DOCSP-5331: Access Control for creating Views

ravindk89 · ravindk89 · commit 3a683665ca38 · 2019-05-03T17:54:47.000-04:00
diff --git a/source/core/capped-collections.txt b/source/core/capped-collections.txt
@@ -1,3 +1,5 @@
+.. _manual-capped-collection:
+
 ==================
 Capped Collections
 ==================
diff --git a/source/includes/extracts-create-cmd.yaml b/source/includes/extracts-create-cmd.yaml
@@ -0,0 +1,107 @@
+ref: access-control-create-cmd
+content: |
+
+  If the deployment enforces 
+  :ref:`authentication/authorization <authentication>`,
+  {{operation}} requires that the authenticated user have the 
+  following privileges:
+
+  .. list-table::
+     :header-rows: 1
+
+     * - 
+
+       - Required Privileges
+     
+     * - Create a non-capped collection
+
+       - :authaction:`createCollection` on the database, **or**
+
+         :authaction:`insert` on the collection to create
+
+     * - Create a :ref:`capped collection <manual-capped-collection>`
+
+       - :authaction:`convertToCapped` for the collection
+
+
+         :authaction:`createCollection` on the database
+
+     * - Create a :ref:`view <3.4-reference-views>`
+
+       - - :authaction:`createCollection` on the database 
+
+           *or*
+
+         - :authaction:`createCollection` on the database
+           *and* :authaction:`find` on the source collection/view
+
+           *or*
+
+         - :authaction:`createCollection` on the database,
+           :authaction:`find` on the view to create, 
+           *and* :authaction:`find` on the source collection/view
+
+         A user with :authaction:`createCollection` on the database and
+         :authaction:`find` on the view to create does not have
+         sufficient privileges.
+
+post : |
+
+  The :authrole:`readWrite` built in role provides the appropriate
+  privileges for executing {{operation}}. Create a user and assign it
+  the :authrole:`readWrite` role for the database in which you want to
+  run {{operation}}:
+
+  .. code-block:: javascript
+
+     db.getSiblingDB("replaceThisDatabaseName").createUser(
+       {
+         "user" : "replaceThisUserName",
+         "pwd" : "replaceThisWithASecurePassword",
+         "roles" : [ "readWrite" ]
+       }
+     )
+
+  For more examples of user creation, see 
+  :doc:`/tutorial/create-users`. For a tutorial on adding privileges to 
+  an existing database user, see :ref:`modify-existing-user-access`.
+replacement:
+  operation : ":dbcommand:`create`"
+---
+ref: access-control-createCollection
+source:
+  file: extracts-create-cmd.yaml
+  ref: access-control-create-cmd
+replacement:
+  operation : ":method:`db.createCollection()`"
+---
+ref: access-control-createView
+content : |
+
+  If the deployment enforces 
+  :ref:`authentication/authorization <authentication>`,
+  the :method:`db.createView()` method requires the authenticated user 
+  have the following privileges:
+
+  - :authaction:`createCollection` on the database
+
+    *or*
+
+  - :authaction:`createCollection` on the database
+    *and* :authaction:`find` on the source collection/view
+
+    *or*
+
+  - :authaction:`createCollection` on the database,
+    :authaction:`find` on the view to create, 
+    *and* :authaction:`find` on the source collection/view
+
+  A user with :authaction:`createCollection` on the database
+  and :authaction:`find` on the view to create does not have sufficient
+  privileges.
+
+source:
+  file: extracts-create-cmd.yaml
+  ref: access-control-create-cmd
+replacement:
+  operation : ":method:`db.createView()`"
diff --git a/source/reference/command/create.txt b/source/reference/command/create.txt
@@ -62,39 +62,7 @@ longer.
 Access Control
 --------------
 
-If the deployment enforces authentication/authorization, you must have
-the following privilege to run the :dbcommand:`create` command:
-
-.. list-table::
-   :header-rows: 1
-
-   * - 
-
-     - Required Privileges
-   
-   * - Create a non-capped collection
-
-     - :authaction:`createCollection` in the database, **or**
-
-       :authaction:`insert` in the collection to create
-
-   * - Create a capped collection
-
-     - :authaction:`convertToCapped` for the colleciton
-
-
-       :authaction:`createCollection` in the database
-
-   * - Create a view
-
-     - :authaction:`createCollection` in the database and either:
-
-       - no :authaction:`find` on the view to create, **or**
-
-       - both :authaction:`find` on the view to create and
-         :authaction:`find` on the source collection/view.
-
-The built-in role :authrole:`readWrite` provides the required privileges.
+.. include:: /includes/extracts/access-control-create-cmd.rst
 
 Examples
 --------
diff --git a/source/reference/method/db.createCollection.txt b/source/reference/method/db.createCollection.txt
@@ -61,6 +61,12 @@ Definition
 
    .. include:: /includes/apiargs/method-db.createCollection-options-param.rst
 
+Access Control
+--------------
+
+.. include:: /includes/extracts/access-control-createCollection.rst
+
+
 Examples
 --------
 
diff --git a/source/reference/method/db.createView.txt b/source/reference/method/db.createView.txt
@@ -59,6 +59,11 @@ Behavior
 
 .. include:: /includes/extracts/views-behavior.rst
 
+Access Control
+--------------
+
+.. include:: /includes/extracts/access-control-createView.rst
+
 Examples
 --------
 
diff --git a/source/tutorial/manage-users-and-roles.txt b/source/tutorial/manage-users-and-roles.txt
@@ -114,6 +114,8 @@ The following example creates a role named
 
 .. include:: /includes/steps/create-role-dropSystemViews.rst
 
+.. _modify-existing-user-access:
+
 Modify Access for an Existing User
 ----------------------------------
 

Original file line number	Diff line number	Diff line change
`@@ -1,3 +1,5 @@`
	`1`	`+.. _manual-capped-collection:`
	`2`	`+`
`1`	`3`	`==================`
`2`	`4`	`Capped Collections`
`3`	`5`	`==================`