Monitoring MongoDB and getting a problem with the User Role

Hello all

I am working with MongoDB for the first time and currently need to monitor a MongoDB. For that I have a plugin.

My current setup of MongoDB looks like this:
Primary, a Secondary (priority 0) and an Arbiter (don’t ask :slight_smile: )

MongoDB version:
v4.4.10

The Monitoring User has been assigned these roles:

"role": "clusterMonitor" / "db": "admin"
"role": "read" / "db": "local"
"role": "read" / "db": "admin"

As soon as I run the plugin, I get this error message:

Traceback (most recent call last):
  File "./mk_mongodb.py", line 904, in <module>
    sys.exit(main())
  File "./mk_mongodb.py", line 881, in main
    potentially_piggybacked_sections(client, server_status)
  File "./mk_mongodb.py", line 892, in potentially_piggybacked_sections
    databases = get_database_info(client)
  File "./mk_mongodb.py", line 83, in get_database_info
    databases[name]["collstats"][collection] = database.command("collstats", collection)
  File "/opt/rh/rh-python36/root/usr/lib64/python3.6/site-packages/pymongo/database.py", line 516, in command
    codec_options, **kwargs)
  File "/opt/rh/rh-python36/root/usr/lib64/python3.6/site-packages/pymongo/database.py", line 428, in _command
    parse_write_concern_error=parse_write_concern_error)
  File "/opt/rh/rh-python36/root/usr/lib64/python3.6/site-packages/pymongo/pool.py", line 476, in command
    collation=collation)
  File "/opt/rh/rh-python36/root/usr/lib64/python3.6/site-packages/pymongo/network.py", line 116, in command
    parse_write_concern_error=parse_write_concern_error)
  File "/opt/rh/rh-python36/root/usr/lib64/python3.6/site-packages/pymongo/helpers.py", line 210, in _check_command_response
    raise OperationFailure(msg % errmsg, code, response)
pymongo.errors.OperationFailure: not authorized on admin to execute command { collstats: "system.version", $readPreference: { mode: "secondaryPreferred" }, $db:"admin" }

Can anyone here provide me with a suggested solution as to what I am doing wrong?

I don’t think clusterMonitor can run collstats on system.version
Check this link

and in DB you can verify what all clusterMonitor can do

db.getRole( "clusterMonitor", { showPrivileges: true } )

Also, I see you have been assigned clusterMonitor and read on “db” admin? Is it possible you don’t have the correct role?

This document you linked says clusterMonitor can run collStats on all databases (maybe system.profile is a unique case?):
Permits the following actions on all databases in the cluster:

Please read this line in the document

"Each of MongoDB’s built-in roles defines access at the database level for all non-system collections in the role’s database and at the collection level for all system collections"

If you look at the privileges/actions for each built-in role, you will see system-related objects were listed and given permission at collection level. Only those mentioned are given access (mostly find).
You have to give explicit privs through a custom role or choose an appropriate custom built-in role.

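The rule quoted in the last reply, as an added example that is not part of the original thread or of the mk_mongodb.py plugin: a simplified model of how a privilege resource document is matched against a namespace, showing why a database-wide collStats grant does not cover admin.system.version and what a narrowly scoped custom role looks like. The privilege list is a constructed sample in the shape that getRole with showPrivileges returns, and the role name monitorSystemVersion is hypothetical.

```python
# Added example: simplified model of MongoDB privilege resource matching.
# The privilege lists below are constructed samples, not real getRole() output.

def is_system(collection):
    return collection.startswith("system.")

def resource_matches(resource, db, collection):
    """Return True if a privilege resource document covers db.collection."""
    if resource.get("anyResource"):
        return True
    if "db" not in resource or "collection" not in resource:
        return False  # e.g. {"cluster": True} never covers a collection
    if resource["db"] not in ("", db):
        return False
    if resource["collection"] == "":
        # Empty collection name = every NON-system collection in scope.
        return not is_system(collection)
    return resource["collection"] == collection

def is_authorized(privileges, db, collection, action):
    return any(
        action in p["actions"] and resource_matches(p["resource"], db, collection)
        for p in privileges
    )

def custom_role_command(role_name, db, collection, actions):
    """Build a createRole command document scoped to a single collection."""
    return {
        "createRole": role_name,
        "privileges": [
            {"resource": {"db": db, "collection": collection}, "actions": list(actions)}
        ],
        "roles": [],
    }

# Constructed sample: one cluster-level grant and one grant on all databases.
SAMPLE_PRIVILEGES = [
    {"resource": {"cluster": True}, "actions": ["serverStatus", "replSetGetStatus"]},
    {"resource": {"db": "", "collection": ""}, "actions": ["collStats", "dbStats"]},
]

# Hypothetical role name; an administrator would run this against the admin database.
CREATE_ROLE = custom_role_command("monitorSystemVersion", "admin", "system.version", ["collStats"])

if __name__ == "__main__":
    for coll in ("orders", "system.version"):
        print(coll, is_authorized(SAMPLE_PRIVILEGES, "admin", coll, "collStats"))
    patched = SAMPLE_PRIVILEGES + CREATE_ROLE["privileges"]
    print("with custom role:", is_authorized(patched, "admin", "system.version", "collStats"))
```

The custom role grants only collStats on the one system collection, so the monitoring user does not need a broader built-in role to get past this error.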