Uploaded image for project: 'MongoDB Database Tools'
  1. MongoDB Database Tools
  2. TOOLS-3579

mongodump wrongly blocks dump from config database.

    • Type: Icon: Bug Bug
    • Resolution: Duplicate
    • Priority: Icon: Major - P3 Major - P3
    • None
    • Affects Version/s: 100.9.5
    • Component/s: None
    • None
    • Tools and Replicator

      Problem Statement/Rationale

      After mongodump 5.0 or even with newer releases 100.9.5; backup attempts from the config database are blockeds because system.* collections can't be dumped.

      Steps to Reproduce

      1. Deploy any supported database release:

      db.version()
      5.0.26

       

      2. Create a backup user:

      admin> db.getUser('backup_user')
      {
        _id: 'admin.backup_user',
        userId: UUID('45dc24ce-6c2d-41c8-8092-6ff95afc9748'),
        user: 'backup_user',
        db: 'admin',
        roles: [ { role: 'backup', db: 'admin' } ],
        mechanisms: [ 'SCRAM-SHA-1', 'SCRAM-SHA-256' ]
      }

       

      3. Dump the config:

      $ /opt/mongo/4.4.10/bin/mongodump  --host localhost --port 5026 --username backup_user --authenticationDatabase admin --password sekret -d config --out /mongo_data/dumpbkp/config/
      2024-06-25T22:01:38.304-0300    writing config.tenantMigrationRecipients to /mongo_data/dumpbkp/config/config/tenantMigrationRecipients.bson
      2024-06-25T22:01:38.304-0300    writing config.image_collection to /mongo_data/dumpbkp/config/config/image_collection.bson
      2024-06-25T22:01:38.304-0300    writing config.external_validation_keys to /mongo_data/dumpbkp/config/config/external_validation_keys.bson
      2024-06-25T22:01:38.304-0300    done dumping config.external_validation_keys (0 documents)
      2024-06-25T22:01:38.304-0300    done dumping config.tenantMigrationRecipients (0 documents)
      2024-06-25T22:01:38.304-0300    done dumping config.image_collection (0 documents)
      2024-06-25T22:01:38.308-0300    writing config.tenantMigrationDonors to /mongo_data/dumpbkp/config/config/tenantMigrationDonors.bson
      2024-06-25T22:01:38.309-0300    done dumping config.tenantMigrationDonors (0 documents)

       

      4. Check the files: 

      $ ls /mongo_data/dumpbkp/config/config/
      external_validation_keys.bson           image_collection.bson           tenantMigrationDonors.bson           tenantMigrationRecipients.bson
      external_validation_keys.metadata.json  image_collection.metadata.json  tenantMigrationDonors.metadata.json  tenantMigrationRecipients.metadata.json

       

      Expected Results

      That's the expected result. Although I can't dump the system, the other configuration collections were correctly dumped.

      I couldn't find the source code from mongodump 4.4, but from 4.2:

      https://github.com/mongodb/mongo-tools/blob/v4.2/mongodump/prepare.go#L143C6-L143C31
      
      func shouldSkipSystemNamespace(dbName, collName string) bool {
          // ignore <db>.system.* except for admin; ignore other specific
          // collections in config and admin databases used for 3.6 features.
          switch dbName {
          case "admin":
              if collName == "system.keys" {
                  return true
              }
          case "config":
              if collName == "transactions" || collName == "system.sessions" || collName == "transaction_coordinators" {
                  return true
              }
          default:
              if collName == "system.js" {
                  return false
              }
              if strings.HasPrefix(collName, "system.") {
                  return true
              }
          }
      
          // Skip over indexes since they are also listed in system.namespaces in 2.6 or earlier
          if strings.Contains(collName, "$") && !strings.Contains(collName, ".oplog.$") {
              return true
          }
      
          return false
      }

      system.* collections were ignored, which is fine.

      Actual Results

      However, when we go to newer releases of mongodump.

      ./mongodump --version
      mongodump version: 100.9.5
      git version: 90481484c1783826fe26ca18bbdcd30e933f3b88
      Go version: go1.21.11
         os: linux
         arch: amd64
         compiler: gc

      Trying to dump:

      ./mongodump  --host localhost --port 5026 --username backup_user --authenticationDatabase admin --password sekret -d config --out /mongo_data/dumpbkp/config/
      2024-06-25T22:05:22.781-0300    Failed: error creating intents to dump: error counting config.system.sessions: (Unauthorized) not authorized on config to execute command { count: "system.sessions", lsid: { id: UUID("f2d8288d-e547-41cb-9468-5da228e90b6d") }, $clusterTime: { clusterTime: Timestamp(1719363915, 1), signature: { hash: BinData(0, A3777F059FAB49E5F8E76A16DF48B8BE1D581A25), keyId: 7380528817137254406 } }, $db: "config", $readPreference: { mode: "primaryPreferred" } }

      Or:

      $ /opt/mongo/5.0.26/bin/mongodump  --host localhost --port 5026 --username backup_user --authenticationDatabase admin --password sekret -d config --out /mongo_data/dumpbkp/config/
      2024-06-25T22:22:07.244-0300    Failed: error creating intents to dump: error counting config.system.sessions: (Unauthorized) not authorized on config to execute command { count: "system.sessions", lsid: { id: UUID("d02cffa7-1737-46c6-944f-a3d6f2442b20") }, $clusterTime: { clusterTime: Timestamp(1719364925, 1), signature: { hash: BinData(0, 594EF93D66556CC2BF35BF6B8281C0759E91D2D4), keyId: 7380528817137254406 } }, $db: "config", $readPreference: { mode: "primaryPreferred" } }

       

      The source code says:

      https://github.com/mongodb/mongo-tools/blob/master/mongodump/prepare.go#L145-L183

      // By default dumping the entire cluster will only dump config collections
      // in dumprestore.ConfigCollectionsToKeep. Every other config collection is ignoered.
      // If you set --db=config then everything is included.
      // If you set --db=config --collection=foo, then shouldSkipSystemNamespace() is
      // never hit since CreateCollectionIntent() is run directly. In this case
      // config.foo will be the olny collection dumped.

       

      The dump is trying to first validate if the user is authorized to dump the system.*. But if the dump should skip system.* collections for the non-admin database, validating user authorization against it doesn't seem correct.

      • That's leading the dump to fail.

       

       

      Additional Notes

      Any additional information that may be useful to include.

            Assignee:
            jian.guan@mongodb.com Jian Guan
            Reporter:
            jean_nsilva@hotmail.com Jean da Silva
            Votes:
            1 Vote for this issue
            Watchers:
            4 Start watching this issue

              Created:
              Updated:
              Resolved: