Users and roles are not restored in a selective restore
Description
Environment
Oracle Linux Server 8.8 x86_64
mongod version v5.0.21-18
pbm-agent version 2.3.0
pbm-agent version 2.2.1
Activity
Aaditya Dubey November 30, 2023 at 10:41 AM
Hi ,
Thank you for the feedback.
Sending the concern to engineering for further review.
Petr Vavra November 28, 2023 at 8:59 PM
Hi,
sorry for the late response, but I've been sick.
We use MongoDB as data storage for Web Apps. A MongoDB cluster instance contains a number of independent databases and users - the Database per user data model, with the fact that user authentication is performed against individual databases.
At the lowest level of recovery granularity, we restore all objects (collections, users, roles) for individual databases after damage/deletion.
This is the most common scenario for us.
Aaditya Dubey November 24, 2023 at 8:55 AM
Hi ,
We are awaiting for your inputs if any.
jan.wieremjewicz November 23, 2023 at 3:05 PM
Hi Petr, thank you for reporting.
This is not a bug but rather an improvement/feature request. We are aware of the limitation, it's there due to the scope of partial restore implemented for now. We have changed the type accordingly.
Restoring a full database as a subset of the instance, with the users and roles is something we want to add to PBM.
The current focus and priority is to enable selective physical restore.
We see a number of issues that are pending analysis before we restore:
Restoring users is a complicated topic from the security point of view. Restoring removed users also has implications to some security procedures within organizations (i.e. after they have been removed due to being removed from the organization).
Users would also have to be restored to the admin database, so it's not restoring one database to more than one location. We would most likely restore only users in the custom database, not the admin ones.
The potential issue we see when restoring the database to the same instance is with collisions with existing users, but these could be most likely handled by skipping existing users and throw a warning/error.
Can you share some more details about your expectations of the users/roles you would want to have restored to address your scenario?
Petr Vavra November 22, 2023 at 1:38 PM
Hello,
thank you for a quick response.
I understand.
From the point of view of the speed of the procedure of restoring only individual databases - without the need to restore the entire instance, it is precisely the possibility of selective restoration of users and roles that is essential.
Similar behavior was already addressed in https://jira.percona.com/browse/PBM-217?jql=project%20%3D%20PBM%20AND%20text%20~%20%22users%22
This is exactly what mongorestore allows - is there a plan to implement this functionality (for example by using a switch)?
Thank you
Details
Details
Assignee
Boris IlijicReporter
Petr VavraLabels
Needs QA
Sprint
Fix versions
Priority
Medium
Hi, i have tried this with 3 node replica set (PSA).
Here's how it looks and how to reproduce.
Preparation: create new custom database, add role and users in database:
Execute backup:
Drop users , roles and custom database:
Wait for mongod remove custom database dir - mongod.log:
"msg":"Removed empty database directory","attr":{"db":"test_poh_pbm"}
Do selective restore:
Check what is restored:
The same procedure was also tested for pbm-agent version 2.3.0
For mongorestore there is an option to restore users/roles mongorestore
is it possible to implement this?
Thank you
Best regards