Loading...

XML

Word

Printable

JSON

Type: Bug
Resolution: Fixed
Priority: Major - P3
Fix Version/s: 7.2.1, 7.3.0-rc0, 7.0.6, 6.0.14
Affects Version/s: 7.0.0, 6.0.7, 7.2.0-rc0, 7.1.0
Component/s: Aggregation Framework
Labels:
None

Assigned Teams:

Query Integration
Backwards Compatibility:
Fully Compatible
Operating System:
ALL
Backport Requested:

v7.2, v7.0, v6.0
Sprint:
QI 2023-11-27, QI 2023-12-11
CAR Domain/s:
None

Aha! Reference:
None
Tracking Level:
None
Risk Status:
None
Exec Notes:
None
Goal Name(s):
None
Goal Link:
None

The $listSearchIndexes aggregation stage is registered by calling the DocumentSourceListSearchIndexes::LiteParsed::parse() static function. And the DocumentSourceListSearchIndexes::LiteParsed::parse() symbol resolves to the LiteParsedSearchStage::parse() base class static function. This leads to an instance of LiteParsedSearchStage being constructed rather than an instead of DocumentSourceListSearchIndexes::LiteParsed and therefore LiteParsedSearchStage::requiredPrivileges() being used for the authorization check rather than DocumentSourceListSearchIndexes::LiteParsed::requiredPrivileges() as intended.

MongoDB Enterprise mongos> db.mycoll.aggregate([{$listSearchIndexes: {}}])
uncaught exception: Error: command failed: {
	"ok" : 0,
	"errmsg" : "not authorized on test to execute command { aggregate: \"mycoll\", pipeline: [ { $listSearchIndexes: {} } ], cursor: {}, lsid: { id: UUID(\"705553ff-a177-460e-8c38-5af98d738314\") }, $clusterTime: { clusterTime: Timestamp(1699423295, 1), signature: { hash: BinData(0, 3153BC58060F75DBC1FF2D90036481E9714DBFAA), keyId: 7298965743213740055 } }, $db: \"test\" }",
	"code" : 13,
	"codeName" : "Unauthorized",
...
MongoDB Enterprise mongos> db.adminCommand({connectionStatus: 1, showPrivileges: true})
{
	"authInfo" : {
		"authenticatedUsers" : [
			{
				"user" : "myuser",
				"db" : "admin"
			}
		],
		"authenticatedUserRoles" : [
			{
				"role" : "myrole",
				"db" : "admin"
			}
		],
		"authenticatedUserPrivileges" : [
			{
				"resource" : {
					"db" : "test",
					"collection" : ""
				},
				"actions" : [
					"listSearchIndexes"
				]
			}
		]
	},
	"ok" : 1,

is depended on by

COMPASS-7481 Investigate changes in SERVER-82929: $listSearchIndexes requires find privilege action rather than listSearchIndexes privilege action as it intended

Closed

is related to

SERVER-74863 Implement $listSearchIndexes aggregation stage

Closed

Assignee:: Gil Alon
Reporter:: Max Hirschhorn
Participants:: Gil Alon, Githook User, Max Hirschhorn
Votes:: 0 Vote for this issue
Watchers:: 6 Start watching this issue

Created:: Nov 08 2023 06:30:14 AM UTC
Updated:: Jan 11 2024 11:01:34 PM UTC
Resolved:: Nov 28 2023 02:38:51 PM UTC

Details

Description

Attachments

Issue Links

Activity

People

Dates