BugZero found this defect 2535 days ago.
No affected releases provided.
No fixed releases provided.
A normal user who has write access to the "local" database is currently not disallowed from writing arbitrary data to the oplog. We should discuss more stringent rules about when (if ever) to allow these kinds of arbitrary oplog writes.
greg.mckeon commented on Fri, 26 Oct 2018 15:25:09 +0000:
spencer.jackson jonathan.reams should this be closed won't fix?

email@example.com commented on Fri, 26 Oct 2018 15:00:59 +0000:
We talked about this in sprint planning and decided that we don't actually want to do this. In the past, being able to write to the oplog has been useful for support, and we don't want to completely remove that ability. Restricting access to the oplog collection with a built-in role doesn't require any major changes to the auth subsystem, and we can think about doing that, but if a user has been given write access to the oplog collection then we've decided they should be able to write to it.

greg.mckeon commented on Tue, 24 Jul 2018 17:13:50 +0000:
spencer.jackson if you're picking this up, would it be significant extra work to pick up SERVER-29826 as well?

firstname.lastname@example.org commented on Thu, 4 May 2017 20:18:41 +0000:
I thought about this and asked around. This seems like a reasonable request.
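Since the outcome of this ticket is that anyone granted write access to the oplog collection keeps it, an administrator may want to know which roles carry that access. The following is an added example, not code from the ticket or from MongoDB: it scans role documents, in the shape returned by `rolesInfo` with `showPrivileges: true`, for write actions that reach `local.oplog.rs`. The sample roles are constructed, and the treatment of the `{ db: "", collection: "" }` wildcard is an assumption noted in the code.

```javascript
// Added example: flag roles whose privileges allow writes to local.oplog.rs.
// Assumed input: role documents as returned by the rolesInfo command with
// showPrivileges: true (fields role, db, privileges, inheritedPrivileges).
const WRITE_ACTIONS = new Set(["insert", "update", "remove"]);

// Does a privilege resource document cover the collection local.oplog.rs?
function coversOplog(resource) {
  if (!resource) return false;
  if (resource.anyResource === true) return true;
  if (typeof resource.db !== "string" || typeof resource.collection !== "string") {
    return false; // for example { cluster: true }
  }
  // Assumption: the { db: "", collection: "" } wildcard is treated as not
  // reaching "local"; confirm this for the server version being audited.
  if (resource.db === "" && resource.collection === "") return false;
  const dbMatches = resource.db === "" || resource.db === "local";
  const collMatches = resource.collection === "" || resource.collection === "oplog.rs";
  return dbMatches && collMatches;
}

// Return one finding per role that can insert, update or remove oplog entries.
function findOplogWriters(roles) {
  const findings = [];
  for (const r of roles) {
    const privs = [...(r.privileges || []), ...(r.inheritedPrivileges || [])];
    const actions = new Set();
    for (const p of privs) {
      if (!coversOplog(p.resource)) continue;
      for (const a of p.actions || []) if (WRITE_ACTIONS.has(a)) actions.add(a);
    }
    if (actions.size > 0) {
      findings.push({ role: `${r.role}@${r.db}`, actions: [...actions].sort() });
    }
  }
  return findings;
}

// Constructed sample input (abbreviated privilege lists, hypothetical role names).
const sampleRoles = [
  { role: "readWrite", db: "local", privileges: [
      { resource: { db: "local", collection: "" }, actions: ["find", "insert", "update", "remove"] }] },
  { role: "oplogReader", db: "admin", privileges: [
      { resource: { db: "local", collection: "oplog.rs" }, actions: ["find"] }] },
  { role: "supportOplogFix", db: "admin", privileges: [], inheritedPrivileges: [
      { resource: { db: "local", collection: "oplog.rs" }, actions: ["insert"] }] },
  { role: "clusterOps", db: "admin", privileges: [
      { resource: { cluster: true }, actions: ["replSetGetStatus"] }] },
];
console.log(findOplogWriters(sampleRoles));
```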