dokku / dokku-mongo

a mongo plugin for dokku
MIT License

not authorized to execute listCollections #132

Closed dblock closed 3 years ago

dblock commented 3 years ago

Description of problem

Unauthorized to run mongo commands such as show collections (my goal is to compact a collection). What am I missing?

How reproducible

Always.

Steps to Reproduce

$ dokku mongo:connect-admin strava-bot
MongoDB shell version: 3.2.1
connecting to: strava-bot

> show collections
2021-04-01T16:03:52.586+0000 E QUERY    [thread1] Error: listCollections failed: {
    "ok" : 0,
    "errmsg" : "not authorized on strava-bot to execute command { listCollections: 1.0, filter: {} }",
    "code" : 13
} :
_getErrorWithCode@src/mongo/shell/utils.js:23:13
DB.prototype._getCollectionInfosCommand@src/mongo/shell/db.js:746:1
DB.prototype.getCollectionInfos@src/mongo/shell/db.js:758:15
DB.prototype.getCollectionNames@src/mongo/shell/db.js:769:12
shellHelper.show@src/mongo/shell/utils.js:695:9
shellHelper@src/mongo/shell/utils.js:594:15
@(shellhelp2):1:1

Actual Results

Not authorized to execute command.

Expected Results

Show collections since I'm admin.

Environment Information

dokku report APP_NAME output

-----> uname: Linux  3.13.0-71-generic #114-Ubuntu SMP Tue Dec 1 02:34:22 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux
-----> memory: 
                     total        used        free      shared  buff/cache   available
       Mem:           7985        5847         297          39        1839        1705
       Swap:             0           0           0
-----> docker version: 
       Client:
        Version:      17.05.0-ce
        API version:  1.29
        Go version:   go1.7.5
        Git commit:   89658be
        Built:        Thu May  4 22:06:06 2017
        OS/Arch:      linux/amd64

       Server:
        Version:      17.05.0-ce
        API version:  1.29 (minimum version 1.12)
        Go version:   go1.7.5
        Git commit:   89658be
        Built:        Thu May  4 22:06:06 2017
        OS/Arch:      linux/amd64
        Experimental: false
-----> docker daemon info: 
       Containers: 193
        Running: 20
        Paused: 0
        Stopped: 173
       Images: 864
       Server Version: 17.05.0-ce
       Storage Driver: aufs
        Root Dir: /mnt/dblock_plum_volume_1/var/lib/docker/aufs
        Backing Filesystem: extfs
        Dirs: 1581
        Dirperm1 Supported: false
       Logging Driver: json-file
       Cgroup Driver: cgroupfs
       Plugins: 
        Volume: local
        Network: bridge host macvlan null overlay
       Swarm: inactive
       Runtimes: runc
       Default Runtime: runc
       Init Binary: docker-init
       containerd version: 9048e5e50717ea4497b757314bad98ea3763c145
       runc version: 9c2d8d184e5da67c95d601382adf14862e4f2228
       init version: 949e6fa
       Security Options:
        apparmor
       Kernel Version: 3.13.0-71-generic
       Operating System: Ubuntu 16.04.6 LTS
       OSType: linux
       Architecture: x86_64
       CPUs: 4
       Total Memory: 7.798GiB
       Name: dblock-plum
       ID: WYMM:UXKU:SC3Z:U2GV:5Y4V:CPD2:4N4V:LJQJ:K45E:MN3L:QY5W:NMQ7
       Docker Root Dir: /mnt/dblock_plum_volume_1/var/lib/docker
       Debug Mode (client): true
       Debug Mode (server): false
       Registry: https://index.docker.io/v1/
       Experimental: false
       Insecure Registries:
        127.0.0.0/8
       Live Restore Enabled: false

WARNING: No swap limit support
-----> sigil version: 0.4.0
-----> herokuish version: 
       herokuish: 0.5.5
       buildpacks:
         heroku-buildpack-multi     v1.0.0
         heroku-buildpack-ruby      v207
         heroku-buildpack-nodejs    v166
         heroku-buildpack-clojure   v84
         heroku-buildpack-python    v162
         heroku-buildpack-java      v66
         heroku-buildpack-gradle    v31
         heroku-buildpack-scala     v86
         heroku-buildpack-play      v26
         heroku-buildpack-php       v166
         heroku-buildpack-go        v136
         buildpack-nginx            v12
-----> dokku version: dokku version 0.19.12
-----> dokku plugins: 
       plugn: 0.3.2
         00_dokku-standard    0.19.12 enabled    dokku core standard plugin
         20_events            0.19.12 enabled    dokku core events logging plugin
         app-json             0.19.12 enabled    dokku core app-json plugin
         apps                 0.19.12 enabled    dokku core apps plugin
         builder-dockerfile   0.19.12 enabled    dokku core builder-dockerfile plugin
         builder-herokuish    0.19.12 enabled    dokku core builder-herokuish plugin
         buildpacks           0.19.12 enabled    dokku core buildpacks plugin
         certs                0.19.12 enabled    dokku core certificate management plugin
         checks               0.19.12 enabled    dokku core checks plugin
         common               0.19.12 enabled    dokku core common plugin
         config               0.19.12 enabled    dokku core config plugin
         docker-options       0.19.12 enabled    dokku core docker-options plugin
         domains              0.19.12 enabled    dokku core domains plugin
         enter                0.19.12 enabled    dokku core enter plugin
         git                  0.19.12 enabled    dokku core git plugin
         letsencrypt          0.9.1 enabled    Automated installation of let's encrypt TLS certificates
         logging-supervisord  0.1.0 enabled    A plugin for dokku that injects supervisord
         logs                 0.19.12 enabled    dokku core logs plugin
         mongo                1.11.2 enabled    dokku mongo service plugin
         network              0.19.12 enabled    dokku core network plugin
         nginx-vhosts         0.19.12 enabled    dokku core nginx-vhosts plugin
         plugin               0.19.12 enabled    dokku core plugin plugin
         proxy                0.19.12 enabled    dokku core proxy plugin
         ps                   0.19.12 enabled    dokku core ps plugin
         repo                 0.19.12 enabled    dokku core repo plugin
         resource             0.19.12 enabled    dokku core resource plugin
         scheduler-docker-local 0.19.12 enabled    dokku core scheduler-docker-local plugin
         shell                0.19.12 enabled    dokku core shell plugin
         ssh-keys             0.19.12 enabled    dokku core ssh-keys plugin
         storage              0.19.12 enabled    dokku core storage plugin
         tags                 0.19.12 enabled    dokku core tags plugin
         tar                  0.19.12 enabled    dokku core tar plugin
         trace                0.19.12 enabled    dokku core trace plugin
=====> strava-bot app information
       App dir:                       /home/dokku/strava-bot   
       Git sha:                       ebfb98b                  
       Deploy source:                 git                      
       Locked:                        false                    
=====> strava-bot buildpacks information
       Buildpacks list:               
xargs: unmatched single quote; by default quotes are special to xargs unless you use the -0 option
=====> strava-bot ssl information
       Ssl dir:                       /home/dokku/strava-bot/tls
       Ssl enabled:                   true                     
       Ssl hostnames:                 slava.playplay.io        
       Ssl expires at:                Jun  9 04:00:37 2021 GMT 
       Ssl issuer:                    C=US,                    
       Ssl starts at:                 Mar 11 04:00:37 2021 GMT 
       Ssl subject:                   CN=slava.playplay.io     
       Ssl verified:                  self signed              
=====> strava-bot checks information
       Checks disabled list:          none                     
       Checks skipped list:           none                     
=====> strava-bot docker options information
       Docker options build:          --link dokku.mongo.strava-bot:dokku-mongo-strava-bot 
       Docker options deploy:         --link dokku.mongo.strava-bot:dokku-mongo-strava-bot --restart=on-failure:10 
       Docker options run:            --link dokku.mongo.strava-bot:dokku-mongo-strava-bot 
=====> strava-bot domains information
       Domains app enabled:           true                     
       Domains app vhosts:            slava.playplay.io        
       Domains global enabled:        true                     
       Domains global vhosts:         dblock-plum.digitalocean.playplay.io
=====> strava-bot git information
       Git deploy branch:             master                   
       Git global deploy branch:      master                   
       Git keep git dir:              false                    
       Git rev env var:               GIT_REV                  
=====> strava-bot network information
       Network bind all interfaces:   false
       Network listeners:             172.17.0.23:5000
=====> strava-bot nginx information
       Nginx bind address ipv4:                                
       Nginx bind address ipv6:       ::                       
=====> strava-bot proxy information
       Proxy enabled:                 true                     
       Proxy type:                    nginx                    
       Proxy port map:                http:80:5000 https:443:5000
=====> strava-bot ps information
       Processes:                     1                        
       Deployed:                      true                     
       Running:                       true                     
       Restore:                       true                     
       Restart policy:                on-failure:10            
       Ps can scale:                  true                     
       Status web.1:                  running    (CID: 96cf20ed9145)
=====> strava-bot scheduler-docker-local information
       Scheduler docker local disable chown:                          
=====> strava-bot storage information
       Storage build mounts:                                   
       Storage deploy mounts:                                  
       Storage run mounts:         

How (deb/make/rpm) and where (AWS, VirtualBox, physical, etc.) was Dokku installed?:

DigitalOcean, deb I believe

dblock commented 3 years ago

> db.runCommand({connectionStatus : 1})
{
    "authInfo" : {
        "authenticatedUsers" : [
            {
                "user" : "admin",
                "db" : "admin"
            }
        ],
        "authenticatedUserRoles" : [
            {
                "role" : "userAdminAnyDatabase",
                "db" : "admin"
            }
        ]
    },
    "ok" : 1
}
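
Why `listCollections` is refused for the session shown above, as an added example that is not part of the original thread or of dokku-mongo: a small JavaScript model of how MongoDB matches a session's roles against a command. The role table is a constructed, partial subset of MongoDB's built-in roles, and the function names are hypothetical.

```javascript
// Added example: simplified model of MongoDB role checks (not dokku-mongo code).
// The action lists are a constructed, partial subset of the built-in roles,
// limited to the commands discussed in this issue.
const USER_ADMIN = ['createUser', 'dropUser', 'grantRole', 'revokeRole', 'viewUser'];
const READ = ['find', 'listCollections', 'listIndexes'];
const READ_WRITE = [...READ, 'insert', 'update', 'remove'];
const DB_ADMIN = ['listCollections', 'listIndexes', 'collStats', 'compact'];

// scope 'db':  applies only to the database the role was granted on
// scope 'any': granted on admin, applies to all databases except local/config
// scope 'all': internal superuser role, applies everywhere
const ROLES = {
  read: { scope: 'db', actions: READ },
  readWrite: { scope: 'db', actions: READ_WRITE },
  dbAdmin: { scope: 'db', actions: DB_ADMIN },
  userAdmin: { scope: 'db', actions: USER_ADMIN },
  readWriteAnyDatabase: { scope: 'any', actions: READ_WRITE },
  dbAdminAnyDatabase: { scope: 'any', actions: DB_ADMIN },
  userAdminAnyDatabase: { scope: 'any', actions: USER_ADMIN },
  root: { scope: 'any', actions: ['*'] }, // simplification: treated as "everything"
  __system: { scope: 'all', actions: ['*'] },
};

function roleCovers(def, grantedOn, targetDb, action) {
  const inScope =
    def.scope === 'all' ||
    (def.scope === 'db' && grantedOn === targetDb) ||
    (def.scope === 'any' && grantedOn === 'admin' && !['local', 'config'].includes(targetDb));
  return inScope && (def.actions.includes('*') || def.actions.includes(action));
}

// Returns the roles (as "role@db") in a connectionStatus authInfo document
// that allow `action` on `targetDb`; an empty array means "not authorized".
function grantingRoles(authInfo, targetDb, action) {
  return authInfo.authenticatedUserRoles
    .filter(({ role, db }) => ROLES[role] && roleCovers(ROLES[role], db, targetDb, action))
    .map(({ role, db }) => `${role}@${db}`);
}

// Picks the database-scoped role with the fewest modelled actions that still
// covers every needed action (a least-privilege heuristic over this subset).
function narrowestRole(targetDb, neededActions) {
  const fits = Object.entries(ROLES)
    .filter(([, def]) => def.scope === 'db')
    .filter(([, def]) => neededActions.every((a) => def.actions.includes(a)))
    .sort(([, a], [, b]) => a.actions.length - b.actions.length);
  return fits.length ? { role: fits[0][0], db: targetDb } : null;
}

// authInfo copied from the connectionStatus output in the issue (MongoDB 3.2.1).
const ISSUE_AUTH = {
  authenticatedUsers: [{ user: 'admin', db: 'admin' }],
  authenticatedUserRoles: [{ role: 'userAdminAnyDatabase', db: 'admin' }],
};
// Constructed for comparison: an admin user that also holds __system and root.
const ROOT_AUTH = {
  authenticatedUsers: [{ user: 'admin', db: 'admin' }],
  authenticatedUserRoles: ['userAdminAnyDatabase', '__system', 'root']
    .map((role) => ({ role, db: 'admin' })),
};

console.log('issue session, listCollections:', grantingRoles(ISSUE_AUTH, 'strava-bot', 'listCollections'));
console.log('issue session, grantRole:', grantingRoles(ISSUE_AUTH, 'strava-bot', 'grantRole'));
console.log('root session, listCollections:', grantingRoles(ROOT_AUTH, 'strava-bot', 'listCollections'));
console.log('narrowest role for show collections + compact:',
  narrowestRole('strava-bot', ['listCollections', 'compact']));
```

In this model the session from the issue can manage users and roles but holds nothing that covers `listCollections` or `compact`, which matches the code 13 error in the report.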

JanRuettinger commented 3 years ago

I get a similar error when I try to call list_collections() with pymongo from a python app.

josegonzalez commented 3 years ago

Does this require admin credentials? The default credentials aren't admin, you'd need to do mongo:connect-admin and then authorize the user to give them access to those commands.

JanRuettinger commented 3 years ago

I tried to do that but there is no user except admin. Do we need to create a new user manually?

What I tried:

dokku mongo:connect-admin
use admin;
db.getUsers();

I can only see the admin user.

josegonzalez commented 3 years ago

Default username is the service username... it def should be there (idk anything about mongodb though).

JanRuettinger commented 3 years ago

I just destroyed all dbs, deleted the plugin, reinstalled it and created a new service.

> db.getUsers();
[
        {
                "_id" : "admin.admin",
                "userId" : UUID("d0a2fa45-ff50-49cf-8adf-489c458f5f27"),
                "user" : "admin",
                "db" : "admin",
                "roles" : [
                        {
                                "role" : "userAdminAnyDatabase",
                                "db" : "admin"
                        },
                        {
                                "role" : "__system",
                                "db" : "admin"
                        },
                        {
                                "role" : "root",
                                "db" : "admin"
                        }
                ]
        }
]

There is no user with the service name. I guess a quick fix is to create the user manually.

BTW: I am on Debian 10.

EDIT: When I create the user manually I need to use the same password as in the MONGO_URL env variable, right?

josegonzalez commented 3 years ago

What is the output of mongodb:info for that service?

JanRuettinger commented 3 years ago

Output of dokku mongo:info <service_name>

=====> test_mongodb mongo service information
       Config dir:          /var/lib/dokku/services/mongo/test_mongodb/config
       Data dir:            /var/lib/dokku/services/mongo/test_mongodb/data
       Dsn:                 mongodb://test_mongodb:85b1e50b3de319091c33fb252d174713@dokku-mongo-test-mongodb:27017/test_mongodb
       Exposed ports:       -
       Id:                  4959752c30771c0100d7ff5fe7de62d86b707aa5aae16f85cd0d0968283600a9
       Internal ip:         172.17.0.3
       Links:               -
       Service root:        /var/lib/dokku/services/mongo/test_mongodb
       Status:              running
       Version:             mongo:3.6.15
➜  ~

josegonzalez commented 3 years ago

So test_mongodb is... somewhere. Where is that user?

JanRuettinger commented 3 years ago

> So test_mongodb is... somewhere. Where is that user?

I wish I knew that. I am trying to figure that out for a couple of hours already. No luck so far.

After a new service is created I get the following two warnings:

2021-04-28T15:36:40.466+0000 I STORAGE  [initandlisten]
2021-04-28T15:36:40.466+0000 I STORAGE  [initandlisten] ** WARNING: Using the XFS filesystem is strongly recommended with the WiredTiger storage engine
2021-04-28T15:36:40.466+0000 I STORAGE  [initandlisten] **          See http://dochub.mongodb.org/core/prodnotes-filesystem
2021-04-28T15:36:41.085+0000 I CONTROL  [initandlisten]
2021-04-28T15:36:41.085+0000 I CONTROL  [initandlisten] ** WARNING: /sys/kernel/mm/transparent_hugepage/enabled is 'always'.
2021-04-28T15:36:41.085+0000 I CONTROL  [initandlisten] **        We suggest setting it to 'never'
2021-04-28T15:36:41.085+0000 I CONTROL  [initandlisten]

Does this help to pinpoint where my error is?

josegonzalez commented 3 years ago

Just tried this out:

# dokku mongo:create test
       Waiting for container to be ready
=====> MongoDB container created: test
=====> test mongo service information
       Config dir:          /var/lib/dokku/services/mongo/test/config
       Data dir:            /var/lib/dokku/services/mongo/test/data
       Dsn:                 mongodb://test:ace043160321d352f4d78d91ae6902d9@dokku-mongo-test:27017/test
       Exposed ports:       -
       Id:                  aae8d589ccc7a7b5cbe0c3b460a91b4ad5e39cd8139dd7c0e6dc54909ed5582f
       Internal ip:         172.17.0.7
       Links:               -
       Service root:        /var/lib/dokku/services/mongo/test
       Status:              running
       Version:             mongo:3.6.15

# dokku mongo:connect-admin test
MongoDB shell version v3.6.15
connecting to: mongodb://127.0.0.1:27017/test?authSource=admin&gssapiServiceName=mongodb
Implicit session: session { "id" : UUID("3ddb7215-18d6-4322-bb2b-ecb97b436306") }
MongoDB server version: 3.6.15
Server has startup warnings:
2021-04-28T19:31:34.865+0000 I STORAGE  [initandlisten]
2021-04-28T19:31:34.865+0000 I STORAGE  [initandlisten] ** WARNING: Using the XFS filesystem is strongly recommended with the WiredTiger storage engine
2021-04-28T19:31:34.865+0000 I STORAGE  [initandlisten] **          See http://dochub.mongodb.org/core/prodnotes-filesystem
> db.getUsers();
[
    {
        "_id" : "test.test",
        "userId" : UUID("aec7071b-ec6e-4bbc-9989-0aa01e3ddd9e"),
        "user" : "test",
        "db" : "test",
        "roles" : [
            {
                "role" : "readWrite",
                "db" : "test"
            }
        ]
    }
]
>
bye

JanRuettinger commented 3 years ago

Hm, weird. Why don't you have an admin user? I feel like we are coming closer ;) Thanks so much for your help!

josegonzalez commented 3 years ago

Can you show me the output of:

dokku report | grep mongo

josegonzalez commented 3 years ago

Note, for the initial issue, the requested command works fine for me. Might just be an issue with an older version of the image that is in use (I'm on 3.6.15 and the issue referenced 3.2.1).

# dokku mongo:create test
       Waiting for container to be ready
=====> MongoDB container created: test
=====> test mongo service information
       Config dir:          /var/lib/dokku/services/mongo/test/config
       Data dir:            /var/lib/dokku/services/mongo/test/data
       Dsn:                 mongodb://test:a098fe92faef8d1abf5ab6c7ab9c86a1@dokku-mongo-test:27017/test
       Exposed ports:       -
       Id:                  983f88455ac387c3081dca54275114bcbc03b15b6e8f9fcd0e9207ea8976991c
       Internal ip:         172.17.0.7
       Links:               -
       Service root:        /var/lib/dokku/services/mongo/test
       Status:              running
       Version:             mongo:3.6.15
root@dokku:~# dokku mongo:connect-admin test
MongoDB shell version v3.6.15
connecting to: mongodb://127.0.0.1:27017/test?authSource=admin&gssapiServiceName=mongodb
Implicit session: session { "id" : UUID("83a26e71-37c8-4225-bd1c-edf970e82161") }
MongoDB server version: 3.6.15
Welcome to the MongoDB shell.
For interactive help, type "help".
For more comprehensive documentation, see
    http://docs.mongodb.org/
Questions? Try the support group
    http://groups.google.com/group/mongodb-user
Server has startup warnings:
2021-04-28T19:55:53.576+0000 I STORAGE  [initandlisten]
2021-04-28T19:55:53.576+0000 I STORAGE  [initandlisten] ** WARNING: Using the XFS filesystem is strongly recommended with the WiredTiger storage engine
2021-04-28T19:55:53.576+0000 I STORAGE  [initandlisten] **          See http://dochub.mongodb.org/core/prodnotes-filesystem
> show collections
>
bye

josegonzalez commented 3 years ago

@JanRuettinger users in mongodb seem to be scoped to specific databases. Are you switching databases before calling getUsers()? When I call it on the admin database, seems to list the admin user.

root@dokku:~# dokku mongo:create test
       Waiting for container to be ready
=====> MongoDB container created: test
=====> test mongo service information
       Config dir:          /var/lib/dokku/services/mongo/test/config
       Data dir:            /var/lib/dokku/services/mongo/test/data
       Dsn:                 mongodb://test:0e46e8460eddbdb2b7802622ce545fc0@dokku-mongo-test:27017/test
       Exposed ports:       -
       Id:                  409913c34f343c37db94e1bfed48b4afe428d021c841c3047e271252343b67ea
       Internal ip:         172.17.0.7
       Links:               -
       Service root:        /var/lib/dokku/services/mongo/test
       Status:              running
       Version:             mongo:3.6.15
root@dokku:~# dokku mongo:connect-admin test
MongoDB shell version v3.6.15
connecting to: mongodb://127.0.0.1:27017/test?authSource=admin&gssapiServiceName=mongodb
Implicit session: session { "id" : UUID("ae655117-3130-4123-a9ef-7f2091c33978") }
MongoDB server version: 3.6.15
Welcome to the MongoDB shell.
For interactive help, type "help".
For more comprehensive documentation, see
    http://docs.mongodb.org/
Questions? Try the support group
    http://groups.google.com/group/mongodb-user
Server has startup warnings:
2021-04-28T19:59:18.794+0000 I STORAGE  [initandlisten]
2021-04-28T19:59:18.795+0000 I STORAGE  [initandlisten] ** WARNING: Using the XFS filesystem is strongly recommended with the WiredTiger storage engine
2021-04-28T19:59:18.795+0000 I STORAGE  [initandlisten] **          See http://dochub.mongodb.org/core/prodnotes-filesystem
> db.system.users.find({}, {"_id" : 1})
>
> db.system.users.find({}, {"_id" : 2})
> db.getUsers()
[
    {
        "_id" : "test.test",
        "userId" : UUID("29589cbb-fbfb-41e2-a693-d228c38884d7"),
        "user" : "test",
        "db" : "test",
        "roles" : [
            {
                "role" : "readWrite",
                "db" : "test"
            }
        ]
    }
]
> show users;
{
    "_id" : "test.test",
    "userId" : UUID("29589cbb-fbfb-41e2-a693-d228c38884d7"),
    "user" : "test",
    "db" : "test",
    "roles" : [
        {
            "role" : "readWrite",
            "db" : "test"
        }
    ]
}
> db.getSiblingDB('admin').getUsers()
[
    {
        "_id" : "admin.admin",
        "userId" : UUID("cf885bc0-f04b-4835-980f-d4e94e93e92a"),
        "user" : "admin",
        "db" : "admin",
        "roles" : [
            {
                "role" : "userAdminAnyDatabase",
                "db" : "admin"
            },
            {
                "role" : "__system",
                "db" : "admin"
            },
            {
                "role" : "root",
                "db" : "admin"
            }
        ]
    }
]
>

JanRuettinger commented 3 years ago

Ah okay, I found my error. Yes, you are right, they are scoped; that's why I didn't see the user. I tried show dbs and couldn't see the db test. I think that's because it's empty. I then tried to create a new database with the test user and that didn't work.

josegonzalez commented 3 years ago

Alright it seems like user scope is the problem here, and using the correct scope for the database in question will allow you to do things on that database. Closing.

dblock commented 3 years ago

> Does this require admin credentials? The default credentials aren't admin, you'd need to do mongo:connect-admin and then authorize the user to give them access to those commands.

I don't think I understand. What do I need to do, specifically, in my example after mongo:connect-admin to be able to run show collections or eventually compact a database?

mawoka-myblock commented 3 years ago

> > Does this require admin credentials? The default credentials aren't admin, you'd need to do mongo:connect-admin and then authorize the user to give them access to those commands.
>
> I don't think I understand. What do I need to do, specifically, in my example after mongo:connect-admin to be able to run show collections or eventually compact a database?

You are not the only one who does not understand it.

josegonzalez commented 3 years ago

If anyone is still having this issue, please open a new ticket with the output of dokku report and the exact commands you are running to:

With all the output as well.