Documentation / DOCS-9815

users with permission to run find on a db can't run listCollections on that db


Details

    • Improvement
    • Resolution: Won't Do
    • Major - P3
    • Server_Docs_20231030
    • None
    • Server
    • None
    • 0.2

    Description

      In our documentation, we say that the find actionType grants you permission to run listCollections.

      Say we create a custom role that grants the find actionType on some database:

      db.runCommand({
        createRole: "findRole",
        privileges: [ { resource: { db: "test", collection: "" }, actions: [ "find" ] } ],
        roles: []
      })
      

      A user with the "findRole" role will not be able to run listCollections. This is subtle. It's because specifying an empty string as the collection for a resource excludes system collections, and we require permissions on system.namespaces to run listCollections.

      While nothing in our documentation is strictly wrong, it is certainly misleading.
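
Added example, not part of the original ticket and not MongoDB's own code: a simplified JavaScript model of the resource matching described above, usable as a check over role documents. It assumes, as the ticket states, that an empty collection string excludes system collections and that listCollections needs find on system.namespaces; the helper names, the sample data and the second role are hypothetical.

```javascript
// Simplified model of the behaviour described in this ticket (not server code).
// Assumptions from the ticket: collection "" skips system collections, and
// listCollections needs find on <db>.system.namespaces.
const isSystemCollection = (name) => name.startsWith("system.");

// Does a privilege's resource document cover the namespace db.coll?
function resourceCovers(resource, db, coll) {
  if (resource.db !== "" && resource.db !== db) return false;
  // Empty string is a wildcard over non-system collections only.
  if (resource.collection === "") return !isSystemCollection(coll);
  return resource.collection === coll;
}

function isGranted(privileges, action, db, coll) {
  return privileges.some(
    (p) => p.actions.includes(action) && resourceCovers(p.resource, db, coll)
  );
}

function canListCollections(privileges, db) {
  return isGranted(privileges, "find", db, "system.namespaces");
}

// Audit helper (hypothetical): roles that can read every ordinary collection
// in `db` through a wildcard yet cannot enumerate collections.
function rolesWithListGap(roles, db) {
  return roles
    .filter((r) => r.privileges.some(
      (p) => p.actions.includes("find") && p.resource.collection === "" &&
             resourceCovers(p.resource, db, "anyCollection")))
    .filter((r) => !canListCollections(r.privileges, db))
    .map((r) => r.role);
}

// Constructed sample data: the ticket's role plus a hypothetical variant that
// names system.namespaces explicitly.
const sampleRoles = [
  { role: "findRole", privileges: [
    { resource: { db: "test", collection: "" }, actions: ["find"] } ] },
  { role: "findAndListRole", privileges: [
    { resource: { db: "test", collection: "" }, actions: ["find"] },
    { resource: { db: "test", collection: "system.namespaces" }, actions: ["find"] } ] },
];

console.log(rolesWithListGap(sampleRoles, "test")); // roles with the gap
```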

          People

            ravind.kumar Ravind Kumar (Inactive)
            samantha.ritter@mongodb.com Samantha Ritter (Inactive)

            Dates

              Created:
              Updated:
              1 year, 14 weeks, 2 days ago