In SERVER-32942, the optional authorizedCollections parameter was added to the listCollections command, and the show collections shell helper was modified to pass true for this parameter.
However, this has the unintended consequence of preventing system.* collections from being listed in the output of show collections, even when auth is off or specific privileges on system collections have been granted. This is a backward-breaking change in behaviour, which might lead users to make incorrect deductions about the state of the db (based on the apparent absence of system collections of interest).
The reason for this is that the blacklisting of system collections in SERVER-32942 is too heavy-handed; it should instead be relaxed to return the system collections that the logged-in user has privileges on.
The example behaviours below are all on a freshly initialised standalone/sharded cluster.
Auth disabled
Setup:
Standalone/Replset: Current behaviour

Standalone/Replset: Desired behaviour

    > show collections
    system.version
    >

Sharded: Current behaviour

    mongos> show collections
    mongos>

Sharded: Desired behaviour

    mongos> show collections
    system.keys
    system.version
    mongos>

Auth enabled
Setup:

    use admin
    db.auth("root", "root")

    db.createRole( { role: "syscoll", privileges: [ { resource: { db: "admin", collection: "system.version" }, actions: [ "find" ] } ], roles: [] } )
    db.createRole( { role: "admindb", privileges: [ { resource: { db: "admin", collection: "" }, actions: [ "find" ] } ], roles: [] } )

    db.createUser( { user: "test-syscoll", pwd: "test", roles: [ "syscoll" ] } )
    db.createUser( { user: "test-admindb", pwd: "test", roles: [ "admindb" ] } )
    db.createUser( { user: "test-both", pwd: "test", roles: [ "admindb", "syscoll" ] } )

    db.createCollection("testcoll")

Standalone/Replset: Current behaviour

    > db.auth("test-syscoll", "test")
    1
    > show collections
    >

    > db.auth("test-admindb", "test")
    1
    > show collections
    testcoll
    >

    > db.auth("test-both", "test")
    1
    > show collections
    testcoll
    >

Standalone/Replset: Desired behaviour

    > db.auth("test-syscoll", "test")
    1
    > show collections
    system.version
    >

    > db.auth("test-admindb", "test")
    1
    > show collections
    testcoll
    >

    > db.auth("test-both", "test")
    1
    > show collections
    system.version
    testcoll
    >

Sharded: Current behaviour

    mongos> db.auth("test-syscoll", "test")
    1
    mongos> show collections
    mongos>

    mongos> db.auth("test-admindb", "test")
    1
    mongos> show collections
    testcoll
    mongos>

    mongos> db.auth("test-both", "test")
    1
    mongos> show collections
    testcoll
    mongos>

Sharded: Desired behaviour

    mongos> db.auth("test-syscoll", "test")
    1
    mongos> show collections
    system.version
    mongos>

    mongos> db.auth("test-admindb", "test")
    1
    mongos> show collections
    testcoll
    mongos>

    mongos> db.auth("test-both", "test")
    1
    mongos> show collections
    system.version
    testcoll
    mongos>
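
The auth-enabled results above can be reproduced with a small model of the two filtering rules. This is an added example, not MongoDB's implementation or code from this ticket; the helper names (resourceMatches, hasPrivilege, listCurrent, listDesired) are hypothetical, and it assumes that any privilege on a collection is enough for it to be listed.

```javascript
// Simplified model of privilege-based collection listing; not MongoDB source code.
// Constructed sample data mirroring the ticket's setup on the admin database.
const collections = ["system.version", "testcoll"];
const roles = {
  syscoll: [{ resource: { db: "admin", collection: "system.version" }, actions: ["find"] }],
  admindb: [{ resource: { db: "admin", collection: "" }, actions: ["find"] }],
};
const users = {
  "test-syscoll": ["syscoll"],
  "test-admindb": ["admindb"],
  "test-both": ["admindb", "syscoll"],
};

const isSystem = (name) => name.startsWith("system.");

// A resource with collection "" covers every non-system collection in the db;
// a system collection has to be named explicitly in the resource.
function resourceMatches(resource, db, coll) {
  if (resource.db !== db) return false;
  if (resource.collection === "") return !isSystem(coll);
  return resource.collection === coll;
}

function hasPrivilege(user, db, coll) {
  return users[user].some((role) =>
    roles[role].some((p) => resourceMatches(p.resource, db, coll)));
}

// Current behaviour per the ticket: system.* is dropped before privileges are considered.
function listCurrent(user, db) {
  return collections.filter((c) => !isSystem(c) && hasPrivilege(user, db, c));
}

// Desired behaviour: the privilege check alone decides, system.* included.
function listDesired(user, db) {
  return collections.filter((c) => hasPrivilege(user, db, c));
}

for (const user of Object.keys(users)) {
  console.log(user, "current:", listCurrent(user, "admin"), "desired:", listDesired(user, "admin"));
}
```

The model also shows why test-admindb gains nothing under the desired behaviour: a resource with an empty collection name does not cover system collections, so only an explicit grant such as the syscoll role makes system.version visible.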