt;/p&gt;

&lt;p&gt;As it stands in 2.4 the readAnyDatabase/readWriteAnyDatabase/userAdminAnyDatabase/dbAdminAnyDatabase/clusterAdmin roles are only accessible when you authenticate to admin.&lt;/p&gt;

&lt;p&gt;There is a matrix of permissions of sorts within the code &lt;a href=&quot;https://github.com/mongodb/mongo/blob/master/src/mongo/db/auth/authorization_manager.cpp#L577&quot; class=&quot;external-link&quot; target=&quot;_blank&quot; rel=&quot;nofollow noopener&quot;&gt;here&lt;/a&gt; to help show which users can authenticate to admin only.&lt;/p&gt;</comment>
                            <comment id="327770" author="spencer" created="Fri, 3 May 2013 18:39:34 +0000"  >&lt;p&gt;I just saw the &lt;a href=&quot;http://docs.mongodb.org/manual/tutorial/add-user-administrator/&quot; class=&quot;external-link&quot; target=&quot;_blank&quot; rel=&quot;nofollow noopener&quot;&gt;http://docs.mongodb.org/manual/tutorial/add-user-administrator/&lt;/a&gt; page for the first time.  I think this whole page needs to be reworked to stop referring to userAdmin as a superuser.  Even with a note saying that that doesn&apos;t mean the userAdmin can actually run anything, the language on this page is very misleading as the word &quot;superuser&quot; is used all over and even clarifying what we mean when we say superuser won&apos;t change the pre-conceived idea of what &quot;superuser&quot; means to most people.  We should use language like &quot;user manager, user manipulator, role grantor, etc&quot; rather than saying &quot;superuser&quot; at all.  We could then say that this makes this role &quot;effectively&quot; a super user because it can be used to grant any permission to yourself, but that it cannot actually do anything other than manage users without having the other roles as well.&lt;/p&gt;


&lt;p&gt;Also, we should be careful whenever talking about &quot;userAdmin&quot; (as opposed to &quot;userAdminAnyDatabase&quot;) to be clear that it is only the user manager for the database it is declared on.  &quot;userAdmin&quot; on the &quot;test&quot; database is in no way a superuser for the whole system.&lt;/p&gt;</comment>
                    </comments>
                <issuelinks>
                            <issuelinktype id="10012">
                    <name>Related</name>
                                            <outwardlinks description="related to">
                                                        </outwardlinks>
                                                                <inwardlinks description="is related to">
                                                        </inwardlinks>
                                    </issuelinktype>
                    </issuelinks>
                <attachments>
                    </attachments>
                <subtasks>
                    </subtasks>
                <customfields>
                                                <customfield id="customfield_10050" key="com.atlassian.jira.toolkit:comments">
                        <customfieldname># Replies</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>7.0</customfieldvalue>
                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        <customfield id="customfield_10055" key="com.atlassian.jira.ext.charting:firstresponsedate">
                        <customfieldname>Date of 1st Reply</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>Mon, 6 May 2013 05:31:47 +0000</customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                                                                <customfield id="customfield_10052" key="com.atlassian.jira.toolkit:dayslastcommented">
                        <customfieldname>Days since reply</customfieldname>
                        <customfieldvalues>
                                        10 years, 40 weeks, 5 days ago
    
                        </customfieldvalues>
                    </customfield>
                                                                <customfield id="customfield_18254" key="com.onresolve.jira.groovy.groovyrunner:scripted-field">
                        <customfieldname>Dependencies</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue><![CDATA[]]></customfieldvalue>


                        </customfieldvalues>
                    </customfield>
                                                                <customfield id="customfield_15850" key="com.atlassian.jira.plugins.jira-development-integration-plugin:devsummary">
                        <customfieldname>Development</customfieldname>
                        <customfieldvalues>
                            
                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    <customfield id="customfield_10057" key="com.atlassian.jira.toolkit:lastusercommented">
                        <customfieldname>Last comment by Customer</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>true</customfieldvalue>
                        </customfieldvalues>
                    </customfield>
                                                                <customfield id="customfield_10056" key="com.atlassian.jira.toolkit:lastupdaterorcommenter">
                        <customfieldname>Last commenter</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>emet.ozar@mongodb.com</customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                                                                <customfield id="customfield_11151" key="com.atlassian.jira.toolkit:LastCommentDate">
                        <customfieldname>Last public comment date</customfieldname>
                        <customfieldvalues>
                            10 years, 40 weeks, 5 days ago
                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                                            <customfield id="customfield_10051" key="com.atlassian.jira.toolkit:participants">
                        <customfieldname>Participants</customfieldname>
                        <customfieldvalues>
                                        <customfieldvalue>auto</customfieldvalue>
            <customfieldvalue>david.hows</customfieldvalue>
            <customfieldvalue>sam.kleinman</customfieldvalue>
            <customfieldvalue>spencer@mongodb.com</customfieldvalue>
    
                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                                                                        <customfield id="customfield_14254" key="com.pyxis.greenhopper.jira:gh-lexo-rank">
                        <customfieldname>Product Rank</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>1|hrrwqn:</customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                <customfield id="customfield_12550" key="com.pyxis.greenhopper.jira:gh-lexo-rank">
                        <customfieldname>Rank</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>2|hrnld3:</customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                                                                <customfield id="customfield_10558" key="com.pyxis.greenhopper.jira:gh-global-rank">
                        <customfieldname>Rank (Obsolete)</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>51422</customfieldvalue>
                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    <customfield id="customfield_10053" key="com.atlassian.jira.ext.charting:timeinstatus">
                        <customfieldname>Time In Status</customfieldname>
                        <customfieldvalues>
                            
                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            <customfield id="customfield_14350" key="com.pyxis.greenhopper.jira:gh-lexo-rank">
                        <customfieldname>serverRank</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>1|hryenb:</customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                                                                </customfields>
    </item>
</channel>
</rss>