Mongodb oplog tailing and security


#1

IIUC, accessing the local mongodb database in order to tail the oplog reveals data for ALL mongo databases.
This may be a security issue when hosting multiple applications (backed by different untrusted teams) on the same mongodb instance. Is this correct?


#2

If you mean that the Meteor server access to mongodb oplog allows access to the oplog (via the authenticated oplog user) then yes. But then, usually, won’t the same Meteor server have access to the base db collections anyway? Don’t really understand what the concern is in the described scenario…


#3

Hi hluz, thanks for the reply. Suppose I have *one* mongodb instance containing:

  • databases A and B
  • mongodb usera with readWrite role for A
  • mongodb userb with readWrite role for B
  • two Meteor applications managed by two different user groups, team1 and team2

In order to get oplog tailing working I need to grant read access for the local mongodb database to usera and userb (or two other dedicated mongodb users).
In this scenario usera will be able to see db changes of B and vice versa, and this is not desirable.

#4

Right, got it (I think): you have separate databases under the same mongod daemon, and would like each database to have separate user access. In this case, yes, the oplog (local database) will contain data from any database under the mongod daemon. So, to avoid that you will need to use separate mongod processes.

Also, note that if you have multiple meteor apps pointing to different databases on the same mongod and each monitoring the oplog, then each one will need to parse the full oplog. Not ideal for performance, of course…
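The exposure discussed in this thread, as an added example that is not part of any post above and not Meteor or MongoDB project code. It is a small Node.js audit: given user documents in the shape `db.getUsers()` returns and a slice of `local.oplog.rs`, it reports which users can tail the oplog and which databases' changes they would see without holding any role on them. The user documents and oplog entries are constructed samples; the role names (`read`, `readWrite`, `dbOwner`, `root`, `__system`) are MongoDB's built-in ones, and the check covers only explicit grants on `local` plus the superuser roles.

```javascript
// Added example, not code from the forum thread. The replica-set oplog lives in
// local.oplog.rs and every entry carries an `ns` of the form
// "<database>.<collection>", so anyone granted read on `local` for oplog
// tailing sees the writes of every database on that mongod.

// Built-in role names that allow reading the collections of the database they
// are scoped to (readWrite and dbOwner include read).
const LOCAL_READ_ROLES = new Set(['read', 'readWrite', 'dbOwner']);
// Superuser roles (defined on admin) that can read anything, local included.
const SUPERUSER_ROLES = new Set(['root', '__system']);

// Constructed user documents, in the shape returned by db.getUsers() / the
// usersInfo command, reduced to the fields the audit needs.
const SAMPLE_USERS = [
  { user: 'usera',    db: 'A',     roles: [{ role: 'readWrite', db: 'A' }, { role: 'read', db: 'local' }] },
  { user: 'oplogger', db: 'admin', roles: [{ role: 'read', db: 'local' }] },           // dedicated oplog user
  { user: 'userb',    db: 'B',     roles: [{ role: 'readWrite', db: 'B' }] },
  { user: 'admin',    db: 'admin', roles: [{ role: 'root', db: 'admin' }] },
];

// Constructed oplog entries (abridged: real entries also carry ts, t, h, v).
// `op` is i/u/d for insert/update/delete, c for a command, n for a no-op.
const SAMPLE_OPLOG = [
  { op: 'n', ns: '',         o: { msg: 'initiating set' } },
  { op: 'i', ns: 'A.users',  o: { _id: 1, email: 'alice@example.com' } },
  { op: 'i', ns: 'B.orders', o: { _id: 7, total: 99.5 } },
  { op: 'u', ns: 'B.orders', o2: { _id: 7 }, o: { $set: { total: 120 } } },
  { op: 'c', ns: 'B.$cmd',   o: { create: 'invoices' } },
  { op: 'd', ns: 'A.users',  o: { _id: 1 } },
];

// True if the user holds a superuser role on admin.
function isSuperuser(userDoc) {
  return userDoc.roles.some(r => r.db === 'admin' && SUPERUSER_ROLES.has(r.role));
}

// True if the user can read local.oplog.rs via an explicit read-type grant on
// `local` or via a superuser role. Other built-in roles may also include local
// read access; this check only covers those two cases.
function canReadOplog(userDoc) {
  return isSuperuser(userDoc) ||
    userDoc.roles.some(r => r.db === 'local' && LOCAL_READ_ROLES.has(r.role));
}

// Databases the user was explicitly granted a read-type role on, `local` excluded.
function ownDatabases(userDoc) {
  return new Set(userDoc.roles
    .filter(r => LOCAL_READ_ROLES.has(r.role) && r.db !== 'local')
    .map(r => r.db));
}

// Databases that appear in a slice of the oplog: the part of `ns` before the
// first dot. No-op entries have an empty ns and are skipped.
function databasesInOplog(entries) {
  const dbs = new Set();
  for (const e of entries) {
    if (e.op === 'n' || !e.ns) continue;
    dbs.add(e.ns.split('.')[0]);
  }
  return dbs;
}

// For every non-superuser who can tail the oplog, list the databases whose
// changes they would see without holding any role on them. An empty result
// means oplog access exposes nothing beyond what each user was granted.
function auditOplogExposure(users, oplogEntries) {
  const visible = [...databasesInOplog(oplogEntries)].sort();
  const findings = [];
  for (const u of users) {
    if (!canReadOplog(u) || isSuperuser(u)) continue; // superusers see everything by design
    const own = ownDatabases(u);
    const leaks = visible.filter(db => !own.has(db));
    if (leaks.length > 0) findings.push({ user: u.user, leaks });
  }
  return findings;
}

console.log(JSON.stringify(auditOplogExposure(SAMPLE_USERS, SAMPLE_OPLOG), null, 2));
```

On the constructed data the audit flags `usera` (sees `B`) and the dedicated `oplogger` user (sees both `A` and `B`), while `userb`, who has no grant on `local`, cannot tail the oplog at all. This is exactly the situation described in #3: any user given read on `local` to make oplog tailing work reads the whole oplog, which is why #4 lands on separate mongod processes as the way to keep the two teams' data apart.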