[DOCS-9463] Docs for SERVER-26734: indexStats action is not sufficient privileges for $indexStats operator
Created: 02/Dec/16  Updated: 16/Oct/21  Resolved: 24/Jan/17

Status: Closed
Project: Documentation
Component/s: None
Affects Version/s: None
Fix Version/s: 3.2.13, 3.4.2, 3.5.2

Type: Task
Priority: Major - P3
Reporter: Emily Hall
Assignee: Allison Reinheimer Moore
Resolution: Won't Fix
Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Documented
documents SERVER-26734 indexStats action is not sufficient p... Closed
Participants:
Days since reply: 7 years, 10 weeks, 5 days ago

Description

Engineering Ticket Description:

Per the $indexStats documentation (https://docs.mongodb.com/manual/reference/operator/aggregation/indexStats/): "If running with access control, the user must have privileges that include indexStats action."

A database user with "dbOwner" database privileges is able to grant themselves privileges which include the "indexStats" action in their respective database. These privileges do not allow the user to use the $indexStats aggregation operator.

// connected with "test_user" to "roles" db
db.getUser("test_user")
 
// User is a dbOwner in the "roles" database:
// {
// 	"_id" : "roles.test_user",
// 	"user" : "test_user",
// 	"db" : "roles",
// 	"roles" : [
// 		{
// 			"role" : "dbOwner",
// 			"db" : "roles"
// 		}
// 	]
// }
 
// Create role granting indexStats action
db.runCommand({ createRole: "index_stats_role",
  privileges: [
    { resource: { "db": "roles", "collection" : "" }, actions: [  "indexStats" ] },
  ],
  "roles" : []
})
 
// Grant role to user 
db.grantRolesToUser( "test_user", [ { "role" : "index_stats_role", "db" : "roles" } ])
 
db.getUser("test_user")
// User now has the role with the "indexStats" action:
// {
// 	"_id" : "roles.test_user",
// 	"user" : "test_user",
// 	"db" : "roles",
// 	"roles" : [
// 		{
// 			"role" : "index_stats_role",
// 			"db" : "roles"
// 		},
// 		{
// 			"role" : "dbOwner",
// 			"db" : "roles"
// 		}
// 	]
// }
 
// Exit and reconnect
 
// Try to execute $indexStats operator 
db.names.aggregate([ { "$indexStats" : { } } ] )
 
// Error: 
// 
// assert: command failed: {
// 	"ok" : 0,
// 	"errmsg" : "not authorized on test to execute command { aggregate: \"names\", pipeline: [ { $indexStats: {} } ], cursor: {} }",
// 	"code" : 13
// } : aggregate failed
// Error: command failed: {
// 	"ok" : 0,
// 	"errmsg" : "not authorized on test to execute command { aggregate: \"names\", pipeline: [ { $indexStats: {} } ], cursor: {} }",
// 	"code" : 13
// } : aggregate failed
//     at Error (<anonymous>)
//     at doassert (src/mongo/shell/assert.js:11:14)
//     at Function.assert.commandWorked (src/mongo/shell/assert.js:254:5)
//     at DBCollection.aggregate (src/mongo/shell/collection.js:1278:12)
//     at (shell):1:10
// 2016-10-18T16:33:56.028-0700 E QUERY    Error: command failed: {
// 	"ok" : 0,
// 	"errmsg" : "not authorized on test to execute command { aggregate: \"names\", pipeline: [ { $indexStats: {} } ], cursor: {} }",
// 	"code" : 13
// } : aggregate failed
//     at Error (<anonymous>)
//     at doassert (src/mongo/shell/assert.js:11:14)
//     at Function.assert.commandWorked (src/mongo/shell/assert.js:254:5)
//     at DBCollection.aggregate (src/mongo/shell/collection.js:1278:12)
//     at (shell):1:10 at src/mongo/shell/assert.js:13

However, a database user with the built-in "clusterMonitor" role is able to use the operator, as it has the "indexStats" action (https://docs.mongodb.com/v3.2/reference/built-in-roles/#clusterMonitor).

Can the "indexStats" action be assigned by itself, or must it be coupled with other actions? Ideally, I would like to be able to assign this privilege without offering all the permissions provided in the clusterMonitor role.

