Type: Bug
Resolution: Duplicate
Priority: Major - P3
Affects Version/s: 100.9.5
Component/s: None
Tools and Replicator
Problem Statement/Rationale
After mongodump 5.0, or even with the newer release 100.9.5, backup attempts from the config database are blocked because system.* collections can't be dumped.
Steps to Reproduce
1. Deploy any supported database release:

```
db.version()
5.0.26
```

2. Create a backup user:

```
admin> db.getUser('backup_user')
{
  _id: 'admin.backup_user',
  userId: UUID('45dc24ce-6c2d-41c8-8092-6ff95afc9748'),
  user: 'backup_user',
  db: 'admin',
  roles: [ { role: 'backup', db: 'admin' } ],
  mechanisms: [ 'SCRAM-SHA-1', 'SCRAM-SHA-256' ]
}
```

3. Dump the config:

```
$ /opt/mongo/4.4.10/bin/mongodump --host localhost --port 5026 --username backup_user --authenticationDatabase admin --password sekret -d config --out /mongo_data/dumpbkp/config/
2024-06-25T22:01:38.304-0300 writing config.tenantMigrationRecipients to /mongo_data/dumpbkp/config/config/tenantMigrationRecipients.bson
2024-06-25T22:01:38.304-0300 writing config.image_collection to /mongo_data/dumpbkp/config/config/image_collection.bson
2024-06-25T22:01:38.304-0300 writing config.external_validation_keys to /mongo_data/dumpbkp/config/config/external_validation_keys.bson
2024-06-25T22:01:38.304-0300 done dumping config.external_validation_keys (0 documents)
2024-06-25T22:01:38.304-0300 done dumping config.tenantMigrationRecipients (0 documents)
2024-06-25T22:01:38.304-0300 done dumping config.image_collection (0 documents)
2024-06-25T22:01:38.308-0300 writing config.tenantMigrationDonors to /mongo_data/dumpbkp/config/config/tenantMigrationDonors.bson
2024-06-25T22:01:38.309-0300 done dumping config.tenantMigrationDonors (0 documents)
```

4. Check the files:

```
$ ls /mongo_data/dumpbkp/config/config/
external_validation_keys.bson           image_collection.bson           tenantMigrationDonors.bson           tenantMigrationRecipients.bson
external_validation_keys.metadata.json  image_collection.metadata.json  tenantMigrationDonors.metadata.json  tenantMigrationRecipients.metadata.json
```
Expected Results
That's the expected result. Although I can't dump the system, the other configuration collections were correctly dumped.
I couldn't find the source code from mongodump 4.4, but from 4.2:
https://github.com/mongodb/mongo-tools/blob/v4.2/mongodump/prepare.go#L143C6-L143C31

```go
func shouldSkipSystemNamespace(dbName, collName string) bool {
	// ignore <db>.system.* except for admin; ignore other specific
	// collections in config and admin databases used for 3.6 features.
	switch dbName {
	case "admin":
		if collName == "system.keys" {
			return true
		}
	case "config":
		if collName == "transactions" || collName == "system.sessions" || collName == "transaction_coordinators" {
			return true
		}
	default:
		if collName == "system.js" {
			return false
		}
		if strings.HasPrefix(collName, "system.") {
			return true
		}
	}

	// Skip over indexes since they are also listed in system.namespaces in 2.6 or earlier
	if strings.Contains(collName, "$") && !strings.Contains(collName, ".oplog.$") {
		return true
	}
	return false
}
```
system.* collections were ignored, which is fine.
Actual Results
However, when we go to newer releases of mongodump:

```
./mongodump --version
mongodump version: 100.9.5
git version: 90481484c1783826fe26ca18bbdcd30e933f3b88
Go version: go1.21.11
   os: linux
   arch: amd64
   compiler: gc
```

Trying to dump:

```
./mongodump --host localhost --port 5026 --username backup_user --authenticationDatabase admin --password sekret -d config --out /mongo_data/dumpbkp/config/
2024-06-25T22:05:22.781-0300 Failed: error creating intents to dump: error counting config.system.sessions: (Unauthorized) not authorized on config to execute command { count: "system.sessions", lsid: { id: UUID("f2d8288d-e547-41cb-9468-5da228e90b6d") }, $clusterTime: { clusterTime: Timestamp(1719363915, 1), signature: { hash: BinData(0, A3777F059FAB49E5F8E76A16DF48B8BE1D581A25), keyId: 7380528817137254406 } }, $db: "config", $readPreference: { mode: "primaryPreferred" } }
```

Or:

```
$ /opt/mongo/5.0.26/bin/mongodump --host localhost --port 5026 --username backup_user --authenticationDatabase admin --password sekret -d config --out /mongo_data/dumpbkp/config/
2024-06-25T22:22:07.244-0300 Failed: error creating intents to dump: error counting config.system.sessions: (Unauthorized) not authorized on config to execute command { count: "system.sessions", lsid: { id: UUID("d02cffa7-1737-46c6-944f-a3d6f2442b20") }, $clusterTime: { clusterTime: Timestamp(1719364925, 1), signature: { hash: BinData(0, 594EF93D66556CC2BF35BF6B8281C0759E91D2D4), keyId: 7380528817137254406 } }, $db: "config", $readPreference: { mode: "primaryPreferred" } }
```
The source code says:
https://github.com/mongodb/mongo-tools/blob/master/mongodump/prepare.go#L145-L183
```go
// By default dumping the entire cluster will only dump config collections
// in dumprestore.ConfigCollectionsToKeep. Every other config collection is ignored.
// If you set --db=config then everything is included.
// If you set --db=config --collection=foo, then shouldSkipSystemNamespace() is
// never hit since CreateCollectionIntent() is run directly. In this case
// config.foo will be the only collection dumped.
```
The dump is trying to first validate if the user is authorized to dump the system.*. But if the dump should skip system.* collections for the non-admin database, validating user authorization against it doesn't seem correct. That's leading the dump to fail.
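A small model of the difference described above, added here as an example and not taken from mongodump: `skip42` condenses the 4.2 function quoted on this page, while `planIntents`, `includeAll`, `denied` and the sample collection list are hypothetical. With the 4.2 filter the count on config.system.sessions is never issued; with nothing skipped, the single refusal aborts the whole plan.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

var errUnauthorized = errors.New("(Unauthorized) not authorized on config")

// denied is a hypothetical stand-in for the server refusing count to the backup role.
var denied = map[string]bool{"config.system.sessions": true}

// skip42 condenses the 4.2 shouldSkipSystemNamespace quoted above (the "$" check is left out).
func skip42(db, coll string) bool {
	switch db {
	case "admin":
		return coll == "system.keys"
	case "config":
		return coll == "transactions" || coll == "system.sessions" || coll == "transaction_coordinators"
	}
	return coll != "system.js" && strings.HasPrefix(coll, "system.")
}

// includeAll models the comment in master: with --db=config nothing is skipped.
func includeAll(db, coll string) bool { return false }

// planIntents counts every collection the filter keeps; one refusal aborts the whole plan.
func planIntents(db string, colls []string, skip func(db, coll string) bool) (intents []string, err error) {
	for _, c := range colls {
		if skip(db, c) {
			continue
		}
		if denied[db+"."+c] {
			return nil, fmt.Errorf("error creating intents to dump: error counting %s.%s: %w", db, c, errUnauthorized)
		}
		intents = append(intents, c)
	}
	return intents, nil
}

// Constructed sample: the four collections from the dump log plus system.sessions.
var configColls = strings.Fields("tenantMigrationRecipients image_collection " +
	"external_validation_keys tenantMigrationDonors system.sessions")

func main() {
	fmt.Println(planIntents("config", configColls, skip42))
	fmt.Println(planIntents("config", configColls, includeAll))
}
```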
Issue Links
- duplicates
  - TOOLS-3329 Update to 100.7.3 breaks backup (Closed)
- related to
  - TOOLS-3329 Update to 100.7.3 breaks backup (Closed)
  - TOOLS-3324 Fix failure to dump needed sharded collections from config database (Closed)