[DOCS-9009] clusterMonitor role missing privileges for MMS compatibility
Created: 28/Sep/16  Updated: 30/Oct/23

Status: Closed
Project: Documentation
Component/s: Server
Affects Version/s: None
Fix Version/s: Server_Docs_20231030

Type: Task
Priority: Major - P3
Reporter: Emily Hall
Assignee: Unassigned
Resolution: Won't Do
Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Documented
documents SERVER-12035 clusterMonitor role missing privilege... Closed
Participants:
Days since reply: 1 year, 14 weeks, 2 days ago
Epic Link: DOCSP-1769

 Description   

The following actions/privileges are not permitted by the 2.6 clusterMonitor role in order to maintain compatibility with MMS:

1.) Permission to read the current profiling level via the {profile: -1} command.
2.) Permission to read the local.oplog.rs namespace for oplog stats.
3.) Permission to read the local.oplog.$main namespace for config svr oplog stats.
4.) Permission to read the local.system.replset namespace for replica set conf.

Also, not sure if this is related or should be a separate ticket, but I'm also occasionally seeing this error from the monitoring agent log (via pymongo) when trying to run the dbstats command against both of my clusterMonitor-authed shard secondaries: "expected to be write locked for config.$freelist"

Corresponding trace from MongoDB server log:

...
2013-12-10T17:47:12.279-0500 [conn5] Unauthorized not authorized on admin to execute command { profile: -1 }
2013-12-10T17:47:12.280-0500 [conn5] creating profile collection: cloud-docs.system.profile
2013-12-10T17:47:12.282-0500 [conn5] Unauthorized not authorized on cloud-docs to execute command { profile: -1 }
2013-12-10T17:47:12.289-0500 [conn5] lock status: r recursive:1 otherCount:-1 otherdb:config
2013-12-10T17:47:12.290-0500 [conn5] Assertion: 16105:expected to be write locked for config.$freelist
2013-12-10T17:47:12.343-0500 [conn5] config 0x10063800b 0x1005f7d02 0x1005e864f 0x1005e872d 0x1001b151d 0x10011790f 0x100117a48 0x100117aa4 0x1001b6bc3 0x1001cbe3c 0x1001bebb5 0x1001bfa9d 0x1001c059c 0x100323b6e 0x10032462c 0x1002a84a6 0x100006e34 0x100604e41 0x100669fd5 0x7fff8ea867a2 
 0   mongod                              0x000000010063800b _ZN5mongo15printStackTraceERSo + 43
 1   mongod                              0x00000001005f7d02 _ZN5mongo10logContextEPKc + 114
 2   mongod                              0x00000001005e864f _ZN5mongo11msgassertedEiPKc + 255
 3   mongod                              0x00000001005e872d _ZN5mongo11msgassertedEiRKSs + 29
 4   mongod                              0x00000001001b151d _ZN5mongo4Lock17assertWriteLockedERKNS_10StringDataE + 393
 5   mongod                              0x000000010011790f _ZN5mongo14NamespaceIndex6add_nsERKNS_9NamespaceEPKNS_16NamespaceDetailsE + 95
 6   mongod                              0x0000000100117a48 _ZN5mongo14NamespaceIndex6add_nsERKNS_10StringDataEPKNS_16NamespaceDetailsE + 192
 7   mongod                              0x0000000100117aa4 _ZN5mongo14NamespaceIndex6add_nsERKNS_10StringDataERKNS_7DiskLocEb + 56
 8   mongod                              0x00000001001b6bc3 _ZN5mongo8Database19_initExtentFreeListEv + 137
 9   mongod                              0x00000001001cbe3c _ZN5mongo7DBStats3runERKSsRNS_7BSONObjEiRSsRNS_14BSONObjBuilderEb + 2696
 10  mongod                              0x00000001001bebb5 _ZN5mongo12_execCommandEPNS_7CommandERKSsRNS_7BSONObjEiRSsRNS_14BSONObjBuilderEb + 37
 11  mongod                              0x00000001001bfa9d _ZN5mongo7Command11execCommandEPS0_RNS_6ClientEiPKcRNS_7BSONObjERNS_14BSONObjBuilderEb + 2223
 12  mongod                              0x00000001001c059c _ZN5mongo12_runCommandsEPKcRNS_7BSONObjERNS_11_BufBuilderINS_16TrivialAllocatorEEERNS_14BSONObjBuilderEbi + 1388
 13  mongod                              0x0000000100323b6e _ZN5mongo11runCommandsEPKcRNS_7BSONObjERNS_5CurOpERNS_11_BufBuilderINS_16TrivialAllocatorEEERNS_14BSONObjBuilderEbi + 46
 14  mongod                              0x000000010032462c _ZN5mongo8runQueryERNS_7MessageERNS_12QueryMessageERNS_5CurOpES1_ + 2204
 15  mongod                              0x00000001002a84a6 _ZN5mongo16assembleResponseERNS_7MessageERNS_10DbResponseERKNS_11HostAndPortE + 1958
 16  mongod                              0x0000000100006e34 _ZN5mongo16MyMessageHandler7processERNS_7MessageEPNS_21AbstractMessagingPortEPNS_9LastErrorE + 308
 17  mongod                              0x0000000100604e41 _ZN5mongo17PortMessageServer17handleIncomingMsgEPv + 1681
 18  mongod                              0x0000000100669fd5 thread_proxy + 229
 19  libsystem_c.dylib                   0x00007fff8ea867a2 _pthread_start + 327
2013-12-10T17:47:12.357-0500 [conn5] Unauthorized not authorized on local to execute command { profile: -1 }
...
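
One way to summarise which commands a monitoring account was denied, and on which databases, from a server log in the format of the trace above. This is an added example, not part of the original ticket or of MongoDB's tooling; the function name `audit_denied_commands` and the regular expressions are assumptions derived only from the line format visible in this trace, and the sample lines are copied from the ticket with the stack frames omitted.

```python
import re
from collections import defaultdict

# Log lines copied from the trace in this ticket (stack frames omitted).
SAMPLE_LOG = """\
2013-12-10T17:47:12.279-0500 [conn5] Unauthorized not authorized on admin to execute command { profile: -1 }
2013-12-10T17:47:12.280-0500 [conn5] creating profile collection: cloud-docs.system.profile
2013-12-10T17:47:12.282-0500 [conn5] Unauthorized not authorized on cloud-docs to execute command { profile: -1 }
2013-12-10T17:47:12.289-0500 [conn5] lock status: r recursive:1 otherCount:-1 otherdb:config
2013-12-10T17:47:12.290-0500 [conn5] Assertion: 16105:expected to be write locked for config.$freelist
2013-12-10T17:47:12.357-0500 [conn5] Unauthorized not authorized on local to execute command { profile: -1 }
"""

# "<timestamp> [<connection>] <message>"; stack frames do not match and are skipped.
LINE = re.compile(r"^(?P<ts>\d{4}-\d{2}-\d{2}T\S+) \[(?P<conn>[^\]]+)\] (?P<msg>.*)$")
DENIED = re.compile(
    r"^Unauthorized not authorized on (?P<db>\S+) "
    r"to execute command (?P<doc>\{.*\})\s*$"
)
ASSERTION = re.compile(r"^Assertion: (?P<code>\d+):(?P<text>.*)$")


def audit_denied_commands(log_text):
    """Return (denied, assertions).

    denied maps (connection, command document) to the databases on which
    that command was refused, in order of first appearance.
    assertions is a list of (connection, code, text) tuples.
    """
    denied = defaultdict(list)
    assertions = []
    for raw in log_text.splitlines():
        line = LINE.match(raw)
        if not line:
            continue  # stack frame or other continuation line
        hit = DENIED.match(line["msg"])
        if hit:
            dbs = denied[(line["conn"], hit["doc"])]
            if hit["db"] not in dbs:
                dbs.append(hit["db"])
            continue
        hit = ASSERTION.match(line["msg"])
        if hit:
            assertions.append((line["conn"], int(hit["code"]), hit["text"].strip()))
    return dict(denied), assertions


if __name__ == "__main__":
    print(audit_denied_commands(SAMPLE_LOG))
```

Grouping by connection and command document makes it easy to see that a single client repeated the same refused command across several databases, which is the pattern a role with a missing privilege produces.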



 Comments   
Comment by Education Bot [ 31/Oct/22 ]

Hello! This ticket has been closed due to inactivity. If you believe this ticket is still important, please reopen it and leave a comment to explain why. Thank you!
