DOCS-12244: listDB and collection privileges

Author: Kay Kim

source/includes/extracts-listDatabases-auth.yaml

@@ -1,4 +1,76 @@
 ref: listDatabases-auth-privileges
+content: |
+
+   - If ``authorizedDatabases`` is unspecified, and
+   
+     - If the user has :authaction:`listDatabases` action on the
+       cluster resource, :dbcommand:`listDatabases` command returns all
+       databases.
+      
+     - If the user does not have :authaction:`listDatabases` action on
+       the cluster:
+
+       - **For MongoDB 4.0.6+**, :dbcommand:`listDatabases` command returns
+         only the databases for which the user has privileges
+         (including databases for which the user has privileges on
+         specific collections).
+
+       - **For MongoDB 4.0.5**, :dbcommand:`listDatabases` command returns
+         only the databases for which the user has the
+         :authaction:`find` action on the database resource (and not
+         the collection resource).
+
+   - If ``authorizedDatabases`` is ``true``, 
+   
+   
+     - **For MongoDB 4.0.6+**, :dbcommand:`listDatabases` command returns
+       only the databases for which the user has privileges
+       (including databases for which the user has privileges on
+       specific collections).
+
+     - **For MongoDB 4.0.5**, :dbcommand:`listDatabases` command returns
+       only the databases for which the user has the :authaction:`find`
+       action on the database resource (and not the collection
+       resource).
+
+   - If ``authorizedDatabases`` is ``false``, and
+   
+     - If the user has :authaction:`listDatabases` action on the
+       cluster, :dbcommand:`listDatabases` command returns all databases
+
+     - If the user does not have :authaction:`listDatabases` action on
+       the cluster, :dbcommand:`listDatabases` command errors with
+       insufficient permissions.
+---
+ref: listDatabases-auth-privileges-4.0.6
+content: |
+
+   - If ``authorizedDatabases`` is unspecified, and
+   
+     - If the user has :authaction:`listDatabases` action on the
+       cluster resource, :dbcommand:`listDatabases` command returns all
+       databases.
+      
+     - If the user does not have :authaction:`listDatabases` action on
+       the cluster, :dbcommand:`listDatabases` command returns only the
+       databases for which the user has privileges (including databases
+       for which the user has privileges on specific collections).
+
+   - If ``authorizedDatabases`` is ``true``, :dbcommand:`listDatabases`
+     command returns only the databases for which the user has
+     privileges (including databases for which the user has privileges
+     on specific collections).
+
+   - If ``authorizedDatabases`` is ``false``, and
+   
+     - If the user has :authaction:`listDatabases` action on the
+       cluster, :dbcommand:`listDatabases` command returns all databases
+
+     - If the user does not have :authaction:`listDatabases` action on
+       the cluster, :dbcommand:`listDatabases` command errors with
+       insufficient permissions.
+---
+ref: listDatabases-auth-privileges-4.0.5
 content: |
 
    - If ``authorizedDatabases`` is unspecified, and
@@ -16,7 +88,6 @@ content: |
      command returns only the databases for which the user has the
      :authaction:`find` action on the database resource (and not the
      collection resource).
-   
 
    - If ``authorizedDatabases`` is ``false``, and
    
@@ -26,7 +97,6 @@ content: |
      - If the user does not have :authaction:`listDatabases` action on
        the cluster, :dbcommand:`listDatabases` command errors with
        insufficient permissions.
-       
 ---
 ref: listDatabases-auth-4.0.0-4.0.4
 content: |
@@ -38,11 +108,21 @@ content: |
 ---
 ref: listDatabases-auth-4.0.5
 content: |
-   For MongoDB 4.0.5+:
+   For MongoDB 4.0.5:
       If the user does not have the :authaction:`listDatabases`
       privilege action, users can run the :dbcommand:`listDatabases`
       command to return a list of databases for which the user has the
       :authaction:`find` action privilege if the command is run with
       ``authorizedDatabases`` option unspecified or set to ``true``.
-   
+---
+ref: listDatabases-auth-4.0.6
+content: |
+   For MongoDB 4.0.6+:
+      If the user does not have the :authaction:`listDatabases`
+      privilege action, users can run the :dbcommand:`listDatabases`
+      command to return a list of databases for which the user has
+      privileges (including databases for which the user has privileges
+      on specific collections) if the command is run with
+      ``authorizedDatabases`` option unspecified or set to ``true``.
+      
 ...

source/reference/built-in-roles.txt

@@ -61,10 +61,13 @@ Every database includes the following client roles:
    - :authaction:`listIndexes`
    - :authaction:`listCollections`
 
-   .. include:: /includes/extracts/listDatabases-auth-4.0.0-4.0.4.rst
-   
+
+   .. include:: /includes/extracts/listDatabases-auth-4.0.6.rst
+
    .. include:: /includes/extracts/listDatabases-auth-4.0.5.rst
 
+   .. include:: /includes/extracts/listDatabases-auth-4.0.0-4.0.4.rst
+
 .. authrole:: readWrite
 
