Basically, the MMS monitoring agent has two ways that it tries to read the oplog. One requires read on the local database and the other requires the permissions in the 2.6 clusterMonitor role. The clusterMonitor role does not give read on the local database. Users are seeing mongod log messages about unauthorized queries to the local db because the monitoring agent currently attempts both methods. The logic may change in the future but in the meantime we should clarify the source of the messages in the mongod log and clarify the fact that they are benign and can be ignored if the mms agent log does not show errors.

The page about MMS agent authorization looks like a good spot for a note about this.