[COMPASS-7481] Investigate changes in SERVER-82929: $listSearchIndexes requires find privilege action rather than listSearchIndexes privilege action as it intended
Created: 28/Nov/23  Updated: 11/Jan/24  Resolved: 29/Nov/23

Status: Closed
Project: Compass
Component/s: None
Affects Version/s: None
Fix Version/s: No version

Type: Investigation
Priority: Major - P3
Reporter: Backlog - Core Eng Program Management Team
Assignee: Unassigned
Resolution: Done
Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Depends
depends on SERVER-82929 $listSearchIndexes requires find priv... Closed
Epic Link: COMPASS-7048
Documentation Changes: Not Needed
Documentation Changes Summary:

No action required in the DevTools products.


 Description   
Original Downstream Change Summary

There was a bug with the permissions required to run listSearchIndexes. As intended, after this change, users need to either have a 'read' role, be an admin, or have the listSearchIndexes privilege to run the listSearchIndexes stage.

Description of Linked Ticket

The $listSearchIndexes aggregation stage is registered by calling the DocumentSourceListSearchIndexes::LiteParsed::parse() static function. And the DocumentSourceListSearchIndexes::LiteParsed::parse() symbol resolves to the LiteParsedSearchStage::parse() base class static function. This leads to an instance of LiteParsedSearchStage being constructed rather than an instance of DocumentSourceListSearchIndexes::LiteParsed and therefore LiteParsedSearchStage::requiredPrivileges() being used for the authorization check rather than DocumentSourceListSearchIndexes::LiteParsed::requiredPrivileges() as intended.

MongoDB Enterprise mongos> db.mycoll.aggregate([{$listSearchIndexes: {}}])
uncaught exception: Error: command failed: {
	"ok" : 0,
	"errmsg" : "not authorized on test to execute command { aggregate: \"mycoll\", pipeline: [ { $listSearchIndexes: {} } ], cursor: {}, lsid: { id: UUID(\"705553ff-a177-460e-8c38-5af98d738314\") }, $clusterTime: { clusterTime: Timestamp(1699423295, 1), signature: { hash: BinData(0, 3153BC58060F75DBC1FF2D90036481E9714DBFAA), keyId: 7298965743213740055 } }, $db: \"test\" }",
	"code" : 13,
	"codeName" : "Unauthorized",
...
MongoDB Enterprise mongos> db.adminCommand({connectionStatus: 1, showPrivileges: true})
{
	"authInfo" : {
		"authenticatedUsers" : [
			{
				"user" : "myuser",
				"db" : "admin"
			}
		],
		"authenticatedUserRoles" : [
			{
				"role" : "myrole",
				"db" : "admin"
			}
		],
		"authenticatedUserPrivileges" : [
			{
				"resource" : {
					"db" : "test",
					"collection" : ""
				},
				"actions" : [
					"listSearchIndexes"
				]
			}
		]
	},
	"ok" : 1,
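
The name-resolution problem described in the linked ticket, as an added sketch that is not MongoDB source code. Only the names LiteParsedSearchStage, parse() and requiredPrivileges() come from the ticket; the class layout, the Actions type, BuggyListSearchIndexes, FixedListSearchIndexes, authorized() and parsesToOwnType() are hypothetical, and declaring a derived parse() is one assumed way to remove the mismatch.

```cpp
#include <memory>
#include <set>
#include <string>

using Actions = std::set<std::string>;

// Simplified stand-in for the base class named in the ticket.
struct LiteParsedSearchStage {
    virtual ~LiteParsedSearchStage() = default;
    // Per the ticket title, the check that actually ran demanded "find".
    virtual Actions requiredPrivileges() const { return {"find"}; }
    static std::unique_ptr<LiteParsedSearchStage> parse() {
        return std::make_unique<LiteParsedSearchStage>();  // always the base type
    }
};

// Buggy shape: overrides requiredPrivileges() but inherits the static parse().
struct BuggyListSearchIndexes : LiteParsedSearchStage {
    Actions requiredPrivileges() const override { return {"listSearchIndexes"}; }
};

// Fixed shape (assumed): its own parse() constructs the derived type.
struct FixedListSearchIndexes : LiteParsedSearchStage {
    Actions requiredPrivileges() const override { return {"listSearchIndexes"}; }
    static std::unique_ptr<LiteParsedSearchStage> parse() {
        return std::make_unique<FixedListSearchIndexes>();
    }
};

// Hypothetical authorization check: every required action must be granted.
template <typename Stage>
bool authorized(const Actions& granted) {
    auto stage = Stage::parse();  // Buggy...::parse() resolves to the base's parse()
    for (const auto& action : stage->requiredPrivileges())
        if (granted.count(action) == 0) return false;
    return true;
}

// Registration-time guard: does Stage::parse() really build a Stage?
template <typename Stage>
bool parsesToOwnType() {
    auto stage = Stage::parse();
    return dynamic_cast<const Stage*>(stage.get()) != nullptr;
}

int main() {
    const Actions user = {"listSearchIndexes"};  // privilege shown in the ticket
    return (!authorized<BuggyListSearchIndexes>(user) && authorized<FixedListSearchIndexes>(user)) ? 0 : 1;
}
```

A guard like parsesToOwnType() in a unit test catches this class of mistake at build time, before an override of requiredPrivileges() is silently bypassed.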



 Comments   
Comment by PM Bot [ 11/Jan/24 ]

Fix Version updated for upstream SERVER-82929:
7.2.1, 7.3.0-rc0, 7.0.6, 6.0.14

Comment by PM Bot [ 10/Jan/24 ]

Fix Version updated for upstream SERVER-82929:
7.2.1, 7.3.0-rc0, 6.0.13, 7.0.6

Comment by PM Bot [ 05/Jan/24 ]

Fix Version updated for upstream SERVER-82929:
7.2.1, 7.3.0-rc0, 7.0.6

Comment by PM Bot [ 04/Jan/24 ]

Fix Version updated for upstream SERVER-82929:
7.2.1, 7.3.0-rc0

Generated at Wed Feb 07 22:46:41 UTC 2024 using Jira 9.7.1#970001-sha1:2222b88b221c4928ef0de3161136cc90c8356a66.