Details
- Bug
- Resolution: Won't Do
- Major - P3
- 3.6.6
- MongoDB 3.6.3 version.
- https://docs.mongodb.com/v3.6/reference/built-in-roles/#cluster-administration-roles
Description
User with the following roles:
db.createUser({user:"user15", pwd:"password", roles:[
  {role:"userAdminAnyDatabase", db:"admin"},
  {role:"clusterMonitor", db:"admin"},
  {role:"readAnyDatabase", db:"admin"},
  {role:"read", db:"config"}
]})
Not able to fetch System.sessions.stats() of the config db. Error:
db.system.sessions.stats()
{ "ok" : 0, "errmsg" : "not authorized on config to execute command { collStats: \"system.sessions\", scale: undefined, lsid: { id: UUID(\"48024901-b14a-4fa9-b645-ab0b24545c66\") }, $db: \"config\" }", "code" : 13, "codeName" : "Unauthorized"}
With which user role am I able to get these stats? In the documentation, it is stated that collection stats of all dbs can be fetched through the clusterMonitor role. Here I have given all the necessary roles but am not able to fetch the stats of the config db.
Scope of changes
- Need to clarify whether roles that have a demarcation between "All collections in <X> database" and "only the following system collections" should actually be "All non-system collections..."
- Generally seems like we need better guidance around how built-in roles work against system collections.
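
Added example, not part of the original ticket or of MongoDB's code: a small JavaScript model of privilege resource matching, assuming the rule that a database-level resource (empty collection name) covers only non-system collections while an explicitly named collection is matched exactly. The `dbWideStats` privilege set and the `configSessionsStats` role name are constructed for illustration; `user15` and `config.system.sessions` come from the report above.

```javascript
// Simplified model of how a privilege's resource document is matched
// against a namespace. Assumption: collection "" means "all non-system
// collections", so system.* collections need an explicit privilege.
const isSystem = (coll) => coll.startsWith("system.");

function resourceMatches(resource, db, coll) {
  if (resource.db !== "" && resource.db !== db) return false;
  if (resource.collection === "") return !isSystem(coll); // db-wide: non-system only
  return resource.collection === coll;                    // explicit name: exact match
}

function isAuthorized(privileges, db, coll, action) {
  return privileges.some(
    (p) => resourceMatches(p.resource, db, coll) && p.actions.includes(action)
  );
}

// Constructed stand-in for a role that grants stats on "all collections
// in the config database" through a database-level resource.
const dbWideStats = [
  { resource: { db: "config", collection: "" }, actions: ["collStats", "dbStats"] },
];

// Hypothetical least-privilege custom role: only collStats, only on the
// one system collection the report asks about.
const sessionsStatsRole = {
  role: "configSessionsStats",
  privileges: [
    { resource: { db: "config", collection: "system.sessions" }, actions: ["collStats"] },
  ],
  roles: [],
};

// In the mongo shell, as a user administrator, the role document above
// would be applied with the real helpers db.createRole and
// db.grantRolesToUser:
//   use admin
//   db.createRole(sessionsStatsRole)
//   db.grantRolesToUser("user15", [{ role: "configSessionsStats", db: "admin" }])

function demo() {
  const before = isAuthorized(dbWideStats, "config", "system.sessions", "collStats");
  const after = isAuthorized(
    dbWideStats.concat(sessionsStatsRole.privileges),
    "config", "system.sessions", "collStats"
  );
  return { before, after };
}
```

Run `grantRolesToUser` from the database in which `user15` was created.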