COMPASS-7481

Investigate changes in SERVER-82929: $listSearchIndexes requires find privilege action rather than listSearchIndexes privilege action as it intended

    • Type: Investigation
    • Resolution: Done
    • Priority: Major - P3
    • No version
    • Affects Version/s: None
    • Component/s: None
    • Labels: None
    • Not Needed
      No action required in the DevTools products.


      Original Downstream Change Summary

      There was a bug with the permissions required to run listSearchIndexes. As intended, after this change, users need to either have a 'read' role, be an admin, or have the listSearchIndexes privilege to run the listSearchIndexes stage.

      Description of Linked Ticket

      The $listSearchIndexes aggregation stage is registered by calling the DocumentSourceListSearchIndexes::LiteParsed::parse() static function. The DocumentSourceListSearchIndexes::LiteParsed::parse() symbol resolves to the LiteParsedSearchStage::parse() base class static function. This leads to an instance of LiteParsedSearchStage being constructed rather than an instance of DocumentSourceListSearchIndexes::LiteParsed, and therefore LiteParsedSearchStage::requiredPrivileges() is used for the authorization check rather than DocumentSourceListSearchIndexes::LiteParsed::requiredPrivileges() as intended.
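The resolution problem described above, reduced to a stand-alone C++ model (an added example, not MongoDB source code). The class names `BuggyListSearchIndexes` and `FixedListSearchIndexes`, the single-string `requiredPrivilege()` and the helper functions are assumptions made for illustration, and the derived-class `parse()` is one way to restore the intended check, not necessarily the fix applied in SERVER-82929.

```cpp
// Simplified model of the dispatch problem; not MongoDB source code.
#include <iostream>
#include <memory>
#include <string>

// Base stage: its static factory always constructs the base type.
struct LiteParsedSearchStage {
    virtual ~LiteParsedSearchStage() = default;
    virtual std::string requiredPrivilege() const { return "find"; }
    static std::unique_ptr<LiteParsedSearchStage> parse() {
        return std::make_unique<LiteParsedSearchStage>();
    }
};

// Before: overrides the privilege check but declares no parse() of its own,
// so BuggyListSearchIndexes::parse names the inherited base factory.
struct BuggyListSearchIndexes : LiteParsedSearchStage {
    std::string requiredPrivilege() const override { return "listSearchIndexes"; }
};

// After (hypothetical): a parse() declared in the derived class hides the
// base factory and constructs the derived type, so the override is reached.
struct FixedListSearchIndexes : LiteParsedSearchStage {
    std::string requiredPrivilege() const override { return "listSearchIndexes"; }
    static std::unique_ptr<LiteParsedSearchStage> parse() {
        return std::make_unique<FixedListSearchIndexes>();
    }
};

using Parser = std::unique_ptr<LiteParsedSearchStage> (*)();

// Stand-in for registration plus authorization: the stage is registered by
// its static parser, and the check asks whatever object that parser built.
std::string privilegeCheckedFor(Parser registeredParser) {
    return registeredParser()->requiredPrivilege();
}

// Regression check: T::parse() must produce a T, not just the base type.
template <class T>
bool parsesToOwnType() {
    return dynamic_cast<T*>(T::parse().get()) != nullptr;
}

int main() {
    std::cout << "before: " << privilegeCheckedFor(&BuggyListSearchIndexes::parse) << "\n";
    std::cout << "after:  " << privilegeCheckedFor(&FixedListSearchIndexes::parse) << "\n";
    std::cout << std::boolalpha << parsesToOwnType<BuggyListSearchIndexes>() << "\n";
}
```

A check like `parsesToOwnType` placed in a unit test catches this class of bug at the point of registration, before it surfaces as a wrong authorization decision.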

      MongoDB Enterprise mongos> db.mycoll.aggregate([{$listSearchIndexes: {}}])
      uncaught exception: Error: command failed: {
      	"ok" : 0,
      	"errmsg" : "not authorized on test to execute command { aggregate: \"mycoll\", pipeline: [ { $listSearchIndexes: {} } ], cursor: {}, lsid: { id: UUID(\"705553ff-a177-460e-8c38-5af98d738314\") }, $clusterTime: { clusterTime: Timestamp(1699423295, 1), signature: { hash: BinData(0, 3153BC58060F75DBC1FF2D90036481E9714DBFAA), keyId: 7298965743213740055 } }, $db: \"test\" }",
      	"code" : 13,
      	"codeName" : "Unauthorized",
      ...
      MongoDB Enterprise mongos> db.adminCommand({connectionStatus: 1, showPrivileges: true})
      {
      	"authInfo" : {
      		"authenticatedUsers" : [
      			{
      				"user" : "myuser",
      				"db" : "admin"
      			}
      		],
      		"authenticatedUserRoles" : [
      			{
      				"role" : "myrole",
      				"db" : "admin"
      			}
      		],
      		"authenticatedUserPrivileges" : [
      			{
      				"resource" : {
      					"db" : "test",
      					"collection" : ""
      				},
      				"actions" : [
      					"listSearchIndexes"
      				]
      			}
      		]
      	},
      	"ok" : 1,
      

            Assignee: Unassigned
            Reporter: Backlog - Core Eng Program Management Team