Description
A frequently requested improvement in our RBAC control is for a user who can perform administrative tasks but not view any of the data.
The use case is for an organization to give its production administrators the ability to add/remove/failover nodes and add/edit/delete bucket configurations, but not to be able to see any of the data. Because of our "Document", "Views" and "Query" UI, all administrators are currently able to view sensitive data, which is a big security hole for production deployments.
My suggestion would be to remove access to the "data" APIs for the "Read-only" and "Cluster Admin" roles. If the end-user wishes to grant data access as well, they can simply add the "data reader" or "query select" roles to that user.
With a relatively simple change, this then achieves the need for full separation of duties between administrator and data/developer.
Issue Links
- relates to
  - MB-11314 AuthZ : RBAC for Admins (Closed)
  - MB-28417 cluster admin role downgraded to not have permission to view data (Resolved)
  - MB-28418 bucket admin role downgraded to not have permission to view bucket data (Resolved)
  - MB-29270 RBAC Role: Statistics Only User (Open)
  - MB-28419 Add new "Security Admin" role (Resolved)