[DOCS-11718] Docs for SERVER-32942: mongo shell: for users authorized to certain namespace, make discovery easy Created: 17/May/18  Updated: 29/Oct/23  Resolved: 16/Jun/18

Status: Closed
Project: Documentation
Component/s: None
Affects Version/s: None
Fix Version/s: 4.0.0-rc0

Type: Task Priority: Major - P3
Reporter: Kay Kim (Inactive) Assignee: Kay Kim (Inactive)
Resolution: Fixed Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Documented
documents SERVER-32942 mongo shell: for users authorized to ... Closed
Related
is related to DOCS-11593 Docs for SERVER-34244: listCollection... Closed
Participants:
Days since reply: 5 years, 34 weeks, 2 days ago
Epic Link: DOCS: 4.0 Server

 Description   

Description:

  • New option "authorizedCollections" to listCollections command.
    • If it is set to true, and "nameOnly" is true, the command will return all collections the user is authorized for, if and only if they exist in the database. A user is "authorized for" a collection if they possess a privilege which applies to the collection, i.e., if the user has been assigned a custom role which grants them the 'find' action type on the collection, OR if they have been granted a privilege on the database itself. System collections are never returned in this mode.
    • Users with database-level privileges may now infer the existence of collection names.
  • Make 'show collections' in the shell pass 'authorizedCollections: true'. For new MongoDB servers, this will cause the shell to be able to obtain the new behavior if they are not authenticated as a user with the listCollections privilege.
  • If the 4.0 shell obtains an Unauthorized error, which it would if it ran the listCollections command against an older version of the server which didn't respect authorizedCollections, it will attempt to parse out the set of collections it has been granted privileges on from the output of connectionStatus.

Scope of changes:

  • listCollections command
  • db.getCollectionInfos() and db.getCollectionNames() method
  • listCollections action
  • mongo shell
  • privilege actions
  • 4.0
  • 4.0-compatibility

Note: in various places where we get people started with show collections, we don't mention any privileges, as these are more in the getting started mode, e.g., use show collections to see the collections in the db.

Impact to other docs outside of this product:

MVP:

Resources:

Engineering Ticket Description:

For users that connect to an authentication-enabled database that are authorized to only certain namespaces, the mongo shell should look up the namespaces the user is authorized to (for example by using the connectionStatus command) and then, if they exist, show those namespaces to the user in shell helpers like "show dbs" or "show collections".

I suspect the fact that this is not baked into the shell's DNA today is a holdover from the fact that the shell was originally built when mongodb did not use auth by default...

We should first investigate implementing showCollections properly in the server and backporting it all the way to 3.2. If this doesn't work, we should modify the shell helpers to appear to have the correct behavior.
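
The lookup order described in the Description above (listCollections with authorizedCollections first, connectionStatus on an Unauthorized error), written out as an added example; it is not the shell's own source. The helper names, the stub and its data are constructed for illustration, and skipping system.* names in the fallback is an assumption made to mirror the server-side behavior described above.

```javascript
// Added example, not shell source. `db` is any object with runCommand(), such as the shell's db handle.
const UNAUTHORIZED = 13; // server error code for Unauthorized

function authorizedCollectionNames(db, dbName) {
  const res = db.runCommand({ listCollections: 1, nameOnly: true, authorizedCollections: true });
  if (res.ok) {
    // Server honours the option: existing, non-system collections the user has a privilege on.
    return { source: "listCollections", names: res.cursor.firstBatch.map((c) => c.name).sort() };
  }
  if (res.code !== UNAUTHORIZED) throw new Error("listCollections failed: " + res.errmsg);
  // Older server: fall back to the privileges reported for the current connection.
  const status = db.runCommand({ connectionStatus: 1, showPrivileges: true });
  const names = new Set();
  for (const p of status.authInfo.authenticatedUserPrivileges) {
    const r = p.resource;
    // Keep collection-scoped resources in this database; db-wide ("") and cluster resources name no collection.
    if (r.db === dbName && r.collection && !r.collection.startsWith("system.")) names.add(r.collection);
  }
  // These names come from grants only; existence is not checked here.
  return { source: "connectionStatus", names: [...names].sort() };
}

// Constructed stub standing in for a server; all data below is made up for the example.
function makeStub(honoursOption) {
  return {
    runCommand(cmd) {
      if ("listCollections" in cmd) {
        return honoursOption
          ? { ok: 1, cursor: { id: 0, ns: "sales.$cmd.listCollections", firstBatch: [{ name: "orders", type: "collection" }] } }
          : { ok: 0, code: UNAUTHORIZED, errmsg: "not authorized on sales to execute command" };
      }
      return { ok: 1, authInfo: { authenticatedUserPrivileges: [
        { resource: { db: "sales", collection: "orders" }, actions: ["find"] },
        { resource: { db: "sales", collection: "invoices" }, actions: ["find"] }, // granted, never created
        { resource: { db: "hr", collection: "payroll" }, actions: ["find"] },
        { resource: { db: "sales", collection: "system.views" }, actions: ["find"] },
      ] } };
    },
  };
}

console.log(authorizedCollectionNames(makeStub(true), "sales"));
console.log(authorizedCollectionNames(makeStub(false), "sales"));
```

With the stub, the server path lists only the collection that exists, while the fallback also lists a granted name that was never created, so fallback output reflects grants rather than existence.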



 Comments   
Comment by Githook User [ 18/Jun/18 ]

Author:

{'username': 'kay-kim', 'name': 'kay', 'email': 'kay.kim@10gen.com'}

Message: DOCS-11718: tweak example sentence for authorizedCollections
Branch: master
https://github.com/mongodb/docs/commit/d823efb11b1615ca488fa9310f604ddf66393e6c

Comment by Githook User [ 16/Jun/18 ]

Author:

{'username': 'kay-kim', 'name': 'kay', 'email': 'kay.kim@10gen.com'}

Message: DOCS-11718: listCollections and authorizedCollections option
Branch: master
https://github.com/mongodb/docs/commit/730009b341bd9c57ca6637509399cef319c3beb5

Generated at Thu Feb 08 08:03:29 UTC 2024 using Jira 9.7.1#970001-sha1:2222b88b221c4928ef0de3161136cc90c8356a66.