MongoDB admin user cannot access system.views collection

mongodb

One of our MongoDB databases contains a collection called system.views and I cannot find any information for this collection in Mongo Doc:

https://docs.mongodb.com/manual/reference/system-collections/

When I use the admin user to execute the command:

db.system.views.findOne()

It returns an authorization error:

"errmsg" : "not authorized on <database> to execute command { find: \"system.views\", filter: {}, limit: 1.0, singleBatch: true, lsid: { id: UUID(\"98bfa592-4d51-4d4a-964c-687c97444a2c\")}, $clusterTime: { clusterTime: Timestamp(1568022175, 1), signature: { hash: BinData(0, 316762B835CC7EBA0A70B314421B9366D679415C), keyId: 6723325935254241281 } }, $db: \"<database>\" }",

The admin user has these roles:

"roles" : [
        {
                "role" : "userAdminAnyDatabase",
                "db" : "admin"
        },
        {
                "role" : "clusterAdmin",
                "db" : "admin"
        },
        {
                "role" : "dbAdminAnyDatabase",
                "db" : "admin"
        },
        {
                "role" : "readWriteAnyDatabase",
                "db" : "admin"
        }
]

We are using the MongoDB x509 authentication mechanism.

My questions:

  1. What is this system.views collection?
  2. How can I get my admin user authorised to run commands on this collection?

Many thanks.

Best Answer

What is this system.views collection?

As per the Percona blog here, MongoDB 3.4 views are non-materialized views, and behind the scenes the engine runs an aggregation. Creating a view requires that we specify a collection or a previously existing view. When a view is the source collection for another view, it allows us to execute a chained aggregation.

To create a view, we should use the db.createView('view_name', 'source', [pipeline]) command, specifying the view name, the view source collection and the aggregation pipeline. This aggregation pipeline, as well as the other parameters, is saved in the system.views collection. This is the only space that the view will use in the system. A new document is saved in the system.views collection for each view created.

Views appear as a collection when we are listing them. The show collections command shows us views as one collection, but such collections are read-only. To drop a view, we simply execute db.collection.drop(). The collection is removed from the system.collections, but the data remains untouched because it only removes the code that generates the view result.

How can I get my admin user authorised to run command on this collection?

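// Create the role in admin. The empty db string applies the privilege
// to the system.views collection of every database.
use admin
db.runCommand({
  createRole: "readViewCollection",
  privileges: [
    { resource: { db: "", collection: "system.views" }, actions: [ "find" ] }
  ],
  roles: []
})

// grantRolesToUser looks up the user in the current database. x.509 users
// are defined in $external, so for them run the grant from that database
// and name the role as { role: "readViewCollection", db: "admin" }.
db.grantRolesToUser('<your_user>', ['readViewCollection']);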

For your further reference, see here, here and here.
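The following is an added example, not part of the original answer. It models MongoDB's documented resource-matching rule, under which an empty collection string in a privilege excludes system collections, to show why a wildcard-scoped privilege does not reach system.views while the explicitly scoped role from the answer does. The role documents, the role name anyDbWildcard and the database name appdb are constructed for illustration.

```javascript
// Added example: how a privilege's resource document matches a namespace.
// The role documents below are constructed, simplified samples; they are
// not real rolesInfo output.

// True when the resource document covers the namespace db.collection.
function resourceMatches(resource, db, collection) {
  if (resource.anyResource === true) return true;   // internal-use wildcard
  if (resource.cluster === true) return false;      // cluster resource, not a namespace
  const dbOk = resource.db === "" || resource.db === db;
  if (!dbOk) return false;
  const isSystem = collection.startsWith("system.");
  // An empty collection string means "all non-system collections".
  if (resource.collection === "") return !isSystem;
  // An explicit collection name matches, system collection or not.
  return resource.collection === collection;
}

// Names of the roles whose privileges allow `action` on db.collection.
function rolesAllowing(roles, db, collection, action) {
  return roles
    .filter((r) => r.privileges.some((p) =>
      p.actions.includes(action) && resourceMatches(p.resource, db, collection)))
    .map((r) => r.role);
}

const sampleRoles = [
  { // constructed stand-in for a role scoped to every database
    role: "anyDbWildcard",
    privileges: [{ resource: { db: "", collection: "" }, actions: ["find", "insert"] }],
  },
  { // the role created in the answer: find only, system.views only
    role: "readViewCollection",
    privileges: [{ resource: { db: "", collection: "system.views" }, actions: ["find"] }],
  },
];

// Only the explicitly scoped role covers find on system.views.
console.log(rolesAllowing(sampleRoles, "appdb", "system.views", "find"));
// An ordinary collection is covered by the wildcard role instead.
console.log(rolesAllowing(sampleRoles, "appdb", "orders", "find"));
// Nothing grants write actions on system.views.
console.log(rolesAllowing(sampleRoles, "appdb", "system.views", "remove"));
```

Run against the privileges array that rolesInfo returns with showPrivileges: true, the same check lists every role that can read view definitions, which is useful when reviewing who holds the new role.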