[SERVER-25804] The listCollections command does not take the user's permissions into account Created: 24/Aug/16 Updated: 23/Apr/18 Resolved: 14/Mar/18 |
|
| Status: | Closed |
| Project: | Core Server |
| Component/s: | Security |
| Affects Version/s: | None |
| Fix Version/s: | None |
| Type: | Improvement | Priority: | Minor - P4 |
| Reporter: | Charles Sarrazin (Inactive) | Assignee: | Sara Golemon |
| Resolution: | Duplicate | Votes: | 0 |
| Labels: | None | ||
| Remaining Estimate: | Not Specified | ||
| Time Spent: | Not Specified | ||
| Original Estimate: | Not Specified | ||
| Issue Links: |
| Participants: | |
| Description |
|
Some use cases have a need for "views" per user, and need to be able to grant access only to certain collections in a single database. This can be achieved easily using user-defined roles, with the correct permissions. However, when configuring roles this way, users can still use the listCollections command, and list collections that they cannot read from. |
| Comments |
| Comment by Sara Golemon [ 14/Mar/18 ] |
|
This functionality is currently being implemented in Users with the listCollections privilege on the database will continue to be able to list collections on that database, whether they have find permissions or not. However, all users will be able to run {listCollections:1} on any database, and if they don't have the listCollections permission, then they will receive a list of all collections for which they have the find privilege. So for the use-case described in this ticket, I would suggest revoking the listCollections privilege from these users in 4.0 and allowing the implicit discoverability via find to make the relevant collections appear. |
| Comment by Andy Schwerin [ 29/Aug/16 ] |
|
I don't love commands whose behavior changes based on your assigned privileges. We will always need a listCollections that operates like the current one, for administrators who lack read privilege on collections they otherwise manage. If we are going to try something like this, we should do it like we did for curOp, where you pass a flag indicating the specific behavior. Even then, I don't know that it's fundamentally appropriate to be able to list collections just because you are authorized to find on them. |
| Comment by Spencer Brody (Inactive) [ 29/Aug/16 ] |
|
I wonder if what we should do is have listDatabases and listCollections always show dbs/collections a user has explicit privileges on, i.e. any collections/dbs that the user could discover by running usersInfo with showPrivileges:true on themselves. So if a user has explicitly been granted 'find' on foo.bar, but doesn't have the listCollections privilege, they would see foo.bar when they ran listCollections. But if the user had 'find' on the 'foo' database (and thus implicitly on every collection under it) but didn't have listCollections, they wouldn't be able to see any collections in listCollections output. |
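
Added example (not from the ticket or from MongoDB's code): a small JavaScript model comparing the listing rule described in the 14/Mar/18 comment with the explicit-privileges rule proposed in the 29/Aug/16 comment. The database `foo`, its collections, the user names and every function name are constructed for illustration; it assumes that under the proposal the listCollections privilege still lists everything.

```javascript
// Added model, not MongoDB source. Privileges use the
// { resource: { db, collection }, actions: [...] } shape; an empty
// collection string means "every collection in the database".
function grants(privileges, db, collection, action) {
  return privileges.some(p =>
    p.resource.db === db &&
    (p.resource.collection === "" || p.resource.collection === collection) &&
    p.actions.includes(action));
}

// True when listCollections is granted on the database resource itself.
function canListAll(privileges, db) {
  return privileges.some(p =>
    p.resource.db === db && p.resource.collection === "" &&
    p.actions.includes("listCollections"));
}

// Rule from the 14/Mar/18 comment: the listCollections privilege lists
// everything; otherwise only collections the user can find on are returned.
function listAsDescribed(privileges, db, collections) {
  if (canListAll(privileges, db)) return [...collections];
  return collections.filter(c => grants(privileges, db, c, "find"));
}

// Rule from the 29/Aug/16 proposal: without listCollections, only collections
// named explicitly in a privilege are shown; database-wide grants reveal none.
function listExplicitOnly(privileges, db, collections) {
  if (canListAll(privileges, db)) return [...collections];
  return collections.filter(c =>
    privileges.some(p => p.resource.db === db && p.resource.collection === c));
}

// Constructed sample data: one database "foo" and four hypothetical users.
const COLLECTIONS = ["bar", "baz", "secret"];
const onFoo = (collection, actions) => ({ resource: { db: "foo", collection }, actions });
const USERS = {
  tenant: [onFoo("bar", ["find"])],
  tenantWithList: [onFoo("bar", ["find"]), onFoo("", ["listCollections"])],
  dbReader: [onFoo("", ["find"])],
  manager: [onFoo("", ["listCollections"])], // can list, cannot read
};

for (const [name, privs] of Object.entries(USERS)) {
  console.log(name,
    "| described:", listAsDescribed(privs, "foo", COLLECTIONS).join(","),
    "| explicit-only:", listExplicitOnly(privs, "foo", COLLECTIONS).join(","));
}
```

The `tenantWithList` row is the situation the ticket reports, and the `tenant` row is the same user after the listCollections privilege is revoked as the 14/Mar/18 comment suggests.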