Reputation: 829
I am trying to figure out which built-in role in MongoDB 4.0 can perform the following query:
Caused by: com.mongodb.MongoQueryException: Query failed with error code 13 and error message 'not authorized on config to execute command { find: "system.sessions", filter: {}, $db: "config", $clusterTime: { clusterTime: Timestamp(1625944650, 1), signature: { hash: BinData(0, 5B0A62A5164EB17E7C0A1EB182AE1B9B44FC8DEF), keyId: 6983378611524861955 } }, lsid: { id: UUID("814ada4e-e25d-4598-89a5-197c9962eb50") }, $readPreference: { mode: "primaryPreferred" } }' on server localhost:27017
I tried the following:
db.createUser({
  user: "order",
  pwd: "xxxx",
  roles: [
    { role: "root", db: "admin" },
    { role: "clusterManager", db: "admin" },
    { role: "clusterMonitor", db: "admin" }
  ]
});
But, I'm pretty sure I'm using the wrong role (or completely missing something else).
Edit: To answer the questions below:
I am running the query as the user I just created above. I also tried using the root account built-in (I'm very new to Mongo so I'm still learning).
The docs say clusterManager has the "listSessions" action built into the role.
I am using a CDC library, Debezium, so it is automatically making that query to the sessions collection.
Upvotes: 0
Views: 1307
Reputation: 829
I ended up solving it by doing the following (I'm using a CDC library called Debezium and they were not very clear in the docs)
// Create the role first: createUser fails if a role it references does not exist yet.
db.createRole({
  role: "debezium",
  privileges: [
    { resource: { db: "config", collection: "" }, actions: [ "find" ] },
    { resource: { db: "local", collection: "oplog.rs" }, actions: [ "find" ] },
    { resource: { db: "", collection: "" }, actions: [ "listDatabases", "listCollections", "find" ] }
  ],
  roles: [
    { role: "readWrite", db: "admin" }
  ]
});
// Then create the user and grant it the custom role.
db.createUser({ user: "order", pwd: "xxxx", roles: [ "debezium" ] });
I need to fine-tune this a little bit more to make it more secure for this specific role.
Upvotes: 1
Reputation: 10737
You need to add the listSessions action on the cluster resource to your role to be able to list sessions...
Upvotes: 0
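A review aid for the fine-tuning step mentioned in the second post and the cluster-resource point in the last one, as an added example that is not part of the original posts or of Debezium: it flags wildcard resources, cluster-scoped actions attached to a database resource, and broad inherited roles in a role document. The role name sessionLister, the finding labels and the BROAD_ROLES subset are assumptions made for this example.

```javascript
// Added example (not from the original posts): lint a custom role document.
// Actions MongoDB documents as applying to the cluster resource; only the
// two named on this page are listed.
const CLUSTER_ACTIONS = new Set(["listSessions", "listDatabases"]);
// Built-in roles with write or administrative access (subset, assumption).
const BROAD_ROLES = new Set(["root", "readWrite", "readWriteAnyDatabase",
  "dbOwner", "clusterAdmin", "clusterManager"]);

function reviewRole(role) {
  const findings = [];
  (role.privileges || []).forEach((p, i) => {
    const r = p.resource || {};
    const onCluster = r.cluster === true;
    if (!onCluster && r.db === "") {
      findings.push({ privilege: i, issue: "wildcard-database" });
    } else if (!onCluster && r.collection === "") {
      findings.push({ privilege: i, issue: "wildcard-collection", db: r.db });
    }
    for (const a of p.actions || []) {
      if (CLUSTER_ACTIONS.has(a) && !onCluster) {
        findings.push({ privilege: i, issue: "cluster-action-off-cluster", action: a });
      }
    }
  });
  for (const inh of role.roles || []) {
    const name = typeof inh === "string" ? inh : inh.role;
    if (BROAD_ROLES.has(name)) {
      findings.push({ issue: "broad-inherited-role", role: name, db: inh.db });
    }
  }
  return findings;
}

// The role document from the second post above.
const debeziumRole = { role: "debezium", privileges: [
  { resource: { db: "config", collection: "" }, actions: ["find"] },
  { resource: { db: "local", collection: "oplog.rs" }, actions: ["find"] },
  { resource: { db: "", collection: "" },
    actions: ["listDatabases", "listCollections", "find"] }
], roles: [{ role: "readWrite", db: "admin" }] };
// Constructed: listSessions on the cluster resource, as the last answer suggests.
const sessionsRole = { role: "sessionLister", privileges: [
  { resource: { cluster: true }, actions: ["listSessions"] }
], roles: [] };

console.log(reviewRole(debeziumRole));
console.log(reviewRole(sessionsRole));
```

Each finding is a prompt for review rather than a verdict: whether a wildcard or an inherited role is needed depends on what the connector actually reads.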