mongo create role time out


rohit reddy

Feb 20, 2018, 5:48:08 PM
to mongodb-user
Hello,
I have a request from to create a User for several reporting instances (Tableau). The reporting tool lists the databases for validation once connected, so it needs access to the admin command listDatabases.
I need to grant this privileged action to several users, and I do not want to grant it directly; I want to create a role that specifically does that.

Below is my role creation statement.


MongoDB version 3.6 on CentOS Linux release 7.4.1708 (Core)

##########################################################################################
clk:PRIMARY> admin.createRole(
...  {
...  role:"ReportingUser1",
...  privileges: [ { resource: {cluster:true},actions:["listDatabases"] } ]
...  }
...  )
2018-02-20T22:29:52.247+0000 E QUERY    [thread1] Error: "createRole" command requires a "roles" array :
_getErrorWithCode@src/mongo/shell/utils.js:25:13
DB.prototype.createRole@src/mongo/shell/db.js:1541:1
@(shell):1:1
##########################################################################################

From the above message it is clear that the createRole command needs at least one inherited role. I come from the Oracle RDBMS world, where a custom role can be created even without any privileges or roles granted to it. However, it looks like MongoDB is different.
However, I tried a slightly different syntax after reading through the documents, and tried the below.


##########################################################################################
clk:PRIMARY> admin.createRole(
...  {
...  role:"ReportingUser1",
...  privileges: [ { resource: {cluster:true},actions:["listDatabases"] } ],
...  roles:[]
...  }
...  )

2018-02-20T22:31:05.643+0000 E QUERY    [thread1] Error: timeout :
_getErrorWithCode@src/mongo/shell/utils.js:25:13
DB.prototype.createRole@src/mongo/shell/db.js:1541:1
@(shell):1:1
##########################################################################################

From the above statement, the role creation statement does not error out, but gives me a timeout error message.
Curiously, this time the shell does not error out but instead sits there for about 30 seconds and comes out with timeout.

Can someone guide me on how to create a customRole with just one privileged action assigned?

Thanks
Rohit




Kevin Adistambha

Feb 25, 2018, 8:15:15 PM
to mongodb-user

Hi Rohit

> From the above message it is clear that createRole command needs at least one inherited role

This is correct, as per db.createRole() page: “You must include the roles field. Use an empty array to specify no roles to inherit from.”

> From the above statement, the role creation statement does not error out, but gives me a timeout error message.

If you don’t specify the write concern setting for db.createRole(), it will default to majority (see Write Concern for Replica Sets for more details).

Having said that, if the error was caused by a write concern timeout, it should output a different message, such as Error: waiting for replication timed out instead of just timeout.

There are some things you can check:

  • I noticed that you are running a replica set. Do you run it with any arbiter, and do you have offline Secondaries? Write concern majority will wait until the write propagates to the majority of voting nodes. Since arbiters are voting nodes but carry no data, it is possible that a majority write stalls waiting for an acknowledgment. For example, if you have a Primary-Secondary-Arbiter setup and the Secondary is offline, the Primary would still accept writes due to the presence of the Arbiter. However, a majority write will wait until it can propagate to a data-bearing node. Since the data-bearing Secondary is offline, the write will never be acknowledged.
  • It is also possible that it is a network issue. I tested the exact command you posted and the role was successfully created.

If you have more questions, please post:

  • Your exact MongoDB version (e.g. 3.6.3)
  • Your topology details (e.g. output of rs.conf() and rs.status())
  • Whether other commands using write concern majority also fail in this deployment

Best regards
Kevin
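
The Primary-Secondary-Arbiter case described in the reply above, as an added example (not part of the original thread and not MongoDB's own code): it takes member lists shaped like `rs.conf().members` and `rs.status().members` and reports whether a `w: "majority"` write can be acknowledged. The host names and sample documents are constructed, `majorityWriteCheck` is a hypothetical helper, and capping the write majority at the number of data-bearing voters is an assumption of this example.

```javascript
// Constructed sample input; shapes follow rs.conf().members and rs.status().members.
const SAMPLE_CONF = [
  { host: "db1.example:27017", votes: 1, arbiterOnly: false },
  { host: "db2.example:27017", votes: 1, arbiterOnly: false },
  { host: "arb1.example:27017", votes: 1, arbiterOnly: true },
];
const SAMPLE_STATUS = [
  { name: "db1.example:27017", health: 1, stateStr: "PRIMARY" },
  { name: "db2.example:27017", health: 0, stateStr: "(not reachable/healthy)" },
  { name: "arb1.example:27017", health: 1, stateStr: "ARBITER" },
];

// Hypothetical helper (not a MongoDB API): can the set elect a primary,
// and can a w:"majority" write (the createRole default) be acknowledged?
function majorityWriteCheck(confMembers, statusMembers) {
  const statusByHost = new Map(statusMembers.map((m) => [m.name, m]));
  const isUp = (host) => (statusByHost.get(host) || {}).health === 1;
  // Only members currently in PRIMARY or SECONDARY state can acknowledge a write.
  const holdsData = (host) =>
    isUp(host) && ["PRIMARY", "SECONDARY"].includes(statusByHost.get(host).stateStr);

  const voters = confMembers.filter((m) => (m.votes ?? 1) > 0);
  const dataVoters = voters.filter((m) => !m.arbiterOnly);

  const electionMajority = Math.floor(voters.length / 2) + 1;
  // Assumption: arbiters vote but store no data, so the number of
  // acknowledgements needed is capped at the data-bearing voters.
  const writeMajority = Math.min(electionMajority, dataVoters.length);

  const votersUp = voters.filter((m) => isUp(m.host)).length;
  const dataVotersUp = dataVoters.filter((m) => holdsData(m.host)).length;

  return {
    electionMajority,
    writeMajority,
    votersUp,
    dataVotersUp,
    primaryPossible: votersUp >= electionMajority,
    majorityWritePossible: dataVotersUp >= writeMajority,
  };
}

console.log(majorityWriteCheck(SAMPLE_CONF, SAMPLE_STATUS));
```

With the Secondary down, the result shows a primary can still be elected while a majority write cannot be acknowledged, which matches a `createRole` call that hangs until the shell gives up.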

rohit reddy

Mar 1, 2018, 3:58:31 PM
to mongodb-user
Hello Kevin,
Thank you for your response and clarification.

However, according to the documentation
  https://docs.mongodb.com/manual/core/replica-set-write-concern/

   For a replica set, the default write concern requests acknowledgement only from the primary. You can, however, override this default write concern, such as to confirm write operations on a specified number of the replica set members.
Is the above behavior different for db.createRole command?

Thanks
Rohit Reddy

Kevin Adistambha

Mar 1, 2018, 4:47:03 PM
to mongodb-user

Hi Rohit

> Is the above behavior different for db.createRole command?

Yes, the default write concern for some user & role management commands is not the “standard” w:1 write concern. Rather, they’re using w:majority.

This is reflected in the code for MongoDB 3.6.3 in this line.

However, I just noticed that this fact is not mentioned in the relevant documentation page. Thanks for bringing this oversight to attention. I have created DOCS-11378 to document this fact.

Best regards
Kevin

rohit reddy

Mar 2, 2018, 12:06:29 PM
to mongodb-user
Hello Kevin,
Thank you for all your help. Your clarification was very helpful.

Thanks
Rohit