From e56b1b964037af3f8a512be3aa56775850746507 Mon Sep 17 00:00:00 2001 From: Allison Moore Date: Wed, 11 May 2016 13:42:38 -0400 Subject: [PATCH 1/2] DOCS-7664: clarifies query and write privilege action descriptions --- .../extracts-privilege-actions-base.yaml | 8 ++ .../includes/extracts-privilege-actions.yaml | 36 ++++++ source/reference/command/listCollections.txt | 6 + source/reference/command/listIndexes.txt | 5 + .../method/db.collection.getIndexes.txt | 5 + .../method/db.getCollectionNames.txt | 5 + source/reference/privilege-actions.txt | 118 ++++++++++++++++-- 7 files changed, 170 insertions(+), 13 deletions(-) create mode 100644 source/includes/extracts-privilege-actions-base.yaml create mode 100644 source/includes/extracts-privilege-actions.yaml diff --git a/source/includes/extracts-privilege-actions-base.yaml b/source/includes/extracts-privilege-actions-base.yaml new file mode 100644 index 00000000000..e1c2e2a44eb --- /dev/null +++ b/source/includes/extracts-privilege-actions-base.yaml @@ -0,0 +1,8 @@ +ref: _action-list +content: | + The user executing the {{type}} requires either :authaction:`find` + privileges on the {{collection}} collection or the + {{listAction}} privilege action. At a minimum, the + :authrole:`read` :doc:`built-in role ` provide + the requisite permissions. +... diff --git a/source/includes/extracts-privilege-actions.yaml b/source/includes/extracts-privilege-actions.yaml new file mode 100644 index 00000000000..84caac2d53c --- /dev/null +++ b/source/includes/extracts-privilege-actions.yaml 
@@ -0,0 +1,36 @@ +ref: actions-listIndexes +inherit: + file: extracts-privilege-actions-base.yaml + ref: _action-list +replacement: + type: "command" + collection: ":data:`system.indexes <.system.indexes>`" + listAction: ":authaction:`listIndexes`" +--- +ref: actions-db.collection.getIndexes +inherit: + file: extracts-privilege-actions-base.yaml + ref: _action-list +replacement: + type: "method" + collection: ":data:`system.indexes <.system.indexes>`" + listAction: ":authaction:`listIndexes`" +--- +ref: actions-listCollections +inherit: + file: extracts-privilege-actions-base.yaml + ref: _action-list +replacement: + type: "command" + collection: ":data:`system.namespaces <.system.namespaces>`" + listAction: ":authaction:`listCollections`" +--- +ref: actions-db.getCollectionNames +inherit: + file: extracts-privilege-actions-base.yaml + ref: _action-list +replacement: + type: "method" + collection: ":data:`system.namespaces <.system.namespaces>`" + listAction: ":authaction:`listCollections`" +... \ No newline at end of file diff --git a/source/reference/command/listCollections.txt b/source/reference/command/listCollections.txt index 360c39a6797..5d2d4e7e308 100644 --- a/source/reference/command/listCollections.txt +++ b/source/reference/command/listCollections.txt @@ -77,6 +77,12 @@ Output The return value for the command. A value of ``1`` indicates success. +Required Access +--------------- + +.. include:: /includes/extracts/actions-listCollections.rst + + Example ------- diff --git a/source/reference/command/listIndexes.txt b/source/reference/command/listIndexes.txt index 0df3e008ee5..1f8901f97fc 100644 --- a/source/reference/command/listIndexes.txt +++ b/source/reference/command/listIndexes.txt @@ -32,6 +32,11 @@ Definition .. include:: /includes/apiargs/dbcommand-listIndexes-field.rst +Required Access +--------------- + +.. include:: /includes/extracts/actions-listIndexes.rst + Output ------ 
diff --git a/source/reference/method/db.collection.getIndexes.txt b/source/reference/method/db.collection.getIndexes.txt index 897ca4f9548..c19e12bd91b 100644 --- a/source/reference/method/db.collection.getIndexes.txt +++ b/source/reference/method/db.collection.getIndexes.txt @@ -36,6 +36,11 @@ Considerations .. include:: /includes/fact-wiredtiger-compatibility-with-old-shells.rst +Required Access +--------------- + +.. include:: /includes/extracts/actions-db.collection.getIndexes.rst + Output ------ diff --git a/source/reference/method/db.getCollectionNames.txt b/source/reference/method/db.getCollectionNames.txt index 623102930fb..d853fb60ee3 100644 --- a/source/reference/method/db.getCollectionNames.txt +++ b/source/reference/method/db.getCollectionNames.txt @@ -28,6 +28,11 @@ Considerations .. include:: /includes/fact-wiredtiger-compatibility-with-old-shells.rst +Required Access +--------------- + +.. include:: /includes/extracts/actions-db.getCollectionNames.rst + Example ------- diff --git a/source/reference/privilege-actions.txt b/source/reference/privilege-actions.txt index 33657dbac81..771d5975f34 100644 --- a/source/reference/privilege-actions.txt +++ b/source/reference/privilege-actions.txt 
@@ -28,34 +28,126 @@ Query and Write Actions ----------------------- .. authaction:: find + + User can perform the following commands, and their equivalent helper methods: + + - :dbcommand:`aggregate` for all :doc:`pipeline operations + ` **except** :pipeline:`$out` and + :pipeline:`$indexStats`. + - :dbcommand:`checkShardingIndex` + - :dbcommand:`count` + - :dbcommand:`dataSize` + - :dbcommand:`distinct` + - :dbcommand:`filemd5` + - :dbcommand:`find` + - :dbcommand:`geoNear` + - :dbcommand:`geoSearch` + - :dbcommand:`getLastError` + - :dbcommand:`getMore` + - :dbcommand:`getPrevError` + - :dbcommand:`group` + - :dbcommand:`mapReduce` with the ``{out: inline}`` option. + - :dbcommand:`parallelCollectionScan` + - :dbcommand:`repairCursor` + - :dbcommand:`resetError` + + Required for the query portion of the :dbcommand:`mapReduce` command and + :method:`db.collection.mapReduce` helper method when :ref:`outputting + to a collection `. + + Required for the query portion of the :dbcommand:`findAndModify` command + and :method:`db.collection.findAndModify` helper method. - User can perform the :method:`db.collection.find()` method. Apply this - action to database or collection resources. + Required on the *source* collection for the :dbcommand:`cloneCollectionAsCapped` + and :dbcommand:`renameCollection` commands and the + :method:`db.collection.renameCollection()` helper method. + + Apply this action to database or collection resources. .. authaction:: insert - User can perform the :dbcommand:`insert` command. Apply this action to - database or collection resources. + User can perform the following commands and their equivalent methods: + + - :dbcommand:`insert` + - :dbcommand:`create` + + Required for the output portion of the :dbcommand:`mapReduce` + command and :method:`db.collection.mapReduce()` helper method when + :ref:`outputting to a collection `. 
+ + Required for the :dbcommand:`aggregate` command and + :method:`db.collection.aggregate()` helper method when using the + :pipeline:`$out` pipeline operator. + + Required for the :dbcommand:`update` and :dbcommand:`findAndModify` + commands and equivalent helper methods when used with the ``upsert`` + option. + + Required on the *destination* collection for the following + commands and their helper methods: + + - :dbcommand:`clone` + - :dbcommand:`cloneCollection` + - :dbcommand:`cloneCollectionAsCapped` + - :dbcommand:`copydb` + - :dbcommand:`renameCollection` + + Apply this action to database or collection resources. .. authaction:: remove - User can perform the :method:`db.collection.remove()` method. Apply this - action to database or collection resources. + User can perform the :dbcommand:`delete` command and equivalent + helper method. + + Required for the write portion of the :dbcommand:`findAndModify` + command and :method:`db.collection.findAndModify()` method. + + Required for the :dbcommand:`mapReduce` command and + :method:`db.collection.mapReduce()` helper method when you specify + the ``replace`` action when :ref:`outputting to a collection + `. + + Required for the :dbcommand:`aggregate` command and + :method:`db.collection.aggregate()` helper method when using the + :pipeline:`$out` pipeline operator. + + Apply this action to database or collection resources. .. authaction:: update - User can perform the :dbcommand:`update` command. Apply this action to - database or collection resources. + User can perform the :dbcommand:`update` command and equivalent + helper methods. + + Required for the + :dbcommand:`mapReduce` command and :method:`db.collection.mapReduce()` + helper method when :ref:`outputting to a collection ` + without specifying the ``replace`` action. + + Required for the :dbcommand:`findAndModify` command and + :method:`db.collection.findAndModify()` helper method. + + Apply this action to database or collection resources. .. 
authaction:: bypassDocumentValidation .. versionadded:: 3.2 - User can bypass document validation on commands that support the - ``bypassDocumentValidation`` option. For a list of commands that - support the ``bypassDocumentValidation`` option, see - :ref:`3.2-rel-notes-document-validation`. Apply this action to - database or collection resources. + Users can bypass :doc:`document validation + ` on commands and methods that support + the ``bypassDocumentValidation`` option. The following commands and + their equivalent methods support bypassing document validation: + + - :dbcommand:`aggregate` + - :dbcommand:`applyOps` + - :dbcommand:`cloneCollection` on the *destination* collection + - :dbcommand:`clone` on the *destination* + - :dbcommand:`copydb` on the *destination* + - :dbcommand:`findAndModify` + - :dbcommand:`insert` + - :dbcommand:`mapReduce` + - :dbcommand:`update` + + Apply this action to database or collection resources. Database Management Actions --------------------------- From a637c2e764b9bc72ba8af08756f14c297e579dd7 Mon Sep 17 00:00:00 2001 From: Allison Moore Date: Wed, 17 Aug 2016 13:40:35 -0400 Subject: [PATCH 2/2] DOCS-7630: adds privilege reqs to mapReduce cmd/method ref --- source/reference/command/mapReduce.txt | 24 ++++++++++++++++++++++++ source/reference/privilege-actions.txt | 3 +++ 2 files changed, 27 insertions(+) diff --git a/source/reference/command/mapReduce.txt b/source/reference/command/mapReduce.txt index 5993670de7a..f345f6021a7 100644 --- a/source/reference/command/mapReduce.txt +++ b/source/reference/command/mapReduce.txt 
@@ -93,6 +93,30 @@ mapReduce :start-after: start-out :end-before: end-out +Required Access +--------------- + +If your MongoDB deployment enforces authentication, the user executing +the :dbcommand:`mapReduce` command must possess the following +privilege actions: + +Map-reduce with ``{out : inline}`` output option: + - :authaction:`find` + +Map-reduce with the ``replace`` action when :ref:`outputting to a +collection `: + - :authaction:`find`, + - :authaction:`insert`, + - :authaction:`replace` + +Map-reduce with the ``merge`` or ``reduce`` actions when +:ref:`outputting to a collection `: + - :authaction:`find`, + - :authaction:`insert`, + - :authaction:`update` + +The :authrole:`readWrite` built-in role provides the necessary +permissions to perform map-reduce aggregation. Map-Reduce Examples ------------------- diff --git a/source/reference/privilege-actions.txt b/source/reference/privilege-actions.txt index 771d5975f34..c3bd19718c6 100644 --- a/source/reference/privilege-actions.txt +++ b/source/reference/privilege-actions.txt @@ -46,6 +46,9 @@ Query and Write Actions - :dbcommand:`getMore` - :dbcommand:`getPrevError` - :dbcommand:`group` + - :dbcommand:`killCursors` + - :dbcommand:`listCollections` + - :dbcommand:`listIndexes` - :dbcommand:`mapReduce` with the ``{out: inline}`` option. - :dbcommand:`parallelCollectionScan` - :dbcommand:`repairCursor`
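Review bot: In source/includes/extracts-privilege-actions-base.yaml, the last sentence of the `_action-list` content has a subject/verb mismatch: "the :authrole:`read` ... built-in role ... provide the requisite permissions" should read "provides". All four extracts in extracts-privilege-actions.yaml inherit this text, so the error would appear on listCollections, listIndexes, db.collection.getIndexes and db.getCollectionNames; fix it here once. The same sentence would also benefit from saying on which resource the {{listAction}} action must be granted, as the other entries in privilege-actions.txt do with "Apply this action to database or collection resources."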
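Review bot: source/includes/extracts-privilege-actions.yaml ends with "\ No newline at end of file" after the closing "..." marker. Please add the trailing newline so the file matches extracts-privilege-actions-base.yaml and later edits do not produce a spurious diff on the last line.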
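Review bot: In the source/reference/privilege-actions.txt hunk of patch 1/2 (@@ -28,34 +28,126 @@), the findAndModify requirements are stated unconditionally in two places: the remove entry says "Required for the write portion of the :dbcommand:`findAndModify` command" and the update entry says "Required for the :dbcommand:`findAndModify` command", with no condition on either. Read together, an administrator building a least-privilege role would conclude that every findAndModify call needs both remove and update in addition to find. Please state the condition in each entry (the remove entry applies when the command is run with its remove option, the update entry when it is run with an update document), in the same way the insert entry already qualifies itself with "when used with the ``upsert`` option". Minor style point in the same hunk: the find entry writes :method:`db.collection.mapReduce` and :method:`db.collection.findAndModify` without parentheses while the insert, remove and update entries use the "()" form, and the bypassDocumentValidation entry switches from "User can" to "Users can".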
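Review bot: In the source/reference/command/mapReduce.txt hunk of patch 2/2, the list for map-reduce with the ``replace`` action names :authaction:`replace`, but privilege-actions.txt defines no such action. Patch 1/2 documents this case under the remove action ("Required for the :dbcommand:`mapReduce` command ... when you specify the ``replace`` action"), so the third item should be :authaction:`remove`; as written, the role reference will not resolve and a reader copying the list into a custom role will get an invalid action name. Also note that the subject line says "cmd/method ref" while the diffstat only touches command/mapReduce.txt and privilege-actions.txt, so either the method page needs the same Required Access section or the subject should say command only.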
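Review bot: In the source/reference/privilege-actions.txt hunk of patch 2/2 (@@ -46,6 +46,9 @@), :dbcommand:`listCollections` and :dbcommand:`listIndexes` are added to the find list without qualification, which does not match the Required Access text introduced in patch 1/2. That extract says the user needs find "on the {{collection}} collection" (system.namespaces or system.indexes) or the dedicated listCollections / listIndexes action. Please qualify the two new list items the same way, so the reference does not suggest that find on an arbitrary collection is enough to enumerate collections and indexes, and consider linking to the listCollections and listIndexes action entries from here.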