[SERVER-25804] The listCollections command does not take the user's permissions into account Created: 24/Aug/16  Updated: 23/Apr/18  Resolved: 14/Mar/18

Status: Closed
Project: Core Server
Component/s: Security
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor - P4
Reporter: Charles Sarrazin (Inactive) Assignee: Sara Golemon
Resolution: Duplicate Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Duplicate
duplicates SERVER-32942 mongo shell: for users authorized to ... Closed
is duplicated by SERVER-25655 mongodb permission issues Closed
Related
is related to SERVER-33148 add db.collection.getInfo() collectio... Backlog
Participants:

 Description   

Some use cases have a need for "views" per user, and need to be able to grant access only to certain collections in a single database. This can be achieved easily using user-defined roles, with the correct permissions.

However, when configuring roles this way, users can still use the listCollections command, and list collections that they cannot read from.



 Comments   
Comment by Sara Golemon [ 14/Mar/18 ]

This functionality is currently being implemented in SERVER-32942 with the following caveats:

Users with the listCollections privilege on the database will continue to be able to list collections on that database, whether they have find permissions or not. However, all users will be able to run

{listCollections:1}

on any database, and if they don't have the listCollections permission, then they will receive a list of all collections for which they have the find privilege.

So for the use-case described in this ticket, I would suggest revoking the listCollection privilege from these users in 4.0 and allowing the implicit discoverability via find to make the relevant collections appear.

Comment by Andy Schwerin [ 29/Aug/16 ]

I don't love commands whose behavior changes based on your assigned privileges. We will always need a listCollections that operates like the current one, for administrators who lack read privilege on collections they otherwise manage.

If we are going to try something like this, we should do it like wr did for curOp, where you pass a flag indicating the specific behavior. Even then, I don't know that it's fundamentally appropriate to be able to list collections just because you are authorized to find on them.

Comment by Spencer Brody (Inactive) [ 29/Aug/16 ]

I wonder if what we should do is have listDatabases and listCollections always show dbs/collections a user has explicit privileges on. ie any collections/dbs that the user could discover by running usersInfo with showPrivileges:true on themselves. So if a user has explicitly been granted 'find' on foo.bar, but doesn't have the listCollections privilege, they would see foo.bar when they ran listCollections. But if the user had 'find' on the 'foo' database (and thus every implicitly on every collection under it) but didn't have listCollections, they wouldn't be able to see any collections in listCollections output.

Generated at Thu Feb 08 04:10:16 UTC 2024 using Jira 9.7.1#970001-sha1:2222b88b221c4928ef0de3161136cc90c8356a66.