Uploaded image for project: 'Core Server'
  1. Core Server
  2. SERVER-83610

Consider reducing privileges required for $documents

    • Type: Icon: Task Task
    • Resolution: Fixed
    • Priority: Icon: Major - P3 Major - P3
    • 7.0.6, 6.0.14, 8.0.0-rc0, 7.3.0-rc2
    • Affects Version/s: None
    • Component/s: None
    • Labels:
    • Query Optimization
    • Fully Compatible
    • v7.3, v7.2, v7.0, v6.0, v5.0, v4.4
    • QO 2024-02-05

      Queries starting with $documents require DB-level permissions (or possibly just permissions on the namespace db.$cmd.aggregate used for collection-less queries – though I don't know if it's possible to create a privilege for this namespace). 

      For example, the simple query

      [{$documents: [{a: 1}, {a: 2}, {a: 3}]}].

      triggers auth errors for a user that does not have DB-level permissions; see HELP-52691.

      I believe this query and others containing $documents should not require these permissions. The issue seems to be that $documents is not marked as an "initial source", so we require privileges for its namespace to execute the query. I'm not sure why we decided this; it seems like an oversight to me especially because $documents requires no privileges itself

            hana.pearlman@mongodb.com Hana Pearlman
            hana.pearlman@mongodb.com Hana Pearlman
            0 Vote for this issue
            11 Start watching this issue