backup builtin role cannot perform rawData finds on admin collections


    • Type: Bug
    • Resolution: Fixed
    • Priority: Major - P3
    • 9.0.0-rc0
    • Affects Version/s: 8.2.0, 8.3.0-alpha1
    • Component/s: None
    • Catalog and Routing
    • Fully Compatible
    • ALL
    • v8.3
    • CAR Team 2026-03-30

      Summary

      A user with the backup role cannot run `find` commands with `rawData: true` on the admin.system.users, admin.system.roles, or admin.system.version collections. These commands fail with an Unauthorized error even though the role has `find` on these collections.

      Description

      The db tools are being updated to use `rawData: true`, and some auth tests fail when a user with the backup role tries to run a `find` on:

      • `admin.system.users`
      • `admin.system.roles`
      • `admin.system.version`

      with `rawData: true` set on the command. The error is:

      (Unauthorized) not authorized on admin to execute command { find: "system.users", filter: {}, rawData: true, $db: "admin", [other stuff omitted] }
      

      From SERVER-103168, built-in roles that are allowed to operate on time-series buckets were granted the `performRawDataOperations` action so they could use `rawData`. However, the backup role appears to be missing `performRawDataOperations` on these specific admin auth collections.

      In `builtin_roles.yml`, the backup role includes the `__queryableBackup` role, and `__queryableBackup` generally grants both `find` and `performRawDataOperations`. But for the `admin.system.users`, `admin.system.roles`, and `admin.system.version` exact-namespace entries, only `find` is granted, not `performRawDataOperations`. This makes the behavior on the admin auth collections inconsistent with other collections and with the expectation set by SERVER-103168.

      We would like to fix this on the server side rather than special-casing the tools to avoid using `rawData` on the admin database.

      Steps to Reproduce

      1. Start a `mongod` with authentication enabled.
      2. Create a user on the `admin` database with at least the backup role.
      3. Authenticate as that user.
      4. Run a command equivalent to:
        db.getSiblingDB("admin").runCommand({ find: "system.users", filter: {}, rawData: true })
        

        or a similar `find` with `rawData: true` on `system.roles` or `system.version`.

      5. Observe that the command fails with an Unauthorized error on the `admin` database.

      Expected Result

      A user with the backup role can successfully run `find` commands with `rawData: true` on:

      • `admin.system.users`
      • `admin.system.roles`
      • `admin.system.version`

      Actual Result

      `find` commands with `rawData: true` on these collections fail with:

      (Unauthorized) not authorized on admin to execute command { find: "system.users", filter: {}, rawData: true, $db: "admin", [other stuff omitted] }
      

      Proposed Fix

      Update the built-in role definitions in `builtin_roles.yml` so that the privileges associated with __queryableBackup / backup on the following admin collections also include `performRawDataOperations` wherever `find` is granted:

      • `admin.system.users`
      • `admin.system.roles`
      • `admin.system.version`

      This would align the admin auth collections with the behavior introduced in SERVER-103168 for other namespaces where `rawData` is supported, and avoid the need for db tools to special-case the admin database.

      References

            Assignee: Tommaso Tocci
            Reporter: Tommaso Tocci
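Added example, not part of the original ticket or of the MongoDB code base: a small audit over role privileges, in the shape `rolesInfo` returns with `showPrivileges: true`, that lists namespaces where `find` is granted but `performRawDataOperations` is not. The sample privileges and the simplified resource-matching rule are constructed assumptions that mirror the situation described above; they are not the contents of `builtin_roles.yml`.

```javascript
// Constructed sample, shaped like the `privileges` array from rolesInfo with
// showPrivileges: true. It mirrors this ticket; it is NOT copied from builtin_roles.yml.
const samplePrivileges = [
  { resource: { db: "", collection: "" }, actions: ["find", "performRawDataOperations"] },
  { resource: { db: "admin", collection: "system.users" }, actions: ["find"] },
  { resource: { db: "admin", collection: "system.roles" }, actions: ["find"] },
  { resource: { db: "admin", collection: "system.version" }, actions: ["find"] },
];

// Simplified resource matching (assumption): an empty string is a wildcard, but a
// wildcard collection never covers system.* collections; those need an explicit name.
function matches(resource, db, coll) {
  if (typeof resource.db !== "string" || typeof resource.collection !== "string") {
    return false; // cluster / anyResource patterns are out of scope for this check
  }
  const dbOk = resource.db === "" || resource.db === db;
  const collOk = resource.collection === ""
    ? !coll.startsWith("system.")
    : resource.collection === coll;
  return dbOk && collOk;
}

// Union of the actions granted on one namespace across all matching privilege entries.
function effectiveActions(privileges, db, coll) {
  const actions = new Set();
  for (const p of privileges) {
    if (matches(p.resource, db, coll)) p.actions.forEach((a) => actions.add(a));
  }
  return actions;
}

// Namespaces where a plain find is allowed but find with rawData: true would be refused.
function findWithoutRawData(privileges, namespaces) {
  return namespaces.filter((ns) => {
    const dot = ns.indexOf(".");
    const granted = effectiveActions(privileges, ns.slice(0, dot), ns.slice(dot + 1));
    return granted.has("find") && !granted.has("performRawDataOperations");
  });
}

const checked = ["admin.system.users", "admin.system.roles", "admin.system.version", "test.orders"];
console.log(findWithoutRawData(samplePrivileges, checked));
```

Against a live deployment, the input would be the combined `privileges` and `inheritedPrivileges` arrays returned by `rolesInfo` for the role under review.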