[DOCS-11368] Built-in roles dbAdmin + clusterAdmin do not provide sufficient privilege for Atlas Live Migration
Created: 28/Feb/18
Updated: 11/Sep/18
Resolved: 28/Feb/18

Status: Closed
Project: Documentation
Component/s: Atlas
Affects Version/s: None
Fix Version/s: None

Type: Bug
Priority: Critical - P2
Reporter: Lungang Fang
Assignee: Ravind Kumar (Inactive)
Resolution: Done
Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Related
is related to DOCS-11581 Revise permissions to Live migrate a ... Closed
Epic Link: DOCSP-2982
Story Points: 0.1

 Description   

Hi,

The page https://docs.atlas.mongodb.com/import/live-import/index.html#source-cluster-security says:

The dbAdmin and clusterAdmin built-in roles provide sufficient privilege for Atlas to perform the Live Migration procedure.

However, these two roles do not have the privilege to read data from any database and hence make live migration validation fail.

Regards,
Lungang



 Comments   
Comment by Lungang Fang [ 28/Feb/18 ]

In my environment, the source database is a 3-node replica set (MongoDB server version: 3.4.13). I'm able to pass live migration validation with readWriteAnyDatabase@admin and clusterAdmin@admin:

rs:PRIMARY> db.getUser('atlasAdmin')
{
        "_id" : "admin.atlasAdmin",
        "user" : "atlasAdmin",
        "db" : "admin",
        "roles" : [
                {
                        "role" : "readAnyDatabase",
                        "db" : "admin"
                },
                {
                        "role" : "clusterAdmin",
                        "db" : "admin"
                }
        ]
}

Comment by Ravind Kumar (Inactive) [ 28/Feb/18 ]

Merged and published. If it turns out these permissions are also not valid, then we should sync with engineering as there might be some other issue going on here.

Comment by Shane Harvey [ 28/Feb/18 ]

I think it makes the most sense to recommend the "backup" role. That will always provide the permissions that Atlas Import/mongomirror needs even for sharded cluster migration.

Comment by Ravind Kumar (Inactive) [ 28/Feb/18 ]

Whoops. lungang.fang, you're right; that should be dbOwner, which implies read access.

Will do some testing on my end to confirm that read@local and readAnyDatabase@admin suffice for live migration.

Comment by Shane Harvey [ 28/Feb/18 ]

The minimum set of permissions that mongomirror needs on the source cluster is read@local and readAnyDatabase@admin.

Comment by Ravind Kumar (Inactive) [ 28/Feb/18 ]

lungang.fang, the dbAdmin role should imply readWrite. What database did you create the user on?

cory.mintz, shane.harvey, can you advise? I'm wondering if we should be specifying dbAdminAnyDatabase (or specifying dbAdmin@admin) instead of leaving it unclear.
