  1. Core Server
  2. SERVER-38867

"show collections" no longer lists system.* collections


    Details

    • Type: Bug
    • Status: In Code Review
    • Priority: Major - P3
    • Resolution: Unresolved
    • Affects Version/s: 4.0.5
    • Fix Version/s: 4.1 Required
    • Component/s: Security, Shell
    • Labels:
    • Operating System:
      ALL
    • Backport Requested:
      v4.0
    • Sprint:
      Sharding 2019-01-14, Sharding 2019-01-28, Sharding 2019-02-11, Sharding 2019-02-25, Sharding 2019-03-11, Sharding 2019-03-25

      Description

      On SERVER-32942 the authorizedCollections optional parameter was added to the listCollections command, and the show collections shell helper was modified to pass true for this parameter.

      However, this has the unintended consequence of preventing system.* collections from being listed in the output of show collections, even when auth is off or specific privileges to system collections have been granted. This is a backward breaking change in behaviour, which might lead users to make incorrect deductions about the state of the db (based on the apparent non-presence of system collections of interest).

      The reason for this is that the blacklisting of system collections on SERVER-32942 is too heavy handed, and should instead be relaxed to return system collections that the logged-in user has privileges to. The example behaviours below are all on a freshly initialised standalone/sharded cluster.

      Auth disabled

      Setup:

      use admin
      

      Standalone/Replset: Current behaviour

      > show collections
      >

      Standalone/Replset: Desired behaviour

      > show collections
      system.version
      >
      

      Sharded: Current behaviour

      mongos> show collections
      mongos>

      Sharded: Desired behaviour

      mongos> show collections
      system.keys
      system.version
      mongos>
      

      Auth enabled

      Setup:

      use admin
      db.auth("root", "root")
       
      db.createRole( { role: "syscoll", privileges: [ { resource: { db: "admin", collection: "system.version" }, actions: [ "find" ] } ], roles: [] } )
      db.createRole( { role: "admindb", privileges: [ { resource: { db: "admin", collection: "" },               actions: [ "find" ] } ], roles: [] } )
       
      db.createUser( { user: "test-syscoll", pwd: "test", roles: [ "syscoll" ] } )
      db.createUser( { user: "test-admindb", pwd: "test", roles: [ "admindb" ] } )
      db.createUser( { user: "test-both",    pwd: "test", roles: [ "admindb", "syscoll" ] } )
       
      db.createCollection("testcoll")
      

      Standalone/Replset: Current behaviour

      > db.auth("test-syscoll", "test")
      1
      > show collections
      >

      > db.auth("test-admindb", "test")
      1
      > show collections
      testcoll
      >

      > db.auth("test-both", "test")
      1
      > show collections
      testcoll
      >

      Standalone/Replset: Desired behaviour

      > db.auth("test-syscoll", "test")
      1
      > show collections
      system.version
      >

      > db.auth("test-admindb", "test")
      1
      > show collections
      testcoll
      >

      > db.auth("test-both", "test")
      1
      > show collections
      system.version
      testcoll
      >
      

      Sharded: Current behaviour

      mongos> db.auth("test-syscoll", "test")
      1
      mongos> show collections
      mongos>

      mongos> db.auth("test-admindb", "test")
      1
      mongos> show collections
      testcoll
      mongos>

      mongos> db.auth("test-both", "test")
      1
      mongos> show collections
      testcoll
      mongos>

      Sharded: Desired behaviour

      mongos> db.auth("test-syscoll", "test")
      1
      mongos> show collections
      system.version
      mongos>

      mongos> db.auth("test-admindb", "test")
      1
      mongos> show collections
      testcoll
      mongos>

      mongos> db.auth("test-both", "test")
      1
      mongos> show collections
      system.version
      testcoll
      mongos>
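
The filtering difference this ticket describes, as a small JavaScript model added here; it is not MongoDB's server or shell code. Function names and the sample collection lists are hypothetical, and it assumes a database-wide resource (collection: "") covers only non-system collections, which is why test-admindb does not see system.version in either column.

```javascript
// Model only: not MongoDB server code. All names below are hypothetical.
const isSystem = (name) => name.startsWith("system.");

// Roles from the ticket's setup (collection "" = database-wide resource).
const ROLES = {
  syscoll: [{ resource: { db: "admin", collection: "system.version" }, actions: ["find"] }],
  admindb: [{ resource: { db: "admin", collection: "" }, actions: ["find"] }],
};

// Does one privilege grant anything on db.coll?
// Assumption: a database-wide resource matches non-system collections only;
// a system collection has to be named explicitly.
function covers(priv, db, coll) {
  const r = priv.resource;
  if (r.db !== db || priv.actions.length === 0) return false;
  return r.collection === "" ? !isSystem(coll) : r.collection === coll;
}

// user === null models a server running with auth disabled.
function canSee(user, db, coll) {
  if (user === null) return true;
  return user.roles.some((role) => ROLES[role].some((p) => covers(p, db, coll)));
}

// "current": system.* is dropped unconditionally, before any privilege check.
// "desired": the privilege check alone decides what is listed.
function showCollections(user, db, existing, mode) {
  return existing
    .filter((c) => mode === "desired" || !isSystem(c))
    .filter((c) => canSee(user, db, c))
    .sort();
}

// Constructed sample data: the admin db after the ticket's auth-enabled setup.
const EXISTING = ["system.roles", "system.users", "system.version", "testcoll"];
const USERS = {
  "test-syscoll": { roles: ["syscoll"] },
  "test-admindb": { roles: ["admindb"] },
  "test-both": { roles: ["admindb", "syscoll"] },
};

for (const [name, user] of Object.entries(USERS)) {
  console.log(name,
    "current:", showCollections(user, "admin", EXISTING, "current"),
    "desired:", showCollections(user, "admin", EXISTING, "desired"));
}
```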
      

              People

              • Assignee: Kevin Pulo (kevin.pulo)
              • Reporter: Kevin Pulo (kevin.pulo)
              • Votes: 1
              • Watchers: 13
