linuxserver / docker-unifi-network-application

GNU General Public License v3.0

[BUG] db permissions not enough #11

Closed andrasg closed 9 months ago

andrasg commented 9 months ago

Is there an existing issue for this?

Current Behavior

Docs recommend creating the db with readWrite permissions:

db.getSiblingDB("MONGO_DBNAME").createUser({user: "MONGO_USER", pwd: "MONGO_PASS", roles: [{role: "readWrite", db: "MONGO_DBNAME"}]});
db.getSiblingDB("MONGO_DBNAME_stat").createUser({user: "MONGO_USER", pwd: "MONGO_PASS", roles: [{role: "readWrite", db: "MONGO_DBNAME_stat"}]});

When I tried this, I got an error:

[2023-09-15 13:45:59,095] <launcher> WARN  AnnotationConfigApplicationContext - Exception encountered during context initialization - cancelling refresh attempt: org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'dbService' defined in com.ubnt.service.DatabaseSpringContext: Invocation of init method failed; nested exception is com.mongodb.MongoCommandException: Command failed with error 13 (Unauthorized): 'not authorized on unifi to execute command { aggregate: "heatmap", pipeline: [ { $match: {} }, { $group: { _id: 1, n: { $sum: 1 } } } ], cursor: {}, $db: "unifi", lsid: { id: UUID("565bc11d-4cb2-4e16-9177-fcbc1aab6dae") } }' on server unifi-db:27017. The full response is {"ok": 0.0, "errmsg": "not authorized on unifi to execute command { aggregate: \"heatmap\", pipeline: [ { $match: {} }, { $group: { _id: 1, n: { $sum: 1 } } } ], cursor: {}, $db: \"unifi\", lsid: { id: UUID(\"565bc11d-4cb2-4e16-9177-fcbc1aab6dae\") } }", "code": 13, "codeName": "Unauthorized"}

I was able to fix it by changing the assigned db permissions to dbAdmin in the init-mongo.js file, removing the db and redeploying:

db.getSiblingDB("MONGO_DBNAME").createUser({user: "MONGO_USER", pwd: "MONGO_PASS", roles: [{role: "dbAdmin", db: "MONGO_DBNAME"}]});
db.getSiblingDB("MONGO_DBNAME_stat").createUser({user: "MONGO_USER", pwd: "MONGO_PASS", roles: [{role: "dbAdmin", db: "MONGO_DBNAME_stat"}]});

Note: I am using mongo:4.4.18 as I am on a rpi4, and I am not able to confirm whether this issue is because of this older mongo version.

Expected Behavior

Docs should contain the right permissions (dbAdmin?) needed so the network controller is able to run.

Steps To Reproduce

  1. deploy stack
  2. mongo-init.js runs with suggested content from docs

Environment

- OS: docker on rpi4 (Linux ha-rpi 6.1.21-v8+ #1642 SMP PREEMPT Mon Apr  3 17:24:16 BST 2023 aarch64 GNU/Linux)
- How docker service was installed: using official docker guidance (apt install container.io)

CPU architecture

arm64

Docker creation

---
version: "2.1"
services:
  unifi-mongo:
    image: mongo:4.4.18
    container_name: unifi-db
    restart: unless-stopped
    environment:
      MONGO_INITDB_DATABASE: unifi
      TZ: Europe/London
    volumes:
      - /home/pi/volumemaps/unifi/db:/config
      - /home/pi/volumemaps/unifi2/mongo-init.js:/docker-entrypoint-initdb.d/init-mongo.js:ro
      - /home/pi/volumemaps/unifi2/db:/data/db
    networks:
    - unifi-network
  unifi-network-application:
    image: lscr.io/linuxserver/unifi-network-application:latest
    container_name: unifi-network-application
    environment:
      - PUID=1000
      - PGID=1000
      - TZ=Europe/London
      - MONGO_USER=unifi
      - MONGO_PASS=password
      - MONGO_HOST=unifi-db
      - MONGO_PORT=27017
      - MONGO_DBNAME=unifi
      - MEM_LIMIT=1024 #optional
      - MEM_STARTUP=1024 #optional
    volumes:
      - /home/pi/volumemaps/unifi2/networkapp:/config
    ports:
      - 192.168.20.39:8443:8443
      - 192.168.20.39:443:8443 # ui
      - 192.168.20.39:3478:3478/udp # stun
      - 192.168.20.39:10001:10001/udp # device discovery
      - 192.168.20.39:8080:8080 # device comms
#      - 1900:1900/udp #optional L2 discovery
      - 192.168.20.39:8843:8843 #optional https redirection
      - 192.168.20.39:8880:8880 #optional http redirection
      - 192.168.20.39:6789:6789 #optional mobile speedtest
      - 192.168.20.39:5514:5514/udp #optional remote syslog
    restart: unless-stopped
    networks:
    - unifi-network
networks:
  unifi-network:
    driver: bridge
    ipam:
      config:
        - subnet: 172.35.0.0/24

Container logs

server.log:

[2023-09-15 13:45:30,186] <launcher> INFO  system - *** Running for the first time, creating identity ***
[2023-09-15 13:45:30,202] <launcher> INFO  system - UUID: b98dae57-e9d0-4a58-9456-13e451e3533c
[2023-09-15 13:45:30,280] <launcher> INFO  system - Reporter UUID: 4fb57895-8aa4-4d7d-b340-c726cdc7a3c5
[2023-09-15 13:45:34,241] <launcher> INFO  tomcat - Adding basic REST API support during the startup
[2023-09-15 13:45:37,694] <launcher> INFO  system - Tomcat startup took 5733ms
[2023-09-15 13:45:37,849] <launcher> INFO  tomcat - Adding basic REST API support during the startup
[2023-09-15 13:45:56,857] <launcher> INFO  db     - Starting database service initialization...
[2023-09-15 13:45:56,858] <launcher> INFO  db     - waiting for db connection...
[2023-09-15 13:45:57,359] <launcher> INFO  db     - Connecting to mongodb://unifi:password@unifi-db:27017/unifi
[2023-09-15 13:45:57,892] <launcher> INFO  db     - db connection established...
[2023-09-15 13:45:58,963] <launcher> INFO  db     - db connected (v4.4.18@mongodb://unifi:password@unifi-db:27017/unifi)
[2023-09-15 13:45:59,095] <launcher> WARN  AnnotationConfigApplicationContext - Exception encountered during context initialization - cancelling refresh attempt: org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'dbService' defined in com.ubnt.service.DatabaseSpringContext: Invocation of init method failed; nested exception is com.mongodb.MongoCommandException: Command failed with error 13 (Unauthorized): 'not authorized on unifi to execute command { aggregate: "heatmap", pipeline: [ { $match: {} }, { $group: { _id: 1, n: { $sum: 1 } } } ], cursor: {}, $db: "unifi", lsid: { id: UUID("565bc11d-4cb2-4e16-9177-fcbc1aab6dae") } }' on server unifi-db:27017. The full response is {"ok": 0.0, "errmsg": "not authorized on unifi to execute command { aggregate: \"heatmap\", pipeline: [ { $match: {} }, { $group: { _id: 1, n: { $sum: 1 } } } ], cursor: {}, $db: \"unifi\", lsid: { id: UUID(\"565bc11d-4cb2-4e16-9177-fcbc1aab6dae\") } }", "code": 13, "codeName": "Unauthorized"}

github-actions[bot] commented 9 months ago

Thanks for opening your first issue here! Be sure to follow the relevant issue templates, or risk having this issue marked as invalid.

aptalca commented 9 months ago

The issue is likely because you're setting MONGO_INITDB_DATABASE: unifi.

You need to only set the init.js file as other initialization steps may/will interfere with the commands in there.

andrasg commented 9 months ago

Perfect, that solved it. Thanks for the quick help!
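
An added example, not part of the original thread or the project's code: a check that the app user exists in both databases with only the documented readWrite role, so a failed init shows up as a finding before any role is widened. The database names unifi and unifi_stat and the user unifi come from the compose file above; the function names and the sample user documents are constructed for illustration.

```javascript
// Added example. Runs under node (constructed sample) or in the mongo shell (live lookup).
// Databases and role as documented on this page: readWrite on unifi and unifi_stat.
const EXPECTED = [
  { db: "unifi", role: "readWrite" },
  { db: "unifi_stat", role: "readWrite" },
];

// Compare one user document (shape of db.getUser(): {user, roles: [{role, db}]} or null)
// against the single role expected on dbName. An empty array means it matches.
function auditUser(userDoc, dbName, expectedRole) {
  if (!userDoc) return [dbName + ": user missing"];
  const roles = userDoc.roles || [];
  const isExpected = (r) => r.role === expectedRole && r.db === dbName;
  const findings = [];
  if (!roles.some(isExpected)) findings.push(dbName + ": missing " + expectedRole);
  roles.filter((r) => !isExpected(r)).forEach((r) =>
    findings.push(dbName + ": unexpected role " + r.role + "@" + r.db));
  return findings;
}

// lookup(dbName, userName) returns the user document or null.
function auditAll(lookup, userName) {
  let findings = [];
  EXPECTED.forEach((e) => {
    findings = findings.concat(auditUser(lookup(e.db, userName), e.db, e.role));
  });
  return findings;
}

// Constructed sample: dbAdmin instead of readWrite on unifi, no user in unifi_stat.
const SAMPLE = {
  unifi: { user: "unifi", roles: [{ role: "dbAdmin", db: "unifi" }] },
  unifi_stat: null,
};
const sampleLookup = (dbName) => SAMPLE[dbName] || null;

// The shell defines a global `db`; node does not, so the sample is used there.
const liveLookup = (dbName, userName) => db.getSiblingDB(dbName).getUser(userName);
const out = typeof print === "function" ? print : console.log;
auditAll(typeof db !== "undefined" ? liveLookup : sampleLookup, "unifi").forEach((f) => out(f));
```

Loaded into the shell inside the unifi-db container, the same file reads the live user documents instead of the sample.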