Mongo Change Stream "not authorized to execute command"
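Here is the problem.
I have a local mongos instance that connects to a remote mongod.
The remote database uses basic password authentication.
I'm trying to set up a ChangeStream watcher for a particular collection using a simple Scala application.
The actual code looks like this: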
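    import com.mongodb.{MongoClient, MongoClientOptions, MongoCredential, ServerAddress}
    import com.mongodb.client.model.changestream.FullDocument

    // Connect to the local mongos, authenticating as "username" against myDB
    private val mongo = new MongoClient(
      new ServerAddress("localhost", 27017),
      MongoCredential.createCredential("username", "myDB", "password".toCharArray),
      MongoClientOptions.builder().addServerListener(ServerStateListener).build()
    )

    private val collection = mongo
      .getDatabase(DB)
      .getCollection("someObjectsCollection")

    // Open a change stream that also returns the full document on updates
    private val ch = collection
      .watch()
      .fullDocument(FullDocument.UPDATE_LOOKUP)
      .iterator()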
It breaks at the .fullDocument(FullDocument.UPDATE_LOOKUP) line:
Exception in thread "main" com.mongodb.MongoCommandException: Command failed with error 13: 'not authorized on myDB to execute command { aggregate: "someObjectsCollection", pipeline: [ { $changeStream: { fullDocument: "updateLookup" } } ], cursor: {}, $db: "myDB", $clusterTime: { clusterTime: Timestamp(1524064297, 2), ....
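This is confusing, because the given user credentials work via the mongo shell on both the remote database and the local mongos. In addition, I tried performing some other collection operations in that application (such as collection.count()) and it worked! The problem appears when I try to set up the watcher.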

I finally figured out what was wrong with my setup...
The original user 'username' that I used to consume the change stream had strictly set privileges:
    "inheritedPrivileges" : [
        {
            "resource" : {
                "db" : "abuCoreDev",
                "collection" : ""
            },
            "actions" : [
                "convertToCapped",
                "createCollection",
                "createIndex",
                "dropIndex",
                "find",
                "insert",
                "listCollections",
                "listIndexes",
                "planCacheIndexFilter",
                "remove",
                "update"
            ]
        }
    ],
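I did not realize that I need the special changeStream privilege to use change streams! When I connected to mongos as root, everything worked fine, since it has that damned privilege.
Here you can see the privileges of my root user: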
    {
        "resource" : {
            "db" : "",
            "collection" : ""
        },
        "actions" : [
            "bypassDocumentValidation",
            "changeCustomData",
            "changePassword",
            "changeStream",
            "collMod",
            "collStats",
            "compact",
            "convertToCapped",
            "createCollection",
            "createIndex",
            "createRole",
            "createUser",
            "dbHash",
            "dbStats",
            "dropCollection",
            "dropDatabase",
            "dropIndex",
            "dropRole",
            "dropUser",
            "emptycapped",
            "enableProfiler",
            "enableSharding",
            "find",
            "getShardVersion",
            "grantRole",
            "indexStats",
            "insert",
            "killCursors",
            "listCollections",
            "listIndexes",
            "moveChunk",
            "planCacheIndexFilter",
            "planCacheRead",
            "planCacheWrite",
            "reIndex",
            "remove",
            "renameCollectionSameDB",
            "repairDatabase",
            "revokeRole",
            "setAuthenticationRestriction",
            "splitChunk",
            "splitVector",
            "storageDetails",
            "update",
            "validate",
            "viewRole",
            "viewUser"
        ]
    }
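
An added example, not part of the original post: a small JavaScript check that takes a privileges array in the shape shown above and reports which of the actions a collection change stream needs (changeStream and find, per MongoDB's documentation) are missing, then builds a role document granting only those instead of falling back to root. The function names, the role name watchSomeObjects and the sample privileges are assumptions constructed for illustration.

```javascript
// Added example: audit a user's privileges for change-stream access.
// Input shape follows the "inheritedPrivileges" array shown above.
const REQUIRED = ["changeStream", "find"]; // actions needed to watch a collection

// True when a privilege's resource document covers db.coll.
function resourceCovers(resource, db, coll) {
  if (resource.anyResource === true) return true;
  if (typeof resource.db !== "string" || typeof resource.collection !== "string") {
    return false; // e.g. { cluster: true } never covers a collection
  }
  const dbOk = resource.db === "" || resource.db === db;
  // An empty collection name is a wildcard over non-system collections only.
  const collOk = resource.collection === ""
    ? !coll.startsWith("system.")
    : resource.collection === coll;
  return dbOk && collOk;
}

// Returns the required actions that no matching privilege grants.
function missingActions(privileges, db, coll) {
  const granted = new Set();
  for (const p of privileges) {
    if (resourceCovers(p.resource, db, coll)) p.actions.forEach((a) => granted.add(a));
  }
  return REQUIRED.filter((a) => !granted.has(a));
}

// Builds a role document (the argument to db.createRole) that grants
// only the given actions on a single collection: least privilege, not root.
function minimalRole(roleName, db, coll, actions) {
  return { role: roleName, privileges: [{ resource: { db, collection: coll }, actions }], roles: [] };
}

// Constructed sample: a restricted user similar to the one in the post.
const restricted = [{
  resource: { db: "myDB", collection: "" },
  actions: ["find", "insert", "update", "remove", "listCollections"],
}];
const missing = missingActions(restricted, "myDB", "someObjectsCollection");
console.log("missing actions:", missing);
console.log(JSON.stringify(minimalRole("watchSomeObjects", "myDB", "someObjectsCollection", missing)));
```

The privileges array can be obtained in the mongo shell with db.getUser("username", { showPrivileges: true }), and the generated role document can be passed to db.createRole and then granted with db.grantRolesToUser.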