In SERVER-32942, the optional authorizedCollections parameter was added to the listCollections command, and the show collections shell helper was modified to pass true for this parameter.
However, this has the unintended consequence of preventing system.* collections from being listed in the output of show collections, even when auth is off or specific privileges on system collections have been granted. This is a backward-breaking change in behaviour, which might lead users to make incorrect deductions about the state of the db (based on the apparent absence of system collections of interest).
The reason for this is that the blacklisting of system collections in SERVER-32942 is too heavy-handed, and should instead be relaxed to return the system collections that the logged-in user has privileges on. The example behaviours below are all on a freshly initialised standalone/sharded cluster.
Auth disabled
Setup:
```
use admin
```
| Standalone/Replset: Current behaviour | Standalone/Replset: Desired behaviour |
|---|---|
| `> show collections`<br>`>` | `> show collections`<br>`system.version`<br>`>` |
| Sharded: Current behaviour | Sharded: Desired behaviour |
|---|---|
| `mongos> show collections`<br>`mongos>` | `mongos> show collections`<br>`system.keys`<br>`system.version`<br>`mongos>` |
Auth enabled
Setup:
```
use admin
db.auth("root", "root")
db.createRole( {
    role: "syscoll",
    privileges: [
        { resource: { db: "admin", collection: "system.version" }, actions: [ "find" ] }
    ],
    roles: []
} )
db.createRole( {
    role: "admindb",
    privileges: [
        { resource: { db: "admin", collection: "" }, actions: [ "find" ] }
    ],
    roles: []
} )
db.createUser( { user: "test-syscoll", pwd: "test", roles: [ "syscoll" ] } )
db.createUser( { user: "test-admindb", pwd: "test", roles: [ "admindb" ] } )
db.createUser( { user: "test-both", pwd: "test", roles: [ "admindb", "syscoll" ] } )
db.createCollection("testcoll")
```
| Standalone/Replset: Current behaviour | Standalone/Replset: Desired behaviour |
|---|---|
| `> db.auth("test-syscoll", "test")`<br>`1`<br>`> show collections`<br>`>`<br>`> db.auth("test-admindb", "test")`<br>`1`<br>`> show collections`<br>`testcoll`<br>`>`<br>`> db.auth("test-both", "test")`<br>`1`<br>`> show collections`<br>`testcoll`<br>`>` | `> db.auth("test-syscoll", "test")`<br>`1`<br>`> show collections`<br>`system.version`<br>`>`<br>`> db.auth("test-admindb", "test")`<br>`1`<br>`> show collections`<br>`testcoll`<br>`>`<br>`> db.auth("test-both", "test")`<br>`1`<br>`> show collections`<br>`system.version`<br>`testcoll`<br>`>` |
| Sharded: Current behaviour | Sharded: Desired behaviour |
|---|---|
| `mongos> db.auth("test-syscoll", "test")`<br>`1`<br>`mongos> show collections`<br>`mongos>`<br>`mongos> db.auth("test-admindb", "test")`<br>`1`<br>`mongos> show collections`<br>`testcoll`<br>`mongos>`<br>`mongos> db.auth("test-both", "test")`<br>`1`<br>`mongos> show collections`<br>`testcoll`<br>`mongos>` | `mongos> db.auth("test-syscoll", "test")`<br>`1`<br>`mongos> show collections`<br>`system.version`<br>`mongos>`<br>`mongos> db.auth("test-admindb", "test")`<br>`1`<br>`mongos> show collections`<br>`testcoll`<br>`mongos>`<br>`mongos> db.auth("test-both", "test")`<br>`1`<br>`mongos> show collections`<br>`system.version`<br>`testcoll`<br>`mongos>` |
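The difference between the current and desired columns can be modelled as two filters over the same collection list. This is an added example, not MongoDB server or shell code: the function names and the admin db collection list are constructed, and the model assumes that holding any action on a collection is enough for it to be listed.

```javascript
// Added illustration: a simplified model of the filter, not MongoDB server code.
// Roles and users mirror the "Auth enabled" setup on this page.
const ROLES = {
  syscoll: [{ db: "admin", collection: "system.version", actions: ["find"] }],
  admindb: [{ db: "admin", collection: "", actions: ["find"] }],
};
const USERS = {
  "test-syscoll": ["syscoll"],
  "test-admindb": ["admindb"],
  "test-both": ["admindb", "syscoll"],
};
// Constructed sample: contents of the admin db on an auth-enabled standalone.
const ADMIN_COLLECTIONS = ["system.roles", "system.users", "system.version", "testcoll"];

const isSystem = (name) => name.startsWith("system.");

// A privilege with collection "" covers every non-system collection in its db;
// system collections have to be named explicitly.
function matches(priv, db, coll) {
  if (priv.db !== db || priv.actions.length === 0) return false;
  return priv.collection === coll || (priv.collection === "" && !isSystem(coll));
}

// user === null models auth being off: every collection is permitted.
// Assumption of this model: any action on a collection is enough to list it.
function canSee(user, db, coll) {
  if (user === null) return true;
  return USERS[user].some((role) => ROLES[role].some((p) => matches(p, db, coll)));
}

// blanketSystemFilter = true  -> behaviour reported here (system.* always dropped)
// blanketSystemFilter = false -> behaviour requested here (privileges decide)
function showCollections(user, db, collections, blanketSystemFilter) {
  return collections.filter(
    (c) => canSee(user, db, c) && !(blanketSystemFilter && isSystem(c))
  );
}

for (const user of Object.keys(USERS)) {
  const current = showCollections(user, "admin", ADMIN_COLLECTIONS, true);
  const desired = showCollections(user, "admin", ADMIN_COLLECTIONS, false);
  console.log(user, "| current:", current, "| desired:", desired);
}
```

In the privilege-driven variant system.users and system.roles stay hidden from all three test users, so relaxing the blanket filter does not expose system collections a user has no privilege on.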
Related to:
- SERVER-32942 mongo shell: for users authorized to certain namespace, make discovery easy (Closed)
- SERVER-38353 show collections does not list system.* collections from admin db on 4.0 (Closed)