问题
When I try to get info about replica I get the following error:
rep0:PRIMARY> rs.printReplicationInfo()
2015-05-19T13:30:29.231+0200 error: {
"$err" : "not authorized for query on local.system.namespaces",
"code" : 13
} at src/mongo/shell/query.js:131
I have tried to execute the command with the two following users:
[
{
"_id" : "admin.siteRootAdmin",
"user" : "siteRootAdmin",
"db" : "admin",
"roles" : [
{
"role" : "root",
"db" : "admin"
}
]
},
{
"_id" : "admin.mongoadmin",
"user" : "mongoadmin",
"db" : "admin",
"roles" : [
{
"role" : "userAdminAnyDatabase",
"db" : "admin"
},
{
"role" : "dbOwner",
"db" : "admin"
},
{
"role" : "clusterAdmin",
"db" : "admin"
}
]
}
]
Althought I have clusterAdmin
role to work with replicas, I have tried to update roles of mongoadmin to read local database (as all roles are granted on admin db) but I get the following error:
rep0:PRIMARY> db.system.users.update({"user":"mongoadmin"},{$addToSet:{"roles":"readAnyDatabase"}})
WriteResult({
"writeError" : {
"code" : 13,
"errmsg" : "not authorized on admin to execute command { update: \"system.users\", updates: [ { q: { user: \"mongoadmin\" }, u: { $addToSet: { roles: \"readAnyDatabase\" } }, multi: false, upsert: false } ], ordered: true }"
}
})
- What is supposed I need to have in order to get full access to all
replica commands in addition to
clusterAdmin
role? - If any of both users have permissions in admin db (mongoadmin is dbOwner), why I don't have permissions for update command?
回答1:
I was updating roles with the wrong command here is the right one:
db.grantRolesToUser( "mongoadmin", [{ role: "read", db: "local"}])
Now I can check the replicainfo:
rep0:PRIMARY> rs.printReplicationInfo()
configured oplog size: 990MB
log length start to end: 617347secs (171.49hrs)
oplog first event time: Thu May 14 2015 14:25:04 GMT+0200 (CEST)
oplog last event time: Thu May 21 2015 17:54:11 GMT+0200 (CEST)
now: Thu May 21 2015 17:54:24 GMT+0200 (CEST)
来源:https://stackoverflow.com/questions/30324901/update-role-user-not-authorized-on-admin-to-execute-command