Restrict specific users or client IPs to only Analytics node(s)
There are use-cases where certain users or client IPs need to be given access restricted to only the Analytics node(s) . While it is possible to grant such users read-only permissions at the database/collection level, and have them use the ANALYTICS replica set tag in their connection string URI, it might still be possible for those users to connect to a Primary or a Secondary node (when not using the Analytics replica set tag) and run their query there.
Therefore, a feature that will either restrict specific users access to only the Analytics node(s) or a functionality that will restrict access from certain client IPs to only the Analytics node(s), will help in such use-cases.
-
Justin Smead commented
Yeah would love to see this. There is nothing stopping someone from connecting to the cluster vs the tagged Analytics node if they mess with the connection string.
-
Pavel commented
I also think it is imperative to restrict access at the network level to a read-only replica! So that certain users from certain addresses do not have access to the entire cluster, but only to a read-only replica.
-
Hi Harshad,
Great idea: it's unfortunately more complex to implement than it sounds, requiring some core changes to the authorization model on the database engine. I will share with the right people though.
-Andrew