I have dropped a collection from my TestDB (from both Stage and Prod Server), and I wanted to restore it back using OplogReplay by taking a backup of the oplog.rs collection. But it is throwing the below error.
Can you please help?
Thanks for sharing, let me try it out. However, to me the ‘root’ role is a superuser role, right? We should not need any additional role.
For me this looks to be a bug in extension to a similar issue raised earlier - https://jira.mongodb.org/browse/TOOLS-2952
It kind of is, if you’re dealing with databases and collections. However, applyOps is an internal MongoDB command, and thus requires a special system-level privilege.
Please refer to the link shared by Kevin. Restore has access to all non-system-related objects, but when you are accessing system-related objects or running internal commands, additional privileges need to be given.
That’s why you need to create a custom role with access to any object and grant it to the user who is performing the restore.
It basically allows you to do data operations across all databases and all collections, but not system objects and system operations. Thus it’s not a superuser in the traditional UNIX convention.
There is another role that’s basically superuser, but no user should be given this role according to the documentation:
__system
MongoDB assigns this role to user objects that represent cluster members, such as replica set members and mongos instances. The role entitles its holder to take any action against any object in the database.
Do not assign this role to user objects representing applications or human administrators, other than in exceptional circumstances.
If you need access to all actions on all resources, for example to run applyOps commands, do not assign this role. Instead, create a user-defined role that grants anyAction on anyResource and ensure that only the users who need access to these operations have this access.
I’d like to go back to the earlier error that is being discussed:
Failed: restore error: error applying oplog: applyOps: (Unauthorized) not authorized on admin to execute command
The error is saying that you need applyOps privilege to execute an oplog apply operation. This was answered earlier:
And we can be assured that with these roles we won’t hit the issues which were reported in this bug#, and there are a few open items still as follow-up to this bug https://jira.mongodb.org/browse/TOOLS-3203
Or do you suggest using the __system role to resolve every issue universally?
Thanks again for helping on this.
This is a totally different issue, as far as I can tell. Firstly, it’s a mongodump issue, not mongorestore, and secondly it concerns the config database of a sharded cluster.
The applyOps permission issue you’re seeing is about executing a system level command that manipulates the oplog: a dangerous and potentially irreversible destructive operation if done by accident, hence the need for a special permission.
No, I would follow the documentation’s recommendation to not use this role and instead create a new user-defined role (anyAction on anyResource). Similar to UNIX, running everything as root and doing chmod 777 * when you’re seeing permission issues is usually not the right answer.
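One way to script the user-defined role recommended in the reply above, as an added example that is not part of the original thread and not MongoDB's own code. The role name `oplogReplayRestore` and the function names are hypothetical; `adminDb` is assumed to be `db.getSiblingDB("admin")` in mongosh.

```javascript
// Added example for mongosh; ROLE_NAME and the function names are hypothetical.
const ROLE_NAME = "oplogReplayRestore";
const ROLE_REF = [{ role: ROLE_NAME, db: "admin" }];

// Role document matching the documentation's advice: anyAction on anyResource.
function oplogRestoreRoleDoc() {
  return {
    role: ROLE_NAME,
    privileges: [{ resource: { anyResource: true }, actions: ["anyAction"] }],
    roles: [],
  };
}

// True if the privilege list lets its holder run applyOps: a cluster-wide
// resource combined with either applyOps itself or anyAction.
function canApplyOps(privileges) {
  return (privileges || []).some((p) => {
    const wide = p.resource.cluster === true || p.resource.anyResource === true;
    return wide && p.actions.some((a) => a === "applyOps" || a === "anyAction");
  });
}

// Create the role if missing and grant it to the one account that restores.
// Returns whether that account can now run applyOps.
function grantOplogRestore(adminDb, user) {
  if (adminDb.getRole(ROLE_NAME) === null) {
    adminDb.createRole(oplogRestoreRoleDoc());
  }
  adminDb.grantRolesToUser(user, ROLE_REF);
  const doc = adminDb.getUser(user, { showPrivileges: true });
  return canApplyOps(doc.inheritedPrivileges);
}

// Take the role away again once mongorestore --oplogReplay has finished.
// Returns whether the applyOps privilege is gone from the account.
function revokeOplogRestore(adminDb, user) {
  adminDb.revokeRolesFromUser(user, ROLE_REF);
  const doc = adminDb.getUser(user, { showPrivileges: true });
  return !canApplyOps(doc.inheritedPrivileges);
}
```

Granting the role only for the duration of the restore and revoking it afterwards keeps the applyOps privilege limited to the account and the time window that actually need it.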
Yes, I agree with input.
I feel this jira ticket https://jira.mongodb.org/browse/TOOLS-2952 and ‘anyAction’ on ‘anyResource’ privileges are tightly coupled.
In the Jira we are skipping system collections like session/cache/transaction etc. at both mongodump and restore, as per code changes.
And at the same time we are also asking users to give additional privileges if there are some system collections which are not skipped in the above Jira.
Anyway, we will go with the document you have shared, where additional privileges are mentioned to be used for restore.
Thanks again for all your inputs, we can close this thread. Also, if you agree that the skipping Jira and the additional permission are relevant, then further follow-up can be done with the Dev team.
I have an admin user with the below privilege: anyAction on anyResource, and still restore is failing with the below error -
replaying oplog
2023-06-22T08:15:12.152-0700 Failed: restore error: error applying oplog: applyOps: (Location40528) Direct writes against config.transactions cannot be performed using a transaction or on a session.
I am on MongoDB version 4.4.22.
This was never the case earlier while using mongo shell, recently we have started using mongosh.