-rw-r--r-- | src/mongo/db/pipeline/aggregate_command.idl | 16 | ||||
-rw-r--r-- | src/mongo/db/pipeline/document_source_list_catalog.cpp | 10 |
2 files changed, 23 insertions, 3 deletions
diff --git a/src/mongo/db/pipeline/aggregate_command.idl b/src/mongo/db/pipeline/aggregate_command.idl
index a30ce427578..4e309457f9d 100644
--- a/src/mongo/db/pipeline/aggregate_command.idl
+++ b/src/mongo/db/pipeline/aggregate_command.idl
@@ -123,6 +123,22 @@ commands:
 - privilege: # $listCachedAndActiveUsers
 resource_pattern: any_normal
 action_type: listCachedAndActiveUsers
+ - privilege: # $listCatalog
+ agg_stage: listCatalog
+ resource_pattern: cluster
+ action_type: listDatabases
+ - privilege: # $listCatalog
+ agg_stage: listCatalog
+ resource_pattern: any_normal
+ action_type: [listCollections, listIndexes]
+ - privilege: # $listCatalog
+ agg_stage: listCatalog
+ resource_pattern: collection
+ action_type: [listCollections, listIndexes]
+ - privilege: # $listCatalog
+ agg_stage: listCatalog
+ resource_pattern: any_system_buckets
+ action_type: [listCollections, listIndexes]
 - privilege: # $listSessions
 resource_pattern: cluster
 action_type: listSessions
diff --git a/src/mongo/db/pipeline/document_source_list_catalog.cpp b/src/mongo/db/pipeline/document_source_list_catalog.cpp
index cb89adb5167..a1163c8b2b3 100644
--- a/src/mongo/db/pipeline/document_source_list_catalog.cpp
+++ b/src/mongo/db/pipeline/document_source_list_catalog.cpp
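Review bot: The four `$listCatalog` entries repeat by hand the privilege list that `requiredPrivileges()` returns in document_source_list_catalog.cpp, and nothing in either file ties the two lists together. The `resource_pattern: collection` entry is the least obvious one, because it does not say which collection it stands for, while the C++ side names `system.js`. I would annotate that entry as `- privilege: # $listCatalog (system.js)` and add `// Keep in sync with the $listCatalog privileges in aggregate_command.idl.` above the C++ `return`, so that a later edit to one list is not missed in the other.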
@@ -58,9 +58,13 @@ PrivilegeVector DocumentSourceListCatalog::LiteParsed::requiredPrivileges(
 // Refer to privileges for the readAnyDatabase role in addReadOnlyAnyDbPrivileges().
 // See builtin_roles.cpp.
- // TODO(SERVER-64203): Change privileges to a combination of listDatabases, listCollections,
- // and listIndexes.
- return {Privilege(ResourcePattern::forDatabaseName("admin"), ActionType::find)};
+ ActionSet listCollectionsAndIndexesActions{ActionType::listCollections,
+ ActionType::listIndexes};
+ return {Privilege(ResourcePattern::forClusterResource(), ActionType::listDatabases),
+ Privilege(ResourcePattern::forAnyNormalResource(), listCollectionsAndIndexesActions),
+ Privilege(ResourcePattern::forCollectionName("system.js"),
+ listCollectionsAndIndexesActions),
+ Privilege(ResourcePattern::forAnySystemBuckets(), listCollectionsAndIndexesActions)};
 }
 DocumentSource::GetNextResult DocumentSourceListCatalog::doGetNext() { |
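Review bot: The new `return` authorizes the stage on normal resources, `system.js` and system buckets, but nothing visible here shows that the stage's output is limited to those namespaces. The body of `doGetNext()` lies outside the hunk; if it also emits catalog entries for other system collections, a caller would see metadata for namespaces on which it holds no list privilege, so that should be confirmed or filtered. The diffstat lists only these two files, so the commit appears to carry no authorization test. I would add one that runs the stage as a user missing each of the four privileges in turn and expects the command to be rejected. The signature of `requiredPrivileges()` also starts outside the hunk.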