backup user privileges need to be different
Activity

Akira Kurogane September 20, 2019 at 5:38 AM (edited)
Let's close this one.
In the future we can consider reducing the granted roles the installing person has to give by having pbm-agent give its own user the extra role that allows applyOps through its privileges as "restore" at the time of a restore. Let's not put that in the task list now though.

Tomislav Plavcic September 19, 2019 at 1:24 PM
Just to make sure it's clear, I have conducted my last test with that custom role on top of others, so the user looked like this:

Akira Kurogane September 19, 2019 at 12:28 PM
Per the meeting now, we'll document that the anyResource+anyAction role be a requirement for the pbm backup user from the start.
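
The requirement discussed in this thread, sketched as an added example (not code from the ticket or from PBM): the command document for an anyResource+anyAction role, plus a check that the backup user held it both now and when the backup was taken. The role name `pbmAnyAction`, the user name `pbmuser` and the sample user documents are constructed; the check assumes documents shaped like `usersInfo` output with `showPrivileges: true`.

```javascript
// Added example. Role name, user name and sample documents are constructed.

// Command document for a custom role granting anyAction on anyResource.
// Run against the admin database, e.g. db.getSiblingDB("admin").runCommand(cmd).
function buildAnyActionRoleCmd(roleName) {
  return {
    createRole: roleName,
    privileges: [{ resource: { anyResource: true }, actions: ["anyAction"] }],
    roles: [],
  };
}

// True if a usersInfo user document (showPrivileges: true) carries
// anyAction on anyResource, directly or through an inherited role.
function hasAnyActionOnAnyResource(userDoc) {
  const privs = userDoc.inheritedPrivileges || [];
  return privs.some(
    (p) => p.resource && p.resource.anyResource === true &&
           Array.isArray(p.actions) && p.actions.includes("anyAction")
  );
}

// The thread's finding: a grant added after the backup is lost again during
// restore, so check the user as it was at backup time as well as now.
function checkPbmUser(userAtBackup, userNow) {
  const problems = [];
  if (!hasAnyActionOnAnyResource(userNow)) {
    problems.push("current user lacks anyAction on anyResource");
  }
  if (!hasAnyActionOnAnyResource(userAtBackup)) {
    problems.push("user as captured in the backup lacks it; restore puts these grants back");
  }
  return problems;
}

// Constructed, abbreviated samples of usersInfo output.
const SAMPLE_WITHOUT_ROLE = {
  user: "pbmuser", db: "admin",
  roles: [{ role: "backup", db: "admin" }, { role: "restore", db: "admin" }],
  inheritedPrivileges: [
    { resource: { db: "", collection: "" }, actions: ["find", "listCollections"] },
  ],
};
const SAMPLE_WITH_ROLE = {
  ...SAMPLE_WITHOUT_ROLE,
  roles: [...SAMPLE_WITHOUT_ROLE.roles, { role: "pbmAnyAction", db: "admin" }],
  inheritedPrivileges: [...SAMPLE_WITHOUT_ROLE.inheritedPrivileges,
    { resource: { anyResource: true }, actions: ["anyAction"] }],
};
```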

Akira Kurogane September 19, 2019 at 12:00 PM
If I do the backup, create and assign that role then the restore fails and the user privileges are restored to not having this role.
This suggests to me that the backed-up grants for the pbm backup user are in effect from some point within the restore.
As I remember, you keep all the privileges you were granted at login, even if they are dropped by a parallel session afterwards. E.g. login from A at 19:13 gets roles P and Q; login from B and drop the Q role grant at 19:14; the first login from A keeps both P and Q so long as that connection stays alive. Only logins that follow will have just P. User sessions would have to be killed explicitly to make sure Q isn't being granted to any connection any more.
But maybe I'm wrong now, maybe it was improved and the Q drop happens for all connections instantaneously.
But either way, if the grant is done from the start when the users first make the pbm backup user, it will work.
It seems to me it would be good to add some kind of parameter to the restore operation for whether we want to restore privileges or not - it might be handy in situations like these.
Actually the "restore" role has the access privileges to create any user. So long as the pbm backup user has "restore" we could get the program to create the anyResource+anyAction custom role dynamically as a first step.

Tomislav Plavcic September 19, 2019 at 8:44 AM
If I create and assign that role before taking backup then the restore succeeds.
If I do the backup, create and assign that role then the restore fails and the user privileges are restored to not having this role.
It seems to me it would be good to add some kind of parameter to the restore operation for whether we want to restore privileges or not - it might be handy in situations like these.
It needs to be clear what the backup user privileges need to be.
What we had before:
But with this I'm getting this while trying to set storage:
and this while (if I specify different user just for storage setup) trying to do backup (info from pbm-agent stderr):
To continue testing I have now added backupUser root privileges on admin database, but probably some other more appropriate privileges need to be set up, or we should maybe tell users to create all needed collections before using this (this way maybe initial privileges would work - not 100% sure).