[DOCS-9815] users with permission to run find on a db can't run listCollections on that db Created: 24/Jan/17  Updated: 30/Oct/23

Status: Closed
Project: Documentation
Component/s: Server
Affects Version/s: None
Fix Version/s: Server_Docs_20231030

Type: Improvement Priority: Major - P3
Reporter: Samantha Ritter (Inactive) Assignee: Ravind Kumar (Inactive)
Resolution: Won't Do Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Participants:
Days since reply: 1 year, 14 weeks, 2 days ago
Story Points: 0.2

 Description   

In our documentation, we say that the find actionType grants you permission to run listCollections.

Say we create a custom role that grants the find actionType on some database:

> db.runCommand({
     createRole: "findRole",
     privileges: [ { resource: { db: "test", collection: "" }, actions: [ "find" ] } ],
     roles: []
})

A user with the "findRole" role will not be able to run listCollections. This is subtle. It's because specifying an empty string as the collection for a resource excludes system collections, and we require permissions on system.namespaces to run listCollections.

While nothing in our documentation is strictly wrong, it is certainly misleading.
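
Added example, not part of the original ticket and not MongoDB server code: the following JavaScript models, in simplified form, the resource matching described above, and flags roles that grant a database-wide find but would still be denied listCollections. The function names are hypothetical, and the model assumes the check is for find on system.namespaces in the same database as the one being listed.

```javascript
// Simplified model of privilege resource matching (added example, not MongoDB code).
function isSystemCollection(name) {
  return name.startsWith("system.");
}

// An empty string is a wildcard for db or collection, but a wildcard
// collection never matches system collections.
function resourceMatches(resource, db, collection) {
  if (resource.db !== "" && resource.db !== db) return false;
  if (resource.collection === "") return !isSystemCollection(collection);
  return resource.collection === collection;
}

function isAuthorized(privileges, action, db, collection) {
  return privileges.some(
    (p) => p.actions.includes(action) && resourceMatches(p.resource, db, collection)
  );
}

// Assumption: listCollections on `db` needs find on <db>.system.namespaces.
function canListCollections(privileges, db) {
  return isAuthorized(privileges, "find", db, "system.namespaces");
}

// Hypothetical audit helper: databases where a db-wide find grant exists
// but listCollections would still be denied.
function findListCollectionsGaps(privileges) {
  const dbs = privileges
    .filter((p) => p.actions.includes("find") && p.resource.db !== "" && p.resource.collection === "")
    .map((p) => p.resource.db);
  return [...new Set(dbs)].filter((db) => !canListCollections(privileges, db));
}

// Constructed sample: the ticket's role, then the same role with an explicit grant.
const findRole = [{ resource: { db: "test", collection: "" }, actions: ["find"] }];
const fixedRole = [
  ...findRole,
  { resource: { db: "test", collection: "system.namespaces" }, actions: ["find"] },
];

console.log(canListCollections(findRole, "test"));  // false
console.log(canListCollections(fixedRole, "test")); // true
console.log(findListCollectionsGaps(findRole));     // [ 'test' ]
```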



 Comments   
Comment by Education Bot [ 31/Oct/22 ]

Hello! This ticket has been closed due to inactivity. If you believe this ticket is still important, please reopen it and leave a comment to explain why. Thank you!

Comment by Ravind Kumar (Inactive) [ 24/Jan/17 ]

ToDo:

Add a note that, if the user sets the database as the resource document for find, the user must also specify find on db: admin, collection: system.namespaces to use listCollections.
