Percona Monitoring and Management / PMM-10072

Need extra privileges for pmm user when enabling advanced collectors in MongoDB

Details

    • 1
    • Yes
    • Yes
    • Yes
    • [obsolete] Observability
      1. Create MongoDB instance with profiler enabled to level 2 (to force generation of system.profile collection)
      2. Create explain role in MongoDB database without permissions on system.profile collection
      3. Connect to DB with MongoDB exporter. No failure should be observed for generating metrics.

    Description

      From PMM 2.26, advanced metric collectors are included. When the advanced metrics are enabled (see here), the existing user, created as described in https://docs.percona.com/percona-monitoring-and-management/setting-up/client/mongodb.html#create-pmm-account-and-set-permissions, will fail.

      Log:

      May 24 16:05:05 host.com pmm-agent[43698]: INFO[2022-05-23T16:05:05.959-05:00] time="2022-05-23T16:05:05-05:00" level=error msg="cannot get $indexStats cursor for collection auditDb.system.profile: (Unauthorized) not authorized on auditDb to execute command { aggregate: \"system.profile\", pipeline: [ { $indexStats: {} } ], cursor: {}, lsid: { id: UUID(\"d744d0eb-9c3a-4cfc-a0f9-e685a12f718e\") }, $clusterTime: { clusterTime: Timestamp(1653339904, 1), signature: { hash: BinData(0, 2D391D8744A230BA092DC5B456D01C88367B9BE8), keyId: 7062423455928418306 } }, $db: \"auditDb\", $readPreference: { mode: \"primaryPreferred\" } }" agentID=/agent_id/b3ad1adc-0fe8-418e-8db2-3591d7435aab component=agent-process type=mongodb_exporter 

       

      Workaround:

      Provide extra privilege to the pmm user as follows:

      {
        resource: {
          db: "",
          collection: "system.profile"
        },
        actions: [
          "collStats",
          "dbStats",
          "indexStats"
        ]
      }

       

      This needs to be added to the doc so that the customer provides this privilege and the pmm user can fetch those advanced metrics:

      If the role "explainRole" already exists, the command below can be used to add the extra privileges to it:

      db.runCommand({
        grantPrivilegesToRole: "explainRole",
        privileges: [
          {
            "resource": { "db": "", "collection": "system.profile" },
            "actions": [ "indexStats", "dbStats", "collStats" ]
          }
        ]
      })
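
A check for the privilege described above, as an added example that is not part of the original issue or of PMM: it inspects a role document in the shape returned by `rolesInfo` with `showPrivileges: true` and reports which of the three actions are still missing on `system.profile`. The function names and both sample role documents are constructed for illustration.

```javascript
// Added example. Input shape: one element of the `roles` array returned by
//   db.runCommand({ rolesInfo: "explainRole", showPrivileges: true })
const REQUIRED = ["collStats", "dbStats", "indexStats"];

// True when a privilege resource covers <dbName>.system.profile.
// A database-wide resource ({ db: "x", collection: "" }) excludes system
// collections, so system.profile has to be named explicitly.
function coversProfile(resource, dbName) {
  if (resource.anyResource === true) return true;
  return resource.collection === "system.profile" &&
         (resource.db === "" || resource.db === dbName);
}

// Returns the required actions the role still lacks on <dbName>.system.profile,
// counting both direct and inherited privileges.
function missingProfileActions(roleDoc, dbName) {
  const granted = new Set();
  const all = [...(roleDoc.privileges || []),
               ...(roleDoc.inheritedPrivileges || [])];
  for (const p of all) {
    if (coversProfile(p.resource, dbName)) {
      p.actions.forEach((a) => granted.add(a));
    }
  }
  return REQUIRED.filter((a) => !granted.has(a));
}

// Constructed sample: a role with only database-wide privileges.
const before = {
  role: "explainRole", db: "admin",
  privileges: [
    { resource: { db: "", collection: "" },
      actions: ["listIndexes", "listCollections", "dbStats", "collStats", "find"] },
  ],
  inheritedPrivileges: [],
};

// Constructed sample: the same role after the grantPrivilegesToRole workaround.
const after = {
  ...before,
  privileges: [
    ...before.privileges,
    { resource: { db: "", collection: "system.profile" },
      actions: ["indexStats", "dbStats", "collStats"] },
  ],
};

console.log("before:", missingProfileActions(before, "auditDb"));
console.log("after: ", missingProfileActions(after, "auditDb"));
```

The `before` case shows why the error appears even though `dbStats` and `collStats` are already granted database-wide: those grants do not extend to `system.profile`.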

       

       

       

          People

            Unassigned Unassigned
            vinodh.krishnaswamy Vinodh Krishnaswamy