<!-- 
RSS generated by JIRA (9.7.1#970001-sha1:2222b88b221c4928ef0de3161136cc90c8356a66) at Thu Feb 08 03:13:03 UTC 2024

It is possible to restrict the fields that are returned in this document by specifying the 'field' parameter in your request.
For example, to request only the issue key and summary append 'field=key&field=summary' to the URL of your request.
-->
<rss version="0.92" >
<channel>
    <title>MongoDB Jira</title>
    <link>https://jira.mongodb.org</link>
    <description>This file is an XML representation of an issue</description>
    <language>en-us</language>
    <build-info>
        <version>9.7.1</version>
        <build-number>970001</build-number>
        <build-date>13-04-2023</build-date>
    </build-info>


<item>
            <title>[SERVER-6898] Allow all authenticated users to run listDatabases </title>
                <link>https://jira.mongodb.org/browse/SERVER-6898</link>
                <project id="10000" key="SERVER">Core Server</project>
                    <description>&lt;p&gt;EDITED Mar 5 2015&lt;br/&gt;
Updating ticket according to discussion in the comments.&lt;/p&gt;
&lt;ul class=&quot;alternate&quot; type=&quot;square&quot;&gt;
	&lt;li&gt;Make listDatabases command available to all authenticated users&lt;/li&gt;
	&lt;li&gt;return the databases a user has read/write access to&lt;/li&gt;
	&lt;li&gt;A user in possession of the listDatabases action type should as today be able to list all databases&lt;/li&gt;
&lt;/ul&gt;


&lt;p&gt;======================&lt;br/&gt;
When running in authentication mode, show dbs will only work for a user authenticated on the admin database. However, it makes sense to list all of the available databases to anyone and request the authentication upon db selection. &lt;/p&gt;

&lt;p&gt;This is currently not possible. The user needs to either know the DB name to connect to upfront, or connect as admin for show dbs to work. 3drepo.org has a use case for this.&lt;/p&gt;

&lt;p&gt;This is related to:&lt;br/&gt;
&lt;a href=&quot;https://jira.mongodb.org/browse/SERVER-4823&quot; title=&quot;show dbs should return a list of databases that any user can access&quot; class=&quot;issue-link&quot; data-issue-key=&quot;SERVER-4823&quot;&gt;&lt;del&gt;SERVER-4823&lt;/del&gt;&lt;/a&gt;&lt;br/&gt;
&lt;a href=&quot;https://jira.mongodb.org/browse/SERVER-3181&quot; title=&quot;Add option to listDatabases to only get db names, not size info&quot; class=&quot;issue-link&quot; data-issue-key=&quot;SERVER-3181&quot;&gt;&lt;del&gt;SERVER-3181&lt;/del&gt;&lt;/a&gt;&lt;br/&gt;
(a list of names without info will be sufficient, as requested previously, although, in such a case the drivers would need to support querying for that)&lt;/p&gt;

&lt;p&gt;MySQL and others will happily list dbs to any user. &lt;/p&gt;</description>
                <environment></environment>
        <key id="48636">SERVER-6898</key>
            <summary>Allow all authenticated users to run listDatabases </summary>
                <type id="4" iconUrl="https://jira.mongodb.org/secure/viewavatar?size=xsmall&amp;avatarId=14710&amp;avatarType=issuetype">Improvement</type>
                                            <priority id="4" iconUrl="https://jira.mongodb.org/images/icons/priorities/minor.svg">Minor - P4</priority>
                        <status id="6" iconUrl="https://jira.mongodb.org/images/icons/statuses/closed.png" description="The issue is considered finished, the resolution is correct. Issues which are closed can be reopened.">Closed</status>
                    <statusCategory id="3" key="done" colorName="success"/>
                                    <resolution id="9">Done</resolution>
                                        <assignee username="sara.golemon@mongodb.com">Sara Golemon</assignee>
                                    <reporter username="jozefdobos">Jozef Dobos</reporter>
                        <labels>
                    </labels>
                <created>Thu, 30 Aug 2012 11:20:24 +0000</created>
                <updated>Wed, 6 Jun 2018 16:38:33 +0000</updated>
                            <resolved>Wed, 6 Dec 2017 00:12:51 +0000</resolved>
                                                    <fixVersion>3.7.1</fixVersion>
                                    <component>Security</component>
                                        <votes>2</votes>
                                    <watches>15</watches>
                                                                                                                <comments>
                            <comment id="1743725" author="xgen-internal-githook" created="Wed, 6 Dec 2017 00:09:50 +0000"  >&lt;p&gt;Author:&lt;/p&gt;
{&apos;username&apos;: &apos;sgolemon&apos;, &apos;email&apos;: &apos;sara.golemon@mongodb.com&apos;, &apos;name&apos;: &apos;Sara Golemon&apos;}
&lt;p&gt;Message: &lt;a href=&quot;https://jira.mongodb.org/browse/SERVER-6898&quot; title=&quot;Allow all authenticated users to run listDatabases &quot; class=&quot;issue-link&quot; data-issue-key=&quot;SERVER-6898&quot;&gt;&lt;del&gt;SERVER-6898&lt;/del&gt;&lt;/a&gt; Enable listDatabases for all users&lt;br/&gt;
Branch: master&lt;br/&gt;
&lt;a href=&quot;https://github.com/mongodb/mongo/commit/a34fa65325dafc01857a4525d0d8b2f26b485965&quot; class=&quot;external-link&quot; target=&quot;_blank&quot; rel=&quot;nofollow noopener&quot;&gt;https://github.com/mongodb/mongo/commit/a34fa65325dafc01857a4525d0d8b2f26b485965&lt;/a&gt;&lt;/p&gt;</comment>
                            <comment id="840636" author="david.erickson" created="Mon, 2 Mar 2015 20:32:42 +0000"  >&lt;p&gt;I agree with Doug.  A user should be able to discover the databases they have read roles for.  As sometimes database names are programmatically created based on time buckets, subjects, etc and can&apos;t be known ahead of time.&lt;/p&gt;

