rwynn / monstache-site

documentation for the monstache project
https://rwynn.github.io/monstache-site/
MIT License

Permissions Error on Admin DB upon startup #25

Closed philbannon closed 1 year ago

philbannon commented 3 years ago

Hey Ryan,

Probably another stupid question, so sorry in advance. We've started to clean up our Mongo DBs and restrict user accounts etc.

I've noticed that when monstache starts we get this error here:

ERROR 2021/06/15 08:06:39 (Unauthorized) not authorized on admin to execute command { serverStatus: 1, lsid: { id: UUID("ca0613e6-b41a-4099-85bd-9c9afd207b6a") }, $clusterTime: { clusterTime: Timestamp(1623740798, 1), signature: { hash: BinData(0, 7651E7F14A06ACE166AA1AF0E6AF6526713118F9), keyId: 6972539819171774466 } }, $db: "admin", $readPreference: { mode: "primary" } }

Now what's interesting here is that the sync still continues to work on the collection, but the error above happens on startup. Are permissions on the admin db required (I'm trying to limit my db service accounts), or is it something stupid I'm doing in my config file (see below)?

mongo-url = "mongodb+srv://xxxxxxxxxx@xxx.xxxxxxxx.mongodb.net"
elasticsearch-urls = ["xxxxxxxxxxxx"]

direct-read-namespaces = ["test.collection"]
change-stream-namespaces = ["test.collection"]
gzip = true
elasticsearch-user = "xxxxxxxxx"
elasticsearch-password = "xxxxxxxxxxxxxx"
elasticsearch-max-conns = 4
dropped-collections = false
dropped-databases = false
replay = false
resume = true
resume-write-unsafe = false
resume-name = "default"
file-highlighting = true
verbose = true
exit-after-direct-reads = false

Thank you!

rwynn commented 3 years ago

hey @philbannon I think when you have resume and direct-read-namespaces, monstache attempts to grab a timestamp from either the serverStatus or replSetGetStatus commands. This timestamp read is done just to update monstache's progress collection for the next restart.

I think you can ignore this error for the most part. If monstache keeps running it will most likely eventually get a change event and use that event to update the timestamp.

There are probably some things I can clean up around this behavior though. Let me know if it becomes a blocker for you.

philbannon commented 3 years ago

Hey @rwynn,

Sorry for the massive delay in my response. Thanks for the comment. No no, it's by no means a blocker, just more of a "crap, did we do something wrong" type of thing. Yeah, monstache seems to still be running fine, so it's a non-issue.

Do you want me to leave the issue open or close it off for you?

ymchun commented 1 year ago

I have the same issue when doing a re-index of the whole mongodb; it seems not enough to just grant read permission. What kind of permission should be granted to the user on the admin db?

my config file

dropped-collections = false
dropped-databases = false
gzip = true
resume = true
resume-name = "123456"

docker run \
    --env MONSTACHE_DIRECT_READ_NS="some namespace" \
    --env MONSTACHE_ES_URLS="elasticsearch host" \
    --env MONSTACHE_MONGO_URL="mongodb://xxxxxx" \
    -v $(pwd)/monstache-config.toml:/monstache-config.toml \
    rwynn/monstache:rel6 \
        -f /monstache-config.toml \
        -direct-read-bounded \
        -direct-read-concur=1 \
        -direct-read-split-max=1 \
        -disable-change-events \
        -exit-after-direct-reads \
        -fail-fast \
        -replay

and the error

ERROR 2022/12/25 08:59:50 (Unauthorized) not authorized on admin to execute command { serverStatus: 1, lsid: { id: UUID("6575fe58-0386-4cf0-b0f3-a747da982be0") }, $clusterTime: { clusterTime: Timestamp(1671958783, 1), signature: { hash: BinData(0, 505D378AC2A78D3EE56493FEEEA3B4835D4CD674), keyId: 7165851581290643461 } }, $db: "admin", $readPreference: { mode: "primary" } }

update: found that db.serverStatus() requires the clusterMonitor permission on the admin db

reference:

mix4242 commented 1 month ago

As mentioned above, granting the clusterMonitor built-in role on the admin db resolves the issue.

For anyone concerned that the role is too permissive, you can easily create a custom role:

// The custom role needs to be created in the admin db as it applies to the cluster resource
// (mongosh is JavaScript, so comments use // rather than #)
use admin

// Create a custom role that only allows the 'serverStatus' action
db.createRole({ role: "serverStatusRole", privileges: [{ resource: { cluster: true }, actions: ["serverStatus"] }], roles: [] })

// Grant the custom role to the MongoDB user
db.grantRolesToUser("<MONGODB_USERNAME>", [{ role: "serverStatusRole", db: "admin" }])
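A companion check for the custom-role approach above, written by me as an added example rather than taken from monstache or from any poster: it audits the effective privileges of a sync service account against a least-privilege policy and lists anything beyond it, so the difference between clusterMonitor and the narrow serverStatusRole becomes visible. It runs under Node without a server; the two privilege lists are constructed stand-ins for what `db.getUser(name, { showPrivileges: true })` returns (a representative subset of clusterMonitor's actions, not the full set), and the policy itself (read-level actions on the `test` database plus only the `serverStatus` cluster action) is an assumption about what the account in this thread needs.

```javascript
// Added example (not monstache's or a poster's code): audit a MongoDB user's
// effective privileges against a least-privilege policy for a sync account.
// Assumption: the account needs read-level actions on the "test" database
// (the namespace used in the config above) and only the "serverStatus"
// cluster action (what the custom role above grants).
const policy = [
  {
    resource: { db: "test", collection: "" }, // "" = every collection in the db
    actions: ["changeStream", "collStats", "dbStats", "find", "killCursors",
              "listCollections", "listIndexes"],
  },
  { resource: { cluster: true }, actions: ["serverStatus"] },
];

// Does a policy resource cover a granted resource? A policy entry may be
// broader than the grant (a db-wide entry covers a single collection), but a
// grant broader than every policy entry is never covered.
function covers(policyRes, grantedRes) {
  if (policyRes.anyResource) return true;
  if (policyRes.cluster) return grantedRes.cluster === true;
  if (grantedRes.cluster || grantedRes.anyResource) return false;
  const dbOk = policyRes.db === "" || policyRes.db === grantedRes.db;
  const collOk = policyRes.collection === "" ||
                 policyRes.collection === grantedRes.collection;
  return dbOk && collOk;
}

// Human-readable name for a resource document in the audit report.
function describeResource(res) {
  if (res.anyResource) return "anyResource";
  if (res.cluster) return "cluster";
  return `${res.db || "*"}.${res.collection || "*"}`;
}

// Return every (resource, action) pair the user holds that the policy does
// not allow. Input shape matches the inheritedPrivileges array of getUser.
function auditPrivileges(inheritedPrivileges, allowed) {
  const excess = [];
  for (const priv of inheritedPrivileges) {
    const matching = allowed.filter((p) => covers(p.resource, priv.resource));
    for (const action of priv.actions) {
      if (!matching.some((p) => p.actions.includes(action))) {
        excess.push({ resource: describeResource(priv.resource), action });
      }
    }
  }
  return excess;
}

// Constructed sample: an account holding read@test plus clusterMonitor@admin.
// Only a representative subset of clusterMonitor's cluster actions is listed.
const broadGrant = [
  { resource: { db: "test", collection: "" },
    actions: ["changeStream", "collStats", "dbStats", "find", "killCursors",
              "listCollections", "listIndexes"] },
  { resource: { cluster: true },
    actions: ["serverStatus", "replSetGetStatus", "hostInfo", "listDatabases",
              "getShardMap"] },
];

// Constructed sample: read limited to the one synced collection plus the
// narrow serverStatusRole from the thread above.
const tightGrant = [
  { resource: { db: "test", collection: "collection" },
    actions: ["changeStream", "find", "listIndexes"] },
  { resource: { cluster: true }, actions: ["serverStatus"] },
];

// Stand-alone run: report excess privileges for both grants.
for (const [name, grant] of [["clusterMonitor", broadGrant], ["serverStatusRole", tightGrant]]) {
  const excess = auditPrivileges(grant, policy);
  console.log(`${name}: ${excess.length} excess privilege(s)`);
  for (const e of excess) console.log(`  ${e.resource}: ${e.action}`);
}
```

In practice the input comes from `db.getUser("<MONGODB_USERNAME>", { showPrivileges: true }).inheritedPrivileges` in mongosh; the policy is kept deliberately strict (a grant on a whole database is flagged unless the policy itself is db-wide) so that the report only goes quiet when the account holds nothing beyond what the sync needs.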