On SERVER-32942 the authorizedCollections optional parameter was added to the listCollections command, and the show collections shell helper was modified to pass true for this parameter.
However, this has the unintended consequence of preventing system.* collections from being listed in the output of show collections, even when auth is off or specific privileges to system collections have been granted. This is a backward breaking change in behaviour, which might lead users to make incorrect deductions about the state of the db (based on the apparent non-presence of system collections of interest).
The reason for this is that the blacklisting of system collections on SERVER-32942 is too heavy handed, and should instead be relaxed to return system collections that the logged-in user has privileges to. The example behaviours below are all on a freshly initialised standalone/sharded cluster.
Auth disabled
Setup:
| Standalone/Replset: Current behaviour |
Standalone/Replset: Desired behaviour |
|
|
> show collections
|
system.version
|
>
|
|
| Sharded: Current behaviour |
Sharded: Desired behaviour |
mongos> show collections
|
mongos>
|
|
|
|
mongos> show collections
|
system.keys
|
system.version
|
mongos>
|
|
Auth enabled
Setup:
use admin
|
db.auth("root", "root")
|
|
db.createRole( { role: "syscoll", privileges: [ { resource: { db: "admin", collection: "system.version" }, actions: [ "find" ] } ], roles: [] } )
|
db.createRole( { role: "admindb", privileges: [ { resource: { db: "admin", collection: "" }, actions: [ "find" ] } ], roles: [] } )
|
|
db.createUser( { user: "test-syscoll", pwd: "test", roles: [ "syscoll" ] } )
|
db.createUser( { user: "test-admindb", pwd: "test", roles: [ "admindb" ] } )
|
db.createUser( { user: "test-both", pwd: "test", roles: [ "admindb", "syscoll" ] } )
|
|
db.createCollection("testcoll")
|
| Standalone/Replset: Current behaviour |
Standalone/Replset: Desired behaviour |
> db.auth("test-syscoll", "test")
|
1
|
> show collections
|
>
|
|
|
> db.auth("test-admindb", "test")
|
1
|
> show collections
|
testcoll
|
>
|
|
> db.auth("test-both", "test")
|
1
|
> show collections
|
testcoll
|
>
|
|
|
> db.auth("test-syscoll", "test")
|
1
|
> show collections
|
system.version
|
>
|
|
> db.auth("test-admindb", "test")
|
1
|
> show collections
|
testcoll
|
>
|
|
> db.auth("test-both", "test")
|
1
|
> show collections
|
system.version
|
testcoll
|
>
|
|
| Sharded: Current behaviour |
Sharded: Desired behaviour |
mongos> db.auth("test-syscoll", "test")
|
1
|
mongos> show collections
|
mongos>
|
|
|
mongos> db.auth("test-admindb", "test")
|
1
|
mongos> show collections
|
testcoll
|
mongos>
|
|
mongos> db.auth("test-both", "test")
|
1
|
mongos> show collections
|
testcoll
|
mongos>
|
|
|
mongos> db.auth("test-syscoll", "test")
|
1
|
mongos> show collections
|
system.version
|
mongos>
|
|
mongos> db.auth("test-admindb", "test")
|
1
|
mongos> show collections
|
testcoll
|
mongos>
|
|
mongos> db.auth("test-both", "test")
|
1
|
mongos> show collections
|
system.version
|
testcoll
|
mongos>
|
|
SERVER-32942 mongo shell: for users authorized to certain namespace, make discovery easy
SERVER-38353 show collections does not list system.* collections from admin db on 4.0