[DOCS-13039] Not able to get collection stats of config db Created: 19/Sep/19  Updated: 30/Oct/23

Status: Closed
Project: Documentation
Component/s: manual
Affects Version/s: 3.6.6
Fix Version/s: Server_Docs_20231030

Type: Bug Priority: Major - P3
Reporter: rahul mahor Assignee: Unassigned
Resolution: Won't Do Votes: 0
Labels: docs-investigating, docs-security
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified
Environment:

MongoDB 3.6.3 version.

https://docs.mongodb.com/v3.6/reference/built-in-roles/#cluster-administration-roles


Participants:
Days since reply: 1 year, 14 weeks, 2 days ago

 Description   

Description

User with the following roles:

db.createUser({user:"user15", pwd:"password", roles:[
  {role:"userAdminAnyDatabase", db:"admin"},
  {role:"clusterMonitor", db:"admin"},
  {role:"readAnyDatabase", db:"admin"},
  {role:"read", db:"config"}
]})

 

Not able to fetch system.sessions.stats() of the config db. Error:

db.system.sessions.stats()
{ "ok" : 0, "errmsg" : "not authorized on config to execute command { collStats: \"system.sessions\", scale: undefined, lsid: { id: UUID(\"48024901-b14a-4fa9-b645-ab0b24545c66\") }, $db: \"config\" }", "code" : 13, "codeName" : "Unauthorized"}

With which user role am I able to get these stats? The documentation states that collection stats for all databases can be fetched through the clusterMonitor role. Here I have given all the necessary roles but am not able to fetch the stats of the config db.

Scope of changes

  • Need to clarify whether roles that have a demarcation between "All collections in <X> database" and "only the following system collections" should actually be "All non-system collections..."
  • Generally seems like we need better guidance around how built-in roles work against system collections.

Impact to Other Docs

  • Fixups in 3.6 should be forward-ported if possible. Might make more sense to start with 4.2 and backport more general refinements, making version-specific fixes where possible.

    MVP (Work and Date)

    Resources (Scope or Design Docs, Invision, etc.)



 Comments   
Comment by Education Bot [ 31/Oct/22 ]

Hello! This ticket has been closed due to inactivity. If you believe this ticket is still important, please reopen it and leave a comment to explain why. Thank you!

Comment by Ravind Kumar (Inactive) [ 19/Sep/19 ]

Hi rmahor06@gmail.com

I think this might be an issue with how we have worded our documentation, unfortunately.

Looking at the 3.6 docs for clusterMonitor, the table has two separations:

  • "All collections in the *config* database"
  • system.indexes, system.js, system.namespace collections

I have to double check, but I wonder if we generally do not provide access to system.x collections outside of the listed collections for the clusterMonitor built-in role. That is, the first block should be "All non-system collections in the *config* database". That would, I think, make sense as we often treat system collections more carefully given their internal importance.

Thank you for bringing this to our attention. In the meantime, I would suggest explicitly adding the read built-in role against the system.sessions collection. Try to add a role that specifies both the database and the collection as per this example.

While you have {role : "read", db: "config"} in your user role assignments, we do state the following:

Each of MongoDB’s built-in roles defines access at the database level for all non-system collections in the role’s database and at the collection level for all system collections.

I think what is implied here (and will need to be clarified) is that assigning a role at the database level provides access to all non-system collections in that database. For system collections, you must assign the role at the collection level. I need to verify this, however.
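The rule discussed in the comment above (a database-level grant covers only non-system collections, so a system collection needs a collection-level grant), shown as an added example that is not part of the ticket or MongoDB's own code. The role name `sessionsStatsReader`, the helper functions, and the assumption that `user15` was created in the `admin` database are illustrative; the matcher is a simplified model of resource-document matching.

```javascript
// Added example (not from the ticket): simplified model of privilege matching.
const isSystemCollection = (name) => name.startsWith("system.");

// Does a privilege resource document cover the namespace dbName.collName?
// An empty db matches any database; an empty collection matches only
// non-system collections, so system collections must be named explicitly.
function resourceCovers(resource, dbName, collName) {
  if (resource.db !== "" && resource.db !== dbName) return false;
  if (resource.collection === "") return !isSystemCollection(collName);
  return resource.collection === collName;
}

// True when any privilege grants `action` on dbName.collName.
function isAuthorized(privileges, action, dbName, collName) {
  return privileges.some(
    (p) => p.actions.includes(action) && resourceCovers(p.resource, dbName, collName)
  );
}

// Database-level grant modelling {role: "read", db: "config"} from the ticket
// (only the two actions relevant here are listed).
const dbLevelRead = [
  { resource: { db: "config", collection: "" }, actions: ["find", "collStats"] },
];

// Collection-level grant, in the shape db.createRole() accepts.
// "sessionsStatsReader" is a hypothetical role name.
const sessionsStatsRole = {
  role: "sessionsStatsReader",
  privileges: [
    { resource: { db: "config", collection: "system.sessions" }, actions: ["collStats"] },
  ],
  roles: [],
};

// In the mongo shell (where `db` is defined) create the role and grant it.
// Assumes user15 lives in the admin database; skipped when run under Node.
if (typeof db !== "undefined") {
  const admin = db.getSiblingDB("admin");
  admin.createRole(sessionsStatsRole);
  admin.grantRolesToUser("user15", [{ role: sessionsStatsRole.role, db: "admin" }]);
}
```

The role grants only `collStats` on the one system collection, so the user gains the stats call without read access to session documents.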
