Cannot auto discover databases and collections: cannot list the collections & Checking authorization failed

We appear to be getting a few permissions-related errors; seen elsewhere that this could be related to the metrics server.

time="2023-08-01T00:53:04Z" level=error msg="cannot auto discover databases and collections: cannot list the collections for \"avatar-store\": cannot get the list of collections for discovery: (Unauthorized) not authorized on avatar-store to execute command { listCollections: 1, filter: {}, nameOnly: true, cursor: {}, lsid: { id: UUID(\"87045589-a8c0-4fd7-800f-3680a205feaa\") }, $clusterTime: { clusterTime: Timestamp(1690851181, 2), signature: { hash: BinData(0, 3AEFD3A070F0C63D712A1CD4CF1AB119BAF0495D), keyId: 7235977075700531206 } }, $db: \"avatar-store\", $readPreference: { mode: \"primaryPreferred\" } }"

{"t":{"$date":"2023-08-01T00:53:04.387+00:00"},"s":"I", "c":"ACCESS", "id":20436, "ctx":"conn27024609","msg":"Checking authorization failed","attr":{"error":{"code":13,"codeName":"Unauthorized","errmsg":"not authorized on avatar-store to execute command { listCollections: 1, filter: {}, nameOnly: true, cursor: {}, lsid: { id: UUID(\"87045589-a8c0-4fd7-800f-3680a205feaa\") }, $clusterTime: { clusterTime: Timestamp(1690851181, 2), signature: { hash: BinData(0, 3AEFD3A070F0C63D712A1CD4CF1AB119BAF0495D), keyId: 7235977075700531206 } }, $db: \"avatar-store\", $readPreference: { mode: \"primaryPreferred\" } }"}}}

psmdb-db.values.yaml

pmm:
  enabled: false
  image:
    repository: percona/pmm-client
    tag: 2.35.0
  serverHost: monitoring-service

replsets:
  - name: rs0
    size: 1
    sidecars:
    - image: percona/mongodb_exporter:0.36
      env:
      - name: EXPORTER_USER
        valueFrom:
          secretKeyRef:
            name: psmdb-db-secrets
            key: MONGODB_CLUSTER_MONITOR_USER
      - name: EXPORTER_PASS
        valueFrom:
          secretKeyRef:
            name: psmdb-db-secrets
            key: MONGODB_CLUSTER_MONITOR_PASSWORD
      - name: POD_IP
        valueFrom:
          fieldRef:
            fieldPath: status.podIP
      - name: MONGODB_URI
        value: "mongodb://$(EXPORTER_USER):$(EXPORTER_PASS)@$(POD_IP):27017"
      args: ["--discovering-mode", "--compatible-mode", "--collect-all", "--mongodb.uri=$(MONGODB_URI)"]
      name: metrics

Any fix or workaround for this? (Strangely, it seems to only be affecting this one db and collection.)

Hi @Kay_Khan ,

From the above error, it seems to be a lack of privileges granted to MONGODB_CLUSTER_MONITOR_USER.
Kindly share the roles granted to this user. Also verify that all the roles and privileges are granted as mentioned in the link.

Regards,
Parag

I believe this user is automatically created by the percona operator? We did not create this user or define its roles.

{
    "_id" : "admin.clusterMonitor",
    "userId" : UUID("d4f1e927-6838-4f2b-b7c6-6ad02431e319"),
    "user" : "clusterMonitor",
    "db" : "admin",
    "credentials" : {
        "SCRAM-SHA-1" : {
         ...
        },
        "SCRAM-SHA-256" : {
          ...
         }
    },
    "roles" : [
        {
            "role" : "explainRole",
            "db" : "admin"
        },
        {
            "role" : "read",
            "db" : "local"
        },
        {
            "role" : "clusterMonitor",
            "db" : "admin"
        }
    ]
}

Hi @Kay_Khan ,

From the above output, the user has a lack of privileges. Kindly manually add the roles mentioned below to the above user and verify it.

db.getSiblingDB("admin").updateUser("clusterMonitor", {
  roles: [
    { role: "explainRole", db: "admin" },
    { role: "clusterMonitor", db: "admin" },
    { role: "read", db: "local" },
    { "db" : "admin", "role" : "readWrite", "collection": "" },
    { "db" : "admin", "role" : "backup" },
    { "db" : "admin", "role" : "clusterMonitor" },
    { "db" : "admin", "role" : "restore" },
    { "db" : "admin", "role" : "pbmAnyAction" }
  ]
})

After adding the necessary roles, if you are still facing the issue then do let us know.

Regards,
Parag

Sorry for the late response, but if I change the permissions it reverts back instantly.

rs0 [direct: primary] admin> db.getSiblingDB("admin").updateUser("clusterMonitor", { roles: [ { role: "explainRole", db: "admin" }, { role: "clusterMonitor", db: "admin" }, { role: "read", db: "local" }, { db: "admin", role: "readWrite", collection: "" }, { db: "admin", role: "backup" }, { db: "admin", role: "clusterMonitor" }, { db: "admin", role: "restore" }, { db: "admin", role: "pbmAnyAction" }] });
{
  ok: 1,
  '$clusterTime': {
    clusterTime: Timestamp({ t: 1708958831, i: 1 }),
    signature: {
      hash: Binary(Buffer.from("683443a3f3749cc3da1c7ae0f485281dc43ad61e", "hex"), 0),
      keyId: Long("7286379826884116487")
    }
  },
  operationTime: Timestamp({ t: 1708958831, i: 1 })
}
rs0 [direct: primary] admin> db.getUser("clusterMonitor")
{
  _id: 'admin.clusterMonitor',
  userId: UUID("2d15ad6c-b2b1-4a51-a50e-ac1c08109e4d"),
  user: 'clusterMonitor',
  db: 'admin',
  roles: [
    { role: 'read', db: 'local' },
    { role: 'explainRole', db: 'admin' },
    { role: 'pbmAnyAction', db: 'admin' },
    { role: 'restore', db: 'admin' },
    { role: 'readWrite', db: 'admin' },
    { role: 'clusterMonitor', db: 'admin' },
    { role: 'backup', db: 'admin' }
  ],
  mechanisms: [ 'SCRAM-SHA-1', 'SCRAM-SHA-256' ]
}
rs0 [direct: primary] admin> db.getUser("clusterMonitor")
{
  _id: 'admin.clusterMonitor',
  userId: UUID("2d15ad6c-b2b1-4a51-a50e-ac1c08109e4d"),
  user: 'clusterMonitor',
  db: 'admin',
  roles: [
    { role: 'explainRole', db: 'admin' },
    { role: 'read', db: 'local' },
    { role: 'clusterMonitor', db: 'admin' }
  ],
  mechanisms: [ 'SCRAM-SHA-1', 'SCRAM-SHA-256' ]
}

Hi @Kay_Khan , this issue was fixed for PSMDB k8s operator 1.16.0. Please see GitHub and Jira issues [K8SPSMDB-1058] - Percona JIRA
K8SPSMDB-1058: A minor missing privileges issue caused flooding MongoDB logs with “Checking authorization failed” errors · Issue #1657 · percona/percona-server-mongodb-operator · GitHub
Also, as you need to know, almost all the changes we are trying to add are only for new DB deployments (crVersion) to ensure good backward compatibility. In order to get this fix, you need to update your DB deployment as well (bump crVersion) in the psmdb object.
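
For triaging the "Checking authorization failed" flood discussed in this thread, here is an added example (not from any poster or from the Percona operator) that summarises those entries from mongod's JSON log by database and denied command. The log lines are constructed samples modelled on the entry quoted above; `example-db` and the `summarize_denials` name are assumptions.

```python
import json
import re
from collections import Counter

# Constructed sample input, modelled on the log entry quoted in the thread.
# "example-db" and the listIndexes denial are made up for illustration.
SAMPLE_LOG = r'''
{"t":{"$date":"2023-08-01T00:53:04.387+00:00"},"s":"I","c":"ACCESS","id":20436,"ctx":"conn1","msg":"Checking authorization failed","attr":{"error":{"code":13,"codeName":"Unauthorized","errmsg":"not authorized on avatar-store to execute command { listCollections: 1, filter: {}, nameOnly: true, $db: \"avatar-store\" }"}}}
{"t":{"$date":"2023-08-01T00:53:05.101+00:00"},"s":"I","c":"NETWORK","id":22943,"ctx":"listener","msg":"Connection accepted","attr":{}}
time="2023-08-01T00:53:06Z" level=error msg="cannot auto discover databases and collections"
{"t":{"$date":"2023-08-01T00:54:04.390+00:00"},"s":"I","c":"ACCESS","id":20436,"ctx":"conn2","msg":"Checking authorization failed","attr":{"error":{"code":13,"codeName":"Unauthorized","errmsg":"not authorized on avatar-store to execute command { listCollections: 1, filter: {}, nameOnly: true, $db: \"avatar-store\" }"}}}
{"t":{"$date":"2023-08-01T00:54:09.000+00:00"},"s":"I","c":"ACCESS","id":20436,"ctx":"conn2","msg":"Checking authorization failed","attr":{"error":{"code":13,"codeName":"Unauthorized","errmsg":"not authorized on example-db to execute command { listIndexes: \"things\", $db: \"example-db\" }"}}}
'''

# Pulls the target database and the command name out of the errmsg text.
DENIED = re.compile(
    r"not authorized on (?P<db>\S+) to execute command \{ (?P<cmd>\w+):"
)


def summarize_denials(lines):
    """Count Unauthorized (code 13) ACCESS entries per (database, command)."""
    counts = Counter()
    for line in lines:
        try:
            entry = json.loads(line)
        except json.JSONDecodeError:
            continue  # blank lines and non-JSON lines (e.g. exporter logfmt)
        if not isinstance(entry, dict):
            continue
        # 20436 is the log id shown in the thread for this message.
        if entry.get("c") != "ACCESS" or entry.get("id") != 20436:
            continue
        error = entry.get("attr", {}).get("error", {})
        if error.get("code") != 13:
            continue
        match = DENIED.search(error.get("errmsg", ""))
        if match:
            counts[(match["db"], match["cmd"])] += 1
    return dict(counts)


if __name__ == "__main__":
    for (db, cmd), n in sorted(summarize_denials(SAMPLE_LOG.splitlines()).items()):
        print(f"{n:4d}  db={db}  command={cmd}")
```

The (database, command) pairs show which action the monitoring account is being refused and whether the denials are confined to one database.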