[DOCS-11368] Built-in roles dbAdmin + clusterAdmin do not provide sufficient privilege for Atlas Live Migration

Created: 28/Feb/18 | Updated: 11/Sep/18 | Resolved: 28/Feb/18

| Status: | Closed |
| Project: | Documentation |
| Component/s: | Atlas |
| Affects Version/s: | None |
| Fix Version/s: | None |
| Type: | Bug | Priority: | Critical - P2 |
| Reporter: | Lungang Fang | Assignee: | Ravind Kumar (Inactive) |
| Resolution: | Done | Votes: | 0 |
| Labels: | None |
| Remaining Estimate: | Not Specified |
| Time Spent: | Not Specified |
| Original Estimate: | Not Specified |
| Days since reply: | 5 years, 50 weeks ago |
| Epic Link: | DOCSP-2982 |
| Story Points: | 0.1 |

Description

Hi,

The page https://docs.atlas.mongodb.com/import/live-import/index.html#source-cluster-security says:

However, these two roles do not have the privilege to read data from any database and hence make live migration validation fail.

Regards,

Comments

Comment by Lungang Fang [ 28/Feb/18 ]

In my environment, the source database is a 3-node replica set (MongoDB server version 3.4.13). I'm able to pass live migration validation with readWriteAnyDatabase@admin and clusterAdmin@admin.

Comment by Ravind Kumar (Inactive) [ 28/Feb/18 ]

Merged and published. If it turns out these permissions are also not valid, then we should sync with engineering as there might be some other issue going on here.

Comment by Shane Harvey [ 28/Feb/18 ]

I think it makes the most sense to recommend the "backup" role. That will always provide the permissions that Atlas Import/mongomirror needs even for sharded cluster migration.

Comment by Ravind Kumar (Inactive) [ 28/Feb/18 ]

Whoops. lungang.fang you're right, that should be dbOwner, that implies read access. Will do some testing on my end to confirm that read@local and readAnyDatabase@admin suffice for live migration.

Comment by Shane Harvey [ 28/Feb/18 ]

The minimum set of permissions that mongomirror needs on the source cluster is read@local and readAnyDatabase@admin.

Comment by Ravind Kumar (Inactive) [ 28/Feb/18 ]

lungang.fang the dbAdmin role should imply readWrite. What database did you create the user on? cory.mintz shane.harvey can you advise? I'm wondering if we should be specifying dbAdminAnyDatabase (or specifying dbAdmin@admin) instead of leaving it unclear.