Restrict specific users or client IPs to only Analytics node(s)
There are use-cases where certain users or client IPs need to be given access restricted to only the Analytics node(s) . While it is possible to grant such users read-only permissions at the database/collection level, and have them use the ANALYTICS replica set tag in their connection string URI, it might still be possible for those users to connect to a Primary or a Secondary node (when not using the Analytics replica set tag) and run their query there.
Therefore, a feature that will either restrict specific users access to only the Analytics node(s) or a functionality that will restrict access from certain client IPs to only the Analytics node(s), will help in such use-cases.
Harshad
shared this idea
-
Justin
commented
Yeah would love to see this. There is nothing stopping someone from connecting to the cluster vs the tagged Analytics node if they mess with the connection string.
-
Pavel
commented
I also think it is imperative to restrict access at the network level to a read-only replica! So that certain users from certain addresses do not have access to the entire cluster, but only to a read-only replica.
-
Hi Harshad,
Great idea: it's unfortunately more complex to implement than it sounds, requiring some core changes to the authorization model on the database engine. I will share with the right people though.
-Andrew