&lt;p&gt;Clearly a full listing could be a security issue in a multi-tenanted environment, so redacting the info you don&apos;t have access to seems important.&lt;/p&gt;</comment>
                            <comment id="491116" author="dmoran" created="Thu, 30 Jan 2014 21:32:54 +0000"  >&lt;p&gt;+1 - I just voted for this one although I want the user to have to authenticate and get a list of only the databases that they have access to.  A separate API call would be fine so as not to hurt backward compatibility.  A server flag to turn on this new behavior would also be acceptable.&lt;/p&gt;

&lt;p&gt;At Pentaho, we like to allow our users to select from a list of databases and collections that they have permission to.  We do this in both our reporting tool and ETL tool. &lt;/p&gt;

&lt;p&gt;Reporting users, especially self service reporting users, are used to being able to select databases, tables etc from a graphical UI.  We find pick lists a much more satisfying experience than typing into a text box.  As app developers add more and more data to MongoDB and lock it down by user and role, they don&apos;t want the burden of notifying every report developer or analyst in those roles with every database or permission update.  In reality, those users will likely ignore the email when they get it and weeks later when they need access, they will call the admin to find out the names.&lt;/p&gt;

&lt;p&gt;From the ETL side, selecting the database from a list guarantees that a typo will not create a new DB or collection when they do an insert.&lt;/p&gt;

&lt;p&gt;Thanks,&lt;br/&gt;
Doug&lt;/p&gt;</comment>
                            <comment id="158637" author="jozefdobos" created="Thu, 30 Aug 2012 18:30:22 +0000"  >&lt;p&gt;My use case is an Android app connected to the DB directly: &lt;a href=&quot;http://3drepo.org/portfolio/3d-android-client/&quot; class=&quot;external-link&quot; target=&quot;_blank&quot; rel=&quot;nofollow noopener&quot;&gt;http://3drepo.org/portfolio/3d-android-client/&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Releasing this on the Android market will not allow me to send emails with usernames/passwords. Instead, I&apos;d want to provide anon user credentials with publicly known password that anyone can use and connect to those dbs for which such credentials have been predefined. The number of dbs will grow over time.&lt;/p&gt;
</comment>
                            <comment id="158597" author="scotthernandez" created="Thu, 30 Aug 2012 17:15:57 +0000"  >&lt;p&gt;In general admins tell the user/system which database they have created their account/user on, like via email or the user login page (for hosted apps). For example, most hosting providers like mongolabs/hq will send an email with this information so the user knows what host+db&lt;br/&gt;
+user+password they should use.&lt;/p&gt;

&lt;p&gt;As I said, many users depend on the current behavior that database names cannot be seen by non-admin users; not sure how easy this will be to change, but if we find lots of users need this functionality and have a convincing use-case that could change.&lt;/p&gt;</comment>
                            <comment id="158545" author="jozefdobos" created="Thu, 30 Aug 2012 15:30:01 +0000"  >&lt;p&gt;I&apos;m fully aware of the current situation, what I would like is to change that. In MySQL for example you would be able to list all the databases you have some kind of privilege on (which makes perfect sense).&lt;/p&gt;

&lt;p&gt;I don&apos;t mind the user authenticating for every database individually (even if using different username and password). However, I don&apos;t see how to let the user know what the databases are. &lt;/p&gt;

