[SERVER-83610] Consider reducing privileges required for $documents Created: 27/Nov/23  Updated: 07/Feb/24  Resolved: 24/Jan/24

Status: Closed
Project: Core Server
Component/s: None
Affects Version/s: None
Fix Version/s: 7.0.6, 6.0.14, 8.0.0-rc0, 7.3.0-rc2

Type: Task Priority: Major - P3
Reporter: Hana Pearlman Assignee: Hana Pearlman
Resolution: Fixed Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Backports
Related
Assigned Teams:
Query Optimization
Backwards Compatibility: Fully Compatible
Backport Requested:
v7.3, v7.2, v7.0, v6.0, v5.0, v4.4
Sprint: QO 2024-02-05
Participants:

Description

Queries starting with $documents require DB-level permissions (or possibly just permissions on the namespace db.$cmd.aggregate used for collection-less queries – though I don't know if it's possible to create a privilege for this namespace). 

For example, the simple query

[{$documents: [{a: 1}, {a: 2}, {a: 3}]}]

triggers auth errors for a user that does not have DB-level permissions; see HELP-52691.

I believe this query and others containing $documents should not require these permissions. The issue seems to be that $documents is not marked as an "initial source", so we require privileges for its namespace to execute the query. I'm not sure why we decided this; it seems like an oversight to me, especially because $documents requires no privileges itself.
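The following is an added illustration, not MongoDB server code or anything from this ticket: a simplified model of the aggregate privilege check the description refers to, showing why a user with only a collection-level grant is rejected for a collection-less $documents pipeline until $documents is treated as an initial source. The stage-to-privilege rules, the "initial source" sets, and the grant format are constructed approximations.

```javascript
// Added example (not MongoDB project code): toy model of the privilege check
// described in SERVER-83610. Stage rules and grant format are assumptions.

// Stages that generate their own input. Before the fix, $documents was not in
// the set, so its target namespace was still checked (constructed sets).
const INITIAL_SOURCES_BEFORE_FIX = new Set([]);
const INITIAL_SOURCES_AFTER_FIX = new Set(['$documents']);

// Privileges a pipeline needs, per the ticket: the target namespace is read
// unless the first stage is an initial source, and a collection-less aggregate
// (db.aggregate(...)) targets the pseudo-namespace db.$cmd.aggregate.
function requiredPrivileges(db, coll, pipeline, initialSources) {
  const targetNs = coll === null ? `${db}.$cmd.aggregate` : `${db}.${coll}`;
  const privs = [];
  const firstStage = pipeline.length ? Object.keys(pipeline[0])[0] : null;
  if (!initialSources.has(firstStage)) privs.push({ ns: targetNs, action: 'find' });
  for (const stage of pipeline) {
    // Other document sources keep their own requirements: here only the toy
    // rule that $lookup reads its foreign collection.
    if (stage.$lookup) privs.push({ ns: `${db}.${stage.$lookup.from}`, action: 'find' });
  }
  return privs;
}

// A grant with collection '' covers every namespace in that database (the
// "DB-level permissions" the ticket mentions); otherwise the name must match.
function grantCovers(grant, ns) {
  const dot = ns.indexOf('.');
  const db = ns.slice(0, dot);
  const coll = ns.slice(dot + 1);
  return grant.db === db && (grant.collection === '' || grant.collection === coll);
}

function isAuthorized(grants, privs) {
  return privs.every(p => grants.some(g => g.action === p.action && grantCovers(g, p.ns)));
}

// Constructed user: may only read test.orders, no database-wide grant.
const RESTRICTED_USER = [{ db: 'test', collection: 'orders', action: 'find' }];
const DOCUMENTS_PIPELINE = [{ $documents: [{ a: 1 }, { a: 2 }, { a: 3 }] }];

// Would the restricted user be allowed to run a collection-less pipeline?
function canRunDocumentsPipeline(initialSources, pipeline = DOCUMENTS_PIPELINE) {
  return isAuthorized(RESTRICTED_USER, requiredPrivileges('test', null, pipeline, initialSources));
}

console.log('before fix:', canRunDocumentsPipeline(INITIAL_SOURCES_BEFORE_FIX)); // false
console.log('after fix: ', canRunDocumentsPipeline(INITIAL_SOURCES_AFTER_FIX));  // true
```

Adding a $lookup after $documents still requires find on the foreign collection after the fix, which is the behaviour the commit message describes for other document sources in the pipeline.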



Comments
Comment by Githook User [ 07/Feb/24 ]

Author:

{'name': 'HanaPearlman', 'email': 'hana.pearlman@mongodb.com', 'username': 'HanaPearlman'}

Message: SERVER-83610: Reduce required privileges for $documents by marking it… (#18701)

SERVER-83610(https://jira.mongodb.org/browse/SERVER-83610): Reduce
required privileges for $documents by marking it as an initial source

Aggregations starting with $documents do not read from a collection;
they produce the data specified in the $documents stage. So, these
queries should not require any particular namespace privileges aside
from those required by other document sources in the pipeline. This
change makes it so that $documents is marked as an "initial source" to
indicate that it does not require any particular namespace privileges.

GitOrigin-RevId: 926b63e24d0306b6a5089b6938e673dd55267d79
Branch: v7.0
https://github.com/mongodb/mongo/commit/59af5a499a78d5c6ffbda09dede40099e7bc05de

Comment by Githook User [ 06/Feb/24 ]

Author:

{'name': 'HanaPearlman', 'email': 'hana.pearlman@mongodb.com', 'username': 'HanaPearlman'}

Message: SERVER-83610: Reduce required privileges for $documents by marking it… (#18700)

SERVER-83610(https://jira.mongodb.org/browse/SERVER-83610): Reduce
required privileges for $documents by marking it as an initial source

Aggregations starting with $documents do not read from a collection;
they produce the data specified in the $documents stage. So, these
queries should not require any particular namespace privileges aside
from those required by other document sources in the pipeline. This
change makes it so that $documents is marked as an "initial source" to
indicate that it does not require any particular namespace privileges.

GitOrigin-RevId: 2ac64606f04171af6af13d09512ee3c68083dfc6
Branch: v6.0
https://github.com/mongodb/mongo/commit/0a9a5c0b730eb63673828a87e70e867ef07867f9

Comment by Githook User [ 05/Feb/24 ]

Author:

{'name': 'HanaPearlman', 'email': 'hana.pearlman@mongodb.com', 'username': 'HanaPearlman'}

Message: SERVER-83610: Reduce required privileges for $documents by marking it… (#18702)

SERVER-83610(https://jira.mongodb.org/browse/SERVER-83610): Reduce
required privileges for $documents by marking it as an initial source

Aggregations starting with $documents do not read from a collection;
they produce the data specified in the $documents stage. So, these
queries should not require any particular namespace privileges aside
from those required by other document sources in the pipeline. This
change makes it so that $documents is marked as an "initial source" to
indicate that it does not require any particular namespace privileges.

GitOrigin-RevId: fa0030e240db99549a3d57fc03e60065a6b31252
Branch: v7.3
https://github.com/mongodb/mongo/commit/fdc13a4114c5763745e3af86c15b5d575d0d2499

Comment by Hana Pearlman [ 24/Jan/24 ]

Requesting backports to all versions that have the $documents stage. It's unclear to me if this is something we want to backport, but the HELP ticket came from a customer on v6.0.

Comment by Githook User [ 24/Jan/24 ]

Author:

{'name': 'HanaPearlman', 'email': 'hana.pearlman@mongodb.com', 'username': 'HanaPearlman'}

Message: SERVER-83610: Reduce required privileges for $documents by marking it… (#18201)

SERVER-83610: Reduce required privileges for $documents by marking it as
an initial source

Aggregations starting with $documents do not read from a collection;
they produce the data specified in the $documents stage. So, these
queries should not require any particular namespace privileges aside
from those required by other document sources in the pipeline. This
change makes it so that $documents is marked as an "initial source" to
indicate that it does not require any particular namespace privileges.

GitOrigin-RevId: 3b2d1e8701a3c5a565f9f6488da980c386282866
Branch: master
https://github.com/mongodb/mongo/commit/ec69f8f3747a741c169632b85e36cbf5f2e4e5e1

Generated at Thu Feb 08 06:52:41 UTC 2024 using Jira 9.7.1#970001-sha1:2222b88b221c4928ef0de3161136cc90c8356a66.