Uploaded image for project: 'Core Server'
  1. Core Server
  2. SERVER-54194

"not authorized" message should include the required permissions

    XMLWordPrintable

Details

    • Improvement
    • Status: Closed
    • Minor - P4
    • Resolution: Works as Designed
    • None
    • None
    • None
    • None

    Description

      When I send a command and the server declines to execute the command due to lack of authorization, the message returned does not indicate which permission would be needed to successfully execute the command:

      MongoDB Enterprise atlas-3nacfp-shard-0:PRIMARY> db.runCommand({killAllSessions:[]})
      {
      	"operationTime" : Timestamp(1612230806, 1),
      	"ok" : 0,
      	"errmsg" : "not authorized on admin to execute command { killAllSessions: [], lsid: { id: UUID(\"7e3c8ab4-5efc-4cea-87e9-e8fb2bc8ca7a\") }, $clusterTime: { clusterTime: Timestamp(1612230396, 7), signature: { hash: BinData(0, 6A2403788B038B67B098C0E46580262E85ACACE3), keyId: 6924358218915250179 } }, $db: \"admin\" }",
      	"code" : 13,
      	"codeName" : "Unauthorized",
      	"$clusterTime" : {
      		"clusterTime" : Timestamp(1612230806, 1),
      		"signature" : {
      			"hash" : BinData(0,"/Dx7mWGPRwwAmQvNdP2BG4jG8y0="),
      			"keyId" : NumberLong("6924358218915250179")
      		}
      	}
      }
      

      To fix this, I need to read the documentation for the command in question, which hopefully states the required permission. Some commands state the permissions, and some don't. For example:

      As a user of the server, if a command fails due to lack of authorization, I would like the server to tell me which permissions are required (list all that would be acceptable, if more than one is acceptable), so that I can immediately start rectifying the permission problem rather than spending sometimes a long time figuring out what permissions are needed to begin with.

      Attachments

        Activity

          People

            backlog-server-security Backlog - Security Team
            oleg.pudeyev@mongodb.com Oleg Pudeyev (Inactive)
            Votes:
            0 Vote for this issue
            Watchers:
            2 Start watching this issue

            Dates

              Created:
              Updated:
              Resolved: