-
Type: Task
-
Resolution: Fixed
-
Priority: Major - P3
-
Affects Version/s: None
-
Labels:None
Description
Description:
This change introduces a new optional boolean argument to the
{listDatabases:1}command called "authorizedDatabases".
The value of the argument must be either true or false if present.
If present and true, then only those databases which the user has the `find` privilege on will be returned, even if they have the `listDatabases` privilege which would otherwise grant permissions to enumate all databases.
If present and false, the all databases will be included, but ONLY if the user also has the listDatabases privilege. If they do not possess this privilege, but ask for all databases anyway (by passing false), then an Unauthorized error will be returned.
If the new param is not present, the command behaves as it currently does, returning all databases for users with the `listDatabases` privilege, and only those databases which the user has `find` privileges on for all others.
Scope of changes
- listDatabases command
- built-in roles + auth actions privileges
- Although we have some scripts that use listDatabases, for now, will not call out since we use the default. Although, may, want to blurb to check privileges in those spots.
Impact to Other Docs
MVP (Work and Date)
Resources (Scope or Design Docs, Invision, etc.)
- documents
-
SERVER-37551 Add {authorizedDatabases:bool} param to {listDatabases} command.
- Closed
- is related to
-
DOCS-12244 Docs for SERVER-38293: Make listDatabases understand collection privileges
- Closed