    .. include:: /includes/extracts/built-in-roles-read-write.rst

source/reference/command/listDatabases.txt

@@ -60,26 +60,48 @@ Behavior
 
 When :doc:`authentication </core/authentication>` is enabled:
 
-- For MongoDB 4.0.5+:
-   The :dbcommand:`listDatabases` command returns different values
-   based on the privileges assigned to the user who
-   executes the command and the ``authorizedDatabases`` command option:
-
-   .. include:: /includes/extracts/listDatabases-auth-privileges.rst
-
-- For MongoDB 4.0.0-4.0.4:
-   The :dbcommand:`listDatabases` command returns different values
-   based on the privileges assigned to the user who
-   executes the command.
-
-   - If the user has the :authaction:`listDatabases` privilege action
-     on the cluster, the :dbcommand:`listDatabases` command returns a
-     list of all existing databases.
-
-   - If the user does not have the :authaction:`listDatabases`
-     privilege action on the cluster, the :dbcommand:`listDatabases`
-     command only returns a list of databases for which the user has
-     the :authaction:`find` action.
+.. tabs::
+
+   tabs:
+
+   - id: mongodb-4.0.6
+     name:  "MongoDB 4.0.6+"
+     content: |
+        For MongoDB 4.0.6+, the :dbcommand:`listDatabases` command
+        returns different values based on the privileges assigned to
+        the user who executes the command and the
+        ``authorizedDatabases`` command option:
+
+        .. include:: /includes/extracts/listDatabases-auth-privileges-4.0.6.rst
+
+   - id: mongodb-4.0.5
+     name:  "MongoDB 4.0.5"
+     content: |
+
+        For MongoDB 4.0.5, the :dbcommand:`listDatabases` command
+        returns different values based on the privileges assigned to
+        the user who executes the command and the
+        ``authorizedDatabases`` command option:
+
+        .. include:: /includes/extracts/listDatabases-auth-privileges-4.0.5.rst
+
+   - id: mongodb-4.0.4
+     name:  "MongoDB 4.0.0-4.0.4"
+     content: |
+
+        For MongoDB 4.0.0-4.0.4, the :dbcommand:`listDatabases` command
+        returns different values based on the privileges assigned to
+        the user who executes the command.
+
+        - If the user has the :authaction:`listDatabases` privilege
+          action on the cluster, the :dbcommand:`listDatabases` command
+          returns a list of all existing databases.
+
+        - If the user does not have the :authaction:`listDatabases`
+          privilege action on the cluster, the
+          :dbcommand:`listDatabases` command only returns a list of
+          databases for which the user has the :authaction:`find`
+          action.
 
 Examples
 --------

source/reference/mongo-shell.txt

@@ -84,6 +84,11 @@ displays some common help methods and commands:
 
      - Print a list of all databases on the server.
 
+       The operation corresponds to the :dbcommand:`listDatabases` command.
+       If the deployment runs with access control, the operation
+       returns different values based on user privileges. See
+       :ref:`listDatabases Behavior <listDatabases-behavior>` for details.
+
    * - ``use <db>``
 
      - Switch current database to ``<db>``. The :binary:`~bin.mongo` shell
@@ -114,6 +119,11 @@ displays some common help methods and commands:
 
      - Print a list of all available databases.
 
+       The operation corresponds to the :dbcommand:`listDatabases` command.
+       If the deployment runs with access control, the operation
+       returns different values based on user privileges. See
+       :ref:`listDatabases Behavior <listDatabases-behavior>` for details.
+
    * - ``load()``
 
      - Execute a JavaScript file. See

source/reference/privilege-actions.txt

@@ -64,10 +64,12 @@ Query and Write Actions
    and :dbcommand:`renameCollection` commands and the
    :method:`db.collection.renameCollection()` helper method.
 
-   .. include:: /includes/extracts/listDatabases-auth-4.0.0-4.0.4.rst
-   
+   .. include:: /includes/extracts/listDatabases-auth-4.0.6.rst
+
    .. include:: /includes/extracts/listDatabases-auth-4.0.5.rst
 
+   .. include:: /includes/extracts/listDatabases-auth-4.0.0-4.0.4.rst
+
    Apply this action to database or collection resources.
 
 .. authaction:: insert
@@ -708,10 +710,12 @@ Diagnostic Actions
    User can perform the :dbcommand:`listDatabases` command. Apply this
    action to the ``cluster`` resource.
 
-   .. include:: /includes/extracts/listDatabases-auth-4.0.0-4.0.4.rst
-   
+   .. include:: /includes/extracts/listDatabases-auth-4.0.6.rst
+
    .. include:: /includes/extracts/listDatabases-auth-4.0.5.rst
 
+   .. include:: /includes/extracts/listDatabases-auth-4.0.0-4.0.4.rst
+
 .. authaction:: listCollections
 
    User can perform the :dbcommand:`listCollections` command. Apply this