[SERVER-56741] How was _schema collection created? Created: 07/May/21  Updated: 01/Jun/22  Resolved: 13/May/21

Status: Closed
Project: Core Server
Component/s: None
Affects Version/s: 4.2.8
Fix Version/s: None

Type: Question Priority: Major - P3
Reporter: Aayushi Mangal Assignee: Eric Sedor
Resolution: Done Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Participants:

 Description   

Hi,

We are using trinodb to fetch the data from our existing MongoDB cluster.

In order to make a connection, we created a user with readonly privileges as:

"_id" : "admin.readonly",
"userId" : UUID("***"),
"user" : "readonly",
"db" : "admin",
"roles" : [ { "role" : "clusterMonitor", "db" : "admin" }, { "role" : "readAnyDatabase", "db" : "admin" } ],

 

When we make a connection using trinodb, we found that a collection named "_schema" is created, and we found metadata information like data types and collection names inside it.

https://trino.io/docs/current/connector/mongodb.html#mongodb-schema-collection

Now we are wondering how, with readonly, it is allowed to create the "_schema" collection.

Please help us to understand if we are having any leakage/missing in our user management or anything.



 Comments   
Comment by Eric Sedor [ 13/May/21 ]

Other lines logged by conn557970 include operations I would expect to see from the sharded cluster balancer which runs on the CSRS primary.

Unfortunately I will need to defer to the community forums for further discussion about how to best address your questions.

Comment by Aayushi Mangal [ 13/May/21 ]

Thanks Eric, I will back trace these logs, but before closing it can you highlight the line that is coming from the config primary, and also at least the user name that is creating the collection? As the create collection statement has clearly been logged. You want me to trace all the lines for this connection?

Comment by Eric Sedor [ 13/May/21 ]

aayushi.mangal@visiblealpha.com it looks like these logs do not cover the full lifetime of conn557970, but I see log lines that strongly suggest the connection is from your sharded cluster's config server replica set primary, which is likely not authenticating to this node as an end-user.

This SERVER project is for reporting bugs and making feature suggestions for the MongoDB server. For assistance troubleshooting and understanding where this collection comes from, I encourage you to start with our community by posting on the MongoDB Developer Community Forums. Users there can assist you in tracing operations in sharded clusters and identifying the source of this operation.

If your discussion there leads to evidence of a bug, we would be happy to investigate further here in this jira project.

Comment by Aayushi Mangal [ 13/May/21 ]

Hi Eric, I have checked the details of that connection, but did not find the reason for this. I need your help to debug this and find the reason or any miss we are having at any end.

Logs uploaded

Comment by Eric Sedor [ 11/May/21 ]

aayushi.mangal@visiblealpha.com sorry if I was unclear. I'm asking for the log line that shows what user authenticated on conn557970. If you're unsure, can you please upload the logs to this secure upload portal?

Comment by Aayushi Mangal [ 11/May/21 ]

Hi Eric, my question still persists: how can trinodb create anything from another user also, if it is not allowed/not used or anything?

Comment by Eric Sedor [ 10/May/21 ]

Hi aayushi.mangal@visiblealpha.com, it is my initial suspicion based on the documentation you linked that Trino is creating this collection as part of its management activities using another user. Could you start by confirming in the logs what user authenticated to conn557970 prior to the log line you provided?

Comment by Aayushi Mangal [ 10/May/21 ]

Also this is the log entry:

2021-04-13T06:55:21.328-0500 I ACCESS [conn1476202] Successfully authenticated as principal __system on local from client ip:54380
2021-04-13T06:55:21.484-0500 I STORAGE [conn557970] createCollection: insightsDB._schema with generated UUID: a219482a-e0c9-4308-bf77-a1b629d9c09e and options: {}
2021-04-13T06:55:21.493-0500 I INDEX [conn557970] index build: done building index id on ns insightsDB._schema
2021-04-13T06:55:21.537-0500 I INDEX [conn1475968] index build: starting on insightsDB._schema properties: { v: 2, unique: true, key: { table: 1 }, name: "table_1", ns: "insightsDB._schema" } using method: Hybrid

Comment by Aayushi Mangal [ 10/May/21 ]

Yes, that will fail. Did you find any "_schema" collection already created in your database, with 1 or 2 metadata entries?

 

Comment by Yuya Ebihara [ 07/May/21 ]

As far as I tried in MongoDB 4.2.8 & 4.4.5 and Trino 353, I couldn't reproduce it. The SELECT query (which creates the _schema collection internally) failed with an unauthorized message.

Comment by Aayushi Mangal [ 07/May/21 ]

Connection used: 

connector.name=mongodb
mongodb.seeds=mongo-router
mongodb.read-preference=SECONDARY
mongodb.credentials=readonly:pwd@admin
mongodb.case-insensitive-name-matching=true
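
The check requested in the comments above (which principal authenticated on the connection that logged createCollection) can be scripted over a mongod log. This is an added example, not part of the ticket or of MongoDB's tooling; it assumes the 4.2 plain-text log format shown in the excerpt, and the last two sample lines (conn900, principal appwriter, demoDB.events) are constructed.

```python
import re

# First three lines are copied from the log excerpt in this ticket;
# the last two are constructed to show a connection with a known principal.
SAMPLE_LOG = """\
2021-04-13T06:55:21.328-0500 I ACCESS [conn1476202] Successfully authenticated as principal __system on local from client ip:54380
2021-04-13T06:55:21.484-0500 I STORAGE [conn557970] createCollection: insightsDB._schema with generated UUID: a219482a-e0c9-4308-bf77-a1b629d9c09e and options: {}
2021-04-13T06:55:21.493-0500 I INDEX [conn557970] index build: done building index id on ns insightsDB._schema
2021-04-13T06:55:22.000-0500 I ACCESS [conn900] Successfully authenticated as principal appwriter on admin from client 10.0.0.5:40000
2021-04-13T06:55:22.100-0500 I STORAGE [conn900] createCollection: demoDB.events with generated UUID: 00000000-0000-0000-0000-000000000000 and options: {}
"""

# timestamp, severity letter, component, [context], message
LINE = re.compile(r"^(?P<ts>\S+)\s+\w\s+(?P<comp>\S+)\s+\[(?P<ctx>[^\]]+)\]\s+(?P<msg>.*)$")
AUTH = re.compile(r"^Successfully authenticated as principal (?P<user>\S+) on (?P<db>\S+)")
CREATE = re.compile(r"^createCollection: (?P<ns>\S+)")


def attribute_creates(log_text):
    """Return one record per createCollection line, with the principals that
    had authenticated on the SAME connection earlier in the log."""
    principals = {}   # connection id -> ["user@db", ...] in order seen
    findings = []
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # continuation or non-standard line
        ctx, msg = m["ctx"], m["msg"]
        auth = AUTH.match(msg)
        if auth:
            principals.setdefault(ctx, []).append(f'{auth["user"]}@{auth["db"]}')
            continue
        create = CREATE.match(msg)
        if create:
            findings.append({
                "ts": m["ts"],
                "conn": ctx,
                "ns": create["ns"],
                # Empty list: the auth line for this connection is outside the
                # log window, so the excerpt alone cannot name the user.
                "principals": list(principals.get(ctx, [])),
            })
    return findings


if __name__ == "__main__":
    for f in attribute_creates(SAMPLE_LOG):
        who = ", ".join(f["principals"]) or "UNKNOWN (no auth line for this connection in log)"
        print(f'{f["ts"]} {f["conn"]} created {f["ns"]} as {who}')
```

On the ticket's excerpt the authentication line is on conn1476202 while the createCollection is on conn557970, so the record for insightsDB._schema comes back with no principal; attributing it requires the earlier part of the log where conn557970 authenticated.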
