[SERVER-9191] cannot see replsetoplogs when db needs admin logins Created: 31/Mar/13  Updated: 11/Jul/16  Resolved: 26/Jun/13

Status: Closed
Project: Core Server
Component/s: Tools
Affects Version/s: 2.4.1
Fix Version/s: 2.5.1

Type: Bug
Priority: Minor - P4
Reporter: Xiuming Chen
Assignee: Matt Dannenberg
Resolution: Done
Votes: 0
Labels: pull-request
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Attachments: JPEG File 1.jpg    
Issue Links:
Related
Operating System: ALL
Steps To Reproduce:

1. Have a replset
2. Enable auth
3. Create an admin account
4. Enable REST API
5. Go to page: /_replSetOplog?_id=0

 Description   

cannot see replsetoplogs when db needs admin logins
$err: "not authorized for query on local.oplog.rs" code: 16550



 Comments   
Comment by Brett Cave [ 01/Jul/14 ]

Could this bug also be affecting mongooplog when replaying the oplog to a db with authentication enabled?

http://stackoverflow.com/questions/24454372/mongooplog-is-failing-with-unauthorized-error/

I have added a user to admin with readWriteAnyDatabase, clusterAdmin in the admin db, but get the same error message, and am wondering if it's related to this bug, or possibly a new bug. I am seeing this on mongo 2.4.10.

Comment by Matt Kangas [ 26/Jun/13 ]

Impact: fixes broken feature of REST interface. Merged in 23f8257fa

Comment by auto [ 26/Jun/13 ]

Author: Xiuming Chen (cxmcc) <cc@cxm.cc>

Message: SERVER-9191 In oplog page on rest interface, use oplogreader (which did authentication) instead of dbclient (w/o auth) to query oplogs. This fixes the broken oplog page for dbs having an admin account.

Signed-off-by: Matt Kangas <matt.kangas@10gen.com>
Branch: master
https://github.com/mongodb/mongo/commit/23f8257fa37ff164e16094db044a113779f84b2b

Comment by Xiuming Chen [ 05/Apr/13 ]

Hi Eric, I have signed the agreement. Please let me know if there is any problem. Thanks.

Comment by Eric Milkie [ 05/Apr/13 ]

Hi Xiuming. Thanks for the pull request. Have you signed the Contributor Agreement?
I will try to incorporate this fix in the next release.

Comment by Xiuming Chen [ 05/Apr/13 ]

@Jason I am trying to fix this by opening a pull request that I believe is gonna fix this issue:

https://github.com/mongodb/mongo/pull/412

From the code I read, I think the oplog page should fail if the collection local.oplog.rs requires authentication, since the original logic tried to use DBClient to query without auth.

Comment by Xiuming Chen [ 31/Mar/13 ]

The roles of the admin user are set to [ "clusterAdmin", "readWriteAnyDatabase", "dbAdminAnyDatabase" ].
This information is accessible through clients with this admin user account.
However, on the REST UI an error is still prompted: $err: "unauthorized db:local ns:local.oplog.rs lock type:0 client:SOMEIP" code: 10057

Comment by J Rassi [ 31/Mar/13 ]

I assume your admin user has either the role "dbAdminAnyDatabase" or "clusterAdmin" – note that these roles do not have the privilege to view replication statistics. You will need to grant this user the "read" role on the "local" database in order to access this information (however, be warned that the local database contains the oplog, which contains a record of every write to this replica set member).
