Documentation project, issue DOCS-11718

Docs for SERVER-32942: mongo shell: for users authorized to certain namespace, make discovery easy

    • Type: Task
    • Resolution: Fixed
    • Priority: Major - P3
    • 4.0.0-rc0
    • Affects Version/s: None
    • Component/s: None
    • Labels: None

      Description:

      • New option "authorizedCollections" to listCollections command.
        • If it is set to true and "nameOnly" is also true, the command returns every collection the user is authorized for, but only those that actually exist in the database. A user is "authorized for" a collection if they hold a privilege that applies to it, i.e. if they have been assigned a custom role that grants them the 'find' action on that collection, or if they have been granted a privilege on the database itself. System collections are never returned in this mode.
        • Users with database-level privileges can now infer which collection names exist.
      • Make 'show collections' in the shell pass 'authorizedCollections: true'. Against new MongoDB servers, this lets the shell obtain the new behavior even when the user is not authenticated as a user with the listCollections privilege.
      • If the 4.0 shell receives an Unauthorized error, as it would when running the listCollections command against an older server that does not recognize authorizedCollections, it attempts to parse the set of collections on which it has been granted privileges from the output of connectionStatus.
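      The following is an added illustration of the two behaviors described above, written for this page rather than taken from the MongoDB server or shell source. It models, in plain JavaScript, (a) what listCollections with {nameOnly: true, authorizedCollections: true} returns for a given set of privileges (existing, non-system collections only), and (b) the shell-side fallback that derives candidate names from connectionStatus output when the server answers Unauthorized (error code 13). The privilege list uses the shape returned by {connectionStatus: 1, showPrivileges: true}; the database names, collection names, catalog contents, and the two stand-in server functions are constructed sample data.

```javascript
// Added example: model of listCollections "authorizedCollections" semantics and
// the 4.0 shell's connectionStatus fallback. Illustrative code, not MongoDB's own.

// Constructed connectionStatus output (shape as returned with showPrivileges: true).
const sampleConnectionStatus = {
  authInfo: {
    authenticatedUsers: [{ user: "appUser", db: "inventory" }],
    authenticatedUserRoles: [{ role: "inventoryReader", db: "inventory" }],
    authenticatedUserPrivileges: [
      { resource: { db: "inventory", collection: "products" }, actions: ["find"] },
      { resource: { db: "inventory", collection: "orders" }, actions: ["find", "insert"] },
      // Privilege on a collection that does not exist in the catalog below.
      { resource: { db: "inventory", collection: "archived" }, actions: ["find"] },
      // Database-level privilege: empty collection name means "whole database".
      { resource: { db: "reporting", collection: "" }, actions: ["find"] },
    ],
  },
  ok: 1,
};

// Constructed catalog: the collections that actually exist in each database.
const sampleCatalog = {
  inventory: ["products", "orders", "system.views"],
  reporting: ["daily", "monthly", "system.js"],
};

function isSystemCollection(name) {
  return name.startsWith("system.");
}

// Server-side model of {listCollections: 1, nameOnly: true, authorizedCollections: true}:
// only collections that exist, are not system collections, and are covered either by a
// database-level privilege or by a privilege naming that collection.
function authorizedListCollections(dbName, catalog, privileges) {
  const existing = catalog[dbName] || [];
  const dbWide = privileges.some(p => p.resource.db === dbName && p.resource.collection === "");
  const named = new Set(
    privileges
      .filter(p => p.resource.db === dbName && p.resource.collection !== "")
      .map(p => p.resource.collection)
  );
  return existing
    .filter(name => !isSystemCollection(name))
    .filter(name => dbWide || named.has(name))
    .sort();
}

// Shell-side fallback for servers that reject authorizedCollections: derive names from
// connectionStatus alone. The shell cannot check existence here, so a privilege on a
// collection that does not exist still yields a name; database-level privileges yield none.
function collectionsFromConnectionStatus(dbName, connStatus) {
  const privs = (connStatus.authInfo && connStatus.authInfo.authenticatedUserPrivileges) || [];
  const names = new Set();
  for (const p of privs) {
    const r = p.resource || {};
    if (r.db === dbName && r.collection && !isSystemCollection(r.collection)) {
      names.add(r.collection);
    }
  }
  return [...names].sort();
}

// Model of the shell helper: try the server first, fall back only on Unauthorized (code 13).
// `runCommand` stands in for db.runCommand.
function showCollections(dbName, runCommand, connStatus) {
  const res = runCommand({ listCollections: 1, nameOnly: true, authorizedCollections: true });
  if (res.ok === 1) {
    return res.cursor.firstBatch.map(c => c.name).sort();
  }
  if (res.code === 13) {
    return collectionsFromConnectionStatus(dbName, connStatus);
  }
  throw new Error("listCollections failed: " + res.errmsg);
}

// Constructed stand-ins for the two server generations.
const privs = sampleConnectionStatus.authInfo.authenticatedUserPrivileges;
const newServer = () => ({
  ok: 1,
  cursor: {
    id: 0,
    ns: "inventory.$cmd.listCollections",
    firstBatch: authorizedListCollections("inventory", sampleCatalog, privs)
      .map(name => ({ name, type: "collection" })),
  },
});
const oldServer = cmd => ({
  ok: 0,
  code: 13,
  errmsg: "not authorized on inventory to execute command " + JSON.stringify(cmd),
});

console.log("4.0 server:", showCollections("inventory", newServer, sampleConnectionStatus));
console.log("older server:", showCollections("inventory", oldServer, sampleConnectionStatus));
```

      Running it shows the difference the ticket describes: against the modeled 4.0 server the user sees only "orders" and "products", while the fallback path against the older server also lists "archived", because connectionStatus reveals the privilege but not whether the collection exists.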

      Scope of changes:

      • listCollections command
      • db.getCollectionInfos() and db.getCollectionNames() methods
      • listCollections action
      • mongo shell
      • privilege actions
      • 4.0
      • 4.0-compatibility

      Note: in the various places where we get people started with show collections, we don't mention any privileges, since those passages are in getting-started mode, e.g. "use show collections to see the collections in the db".

      Engineering Ticket Description:

      For users that connect to an authentication-enabled database that are authorized to only certain namespaces, the mongo shell should look up the namespaces the user is authorized to (for example by using the connectionStatus command) and then, if they exist, show those namespaces to the user in shell helpers like "show dbs" or "show collections".

      I suspect the fact that this is not baked into the shell's DNA today is a holdover from the fact that the shell was originally built when mongodb did not use auth by default...

      We should first investigate implementing showCollections properly in the server and backporting it all the way to 3.2. If this doesn't work, we should modify the shell helpers to appear to have the correct behavior.

            Assignee: kay.kim@mongodb.com Kay Kim (Inactive)
            Reporter: kay.kim@mongodb.com Kay Kim (Inactive)
            Votes: 0
            Watchers: 1

              Resolved: 5 years, 47 weeks, 3 days ago