&lt;p&gt;In my setting, each db corresponds to a single project, and these are being added dynamically. Admin can create user accounts in them, no problem, but how to notify the users that there are new projects in the storage without giving them the admin rights?&lt;/p&gt;</comment>
                            <comment id="158540" author="scotthernandez" created="Thu, 30 Aug 2012 15:16:55 +0000"  >&lt;p&gt;Each db stores a sep. list of users+credentials and the &quot;use db&quot;/getDB call doesn&apos;t do anything on the server but simply sets the context to the correct db when doing authentication from the client. You cannot authenticate without the context of a database. The user must know the database before they authenticate, and you must have created a user in a specific database.&lt;/p&gt;

&lt;p&gt;In order to get a list of databases you must be an admin, which requires you authenticate against the admin database.&lt;/p&gt;</comment>
                            <comment id="158462" author="jozefdobos" created="Thu, 30 Aug 2012 12:27:12 +0000"  >&lt;p&gt;dbname is not part of the login information as far as I&apos;m concerned. I have to open a TCP connection to a mongo instance and only afterwards get a handle of the db I want. Once having the handle, I have to authenticate, see my examples:&lt;/p&gt;

&lt;p&gt;In javascript shell it would be:&lt;br/&gt;
&lt;a href=&quot;http://www.mongodb.org/display/DOCS/Security+and+Authentication#SecurityandAuthentication-Configuring&quot; class=&quot;external-link&quot; target=&quot;_blank&quot; rel=&quot;nofollow noopener&quot;&gt;http://www.mongodb.org/display/DOCS/Security+and+Authentication#SecurityandAuthentication-Configuring&lt;/a&gt;&lt;br/&gt;
&amp;amp; mongo&lt;br/&gt;
&amp;gt; use dbname&lt;br/&gt;
&amp;gt; db.auth(&quot;username&quot;, &quot;password&quot;)&lt;/p&gt;

&lt;p&gt;In Java:&lt;br/&gt;
&lt;a href=&quot;http://www.mongodb.org/display/DOCS/Java+Tutorial#JavaTutorial-MakingAConnection&quot; class=&quot;external-link&quot; target=&quot;_blank&quot; rel=&quot;nofollow noopener&quot;&gt;http://www.mongodb.org/display/DOCS/Java+Tutorial#JavaTutorial-MakingAConnection&lt;/a&gt;&lt;br/&gt;
Mongo m = new Mongo( &quot;localhost&quot; , 27017 );&lt;br/&gt;
DB db = m.getDB( &quot;dbname&quot; );&lt;br/&gt;
db.authenticate(username, password);&lt;/p&gt;



&lt;p&gt;But how do I know the dbname if mongo won&apos;t tell me all of the available ones, unless logged in as admin? To get to the list of db names I have to do the following:&lt;/p&gt;

&lt;p&gt;DB db = m.getDB( &quot;admin&quot; );&lt;br/&gt;
db.authenticate(username, password);&lt;/p&gt;


&lt;p&gt;and only afterwards can I run m.getDatabaseNames().&lt;/p&gt;

&lt;p&gt;I honestly believe I should be able to get the names without the need to authenticate as an admin. To enable my users to get to individual databases, I either have to give them admin credentials or hardcode all the dbnames I allow them to see, both of which are not appropriate. &lt;/p&gt;

&lt;p&gt;My client application connects directly to the DB, there is no middle-tier stuff, hence the need.&lt;br/&gt;
Thanks!&lt;/p&gt;</comment>
                            <comment id="158447" author="scotthernandez" created="Thu, 30 Aug 2012 11:49:05 +0000"  >&lt;p&gt;The system is designed to secure database names and not leak that information to unauthenticated users (non-admins). You do not need to see the list of dbs in order to authenticate; if you don&apos;t know which db you need to authenticate to then you do not have credentials since the db is part of the login information.&lt;/p&gt;

&lt;p&gt;There is no plan to change this design as many users require their system secure this information from unauthorized users.&lt;/p&gt;</comment>
                    </comments>
                <issuelinks>
                            <issuelinktype id="10011">
                    <name>Depends</name>
                                                                <inwardlinks description="is depended on by">
                                                        </inwardlinks>
                                    </issuelinktype>
                            <issuelinktype id="10320">
                    <name>Documented</name>
                                                                <inwardlinks description="is documented by">
                                        <issuelink>
            <issuekey id="469625">DOCS-11103</issuekey>
        </issuelink>
                            </inwardlinks>
                                    </issuelinktype>
                            <issuelinktype id="10012">
                    <name>Related</name>
                                            <outwardlinks description="related to">
                                        <issuelink>
            <issuekey id="17784">SERVER-3181</issuekey>
        </issuelink>
            <issuelink>
            <issuekey id="29495">SERVER-4823</issuekey>
        </issuelink>
                            </outwardlinks>
                                                        </issuelinktype>
                    </issuelinks>
                <attachments>
                    </attachments>
                <subtasks>
                    </subtasks>
                <customfields>
                                                <customfield id="customfield_10050" key="com.atlassian.jira.toolkit:comments">
                        <customfieldname># Replies</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>9.0</customfieldvalue>
                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                                                                                                                                                                                                                                                                                                        <customfield id="customfield_10011" key="com.atlassian.jira.plugin.system.customfieldtypes:radiobuttons">
                        <customfieldname>Backwards Compatibility</customfieldname>
                        <customfieldvalues>
                                <customfieldvalue key="10038"><![CDATA[Fully Compatible]]></customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                                                                                                                                                                                                                                                                            <customfield id="customfield_10055" key="com.atlassian.jira.ext.charting:firstresponsedate">
                        <customfieldname>Date of 1st Reply</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>Thu, 30 Aug 2012 11:49:05 +0000</customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                                                                <customfield id="customfield_10052" key="com.atlassian.jira.toolkit:dayslastcommented">
                        <customfieldname>Days since reply</customfieldname>
                        <customfieldvalues>
                                        6 years, 10 weeks, 1 day ago
    
