Need extra privileges for pmm user when enabling advanced collectors in MongoDB

Description

Advanced metric collectors are included from PMM 2.26. When the advanced metrics are enabled (see here), the existing user created as described in https://docs.percona.com/percona-monitoring-and-management/setting-up/client/mongodb.html#create-pmm-account-and-set-permissions will fail.

Log:

 

Workaround:

Provide extra privilege to the pmm user as follows:

 

This needs to be added to the docs so that the customer grants this privilege and the pmm user can fetch those advanced metrics:

If the role "explainRole" already exists, the command below can be used to add extra privileges to it:

 

 

 

How to test

  1. Create MongoDB instance with profiler enabled to level 2 (to force generation of system.profile collection)

  2. Create explain role in MongoDB database without permissions on system.profile collection

  3. Connect to DB with MongoDB exporter. No failure should be observed for generating metrics.

How to document

None

AFFECTED CS IDs

CS0027209, CS0028132

Activity

Ivan Groenewold May 27, 2024 at 2:26 PM

addresses this

rasika.chivate July 28, 2022 at 8:52 AM

Please provide your input on this.

Ivan Groenewold June 13, 2022 at 12:44 PM

Hello, the collections where the name has the system. prefix are treated differently and are not covered by the "resource": { "db": "", "collection": ""} entry, hence we need to provide specific entries for both system.version and system.profile. As for your third question, I am not sure about the reason; this is a privilege the pmm user had historically.
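The matching rule described in the comment above, as an added example that is not part of the ticket or of PMM's code: a small audit function that reports which actions a role lacks on a given namespace. The role documents are constructed, their action lists use only actions named in this thread (they are not PMM's documented role definition), and the function names are hypothetical.

```javascript
// Added example: audit a MongoDB role document for privileges on system.* collections.
// Rule modelled here: an empty "collection" string in a resource covers only
// non-system collections, so system.* collections need an explicit entry.

function resourceCovers(resource, db, collection) {
  if (resource.anyResource === true) return true;       // matches every resource
  if (typeof resource.db !== "string" || typeof resource.collection !== "string") {
    return false;                                       // e.g. { cluster: true }
  }
  const dbOk = resource.db === "" || resource.db === db;
  const isSystem = collection.startsWith("system.");
  const collOk = resource.collection === ""
    ? !isSystem                                         // wildcard skips system.*
    : resource.collection === collection;
  return dbOk && collOk;
}

// Returns the actions from `needed` that the role does not grant on db.collection.
function missingActions(role, db, collection, needed) {
  const granted = new Set();
  for (const p of role.privileges || []) {
    if (resourceCovers(p.resource, db, collection)) {
      for (const a of p.actions) granted.add(a);
    }
  }
  return needed.filter((a) => !granted.has(a));
}

// Constructed role documents (shape of rolesInfo output with showPrivileges: true).
const wildcardOnly = {
  role: "explainRole",
  privileges: [
    { resource: { db: "", collection: "" },
      actions: ["find", "listIndexes", "listCollections", "collStats"] },
  ],
};
const withSystemProfile = {
  role: "explainRole",
  privileges: [
    ...wildcardOnly.privileges,
    { resource: { db: "", collection: "system.profile" },
      actions: ["collStats", "indexStats"] },
  ],
};

const needed = ["collStats", "indexStats"];   // actions discussed for system.profile
console.log(missingActions(wildcardOnly, "test", "system.profile", needed));
console.log(missingActions(withSystemProfile, "test", "system.profile", needed));
```

Running the same check against the real output of `rolesInfo` for the monitoring role shows, before the exporter is connected, whether the wildcard entry is being relied on for a system collection.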

shashank.sinha June 10, 2022 at 6:31 AM

I have the following doubts about the privileges we provide in explainRole:

  1. Why do we need to provide access to the system.version collection? From what I understand, finding the MongoDB server version is not a privileged action.

  2. Why do we need collStats and indexStats actions on the system.profile collection?

  3. Why do we need find action on all DBs? Assuming find is necessary, we don't need to specify listIndexes and listCollections (reference)

I feel that we need to perform a quick cleanup of the privileges we need to make PMM work smoothly with MongoDB. We should document use case for each privilege we add for PMM user. This should make things easy to understand and avoid unnecessary addition or removal of privileges in future.

I suggest moving the ticket to devs for further discussion/cleanup. Only after that should we go ahead and make the necessary PR for docs.

Done

Needs QA

Yes

Needs Doc

Yes

Created May 25, 2022 at 5:20 AM
Updated October 9, 2024 at 8:36 AM
Resolved May 2, 2023 at 11:18 AM