
Mongo Exporter error - not authorized on admin to execute command

Open GayathriRameshK opened this issue 2 years ago • 12 comments

Describe the bug

Getting error in mongod -

{"t":{"$date":"2022-09-16T10:25:36.880+00:00"},"s":"I", "c":"ACCESS", "id":20436, "ctx":"conn47584","msg":"Checking authorization failed","attr":{"error":{"code":13,"codeName":"Unauthorized","errmsg":"not authorized on admin to execute command { find: "system.version", filter: { _id: "shardIdentity" }, limit: 1, singleBatch: true, , $db: "admin", $readPreference: { mode: "primaryPreferred" } }"}}

{"t":{"$date":"2022-09-16T09:43:36.878+00:00"},"s":"I", "c":"ACCESS", "id":20436, "ctx":"conn46411","msg":"Checking authorization failed","attr":{"error":{"code":13,"codeName":"Unauthorized","errmsg":"not authorized on ais_admindb to execute command { listCollections: 1, filter: {}, nameOnly: true, cursor: {}, , $db: "testdb", $readPreference: { mode: "primaryPreferred" } }"}}}

To Reproduce

Steps to reproduce the behavior:

  1. Deploy Mongo Exporter version 0.30.0
  2. Mongo DB version - 5.0.6
  3. Roles:
  • name: clusterMonitor, db: admin
  • name: read, db: local

Expected behavior

  1. Ideally the error should not come for system related databases
  2. It should be able to list collections from User Defined Databases.

Logs

{"t":{"$date":"2022-09-16T10:25:36.880+00:00"},"s":"I", "c":"ACCESS", "id":20436, "ctx":"conn47584","msg":"Checking authorization failed","attr":{"error":{"code":13,"codeName":"Unauthorized","errmsg":"not authorized on admin to execute command { find: "system.version", filter: { _id: "shardIdentity" }, limit: 1, singleBatch: true, , $db: "admin", $readPreference: { mode: "primaryPreferred" } }"}}

{"t":{"$date":"2022-09-16T09:43:36.878+00:00"},"s":"I", "c":"ACCESS", "id":20436, "ctx":"conn46411","msg":"Checking authorization failed","attr":{"error":{"code":13,"codeName":"Unauthorized","errmsg":"not authorized on ais_admindb to execute command { listCollections: 1, filter: {}, nameOnly: true, cursor: {}, , $db: "testdb", $readPreference: { mode: "primaryPreferred" } }"}}}

Environment

  • K8s - mongodb community operator
  • MongoDB version - 5.0.6

GayathriRameshK avatar Sep 19 '22 07:09 GayathriRameshK

I can confirm this problem with v0.34.0. There is one entry for the "admin" db and one for another random db that actually contains business-data. The startup arguments are --mongodb.global-conn-pool --collector.diagnosticdata --compatible-mode --no-mongodb.direct-connect, so I am wondering why it tries to listCollections of one of our business databases.

We migrated from the quite old v0.7.0 version, and there we did not have those logs.

The user that is in use has the following roles: [{role:'clusterMonitor', db:'admin'},{role:'read', db:'local'}]

This means the user definitely has no access to the admin and business collections. The question is now: Is the documentation wrong and the exporter user needs more permissions than described in the Readme or is the exporter trying to access something which is not expected?

BlacCello avatar Nov 08 '22 10:11 BlacCello

Hi, we are currently having the same problem. After looking at the code, this block could be responsible for the listCollections problem.

The following can be found in the HTTP handler body: https://github.com/percona/mongodb_exporter/blob/d9b417be3969661ce3314e742891ae46bb06ed0e/exporter/exporter.go#L287-L294

As we can see in common.go, listCollections is called once for all non-system databases (includeNamespaces=nil).

https://github.com/percona/mongodb_exporter/blob/d9b417be3969661ce3314e742891ae46bb06ed0e/exporter/common.go#L204-L221

I think nonSystemCollectionsCount returns an error... https://github.com/percona/mongodb_exporter/blob/d9b417be3969661ce3314e742891ae46bb06ed0e/exporter/exporter.go#L288-L289

This happens every time someone calls the http handler...

rriverak avatar Nov 08 '22 15:11 rriverak

We're getting the same problem with exporter version 0.35.0 and MongoDB 4.2 as well as 4.4.

{"t":{"$date":"2023-01-26T17:56:13.835+00:00"},"s":"I", "c":"ACCESS", "id":20436, "ctx":"conn193","msg":"Checking authorization failed","attr":{"error":{"code":13,"codeName":"Unauthorized","errmsg":"not authorized on admin to execute command { find: "system.version", filter: { _id: "shardIdentity" }, limit: 1, singleBatch: true, lsid: { id: UUID() }, $clusterTime: { clusterTime: Timestamp(1674755770, 1), signature: { hash: BinData(0, ), keyId: } }, $db: "admin", $readPreference: { mode: "primary" } }"}}}

{"t":{"$date":"2023-01-26T17:56:17.280+00:00"},"s":"I", "c":"ACCESS", "id":20436, "ctx":"conn193","msg":"Checking authorization failed","attr":{"error":{"code":13,"codeName":"Unauthorized","errmsg":"not authorized on redacted to execute command { listCollections: 1, filter: {}, nameOnly: true, cursor: {}, lsid: { id: UUID() }, $clusterTime: { clusterTime: Timestamp(1674755770, 1), signature: { hash: BinData(0, ), keyId: } }, $db: "redacted", $readPreference: { mode: "primary" } }"}}}

lisenet avatar Jan 26 '23 18:01 lisenet

We're getting the same error as above with version 0.35.0 and MongoDB 6.0.2

krogulecp avatar Feb 20 '23 15:02 krogulecp

We've just bumped our MongoDB from 4.4 to 5.0 as well as tried the latest exporter version 0.37.0 - the same problem.

lisenet avatar Feb 20 '23 15:02 lisenet

Same deal on 0.37.0 and mongodb 6.0.4. Anyone have a workaround?

jpuskar avatar May 06 '23 23:05 jpuskar

Same error on MongoDB 4.4.9 and Exporter 0.39.0. Our workaround was to grant { "role" : "readAnyDatabase", "db" : "admin"} and it works perfectly, but we are resisting putting it in production since it is an undocumented privilege.

pclaudinoo avatar Jul 25 '23 17:07 pclaudinoo

We also stumbled upon this issue. Currently, it's blowing up the log. The mentioned workaround by pclaudinoo will be no solution for our prod environment also. The clusterMonitor Builtin-Role (with local db read) should have enough permission to get all the metrics without errors.

With version 5.0 the query changed and is using a find instead of listCollections. Maybe that's a thing?

Error Message on 5.0.18: {"t":{"$date":"2023-07-23T23:00:43.263+02:00"},"s":"I", "c":"ACCESS", "id":20436, "ctx":"conn115311","msg":"Checking authorization failed","attr":{"error":{"code":13,"codeName":"Unauthorized","errmsg":"not authorized on admin to execute command { find: \"system.version\", filter: { _id: \"shardIdentity\" }, limit: 1, singleBatch: true, lsid: { id: UUID(\"d232d5be-2acd-46e7-8c51-0934925bd4c1\") }, $clusterTime: { clusterTime: Timestamp(1690146038, 1), signature: { hash: BinData(0, A697C488B34052043B67E12CAEBD3127ED3F604E), keyId: * } }, $db: \"admin\", $readPreference: { mode: \"primary\" } }"}}}

Error Message on 4.4: {"t":{"$date":"2023-07-31T10:01:37.378+02:00"},"s":"I", "c":"ACCESS", "id":20436, "ctx":"conn539485","msg":"Checking authorization failed","attr":{"error":{"code":13,"codeName":"Unauthorized","errmsg":"not authorized on <name> to execute command { listCollections: 1, filter: {}, nameOnly: true, cursor: {}, lsid: { id: UUID(\"038c1db3-b19b-46a9-bb15-3322ef0edaab\") }, $clusterTime: { clusterTime: Timestamp(1690790497, 52), signature: { hash: BinData(0, B99BB1925B01D803255E224502B7D1900FAA077D), keyId: *} }, $db: \"name\", $readPreference: { mode: \"secondaryPreferred\" } }"}}}

Error Message on 4.2: 2023-07-31T15:32:39.277+0200 I ACCESS [conn449914] Unauthorized: not authorized on RetailStoreArticle to execute command { listCollections: 1, filter: {}, nameOnly: true, cursor: {}, lsid: { id: UUID("9d490655-dc9f-4ad8-a347-1b05b80cd28b") }, $clusterTime: { clusterTime: Timestamp(1690810357, 1), signature: { hash: BinData(0, 48F178166C5CCFBBE6D3BEB54CF558E8113377A9), keyId: 7199634372406804481 } }, $db: "RetailStoreArticle", $readPreference: { mode: "secondaryPreferred" } }

OllowainT avatar Jul 31 '23 13:07 OllowainT

Got the same issue, fixed it like this:

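const admin = db.getSiblingDB('admin'); // mongosh: `admin` is not a built-in, so bind it to the admin database
admin.createRole({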
  role: 'versionFind',
  privileges: [{ resource: { db: '', collection: 'system.version' }, actions: ['find'] }], // may also work if you set db:'admin'
  roles: [],
});
admin.createUser({
  user: process.env.MONGO_EXPORTER_USER,
  pwd: process.env.MONGO_EXPORTER_PASSWORD,
  roles: [
    { role: 'clusterMonitor', db: 'admin' },
    { role: 'read', db: 'local' },
    { role: 'versionFind', db: 'admin' },
  ],
});

abecodes avatar Aug 05 '23 18:08 abecodes

I also added this privilege to prevent the mongodb error log not authorized on **BUSINESS_DB** to execute command { listCollections: 1,

{ resource: { db: "**BUSINESS_DB**", collection: "" }, actions: [ "listCollections" ] }

FrancoisGuegnaudMB avatar Sep 13 '23 09:09 FrancoisGuegnaudMB
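
As an added example (not code from the exporter project or from any commenter in this thread): rather than granting readAnyDatabase, the denied commands in mongod's id-20436 ACCESS log lines can be turned into the narrowest privilege list for a custom role, which is what the two comments above do by hand. The log lines are constructed, and the function names, the `shop` database and the role name `exporterExtras` are hypothetical.

```javascript
// Added example. Log lines below are constructed, modelled on the thread's errors.
const mkLine = (c, id, errmsg) => JSON.stringify({
  t: { $date: '2023-01-01T00:00:00.000+00:00' }, s: 'I', c, id, ctx: 'conn1',
  msg: 'Checking authorization failed',
  attr: { error: { code: 13, codeName: 'Unauthorized', errmsg } },
});
const sampleLog = [
  mkLine('ACCESS', 20436, 'not authorized on admin to execute command { find: "system.version", filter: { _id: "shardIdentity" }, limit: 1, $db: "admin" }'),
  mkLine('ACCESS', 20436, 'not authorized on shop to execute command { listCollections: 1, filter: {}, nameOnly: true, $db: "shop" }'),
  mkLine('ACCESS', 20436, 'not authorized on shop to execute command { listCollections: 1, filter: {}, nameOnly: true, $db: "shop" }'),
  mkLine('NETWORK', 22943, 'Connection accepted'),
  'plain-text line from an older log format',
].join('\n');

// Command name -> privilege action that authorizes it (only the two seen in the thread).
const ACTION_FOR = { find: 'find', listCollections: 'listCollections' };

// Extract { db, command, collection } from every id-20436 authorization failure.
function deniedCommands(logText) {
  const denials = [];
  for (const line of logText.split('\n')) {
    let entry;
    try { entry = JSON.parse(line); } catch { continue; } // not structured JSON
    if (entry?.c !== 'ACCESS' || entry.id !== 20436) continue;
    const errmsg = entry.attr?.error?.errmsg ?? '';
    const m = /^not authorized on (\S+) to execute command \{ (\w+): ("[^"]*"|\d+),/.exec(errmsg);
    if (!m) continue;
    // A quoted first argument is a collection name; a bare 1 means database-wide.
    denials.push({ db: m[1], command: m[2], collection: m[3].startsWith('"') ? m[3].slice(1, -1) : '' });
  }
  return denials;
}

// Collapse denials into a deduplicated privileges array for db.createRole().
function minimalPrivileges(denials) {
  const byResource = new Map();
  for (const { db, command, collection } of denials) {
    const action = ACTION_FOR[command];
    if (!action) continue; // unknown command: decide by hand, never auto-grant
    const key = JSON.stringify([db, collection]);
    if (!byResource.has(key)) byResource.set(key, { resource: { db, collection }, actions: [] });
    const actions = byResource.get(key).actions;
    if (!actions.includes(action)) actions.push(action);
  }
  return [...byResource.values()];
}

const role = { role: 'exporterExtras', privileges: minimalPrivileges(deniedCommands(sampleLog)), roles: [] };
console.log(JSON.stringify(role, null, 2));
```

The resulting role document carries only `find` on `admin.system.version` and `listCollections` on the named database, with no `find` on business collections.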

Got the same issue, fixed it like this:

admin.createRole({
  role: 'versionFind',
  privileges: [{ resource: { db: '', collection: 'system.version' }, actions: ['find'] }], // may also work if you set db:'admin'
  roles: [],
});
admin.createUser({
  user: process.env.MONGO_EXPORTER_USER,
  pwd: process.env.MONGO_EXPORTER_PASSWORD,
  roles: [
    { role: 'clusterMonitor', db: 'admin' },
    { role: 'read', db: 'local' },
    { role: 'versionFind', db: 'admin' },
  ],
});

Great, it's resolved. I had a similar issue and managed to resolve it too.

Habeeb556 avatar Jul 09 '24 12:07 Habeeb556