[SERVER-54194] "not authorized" message should include the required permissions Created: 02/Feb/21  Updated: 27/Oct/23  Resolved: 10/Feb/21

Status: Closed
Project: Core Server
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor - P4
Reporter: Oleg Pudeyev (Inactive) Assignee: Backlog - Security Team
Resolution: Works as Designed Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Assigned Teams:
Server Security

Description

When I send a command and the server declines to execute the command due to lack of authorization, the message returned does not indicate which permission would be needed to successfully execute the command:

MongoDB Enterprise atlas-3nacfp-shard-0:PRIMARY> db.runCommand({killAllSessions:[]})
{
	"operationTime" : Timestamp(1612230806, 1),
	"ok" : 0,
	"errmsg" : "not authorized on admin to execute command { killAllSessions: [], lsid: { id: UUID(\"7e3c8ab4-5efc-4cea-87e9-e8fb2bc8ca7a\") }, $clusterTime: { clusterTime: Timestamp(1612230396, 7), signature: { hash: BinData(0, 6A2403788B038B67B098C0E46580262E85ACACE3), keyId: 6924358218915250179 } }, $db: \"admin\" }",
	"code" : 13,
	"codeName" : "Unauthorized",
	"$clusterTime" : {
		"clusterTime" : Timestamp(1612230806, 1),
		"signature" : {
			"hash" : BinData(0,"/Dx7mWGPRwwAmQvNdP2BG4jG8y0="),
			"keyId" : NumberLong("6924358218915250179")
		}
	}
}

To fix this, I need to read the documentation for the command in question, which hopefully states the required permission. Some commands state the permissions, and some don't. For example:

As a user of the server, if a command fails due to lack of authorization, I would like the server to tell me which permissions are required (list all that would be acceptable, if more than one is acceptable), so that I can immediately start rectifying the permission problem rather than spending sometimes a long time figuring out what permissions are needed to begin with.
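Since the issue was closed as Works as Designed, the server will keep answering with only "Unauthorized" (code 13), so the client side has to work out the missing privilege itself. The following is an added example, not code from the Jira issue or from MongoDB: it shows how to compare a command's documented privilege requirement against what the current session actually holds, using the shape of the connectionStatus output (the MongoDB docs list killAnySession on the cluster resource as the requirement for killAllSessions; check the docs for your server version before extending the table). The connectionStatus document is a constructed sample so the code runs offline; in a live shell you would fetch it with db.runCommand({ connectionStatus: 1, showPrivileges: true }). The role name sessionKiller and the user appuser are assumptions.

```javascript
// Added example (not part of the Jira issue or MongoDB's own code): given that
// the server only says "Unauthorized", work out which privilege action a
// command needs and which of those the session lacks.
//
// In a real mongo shell the document below comes from:
//   db.runCommand({ connectionStatus: 1, showPrivileges: true })
// Here it is a constructed sample (assumed user "appuser") so the code runs offline.
const sampleConnectionStatus = {
  authInfo: {
    authenticatedUsers: [{ user: "appuser", db: "admin" }],
    authenticatedUserRoles: [{ role: "readWrite", db: "app" }],
    authenticatedUserPrivileges: [
      { resource: { db: "app", collection: "" }, actions: ["find", "insert", "update", "remove"] },
      { resource: { cluster: true }, actions: ["listSessions"] },
    ],
  },
  ok: 1,
};

// Assumed mapping from command name to the privilege it needs. The MongoDB
// docs list killAnySession on the cluster resource for killAllSessions; add
// further commands only after checking their documentation.
const requiredPrivileges = {
  killAllSessions: { resource: { cluster: true }, actions: ["killAnySession"] },
};

// True when a granted resource covers a required one: anyResource covers
// everything, cluster must match exactly, and in db/collection resources an
// empty string is a wildcard.
function resourceCovers(granted, required) {
  if (granted.anyResource) return true;
  if (required.cluster) return granted.cluster === true;
  if (granted.cluster) return false;
  const dbOk = granted.db === "" || granted.db === required.db;
  const collOk = granted.collection === "" || granted.collection === required.collection;
  return dbOk && collOk;
}

// Returns the actions the authenticated user lacks for `command`.
function missingActions(connStatus, command) {
  const req = requiredPrivileges[command];
  if (!req) throw new Error(`no privilege entry for ${command}`);
  const granted = connStatus.authInfo.authenticatedUserPrivileges;
  return req.actions.filter(action =>
    !granted.some(p => resourceCovers(p.resource, req.resource) && p.actions.includes(action)));
}

// Builds a createRole command that grants exactly the missing actions on the
// required resource, so the fix stays least-privilege instead of handing out a
// broad built-in role. Returns null when nothing is missing.
function createRoleCommand(roleName, connStatus, command) {
  const missing = missingActions(connStatus, command);
  if (missing.length === 0) return null;
  return {
    createRole: roleName,
    privileges: [{ resource: requiredPrivileges[command].resource, actions: missing }],
    roles: [],
  };
}

console.log(missingActions(sampleConnectionStatus, "killAllSessions"));
console.log(JSON.stringify(createRoleCommand("sessionKiller", sampleConnectionStatus, "killAllSessions")));
```

The returned createRole document is what you would run against the admin database (db.getSiblingDB("admin").runCommand(...)) and then grant to the user with grantRolesToUser; keeping the role limited to the one missing action is the point of diffing rather than guessing a built-in role.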


Generated at Thu Feb 08 05:32:54 UTC 2024 using Jira 9.7.1#970001-sha1:2222b88b221c4928ef0de3161136cc90c8356a66.