Uploaded image for project: 'Compass '
  1. Compass
  2. COMPASS-7481

Investigate changes in SERVER-82929: $listSearchIndexes requires find privilege action rather than listSearchIndexes privilege action as it intended

    • Type: Icon: Investigation Investigation
    • Resolution: Done
    • Priority: Icon: Major - P3 Major - P3
    • No version
    • Affects Version/s: None
    • Component/s: None
    • None
    • Not Needed
    • Hide

      No action required in the DevTools products.

      Show
      No action required in the DevTools products.

      Original Downstream Change Summary

      There was a bug with the permissions required to run listSearchIndexes. As intended, after this change, users need to either have a 'read' role, be an admin, or the listSearchIndexes privilege to run the listSearchIndexes stage.

      Description of Linked Ticket

      The $listSearchIndexes aggregation stage is registered by calling the DocumentSourceListSearchIndexes::LiteParsed::parse() static function. And the DocumentSourceListSearchIndexes::LiteParsed::parse() symbol resolves to the LiteParsedSearchStage::parse() base class static function. This leads to an instance of LiteParsedSearchStage being constructed rather than an instead of DocumentSourceListSearchIndexes::LiteParsed and therefore LiteParsedSearchStage::requiredPrivileges() being used for the authorization check rather than DocumentSourceListSearchIndexes::LiteParsed::requiredPrivileges() as intended.

      MongoDB Enterprise mongos> db.mycoll.aggregate([{$listSearchIndexes: {}}])
      uncaught exception: Error: command failed: {
      	"ok" : 0,
      	"errmsg" : "not authorized on test to execute command { aggregate: \"mycoll\", pipeline: [ { $listSearchIndexes: {} } ], cursor: {}, lsid: { id: UUID(\"705553ff-a177-460e-8c38-5af98d738314\") }, $clusterTime: { clusterTime: Timestamp(1699423295, 1), signature: { hash: BinData(0, 3153BC58060F75DBC1FF2D90036481E9714DBFAA), keyId: 7298965743213740055 } }, $db: \"test\" }",
      	"code" : 13,
      	"codeName" : "Unauthorized",
      ...
      MongoDB Enterprise mongos> db.adminCommand({connectionStatus: 1, showPrivileges: true})
      {
      	"authInfo" : {
      		"authenticatedUsers" : [
      			{
      				"user" : "myuser",
      				"db" : "admin"
      			}
      		],
      		"authenticatedUserRoles" : [
      			{
      				"role" : "myrole",
      				"db" : "admin"
      			}
      		],
      		"authenticatedUserPrivileges" : [
      			{
      				"resource" : {
      					"db" : "test",
      					"collection" : ""
      				},
      				"actions" : [
      					"listSearchIndexes"
      				]
      			}
      		]
      	},
      	"ok" : 1,
      

            Assignee:
            Unassigned Unassigned
            Reporter:
            backlog-server-pm Backlog - Core Eng Program Management Team
            Votes:
            0 Vote for this issue
            Watchers:
            2 Start watching this issue

              Created:
              Updated:
              Resolved: