[SERVER-50211] Getting issue "ACCESS [conn298810] Unauthorized: not authorized on admin to execute command { endSessions: [ { id: UUID("acb7b7b0-5cfd-48d9-ae40-25e20d1ead63") } ], $db: "admin" }" Created: 10/Aug/20 Updated: 25/Aug/20 Resolved: 24/Aug/20 |
|
| Status: | Closed |
| Project: | Core Server |
| Component/s: | None |
| Affects Version/s: | 3.6.19 |
| Fix Version/s: | None |
| Type: | Bug | Priority: | Major - P3 |
| Reporter: | Sambasivarao Gajula | Assignee: | Eric Sedor |
| Resolution: | Duplicate | Votes: | 0 |
| Labels: | None | ||
| Remaining Estimate: | Not Specified | ||
| Time Spent: | Not Specified | ||
| Original Estimate: | Not Specified | ||
| Operating System: | ALL |
| Description |
|
I am using mongo-3.6.17 version and enabled the auth in that. With the auth, I am getting the below message continuously in the logs: ACCESS [conn298810] Unauthorized: not authorized on admin to execute command { endSessions: [ { id: UUID("acb7b7b0-5cfd-48d9-ae40-25e20d1ead63") }], $db: "admin" } When I verified the mongo documentation, I have not seen any specific role to execute the endSession command. But in my user roles, I gave almost all high priority roles like dbAdmin, dbOwner ...etc but still getting the same issue. Is there any way to avoid this issue? |
| Comments |
| Comment by Sambasivarao Gajula [ 25/Aug/20 ] |
|
Thanks Eric for providing the required information so far. Regards, Samba. |
| Comment by Eric Sedor [ 24/Aug/20 ] |
|
sivag9@gmail.com, I've found |
| Comment by Eric Sedor [ 20/Aug/20 ] |
|
Samba, To clarify, the log line is triggered when the shell is closed. It is not ping specifically but happens right after your eval option is complete. I'd like to keep this ticket open as I look into that. But, for your questions about how to set up exactly what you need for your users, roles, and for ensuring you are setting up authentication correctly, I encourage you to ask our community by posting on the MongoDB Community Forums. The SERVER project here is for bugs and feature suggestions for the MongoDB server. Thanks! |
| Comment by Sambasivarao Gajula [ 20/Aug/20 ] |
|
Hi Eric, Based on the Google search (https://github.com/helm/charts/issues/12631) I just tried to reproduce the issue with the ping command, but right now I am not sure whether ping alone is causing the issue or any other command is also causing the same issue. Your analysis, "occurs any time an un-authenticated shell connection", is also saying the same point, right? Anyway, I will try from my side as well by authenticating the ping. Right now as part of my work, I am authenticating the DB and adding the users with the roles I mentioned earlier. As part of the operations, my application is not using the ping directly. So, it might be the internal communication in between the mongo DBs. In that case, can you please help on how I can make the ping authenticated, or else which role exactly needs to be added to the existing/new user to access the ping? Thanks,
|
| Comment by Eric Sedor [ 19/Aug/20 ] |
|
Thanks for your patience, Samba, The logs have been helpful and I have been able to reproduce this readily. Initially, it looks like the issue is that the mongo hostNameXXX:27719 --eval "db.adminCommand('ping').ok" --quiet isn't authenticating (with the -u and -p arguments). I can see the "not authorized on admin to execute command { endSessions" occurs any time an un-authenticated shell connection is closed and am working to determine if this is intentional or if it is a bug. In the meantime you should be able to prevent this message by authenticating when running this script. Does that make sense and does this work for you? Eric |
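Added example, not part of the ticket and not MongoDB's own tooling: a Python pass over mongod log text that ties each rejected endSessions command to its connection number, the client address, and the principal that connection authenticated as, if any. The log line layout (including the "Successfully authenticated as principal" message) is assumed from the 3.6 plain-text format, the sample lines are constructed, and `triage` is a hypothetical name.

```python
import re
from collections import Counter

# Constructed sample in the mongod 3.6 plain-text log layout (assumed format).
SAMPLE_LOG = """\
2020-08-10T10:00:01.100+0000 I NETWORK  [listener] connection accepted from 10.0.0.5:51234 #298810 (5 connections now open)
2020-08-10T10:00:01.150+0000 I ACCESS   [conn298810] Unauthorized: not authorized on admin to execute command { endSessions: [ { id: UUID("acb7b7b0-5cfd-48d9-ae40-25e20d1ead63") } ], $db: "admin" }
2020-08-10T10:00:01.151+0000 I NETWORK  [conn298810] end connection 10.0.0.5:51234 (4 connections now open)
2020-08-10T10:00:02.000+0000 I NETWORK  [listener] connection accepted from 10.0.0.9:40000 #298811 (5 connections now open)
2020-08-10T10:00:02.050+0000 I ACCESS   [conn298811] Successfully authenticated as principal appUser on admin
2020-08-10T10:00:03.000+0000 I NETWORK  [conn298811] end connection 10.0.0.9:40000 (4 connections now open)
2020-08-10T10:00:06.100+0000 I NETWORK  [listener] connection accepted from 10.0.0.5:51240 #298812 (5 connections now open)
2020-08-10T10:00:06.150+0000 I ACCESS   [conn298812] Unauthorized: not authorized on admin to execute command { endSessions: [ { id: UUID("00000000-0000-0000-0000-000000000001") } ], $db: "admin" }
"""

ACCEPT = re.compile(r"connection accepted from (\S+):\d+ #(\d+)")
AUTHED = re.compile(r"\[conn(\d+)\] Successfully authenticated as principal (\S+) on (\S+)")
DENIED = re.compile(r"\[conn(\d+)\] Unauthorized: not authorized on admin "
                    r"to execute command \{ endSessions")

def triage(log_text):
    """Return (findings per rejected endSessions, unauthenticated hits per client IP)."""
    client, principal, findings = {}, {}, []
    for line in log_text.splitlines():
        if m := ACCEPT.search(line):
            client[m.group(2)] = m.group(1)          # conn number -> client IP
        elif m := AUTHED.search(line):
            principal[m.group(1)] = f"{m.group(2)}@{m.group(3)}"
        elif m := DENIED.search(line):
            conn = m.group(1)
            findings.append({"conn": conn,
                             "client": client.get(conn, "unknown"),
                             "user": principal.get(conn)})  # None = never authenticated
    per_client = Counter(f["client"] for f in findings if f["user"] is None)
    return findings, per_client

if __name__ == "__main__":
    findings, per_client = triage(SAMPLE_LOG)
    for f in findings:
        print(f"conn{f['conn']} from {f['client']}: "
              f"user={f['user'] or 'none (never authenticated)'}")
    for ip, n in per_client.most_common():
        print(f"{ip}: {n} unauthenticated endSessions rejections")
```

A client address that dominates the per-client count points at the host running the unauthenticated script; a finding with a non-empty user instead indicates an authenticated principal that lacks the privilege.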
| Comment by Sambasivarao Gajula [ 19/Aug/20 ] |
|
Hi Eric, I hope the shared logs are helpful to debug the issue. If you need any further information, please let me know, and also, if you find any suspect point, please share it with me as well. I can also cross-check in my setup. Thanks, |
| Comment by Sambasivarao Gajula [ 14/Aug/20 ] |
|
Hi Eric, Please find the attached log, which is taken from the time mongoAuth was enabled to the time the 'Unauthorized' messages are coming. I have three members in the replica set and have collected the logs from the Primary (hostmgr01) only. At the time of taking the logs, mongoAuth was being enabled member by member, and due to that only, the secondary and Arbiter were not reachable, but at a later point those were reachable. After completion of the mongoAuth, I collected the Users info separately as well and added it below in the attached logs. Please let me know if you need any other info. Thanks, Samba. |
| Comment by Eric Sedor [ 12/Aug/20 ] |
|
The information we are looking for will be logged when the client connects and authenticates. Are you able to provide a log file that covers the whole span of time between the time you connect and the time you see the log messages? |
| Comment by Sambasivarao Gajula [ 11/Aug/20 ] |
|
Hi Eric, Thanks for the response. How can I get the user belonging to 'conn298810' in MongoDB? Please share the command to verify this. I have captured and attached the sample logs and 'Users & Roles' information. Right now I have two users with different roles, but for the information, I tried the same by giving the same roles to both of the users. Thanks, Sambasivarao. |
| Comment by Eric Sedor [ 10/Aug/20 ] |
|
Hi sivag9@gmail.com, Can you help us understand exactly what user is authenticated for conn298810 in the above example? We can help with this if you attach mongod log files for a period of time. That said, we may also need to see the output of getUsers and if any custom roles are in use, getRoles. Sincerely, |
| Comment by Sambasivarao Gajula [ 10/Aug/20 ] |
|
There is a small observation: if I use the ping command continuously without auth credentials, "mongo hostNameXXX:27719 --eval "db.adminCommand('ping').ok" --quiet", I am getting success output as '1', but at the same time I have seen the increase of the above messages at the same rate as the ping command. |