                        </customfieldvalues>
                    </customfield>
                                                                <customfield id="customfield_18254" key="com.onresolve.jira.groovy.groovyrunner:scripted-field">
                        <customfieldname>Dependencies</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue><![CDATA[]]></customfieldvalue>


                        </customfieldvalues>
                    </customfield>
                                                                <customfield id="customfield_15850" key="com.atlassian.jira.plugins.jira-development-integration-plugin:devsummary">
                        <customfieldname>Development</customfieldname>
                        <customfieldvalues>
                            
                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                                            <customfield id="customfield_10857" key="com.pyxis.greenhopper.jira:gh-epic-link">
                        <customfieldname>Epic Link</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>PM-545</customfieldvalue>
                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                <customfield id="customfield_10057" key="com.atlassian.jira.toolkit:lastusercommented">
                        <customfieldname>Last comment by Customer</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>true</customfieldvalue>
                        </customfieldvalues>
                    </customfield>
                                                                                            <customfield id="customfield_10056" key="com.atlassian.jira.toolkit:lastupdaterorcommenter">
                        <customfieldname>Last commenter</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>kay.kim@mongodb.com</customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                                                                <customfield id="customfield_11151" key="com.atlassian.jira.toolkit:LastCommentDate">
                        <customfieldname>Last public comment date</customfieldname>
                        <customfieldvalues>
                            6 years, 10 weeks, 1 day ago
                        </customfieldvalues>
                    </customfield>
                                                                                                                        <customfield id="customfield_10000" key="com.atlassian.jira.plugin.system.customfieldtypes:radiobuttons">
                        <customfieldname>Old_Backport</customfieldname>
                        <customfieldvalues>
                                <customfieldvalue key="10000"><![CDATA[No]]></customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                <customfield id="customfield_10051" key="com.atlassian.jira.toolkit:participants">
                        <customfieldname>Participants</customfieldname>
                        <customfieldvalues>
                                        <customfieldvalue>david.erickson</customfieldvalue>
            <customfieldvalue>dmoran</customfieldvalue>
            <customfieldvalue>xgen-internal-githook</customfieldvalue>
            <customfieldvalue>jozefdobos</customfieldvalue>
            <customfieldvalue>sara.golemon@mongodb.com</customfieldvalue>
            <customfieldvalue>scotthernandez</customfieldvalue>
    
                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                                                                        <customfield id="customfield_14254" key="com.pyxis.greenhopper.jira:gh-lexo-rank">
                        <customfieldname>Product Rank</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>1|hrnqcv:</customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                <customfield id="customfield_12550" key="com.pyxis.greenhopper.jira:gh-lexo-rank">
                        <customfieldname>Rank</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>2|hr9ktj:</customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                                                                <customfield id="customfield_10558" key="com.pyxis.greenhopper.jira:gh-global-rank">
                        <customfieldname>Rank (Obsolete)</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>6643</customfieldvalue>
                        </customfieldvalues>
                    </customfield>
                                                                                            <customfield id="customfield_23361" key="com.onresolve.jira.groovy.groovyrunner:scripted-field">
                        <customfieldname>Requested By</customfieldname>
                        <customfieldvalues>
                                

                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                <customfield id="customfield_10053" key="com.atlassian.jira.ext.charting:timeinstatus">
                        <customfieldname>Time In Status</customfieldname>
                        <customfieldvalues>
                            
                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                                                                                                                                                                                                                                                                                                        <customfield id="customfield_22870" key="com.onresolve.jira.groovy.groovyrunner:scripted-field">
                        <customfieldname>Triagers</customfieldname>
                        <customfieldvalues>
                                

                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                                                                                                                                                                                                                    <customfield id="customfield_14350" key="com.pyxis.greenhopper.jira:gh-lexo-rank">
                        <customfieldname>serverRank</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>1|ht0o9z:</customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                                    </customfields>
    </item>
</channel>
</rss>