percona / mongodb_exporter

A Prometheus exporter for MongoDB including sharding, replication and storage engines
Apache License 2.0

Mongo Exporter error - not authorized on admin to execute command #562

Open GayathriRameshK opened 2 years ago

GayathriRameshK commented 2 years ago

Describe the bug

Getting error in mongod -

{"t":{"$date":"2022-09-16T10:25:36.880+00:00"},"s":"I", "c":"ACCESS", "id":20436, "ctx":"conn47584","msg":"Checking authorization failed","attr":{"error":{"code":13,"codeName":"Unauthorized","errmsg":"not authorized on admin to execute command { find: \"system.version\", filter: { _id: \"shardIdentity\" }, limit: 1, singleBatch: true, , $db: \"admin\", $readPreference: { mode: \"primaryPreferred\" } }"}}

{"t":{"$date":"2022-09-16T09:43:36.878+00:00"},"s":"I", "c":"ACCESS", "id":20436, "ctx":"conn46411","msg":"Checking authorization failed","attr":{"error":{"code":13,"codeName":"Unauthorized","errmsg":"not authorized on ais_admindb to execute command { listCollections: 1, filter: {}, nameOnly: true, cursor: {}, , $db: \"testdb\", $readPreference: { mode: \"primaryPreferred\" } }"}}}

To Reproduce

Steps to reproduce the behavior:

  1. Deploy Mongo Exporter version 0.30.0
  2. Mongo DB version - 5.0.6
  3. Roles:
    • name: clusterMonitor db: admin
    • name: read db: local

Expected behavior

  1. Ideally the error should not come for system related databases
  2. It should be able to list collections from User Defined Databases.

Logs

{"t":{"$date":"2022-09-16T10:25:36.880+00:00"},"s":"I", "c":"ACCESS", "id":20436, "ctx":"conn47584","msg":"Checking authorization failed","attr":{"error":{"code":13,"codeName":"Unauthorized","errmsg":"not authorized on admin to execute command { find: \"system.version\", filter: { _id: \"shardIdentity\" }, limit: 1, singleBatch: true, , $db: \"admin\", $readPreference: { mode: \"primaryPreferred\" } }"}}

{"t":{"$date":"2022-09-16T09:43:36.878+00:00"},"s":"I", "c":"ACCESS", "id":20436, "ctx":"conn46411","msg":"Checking authorization failed","attr":{"error":{"code":13,"codeName":"Unauthorized","errmsg":"not authorized on ais_admindb to execute command { listCollections: 1, filter: {}, nameOnly: true, cursor: {}, , $db: \"testdb\", $readPreference: { mode: \"primaryPreferred\" } }"}}}

Environment

BlacCello commented 1 year ago

I can confirm this problem with v0.34.0. There is one entry for the "admin" db and one for another random db that actually contains business-data. The startup arguments are --mongodb.global-conn-pool --collector.diagnosticdata --compatible-mode --no-mongodb.direct-connect, so I am wondering why it tries to listCollections of one of our business databases.

We migrated from the quite old v0.7.0 version, and there we did not have those logs.

The user that is in use has the following roles: [{role:'clusterMonitor', db:'admin'},{role:'read', db:'local'}]

This means the user definitely has no access to the admin and business collections. The question is now: Is the documentation wrong and the exporter user needs more permissions than described in the Readme, or is the exporter trying to access something which is not expected?

rriverak commented 1 year ago

Hi, we are currently having the same problem. After looking at the code, this block could be responsible for the listCollections problem.

The following can be found in the HTTP handler body: https://github.com/percona/mongodb_exporter/blob/d9b417be3969661ce3314e742891ae46bb06ed0e/exporter/exporter.go#L287-L294

As we can see in common.go, listCollections is called once for all non-system databases (includeNamespaces=nil).

https://github.com/percona/mongodb_exporter/blob/d9b417be3969661ce3314e742891ae46bb06ed0e/exporter/common.go#L204-L221

I think nonSystemCollectionsCount returns an error... https://github.com/percona/mongodb_exporter/blob/d9b417be3969661ce3314e742891ae46bb06ed0e/exporter/exporter.go#L288-L289

This happens every time someone calls the http handler...

lisenet commented 1 year ago

We're getting the same problem with exporter version 0.35.0 and MongoDB 4.2 as well as 4.4.

{"t":{"$date":"2023-01-26T17:56:13.835+00:00"},"s":"I", "c":"ACCESS", "id":20436, "ctx":"conn193","msg":"Checking authorization failed","attr":{"error":{"code":13,"codeName":"Unauthorized","errmsg":"not authorized on admin to execute command { find: "system.version", filter: { _id: "shardIdentity" }, limit: 1, singleBatch: true, lsid: { id: UUID() }, $clusterTime: { clusterTime: Timestamp(1674755770, 1), signature: { hash: BinData(0, ), keyId: } }, $db: "admin", $readPreference: { mode: "primary" } }"}}}

{"t":{"$date":"2023-01-26T17:56:17.280+00:00"},"s":"I", "c":"ACCESS", "id":20436, "ctx":"conn193","msg":"Checking authorization failed","attr":{"error":{"code":13,"codeName":"Unauthorized","errmsg":"not authorized on redacted to execute command { listCollections: 1, filter: {}, nameOnly: true, cursor: {}, lsid: { id: UUID() }, $clusterTime: { clusterTime: Timestamp(1674755770, 1), signature: { hash: BinData(0, ), keyId: } }, $db: "redacted", $readPreference: { mode: "primary" } }"}}}

krogulecp commented 1 year ago

We're getting the same error as above with version 0.35.0 and MongoDB 6.0.2

lisenet commented 1 year ago

We've just bumped our MongoDB from 4.4 to 5.0 as well as tried the latest exporter version 0.37.0 - the same problem.

jpuskar commented 1 year ago

Same deal on 0.37.0 and mongodb 6.0.4. Anyone have a workaround?

pclaudinoo commented 1 year ago

Same error on MongoDB 4.4.9 and Exporter 0.39.0. Our workaround was to grant { "role" : "readAnyDatabase", "db" : "admin"} and it works perfectly, but we are resisting putting it in production since it is an undocumented privilege.

OllowainT commented 1 year ago

We also stumbled upon this issue. Currently, it's blowing up the log. The mentioned workaround by pclaudinoo will be no solution for our prod environment also. The clusterMonitor Builtin-Role (with local db read) should have enough permission to get all the metrics without errors.

With version 5.0 the query changed and is using a find instead of listCollections. Maybe that's a thing?

Error Message on 5.0.18: {"t":{"$date":"2023-07-23T23:00:43.263+02:00"},"s":"I", "c":"ACCESS", "id":20436, "ctx":"conn115311","msg":"Checking authorization failed","attr":{"error":{"code":13,"codeName":"Unauthorized","errmsg":"not authorized on admin to execute command { find: \"system.version\", filter: { _id: \"shardIdentity\" }, limit: 1, singleBatch: true, lsid: { id: UUID(\"d232d5be-2acd-46e7-8c51-0934925bd4c1\") }, $clusterTime: { clusterTime: Timestamp(1690146038, 1), signature: { hash: BinData(0, A697C488B34052043B67E12CAEBD3127ED3F604E), keyId: * } }, $db: \"admin\", $readPreference: { mode: \"primary\" } }"}}}

Error Message on 4.4: {"t":{"$date":"2023-07-31T10:01:37.378+02:00"},"s":"I", "c":"ACCESS", "id":20436, "ctx":"conn539485","msg":"Checking authorization failed","attr":{"error":{"code":13,"codeName":"Unauthorized","errmsg":"not authorized on <name> to execute command { listCollections: 1, filter: {}, nameOnly: true, cursor: {}, lsid: { id: UUID(\"038c1db3-b19b-46a9-bb15-3322ef0edaab\") }, $clusterTime: { clusterTime: Timestamp(1690790497, 52), signature: { hash: BinData(0, B99BB1925B01D803255E224502B7D1900FAA077D), keyId: *} }, $db: \"name\", $readPreference: { mode: \"secondaryPreferred\" } }"}}}

Error Message on 4.2: 2023-07-31T15:32:39.277+0200 I ACCESS [conn449914] Unauthorized: not authorized on RetailStoreArticle to execute command { listCollections: 1, filter: {}, nameOnly: true, cursor: {}, lsid: { id: UUID("9d490655-dc9f-4ad8-a347-1b05b80cd28b") }, $clusterTime: { clusterTime: Timestamp(1690810357, 1), signature: { hash: BinData(0, 48F178166C5CCFBBE6D3BEB54CF558E8113377A9), keyId: 7199634372406804481 } }, $db: "RetailStoreArticle", $readPreference: { mode: "secondaryPreferred" } }

abecodes commented 1 year ago

Got the same issue, fixed it like this:

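// Assumption: run in mongosh, where `db` is the current database handle.
const admin = db.getSiblingDB('admin');

// Custom role that grants only `find` on system.version.
admin.createRole({
  role: 'versionFind',
  privileges: [{ resource: { db: '', collection: 'system.version' }, actions: ['find'] }], // may also work if you set db:'admin'
  roles: [],
});
// Exporter user: the documented roles plus the custom role above.
admin.createUser({
  user: process.env.MONGO_EXPORTER_USER,
  pwd: process.env.MONGO_EXPORTER_PASSWORD,
  roles: [
    { role: 'clusterMonitor', db: 'admin' },
    { role: 'read', db: 'local' },
    { role: 'versionFind', db: 'admin' },
  ],
});

FrancoisGuegnaudMB commented 1 year ago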

I also added this privilege to prevent the mongodb error log not authorized on **BUSINESS_DB** to execute command { listCollections: 1,

{ resource: { db: "**BUSINESS_DB**", collection: "" }, actions: [ "listCollections" ] }

Habeeb556 commented 3 months ago

Got the same issue, fixed it like this:

admin.createRole({
  role: 'versionFind',
  privileges: [{ resource: { db: '', collection: 'system.version' }, actions: ['find'] }], // may also work if you set db:'admin'
  roles: [],
});
admin.createUser({
  user: process.env.MONGO_EXPORTER_USER,
  pwd: process.env.MONGO_EXPORTER_PASSWORD,
  roles: [
    { role: 'clusterMonitor', db: 'admin' },
    { role: 'read', db: 'local' },
    { role: 'versionFind', db: 'admin' },
  ],
});

Great, it's resolved. I had a similar issue and managed to resolve it too.

gopitellakulka commented 1 month ago

I'm getting this error from my config server

not authorized on config to execute command { find: "version", filter: {}, projection: { minCompatibleVersion: 0, excluding:0, upgradeId: 0, upgradeState: 0 }, limit: 1, lsid: { id: UUID("4623145c-e760-4d91-9775-d99bc872bf8f") }, $clusterTime: { clusterTime: Timestamp(1725002058,1), signature: { hash: BinData(0, F10C2A4A956C1896E3BB2EB446AF98A223736730), keyId: 7408774274422407193 } }, $readPreference: { mode: "primaryPreferred" }, $db: "config" }
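
Added example, not part of the thread and not code from the exporter project: a small Node.js script that reads mongod "not authorized" lines like the ones quoted above and derives the narrow privilege documents (the shape used in the custom-role comments) instead of granting readAnyDatabase. The function names, the SYSTEM_DBS set and the database name "appdb" are assumptions made for illustration; only find and listCollections, the two commands seen in the thread, are mapped.

```javascript
// Added example, not code from the thread or the exporter project.
// Finds "not authorized" denials in mongod logs (JSON or 4.2 plain text).
const DENIED = /not authorized on (\S+) to execute command \{ (\w+): (?:\\?"([^"\\]+)\\?"|\d+)/;
const SYSTEM_DBS = new Set(['admin', 'local', 'config']);

// Narrowest privilege for a denied command. Only the two commands seen in
// the thread are mapped; anything else is reported, not guessed.
function privilegeFor(db, command, target) {
  if (command === 'find' && target) {
    return { resource: { db, collection: target }, actions: ['find'] };
  }
  if (command === 'listCollections') {
    return { resource: { db, collection: '' }, actions: ['listCollections'] };
  }
  return null;
}

function missingPrivileges(lines) {
  const byResource = new Map();
  const unmapped = new Set();
  for (const line of lines) {
    const m = DENIED.exec(line);
    if (!m) continue; // not an authorization denial
    const [, db, command, target] = m;
    const priv = privilegeFor(db, command, target);
    if (!priv) { unmapped.add(`${db}:${command}`); continue; }
    const key = `${db}\u0000${priv.resource.collection}`; // dedupe repeats
    if (!byResource.has(key)) byResource.set(key, priv);
  }
  const privileges = [...byResource.values()];
  // Non-system databases the monitoring user touched: review before granting.
  const review = [...new Set(privileges.map((p) => p.resource.db))]
    .filter((d) => !SYSTEM_DBS.has(d));
  return { privileges, review, unmapped: [...unmapped] };
}

// Constructed sample lines ("appdb" is a placeholder database name).
const jsonLine = (errmsg) => JSON.stringify({ s: 'I', c: 'ACCESS', id: 20436,
  msg: 'Checking authorization failed',
  attr: { error: { code: 13, codeName: 'Unauthorized', errmsg } } });
const SAMPLE_LOG = [
  jsonLine('not authorized on admin to execute command { find: "system.version", filter: { _id: "shardIdentity" }, limit: 1, $db: "admin" }'),
  jsonLine('not authorized on appdb to execute command { listCollections: 1, filter: {}, nameOnly: true, $db: "appdb" }'),
  '2023-01-01T00:00:00.000+0000 I ACCESS [conn1] Unauthorized: not authorized on appdb to execute command { listCollections: 1, filter: {}, $db: "appdb" }',
  jsonLine('not authorized on config to execute command { find: "version", filter: {}, limit: 1, $db: "config" }'),
  JSON.stringify({ s: 'I', c: 'NETWORK', id: 22943, msg: 'Connection accepted' }),
];
console.log(JSON.stringify(missingPrivileges(SAMPLE_LOG), null, 2));
```

The `review` list separates denials on application databases from those on admin, local and config, so a grant on business data is a deliberate decision rather than a side effect of silencing the log.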