[SERVER-12035] clusterMonitor role missing privileges for MMS compatibility Created: 11/Dec/13  Updated: 28/Sep/16  Resolved: 14/Jan/14

Status: Closed
Project: Core Server
Component/s: Diagnostics, Replication, Security
Affects Version/s: 2.5.4
Fix Version/s: 2.5.5

Type: Bug Priority: Major - P3
Reporter: John Morales Assignee: Spencer Brody (Inactive)
Resolution: Done Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified
Environment:
OS X 10.8.4
MongoDB 2.5.4 community edition

Issue Links:
Documented
is documented by DOCS-9009 clusterMonitor role missing privilege... Closed
Backwards Compatibility: Fully Compatible
Operating System: ALL
Steps To Reproduce:

Not particularly straightforward to repro - I modified my MMS agent to log every exception. (The standard mms.mongodb.com agent ignores a variety of command failures.) I can put together my modified version of the agent if it would help.

Description

The following actions/privileges are not permitted by the 2.6 clusterMonitor role in order to maintain compatibility with MMS:

1.) Permission to read the current profiling level via the {profile: -1} command.
2.) Permission to read the local.oplog.rs namespace for oplog stats.
3.) Permission to read the local.oplog.$main namespace for config svr oplog stats.
4.) Permission to read the local.system.replset namespace for replica set conf.

Also, not sure if related or should be separate ticket, but I'm also occasionally seeing this error from the monitoring agent log (via pymongo) when trying to run dbstats command against both of my clusterMonitor-authed shard secondaries: "expected to be write locked for config.$freelist"

Corresponding trace from MongoDB server log:

...
2013-12-10T17:47:12.279-0500 [conn5] Unauthorized not authorized on admin to execute command { profile: -1 }
2013-12-10T17:47:12.280-0500 [conn5] creating profile collection: cloud-docs.system.profile
2013-12-10T17:47:12.282-0500 [conn5] Unauthorized not authorized on cloud-docs to execute command { profile: -1 }
2013-12-10T17:47:12.289-0500 [conn5] lock status: r recursive:1 otherCount:-1 otherdb:config
2013-12-10T17:47:12.290-0500 [conn5] Assertion: 16105:expected to be write locked for config.$freelist
2013-12-10T17:47:12.343-0500 [conn5] config 0x10063800b 0x1005f7d02 0x1005e864f 0x1005e872d 0x1001b151d 0x10011790f 0x100117a48 0x100117aa4 0x1001b6bc3 0x1001cbe3c 0x1001bebb5 0x1001bfa9d 0x1001c059c 0x100323b6e 0x10032462c 0x1002a84a6 0x100006e34 0x100604e41 0x100669fd5 0x7fff8ea867a2 
 0   mongod                              0x000000010063800b _ZN5mongo15printStackTraceERSo + 43
 1   mongod                              0x00000001005f7d02 _ZN5mongo10logContextEPKc + 114
 2   mongod                              0x00000001005e864f _ZN5mongo11msgassertedEiPKc + 255
 3   mongod                              0x00000001005e872d _ZN5mongo11msgassertedEiRKSs + 29
 4   mongod                              0x00000001001b151d _ZN5mongo4Lock17assertWriteLockedERKNS_10StringDataE + 393
 5   mongod                              0x000000010011790f _ZN5mongo14NamespaceIndex6add_nsERKNS_9NamespaceEPKNS_16NamespaceDetailsE + 95
 6   mongod                              0x0000000100117a48 _ZN5mongo14NamespaceIndex6add_nsERKNS_10StringDataEPKNS_16NamespaceDetailsE + 192
 7   mongod                              0x0000000100117aa4 _ZN5mongo14NamespaceIndex6add_nsERKNS_10StringDataERKNS_7DiskLocEb + 56
 8   mongod                              0x00000001001b6bc3 _ZN5mongo8Database19_initExtentFreeListEv + 137
 9   mongod                              0x00000001001cbe3c _ZN5mongo7DBStats3runERKSsRNS_7BSONObjEiRSsRNS_14BSONObjBuilderEb + 2696
 10  mongod                              0x00000001001bebb5 _ZN5mongo12_execCommandEPNS_7CommandERKSsRNS_7BSONObjEiRSsRNS_14BSONObjBuilderEb + 37
 11  mongod                              0x00000001001bfa9d _ZN5mongo7Command11execCommandEPS0_RNS_6ClientEiPKcRNS_7BSONObjERNS_14BSONObjBuilderEb + 2223
 12  mongod                              0x00000001001c059c _ZN5mongo12_runCommandsEPKcRNS_7BSONObjERNS_11_BufBuilderINS_16TrivialAllocatorEEERNS_14BSONObjBuilderEbi + 1388
 13  mongod                              0x0000000100323b6e _ZN5mongo11runCommandsEPKcRNS_7BSONObjERNS_5CurOpERNS_11_BufBuilderINS_16TrivialAllocatorEEERNS_14BSONObjBuilderEbi + 46
 14  mongod                              0x000000010032462c _ZN5mongo8runQueryERNS_7MessageERNS_12QueryMessageERNS_5CurOpES1_ + 2204
 15  mongod                              0x00000001002a84a6 _ZN5mongo16assembleResponseERNS_7MessageERNS_10DbResponseERKNS_11HostAndPortE + 1958
 16  mongod                              0x0000000100006e34 _ZN5mongo16MyMessageHandler7processERNS_7MessageEPNS_21AbstractMessagingPortEPNS_9LastErrorE + 308
 17  mongod                              0x0000000100604e41 _ZN5mongo17PortMessageServer17handleIncomingMsgEPv + 1681
 18  mongod                              0x0000000100669fd5 thread_proxy + 229
 19  libsystem_c.dylib                   0x00007fff8ea867a2 _pthread_start + 327
2013-12-10T17:47:12.357-0500 [conn5] Unauthorized not authorized on local to execute command { profile: -1 }
...
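The denied commands in the trace above are the quickest way to find out which privileges a monitoring role is missing, so here is a small Python parser for that log format. It is an added example, not code from the ticket, the MMS agent or MongoDB itself; the line-format regexes are assumptions based only on the lines quoted in this ticket (timestamp, bracketed connection id, message), the function names are hypothetical, and the sample input is the ticket's own excerpt reduced to its authorization and assertion lines.

```python
import re
from collections import defaultdict

# Constructed sample input: the mongod log excerpt quoted in this ticket,
# reduced to the authorization and assertion lines of connection conn5.
SAMPLE_LOG = """\
2013-12-10T17:47:12.279-0500 [conn5] Unauthorized not authorized on admin to execute command { profile: -1 }
2013-12-10T17:47:12.280-0500 [conn5] creating profile collection: cloud-docs.system.profile
2013-12-10T17:47:12.282-0500 [conn5] Unauthorized not authorized on cloud-docs to execute command { profile: -1 }
2013-12-10T17:47:12.289-0500 [conn5] lock status: r recursive:1 otherCount:-1 otherdb:config
2013-12-10T17:47:12.290-0500 [conn5] Assertion: 16105:expected to be write locked for config.$freelist
2013-12-10T17:47:12.357-0500 [conn5] Unauthorized not authorized on local to execute command { profile: -1 }
"""

# Assumed line shape (from the ticket's excerpt): timestamp, [connection id], message.
LINE_RE = re.compile(r"^(?P<ts>\S+) \[(?P<conn>[^\]]+)\] (?P<msg>.*)$")
# Authorization failure as it appears in the excerpt; the first key inside the
# braces is the command name, the rest of the command document is ignored.
UNAUTH_RE = re.compile(
    r"^Unauthorized not authorized on (?P<db>\S+) to execute command "
    r"\{ (?P<cmd>[^:,\s]+):"
)
# Server assertion line: "Assertion: <code>:<text>".
ASSERT_RE = re.compile(r"^Assertion: (?P<code>\d+):(?P<text>.*)$")


def parse_mongod_log(text):
    """Return (denied, assertions).

    denied:     {command name: sorted list of databases it was denied on}
    assertions: list of (connection id, assertion code, message)
    """
    denied = defaultdict(set)
    assertions = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # stack-frame continuation lines carry no prefix
        conn, msg = m.group("conn"), m.group("msg")
        u = UNAUTH_RE.match(msg)
        if u:
            denied[u.group("cmd")].add(u.group("db"))
            continue
        a = ASSERT_RE.match(msg)
        if a:
            assertions.append((conn, int(a.group("code")), a.group("text").strip()))
    return {cmd: sorted(dbs) for cmd, dbs in denied.items()}, assertions


def privilege_gap_report(text):
    """One line per denied command (a privilege the role lacks), then one line
    per server assertion, which is a separate kind of failure from an
    authorization denial and is worth tracking on its own."""
    denied, assertions = parse_mongod_log(text)
    lines = [f"denied: {cmd} on {', '.join(dbs)}" for cmd, dbs in sorted(denied.items())]
    lines += [f"assertion {code} on {conn}: {msg}" for conn, code, msg in assertions]
    return lines


if __name__ == "__main__":
    for line in privilege_gap_report(SAMPLE_LOG):
        print(line)
```

Run against the excerpt, the report shows `profile` denied on admin, cloud-docs and local, which is item 1 of the list above, and separately lists assertion 16105; the remaining three items in the list do not show up here because the agent in this run never got as far as reading those namespaces.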



Comments
Comment by Spencer Brody (Inactive) [ 14/Jan/14 ]

https://github.com/mongodb/mongo/commit/e6257f5996ffcfb3c1d1b1aed734a599b05d3456 <- Fixes sporadic test failure.

Comment by Githook User [ 13/Jan/14 ]

Author:

{u'username': u'stbrody', u'name': u'Spencer T Brody', u'email': u'spencer@10gen.com'}

Message: SERVER-12035 Add "oplog" section to serverStatus output
Branch: master
https://github.com/mongodb/mongo/commit/6105f6aa2408ff6f2f95e302e3e39adff51867c8

Comment by Githook User [ 08/Jan/14 ]

Author:

{u'username': u'stbrody', u'name': u'Spencer T Brody', u'email': u'spencer@10gen.com'}

Message: SERVER-12035 Allow clusterMonitor role to get the current profiling level
Branch: master
https://github.com/mongodb/mongo/commit/c3aff7ead075d1ed955d072e083b8527b4bc07fe

Comment by Githook User [ 08/Jan/14 ]

Author:

{u'username': u'stbrody', u'name': u'Spencer T Brody', u'email': u'spencer@10gen.com'}

Message: SERVER-12035 Allow the clusterMonitor role to read local.system.replset
Branch: master
https://github.com/mongodb/mongo/commit/dfdfcefb7d0d7c484ffb6ca2519ec2e0272e25d7

Comment by Andy Schwerin [ 16/Dec/13 ]

I propose that we add the data to the self entry in replSetGetStatus. I propose a field named earliestOptime with the same type and form as the optime field.

Comment by John Morales [ 11/Dec/13 ]

True - to be clear, it's only capturing the first/last entry's timestamp for the timespan, but perhaps there is a different way to obtain this info. E.g., example from ping data:

            "oplog": {
                "start": {
                    "$ts": 1385108946,
                    "$inc": 336
                },
                "rsStats": {
                    "indexSizes": {},
                    "ns": "local.oplog.rs",
                    "max": 9223372036854775807,
                    "count": 660504,
                    "systemFlags": 0,
                    "paddingFactor": 1,
                    "userFlags": 0,
                    "size": 94288036,
                    "lastExtentSize": 104857600,
                    "capped": true,
                    "numExtents": 1,
                    "totalIndexSize": 0,
                    "storageSize": 104857600,
                    "ok": 1,
                    "avgObjSize": 142.75165025495681,
                    "nindexes": 0
                },
                "end": {
                    "$ts": 1386721218,
                    "$inc": 1
                }
            }

Comment by Andy Schwerin [ 11/Dec/13 ]

Is reading the oplog the only way to get oplog stats? I ask because it provides read access to all user data modifications, which isn't typically desirable for a monitor.
