Cannot auto discover databases and collections: cannot list the collections & Checking authorization failed

We appear to be getting a few permissions-related errors. I have seen elsewhere that this could be related to the metrics server.

time="2023-08-01T00:53:04Z" level=error msg="cannot auto discover databases and collections: cannot list the collections for "avatar-store": cannot get the list of collections for discovery: (Unauthorized) not authorized on avatar-store to execute command { listCollections: 1, filter: {}, nameOnly: true, cursor: {}, lsid: { id: UUID("87045589-a8c0-4fd7-800f-3680a205feaa") }, $clusterTime: { clusterTime: Timestamp(1690851181, 2), signature: { hash: BinData(0, 3AEFD3A070F0C63D712A1CD4CF1AB119BAF0495D), keyId: 7235977075700531206 } }, $db: "avatar-store", $readPreference: { mode: "primaryPreferred" } }"

{"t":{"$date":"2023-08-01T00:53:04.387+00:00"},"s":"I", "c":"ACCESS", "id":20436, "ctx":"conn27024609","msg":"Checking authorization failed","attr":{"error":{"code":13,"codeName":"Unauthorized","errmsg":"not authorized on avatar-store to execute command { listCollections: 1, filter: {}, nameOnly: true, cursor: {}, lsid: { id: UUID("87045589-a8c0-4fd7-800f-3680a205feaa") }, $clusterTime: { clusterTime: Timestamp(1690851181, 2), signature: { hash: BinData(0, 3AEFD3A070F0C63D712A1CD4CF1AB119BAF0495D), keyId: 7235977075700531206 } }, $db: "avatar-store", $readPreference: { mode: "primaryPreferred" } }"}}}

psmdb-db.values.yaml

pmm:
  enabled: false
  image:
    repository: percona/pmm-client
    tag: 2.35.0
  serverHost: monitoring-service

replsets:
  - name: rs0
    size: 1
    sidecars:
    - image: percona/mongodb_exporter:0.36
      env:
      - name: EXPORTER_USER
        valueFrom:
          secretKeyRef:
            name: psmdb-db-secrets
            key: MONGODB_CLUSTER_MONITOR_USER
      - name: EXPORTER_PASS
        valueFrom:
          secretKeyRef:
            name: psmdb-db-secrets
            key: MONGODB_CLUSTER_MONITOR_PASSWORD
      - name: POD_IP
        valueFrom:
          fieldRef:
            fieldPath: status.podIP
      - name: MONGODB_URI
        value: "mongodb://$(EXPORTER_USER):$(EXPORTER_PASS)@$(POD_IP):27017"
      args: ["--discovering-mode", "--compatible-mode", "--collect-all", "--mongodb.uri=$(MONGODB_URI)"]
      name: metrics

Any fix or workaround for this? (Strangely, it seems to only be affecting this one db and collection.)
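
The mongod ACCESS entry quoted above names the database and the command that were denied. As an added example (not part of the thread and not Percona's or MongoDB's code), this Node.js script tallies such entries (log id 20436, error code 13) per database and command, then turns the commands whose privilege action has the same name into privilege documents of the shape `db.createRole()` accepts. The sample log lines and all function names are constructed for illustration.

```javascript
// Constructed sample input: mongod structured-log lines modelled on the ACCESS
// entry quoted in the post (errmsg shortened), plus lines that must be ignored.
const SAMPLE_LOG = [
  '{"s":"I","c":"ACCESS","id":20436,"ctx":"conn1","msg":"Checking authorization failed","attr":{"error":{"code":13,"codeName":"Unauthorized","errmsg":"not authorized on avatar-store to execute command { listCollections: 1, filter: {}, nameOnly: true, $db: \\"avatar-store\\" }"}}}',
  '{"s":"I","c":"ACCESS","id":20436,"ctx":"conn2","msg":"Checking authorization failed","attr":{"error":{"code":13,"codeName":"Unauthorized","errmsg":"not authorized on avatar-store to execute command { listCollections: 1, filter: {}, nameOnly: true, $db: \\"avatar-store\\" }"}}}',
  '{"s":"I","c":"NETWORK","id":1,"ctx":"listener","msg":"constructed unrelated entry","attr":{}}',
  'time="2023-08-01T00:53:04Z" level=error msg="exporter line, not JSON"',
].join('\n');

// Captures the database and the command name from an Unauthorized errmsg.
const DENIED = /^not authorized on (\S+) to execute command \{ (\w+):/;

// Commands whose required privilege action has the same name as the command.
// Anything else (for example aggregate) has to be mapped by hand.
const SAME_NAME_ACTIONS = new Set(['listCollections', 'listIndexes', 'collStats', 'dbStats']);

// Returns [{ db, command, count }] for every denied (db, command) pair.
function summarizeDenials(logText) {
  const counts = new Map(); // "db\0command" -> occurrences
  for (const line of logText.split('\n')) {
    let entry;
    try { entry = JSON.parse(line); } catch { continue; } // skip non-JSON lines
    const err = entry && entry.attr && entry.attr.error;
    if (!err || entry.c !== 'ACCESS' || entry.id !== 20436 || err.code !== 13) continue;
    const m = DENIED.exec(err.errmsg || '');
    if (!m) continue;
    const key = `${m[1]}\u0000${m[2]}`;
    counts.set(key, (counts.get(key) || 0) + 1);
  }
  return [...counts].map(([key, count]) => {
    const [db, command] = key.split('\u0000');
    return { db, command, count };
  });
}

// Builds one privilege document per database, scoped to the denied actions only.
function toPrivileges(denials) {
  const byDb = new Map();
  for (const { db, command } of denials) {
    if (!SAME_NAME_ACTIONS.has(command)) continue; // needs manual mapping
    if (!byDb.has(db)) byDb.set(db, new Set());
    byDb.get(db).add(command);
  }
  return [...byDb].map(([db, actions]) => ({
    resource: { db, collection: '' }, // '' = every collection in that database
    actions: [...actions].sort(),
  }));
}

console.log(JSON.stringify(toPrivileges(summarizeDenials(SAMPLE_LOG)), null, 2));
```
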

Hi @Kay_Khan ,

From the above error, it seems to be a lack of privileges granted to MONGODB_CLUSTER_MONITOR_USER.
Kindly share the roles granted to this user. Also verify all the roles and privileges are granted as mentioned in the link.

Regards,
Parag

I believe this user is automatically created by the percona operator? We did not create this user or define its roles.

{
    "_id" : "admin.clusterMonitor",
    "userId" : UUID("d4f1e927-6838-4f2b-b7c6-6ad02431e319"),
    "user" : "clusterMonitor",
    "db" : "admin",
    "credentials" : {
        "SCRAM-SHA-1" : {
         ...
        },
        "SCRAM-SHA-256" : {
          ...
         }
    },
    "roles" : [
        {
            "role" : "explainRole",
            "db" : "admin"
        },
        {
            "role" : "read",
            "db" : "local"
        },
        {
            "role" : "clusterMonitor",
            "db" : "admin"
        }
    ]
}

Hi @Kay_Khan ,

From the above output, the user lacks privileges. Kindly manually add the below-mentioned roles to the above user and verify it.

// updateUser replaces the user's whole role list with this array
db.getSiblingDB("admin").updateUser("clusterMonitor", {
  roles: [
    { role: "explainRole", db: "admin" },
    { role: "clusterMonitor", db: "admin" },
    { role: "read", db: "local" },
    { "db" : "admin", "role" : "readWrite", "collection": "" },
    { "db" : "admin", "role" : "backup" },
    { "db" : "admin", "role" : "clusterMonitor" },
    { "db" : "admin", "role" : "restore" },
    { "db" : "admin", "role" : "pbmAnyAction" }
  ]
})

After adding the necessary roles, if you are still facing the issue, then do let us know.

Regards,
Parag

Sorry for the late response, but if I change the permissions it reverts back instantly.

rs0 [direct: primary] admin> db.getSiblingDB("admin").updateUser("clusterMonitor", { roles: [ { role: "explainRole", db: "admin" }, { role: "clusterMonitor", db: "admin" }, { role: "read", db: "local" }, { db: "admin", role: "readWrite", collection: "" }, { db: "admin", role: "backup" }, { db: "admin", role: "clusterMonitor" }, { db: "admin", role: "restore" }, { db: "admin", role: "pbmAnyAction" }] });
{
  ok: 1,
  '$clusterTime': {
    clusterTime: Timestamp({ t: 1708958831, i: 1 }),
    signature: {
      hash: Binary(Buffer.from("683443a3f3749cc3da1c7ae0f485281dc43ad61e", "hex"), 0),
      keyId: Long("7286379826884116487")
    }
  },
  operationTime: Timestamp({ t: 1708958831, i: 1 })
}
rs0 [direct: primary] admin> db.getUser("clusterMonitor")
{
  _id: 'admin.clusterMonitor',
  userId: UUID("2d15ad6c-b2b1-4a51-a50e-ac1c08109e4d"),
  user: 'clusterMonitor',
  db: 'admin',
  roles: [
    { role: 'read', db: 'local' },
    { role: 'explainRole', db: 'admin' },
    { role: 'pbmAnyAction', db: 'admin' },
    { role: 'restore', db: 'admin' },
    { role: 'readWrite', db: 'admin' },
    { role: 'clusterMonitor', db: 'admin' },
    { role: 'backup', db: 'admin' }
  ],
  mechanisms: [ 'SCRAM-SHA-1', 'SCRAM-SHA-256' ]
}
rs0 [direct: primary] admin> db.getUser("clusterMonitor")
{
  _id: 'admin.clusterMonitor',
  userId: UUID("2d15ad6c-b2b1-4a51-a50e-ac1c08109e4d"),
  user: 'clusterMonitor',
  db: 'admin',
  roles: [
    { role: 'explainRole', db: 'admin' },
    { role: 'read', db: 'local' },
    { role: 'clusterMonitor', db: 'admin' }
  ],
  mechanisms: [ 'SCRAM-SHA-1', 'SCRAM-SHA-256' ]
}