-
Bug
-
Resolution: Cannot Reproduce
-
Major
-
None
-
2.4.0.Alpha1
-
None
-
None
-
False
-
None
-
False
-
Moderate
Bug report
I'm having trouble starting debezium with MongoDB.
I saw in another topic that the permissions adjustment at the cluster level was done in version 2.4.0.Alpha1
When I specify the database to apply the changeStreams and find actions I am getting the error:
Caused by: com.mongodb.MongoCommandException: Command failed with error 13 (Unauthorized): 'not authorized on admin to execute command { aggregate: 1, pipeline: [ { $changeStream: { fullDocument: "updateLookup", allChangesForCluster: true } }, { $replaceRoot: { newRoot: { namespace: { $concat: [ "$ns.db", ".", "$ns.coll" ] }, event: "$$ROOT" } } }, { $match: { $and: [ { $and: [ { event.ns.db: /inventory/i }, { namespace: /inventory.customers|inventory.orders|inventory.products/i } ] }, { event.operationType: { $in: [ "insert", "update", "replace", "delete" ] } } ] } }, { $replaceRoot: { newRoot: "$event" } } ], cursor: {}, $db: "admin", lsid: { id: UUID("a33a3a2c-7bf7-4b47-87f5-6c5e81c17d50") } }' on server mongodb:27017. The full response is {"ok": 0.0, "errmsg": "not authorized on admin to execute command { aggregate: 1, pipeline: [ { $changeStream: { fullDocument: \"updateLookup\", allChangesForCluster: true } }, { $replaceRoot: { newRoot: { namespace: { $concat: [ \"$ns.db\", \".\", \"$ns.coll\" ] }, event: \"$$ROOT\" } } }, { $match: { $and: [ { $and: [ { event.ns.db: /inventory/i }, { namespace: /inventory.customers|inventory.orders|inventory.products/i } ] }, { event.operationType: { $in: [ \"insert\", \"update\", \"replace\", \"delete\" ] } } ] } }, { $replaceRoot: { newRoot: \"$event\" } } ], cursor: {}, $db: \"admin\", lsid: { id: UUID(\"a33a3a2c-7bf7-4b47-87f5-6c5e81c17d50\") } }", "code": 13, "codeName": "Unauthorized", "$clusterTime": {"clusterTime": {"$timestamp": {"t": 1694448032, "i": 1}}, "signature": {"hash": {"$binary": {"base64": "ckzZOR1Ykdt8ayHeT2gWFEZkuTw=", "subType": "00"}}, "keyId": 7277598594448752646}}, "operationTime": {"$timestamp": {"t": 1694448032, "i": 1}}}
Role:
db.runCommand({
createRole: "debeziumRole",
privileges: [
{ resource: { cluster : true }, actions: ["listDatabases"] },
{ resource: { db: "admin", collection: ""}, actions: [ "find", "changeStream" ] },
{ resource: { db: "config", collection: ""}, actions: [ "find", "changeStream" ] },
{ resource: { db: "inventory", collection: ""}, actions: [ "find", "changeStream" ] },
{ resource: { db: "local", collection: ""}, actions: [ "find", "changeStream" ] }
],
roles: []
});
If I don't specify the database, it works normally. But, I need to restrict the database permissions.
What Debezium connector do you use and what version?
Debezium Server 2.4.0.Alpha1
What is the connector configuration?
debezium.sink.type=pubsub debezium.sink.pubsub.project.id= debezium.sink.pubsub.ordering.enabled=true debezium.source.offset.flush.interval.ms=0 debezium.source.tombstones.on.delete=false debezium.source.topic.prefix=test debezium.source.snapshot.mode=initial debezium.source.connector.class=io.debezium.connector.mongodb.MongoDbConnector debezium.source.mongodb.connection.mode=sharded debezium.source.mongodb.connection.string=mongodb://mongodb:27017 debezium.source.mongodb.user=debezium debezium.source.mongodb.password= debezium.source.capture.mode=change_streams_update_full debezium.source.collection.include.list=inventory.customers,inventory.orders,inventory.products debezium.source.database.include.list=inventory debezium.format.value.schemas.enable=false debezium.format.value=json quarkus.http.port=8080 quarkus.log.console.json=true quarkus.log.level=INFO
