[SERVER-82929] $listSearchIndexes requires find privilege action rather than listSearchIndexes privilege action as it intended Created: 08/Nov/23  Updated: 11/Jan/24  Resolved: 28/Nov/23

Status: Closed
Project: Core Server
Component/s: Aggregation Framework
Affects Version/s: 7.0.0, 6.0.7, 7.2.0-rc0, 7.1.0
Fix Version/s: 7.2.1, 7.3.0-rc0, 7.0.6, 6.0.14

Type: Bug Priority: Major - P3
Reporter: Max Hirschhorn Assignee: Gil Alon
Resolution: Fixed Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Backports
Depends
is depended on by COMPASS-7481 Investigate changes in SERVER-82929: ... Closed
Related
is related to SERVER-74863 Implement $listSearchIndexes aggregat... Closed
Assigned Teams:
Query Integration
Backwards Compatibility: Fully Compatible
Operating System: ALL
Backport Requested:
v7.2, v7.0, v6.0
Sprint: QI 2023-11-27, QI 2023-12-11
Participants:

 Description   

The $listSearchIndexes aggregation stage is registered by calling the DocumentSourceListSearchIndexes::LiteParsed::parse() static function. And the DocumentSourceListSearchIndexes::LiteParsed::parse() symbol resolves to the LiteParsedSearchStage::parse() base class static function. This leads to an instance of LiteParsedSearchStage being constructed rather than an instead of DocumentSourceListSearchIndexes::LiteParsed and therefore LiteParsedSearchStage::requiredPrivileges() being used for the authorization check rather than DocumentSourceListSearchIndexes::LiteParsed::requiredPrivileges() as intended.

MongoDB Enterprise mongos> db.mycoll.aggregate([{$listSearchIndexes: {}}])
uncaught exception: Error: command failed: {
	"ok" : 0,
	"errmsg" : "not authorized on test to execute command { aggregate: \"mycoll\", pipeline: [ { $listSearchIndexes: {} } ], cursor: {}, lsid: { id: UUID(\"705553ff-a177-460e-8c38-5af98d738314\") }, $clusterTime: { clusterTime: Timestamp(1699423295, 1), signature: { hash: BinData(0, 3153BC58060F75DBC1FF2D90036481E9714DBFAA), keyId: 7298965743213740055 } }, $db: \"test\" }",
	"code" : 13,
	"codeName" : "Unauthorized",
...
MongoDB Enterprise mongos> db.adminCommand({connectionStatus: 1, showPrivileges: true})
{
	"authInfo" : {
		"authenticatedUsers" : [
			{
				"user" : "myuser",
				"db" : "admin"
			}
		],
		"authenticatedUserRoles" : [
			{
				"role" : "myrole",
				"db" : "admin"
			}
		],
		"authenticatedUserPrivileges" : [
			{
				"resource" : {
					"db" : "test",
					"collection" : ""
				},
				"actions" : [
					"listSearchIndexes"
				]
			}
		]
	},
	"ok" : 1,



 Comments   
Comment by Githook User [ 10/Jan/24 ]

Author:

{'name': 'Gil Alon', 'email': 'gil.alon@mongodb.com', 'username': 'galon1'}

Message: SERVER-82929 Add parse function and testing infrastructure for listSearchIndexes privilege action

GitOrigin-RevId: 5684f1496f97dfdd25b9b15faddedf64da4ac2ab
Branch: v6.0
https://github.com/mongodb/mongo/commit/413c9ef203e4aa9ddccf17fe36e45857afc23cc0

Comment by Githook User [ 05/Jan/24 ]

Author:

{'name': 'Gil Alon', 'email': 'gil.alon@mongodb.com', 'username': 'galon1'}

Message: SERVER-82929 Add parse function and testing infrastructure for listSearchIndexes privilege action

(cherry picked from commit 240d84a4693e0fddb33e115d715e235e97657f80)
(cherry picked from commit a5a233d288a4430dbaf41411254d428f9b63bbb7)

GitOrigin-RevId: 5d33778dfdb043a6e24aa7a9250a17d0b24729c5
Branch: v7.0
https://github.com/mongodb/mongo/commit/f86bfba013181cc1e925a67b4fd61c8c73dd3729

Comment by Githook User [ 04/Jan/24 ]

Author:

{'name': 'Gil Alon', 'email': 'gil.alon@mongodb.com', 'username': 'galon1'}

Message: SERVER-82929 Add parse function and testing infrastructure for listSearchIndexes privilege action

(cherry picked from commit 240d84a4693e0fddb33e115d715e235e97657f80)
Branch: v7.2
https://github.com/mongodb/mongo/commit/a5a233d288a4430dbaf41411254d428f9b63bbb7

Comment by Githook User [ 27/Nov/23 ]

Author:

{'name': 'Gil Alon', 'email': 'gil.alon@mongodb.com', 'username': 'galon1'}

Message: SERVER-82929 Add parse function and testing infrastructure for listSearchIndexes privilege action
Branch: master
https://github.com/mongodb/mongo/commit/240d84a4693e0fddb33e115d715e235e97657f80

Comment by Max Hirschhorn [ 08/Nov/23 ]

This bug was found by inspection while I was reading through DocumentSourceListSearchIndexes and attempting to understand how it could be possible for mongos to not be incrementing its aggStageCounters for the $listSearchIndexes aggregation stage (SERVER-82928).

Generated at Thu Feb 08 06:50:45 UTC 2024 using Jira 9.7.1#970001-sha1:2222b88b221c4928ef0de3161136cc90c8356a66.