Uploaded image for project: 'Core Server'
  1. Core Server
  2. SERVER-45888

$lookup unnecessarily requires 'find' privilege even if sub-pipeline does not read from 'from' collection

XMLWordPrintableJSON

    • Type: Icon: Bug Bug
    • Resolution: Won't Fix
    • Priority: Icon: Major - P3 Major - P3
    • None
    • Affects Version/s: 3.6.17, 4.2.3, 4.0.15
    • Component/s: None
    • Labels:
    • Query
    • ALL
    • Hide

      As an example, consider a user with only the 'collStats' privilege on the 'test.foo' namespace and 'find' privilege on 'test.bar'. An aggregation such as 

      db.bar.aggregate([{$lookup: {from: "foo", pipeline: [{$collStats: {latencyStats: {}}}], as: "result"}}]

      Should not fail with an authorization failure.

      Show
      As an example, consider a user with only the 'collStats' privilege on the 'test.foo' namespace and 'find' privilege on 'test.bar'. An aggregation such as db.bar.aggregate([{$lookup: {from: "foo", pipeline: [{$collStats: {latencyStats: {}}}], as: "result"}}] Should not fail with an authorization failure.

      There is no restriction on having an "initial source" stage (e.g. $collStats, $planCacheStats, ...) within a $lookup sub-pipeline, which means the operation may not perform a read against the 'from' collection. In such a case, the aggregation should not require the 'find' privilege on the 'from' collection.

            Assignee:
            backlog-server-query Backlog - Query Team (Inactive)
            Reporter:
            nicholas.zolnierz@mongodb.com Nicholas Zolnierz
            Votes:
            0 Vote for this issue
            Watchers:
            2 Start watching this issue

              Created:
              Updated:
              Resolved: