[DOCS-13030] clusterMonitor role user is not able to fetch collections from db Created: 16/Sep/19  Updated: 30/Oct/23

Status: Closed
Project: Documentation
Component/s: Server
Affects Version/s: 3.6.6
Fix Version/s: Server_Docs_20231030

Type: Bug Priority: Major - P3
Reporter: rahul mahor Assignee: Unassigned
Resolution: Won't Do Votes: 0
Labels: docs-investigating
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified
Environment:

MongoDB 3.6.3 .


Participants:
Days since reply: 1 year, 14 weeks, 2 days ago
Epic Link: DOCSP-1769

 Description   


Running with auth.

User role: clusterMonitor, db: admin

In the MongoDB documentation, a clusterMonitor user can read all the collections in all the databases, but in MongoDB 3.6.3, when I tried to fetch the collections from the db, it shows an authorisation error (user is not authorised to run the command):

Command failed with error 13: 'not authorized on test to execute command { listCollections: 1, cursor: { batchSize: 0 }, $db: "test", lsid: { id: UUID("71939577-10f4-41ca-b759-d170b6fca2b6") } }' on server 10.10.30.12:27017. The full response is { "ok" : 0.0, "errmsg" : "not authorized on test to execute command { listCollections: 1, cursor: { batchSize: 0 }, $db: \"test\", lsid: { id: UUID(\"71939577-10f4-41ca-b759-d170b6fca2b6\") } }", "code" : 13, "codeName" : "Unauthorized" }

 

 

 




 Comments   
Comment by Education Bot [ 31/Oct/22 ]

Hello! This ticket has been closed due to inactivity. If you believe this ticket is still important, please reopen it and leave a comment to explain why. Thank you!

Comment by rahul mahor [ 18/Sep/19 ]

Hi,

Thanks for your response.

 

Command run on 3.6.3

show collections

2019-09-18T12:27:13.630+0530 E QUERY    [thread1] Error: listCollections failed: { "ok" : 0, "errmsg" : "not authorized on test to execute command { listCollections: 1.0, filter: {}, lsid: { id: UUID(\"107efc5d-3d56-4944-b284-e3c678f40893\") }, $db: \"test\" }", "code" : 13, "codeName" : "Unauthorized"} :
_getErrorWithCode@src/mongo/shell/utils.js:25:13
DB.prototype._getCollectionInfosCommand@src/mongo/shell/db.js:941:1
DB.prototype.getCollectionInfos@src/mongo/shell/db.js:953:19
DB.prototype.getCollectionNames@src/mongo/shell/db.js:964:16
shellHelper.show@src/mongo/shell/utils.js:853:9
shellHelper@src/mongo/shell/utils.js:750:15
@(shellhelp2):1:1

 

 

User:

{ "_id" : "test.user_cluster", "user" : "user_cluster", "db" : "test", "roles" : [ { "role" : "clusterMonitor", "db" : "admin" } ] }

 

With the same user, the same command run on 4.2: there is no problem and I am able to fetch all collections.

 

 

Comment by Ravind Kumar (Inactive) [ 16/Sep/19 ]

rmahor06@gmail.com copying in your feedback from another ticket:

In MongoDB, the clusterMonitor role has the access to find all the collections in all the databases.
But when I installed MongoDB 3.6.3, I am getting an unauthorised error.
A user with the same role in MongoDB 4.0.2 is able to find all the collections in the db.

I think the behavior you are seeing is likely due to changes introduced in MongoDB 4.0 that allow listCollections to work if specified with certain options. The release notes also reference this, though it's not really straightforward to parse.

Can you verify the exact command you are specifying in 4.0/3.6, as well as whether the user you are authenticating as has any additional roles or privileges attached to it?

If this is a case of the 4.0 behavior not being clear, I think we can make some tweaks to better call out the new behavior. If there's something else going on, however, I would strongly recommend starting with our Community Support Forum. Potential documentation updates would depend on the outcome of discussions on that forum.

As a general note, the clusterMonitor role states that it provides read-only access to monitoring tools. That does not necessarily mean read access to all databases, collections, and documents. Looking at the privilege list, it specifically lists databases, and can list collections for certain system or local collections. If you need explicit all-database access, please use one of the built-in all-database roles.
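An added example, not part of the ticket and not MongoDB's own code: a simplified JavaScript model of the privilege check described in the comment above, run over constructed privilege documents in the shape that `db.getRole(name, { showPrivileges: true })` returns. The sample privilege lists, the custom role and the function names are assumptions made for illustration.

```javascript
// Privilege documents in the shape found under `privileges` in the output of
// db.getRole(<name>, { showPrivileges: true }) in the mongo shell.

// Constructed, abbreviated sample modelled on the comment above: the role can
// list databases, and list collections only on the config and local databases.
const clusterMonitorSample = [
  { resource: { cluster: true }, actions: ["listDatabases"] },
  { resource: { db: "", collection: "" }, actions: ["collStats", "dbStats"] },
  { resource: { db: "config", collection: "" }, actions: ["listCollections"] },
  { resource: { db: "local", collection: "" }, actions: ["listCollections"] },
];

// Hypothetical custom role: listCollections on the "test" database only.
const listTestCollectionsSample = [
  { resource: { db: "test", collection: "" }, actions: ["listCollections"] },
];

// True when a resource document covers `dbName` as a whole database.
// Simplified model: collection-specific resources never cover the database.
function coversDatabase(resource, dbName) {
  if (resource.anyResource === true) return true;
  if (resource.cluster === true) return false;
  if (resource.collection !== "") return false;
  if (resource.db === dbName) return true;
  // Assumption: the all-databases wildcard does not extend to local or config.
  return resource.db === "" && dbName !== "local" && dbName !== "config";
}

// Databases from `dbNames` on which `privileges` grant `action`.
function databasesAllowing(privileges, action, dbNames) {
  return dbNames.filter((name) =>
    privileges.some(
      (p) => p.actions.includes(action) && coversDatabase(p.resource, name)
    )
  );
}

const dbs = ["admin", "config", "local", "test"];
// Monitoring role alone: "test" is absent, matching the error 13 in the ticket.
console.log(databasesAllowing(clusterMonitorSample, "listCollections", dbs));
// A user holding both roles has the union of their privileges.
const merged = clusterMonitorSample.concat(listTestCollectionsSample);
console.log(databasesAllowing(merged, "listCollections", dbs));
```

Running the same function over the real output of `db.getRole` for each role a monitoring account holds shows which databases still need an explicit `listCollections` grant.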

Generated at Thu Feb 08 08:06:46 UTC 2024 using Jira 9.7.1#970001-sha1:2222b88b221c4928ef0de3161136cc90c8356a66.