Per the $indexStats documentation (https://docs.mongodb.com/manual/reference/operator/aggregation/indexStats/) : "If running with access control, the user must have privileges that include indexStats action."
A database user with "dbOwner" database privileges is able to grant themselves privileges which include the "indexStats" action in their respective database. These privileges do not allow the user to use the $indexStats aggregation operator.
// connected with "test_user" to "roles" db db.getUser("test_user") // User is a dbOwner in the "roles" database: // { // "_id" : "roles.test_user", // "user" : "test_user", // "db" : "roles", // "roles" : [ // { // "role" : "dbOwner", // "db" : "roles" // } // ] // } // Create role granting indexStats action db.runCommand({ createRole: "index_stats_role", privileges: [ { resource: { "db": "roles", "collection" : "" }, actions: [ "indexStats" ] }, ], "roles" : [] }) // Grant role to user db.grantRolesToUser( "test_user", [ { "role" : "index_stats_role", "db" : "roles" } ]) db.getUser("test_user") // User now has the role with the "indexStats" action: // { // "_id" : "roles.test_user", // "user" : "test_user", // "db" : "roles", // "roles" : [ // { // "role" : "index_stats_role", // "db" : "roles" // }, // { // "role" : "dbOwner", // "db" : "roles" // } // ] // } // Exiting and re-connect // Try to execute $indexStats operator db.names.aggregate([ { "$indexStats" : { } } ] ) // Error: // // assert: command failed: { // "ok" : 0, // "errmsg" : "not authorized on test to execute command { aggregate: \"names\", pipeline: [ { $indexStats: {} } ], cursor: {} }", // "code" : 13 // } : aggregate failed // Error: command failed: { // "ok" : 0, // "errmsg" : "not authorized on test to execute command { aggregate: \"names\", pipeline: [ { $indexStats: {} } ], cursor: {} }", // "code" : 13 // } : aggregate failed // at Error (<anonymous>) // at doassert (src/mongo/shell/assert.js:11:14) // at Function.assert.commandWorked (src/mongo/shell/assert.js:254:5) // at DBCollection.aggregate (src/mongo/shell/collection.js:1278:12) // at (shell):1:10 // 2016-10-18T16:33:56.028-0700 E QUERY Error: command failed: { // "ok" : 0, // "errmsg" : "not authorized on test to execute command { aggregate: \"names\", pipeline: [ { $indexStats: {} } ], cursor: {} }", // "code" : 13 // } : aggregate failed // at Error (<anonymous>) // at doassert (src/mongo/shell/assert.js:11:14) // at Function.assert.commandWorked (src/mongo/shell/assert.js:254:5) // at DBCollection.aggregate (src/mongo/shell/collection.js:1278:12) // at (shell):1:10 at src/mongo/shell/assert.js:13
However, a database user with the built-in "clusterMonitor" role is able to use the operator, as it has the "indexStats" action (https://docs.mongodb.com/v3.2/reference/built-in-roles/#clusterMonitor).
Can the "indexStats" action be assigned by itself, or must it be coupled with other actions? Ideally, I would like to be able to assign this privilege without offering all the permissions provided in the clusterMonitor role.
- is documented by
-
DOCS-9463 Docs for SERVER-26734: indexStats action is not sufficient privileges for $indexStats operator
-
- Closed
-