Details
- Bug
- Resolution: Works as Designed
- Minor - P4
- None
- 3.4.1
- Query
- ALL
- (copied to CRM)
Description
When access control is not enabled, I am able to execute a db.system.views.find() command and get back the metadata about any view(s) that have been created for that database.

    db.system.views.findOne()
    {
        "_id" : "deviceInfo.userDevices",
        "viewOn" : "users",
        "pipeline" : [
            {
                "$lookup" : {
                    "from" : "devices",
                    "localField" : "userID",
                    "foreignField" : "userID",
                    "as" : "devices"
                }
            },
            {
                "$project" : {
                    "_id" : 0,
                    "userID" : 1,
                    "userName" : 1,
                    "devices.deviceID" : 1,
                    "devices.deviceName" : 1
                }
            }
        ]
    }
When access control has been enabled using SCRAM-SHA1 username/password and a role of root, I get an auth error when issuing the same db.system.views.find() command.
    db.system.views.find()
    Error: error: {
        "ok" : 0,
        "errmsg" : "not authorized on deviceInfo to execute command { find: \"system.views\", filter: {} }",
        "code" : 13,
        "codeName" : "Unauthorized"
    }
My understanding is that the root role provides full privileges on all resources, so I would assume that I should be able to execute a find() against the system.views collection in the same way I did when security was not enabled.
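The following is an added, offline illustration of why the denial above is consistent with MongoDB's documented privilege model; it is not MongoDB's authorization code and not part of the ticket. It models the documented resource-document rules (an empty `collection` string means "all non-system collections", so it never covers `system.views`, while a resource naming `system.views` explicitly does) and builds a custom role that would grant `find` on `deviceInfo.system.views`. The privilege list assigned to `ROOT_LIKE` is an assumed, simplified stand-in for the readWriteAnyDatabase part of root, not the full built-in role, and the role name `viewMetaReader` is hypothetical.

```python
"""Offline model of MongoDB privilege/resource matching (added example).

Resource semantics follow the documented resource-document rules:
  {db: "", collection: ""}    -> every non-system collection in every database
  {db: "x", collection: ""}   -> every non-system collection in database x
  {db: "", collection: "c"}   -> collection c in every database (system.* allowed)
  {db: "x", collection: "c"}  -> exactly x.c
  {anyResource: true}         -> everything
  {cluster: true}             -> cluster-wide actions only, never a collection
"""
import json


def is_system_collection(coll: str) -> bool:
    """system.views, system.users, system.profile ... are system collections."""
    return coll.startswith("system.")


def resource_matches(resource: dict, db: str, coll: str) -> bool:
    """Does one privilege's resource document cover the collection db.coll?"""
    if resource.get("anyResource"):
        return True
    if "cluster" in resource:
        return False
    r_db = resource.get("db", "")
    r_coll = resource.get("collection", "")
    if r_db and r_db != db:
        return False
    if r_coll == "":
        # Empty collection string = "all normal collections", which excludes
        # system.* collections. This is the rule that bites root here.
        return not is_system_collection(coll)
    return r_coll == coll


def grants(privileges: list, db: str, coll: str, action: str) -> bool:
    """True if any privilege in the list allows `action` on db.coll."""
    return any(
        action in p["actions"] and resource_matches(p["resource"], db, coll)
        for p in privileges
    )


# Assumed, simplified stand-in for the readWriteAnyDatabase portion of root
# (constructed for this example; not the complete built-in role definition).
ROOT_LIKE = [
    {"resource": {"db": "", "collection": ""},
     "actions": ["find", "insert", "update", "remove"]},
]

# Hypothetical custom role that explicitly names the system collection.
VIEW_META_READER = {
    "role": "viewMetaReader",
    "privileges": [
        {"resource": {"db": "deviceInfo", "collection": "system.views"},
         "actions": ["find"]},
    ],
    "roles": [],
}


def create_role_command(role: dict) -> str:
    """Render the role document as a mongo shell db.createRole() call.

    Creating it in the admin database lets the role carry privileges on
    another database (deviceInfo) per the documented createRole rules.
    """
    return "db.getSiblingDB('admin').createRole(" + json.dumps(role, indent=2) + ")"


if __name__ == "__main__":
    print("root-like can find deviceInfo.users:       ",
          grants(ROOT_LIKE, "deviceInfo", "users", "find"))
    print("root-like can find deviceInfo.system.views:",
          grants(ROOT_LIKE, "deviceInfo", "system.views", "find"))
    print("custom role can find system.views:         ",
          grants(VIEW_META_READER["privileges"], "deviceInfo", "system.views", "find"))
    print(create_role_command(VIEW_META_READER))
```

After creating the role, grant it with `db.grantRolesToUser("<user>", [{ role: "viewMetaReader", db: "admin" }])`. Note also that the view definitions themselves (`viewOn` and `pipeline`) are returned by listCollections, so `db.getCollectionInfos({ type: "view" })` exposes the same metadata to a root user without any direct read of `system.views`.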
Attachments
Issue Links
- related to SERVER-27600 Queryable Backups need capabilities to read everything and read only (Closed)