Cannot create database as admin user.

[Bjohnson131]

What did you do to encounter the bug?
Steps to reproduce the behavior:

1. apply the most recent operator yaml in a namespace
2. apply this database yaml in the same namespace:
3. try to log in as "my-user" from mongodb compass
4. try to create any database

---
apiVersion: mongodbcommunity.mongodb.com/v1
kind: MongoDBCommunity
metadata:
  name: mongodb
  namespace: default
spec:
  members: 1
  type: ReplicaSet
  version: "6.0.2"
  statefulSet:
    spec:
      volumeClaimTemplates:
        - metadata:
            name: data-volume
          spec:
            accessModes: [ "ReadWriteOnce" ]
            storageClassName: "longhorn"
            resources:
              requests:
                storage: 20Gi
        - metadata:
            name: logs-volume
          spec:
            accessModes: [ "ReadWriteOnce" ]
            storageClassName: "longhorn"
            resources:
              requests:
                storage: 2Gi
  security:
    authentication:
      modes: ["SCRAM"]
  users:
    - name: my-user
      db: admin
      passwordSecretRef: # a reference to the secret that will be used to generate the user's password
        name: my-user-password
      roles:
        - name: clusterAdmin
          db: admin
        - name: userAdminAnyDatabase
          db: admin
      scramCredentialsSecretName: my-scram
  additionalMongodConfig:
    storage.wiredTiger.engineConfig.journalCompressor: zlib

# the user credentials will be generated from this secret
# once the credentials are generated, this secret is no longer required
---
apiVersion: v1
kind: Secret
metadata:
  name: my-user-password
  namespace: default
type: Opaque
stringData:
  password: [whatever]

What did you expect?
I expected to be able to create a database

What happened instead?
not authorized on newdb to execute command { create: "newcollection", lsid: { id: UUID("ef310b16-9dab-4ffd-a4af-04e98b397619") }, $clusterTime: { clusterTime: Timestamp(1668065708, 1), signature: { hash: BinData(0, C4955DD8863109D20A7BC68745801BE04209F547), keyId: 7164285172358053892 } }, $db: "newdb" }

Screenshots

Operator Information

• 0.7.6
• 6.0.2

Kubernetes Cluster Information

• vanilla
• 1.24.7
• Image Registry location (quay, or an internal registry): quay

Additional context
see line 78 of the log:
mongodb-0-1668066394382142449.log

If possible, please include:

• kubectl describe output
• yaml definitions for your objects
• log files for the operator and database pods

[mircea-cosbuc]

Hi @Bjohnson131,
The roles configured for my-user in your sample are not sufficient for creating new databases. You could add the readWriteAnyDabase role to your user e.g.:

...
      roles:
        - name: clusterAdmin
          db: admin
        - name: userAdminAnyDatabase
          db: admin
        - name: readWriteAnyDatabase
          db: admin
...

or you can use a custom role that allows the user to create collections in your specific database (based on this example):

apiVersion: mongodbcommunity.mongodb.com/v1
kind: MongoDBCommunity
metadata:
  annotations:
  name: mongodb
spec:
  additionalMongodConfig:
    storage.wiredTiger.engineConfig.journalCompressor: zlib
  members: 1
  security:
    authentication:
      ignoreUnknownUsers: true
      modes:
      - SCRAM
    roles:
    - db: admin
      privileges:
      - actions:
        - createCollection
        resource:
          collection: ""
          db: mynewdb
      role: customRole
  type: ReplicaSet
  users:
  - db: admin
    name: my-user
    passwordSecretRef:
      name: my-user-password
    roles:
    - db: admin
      name: clusterAdmin
    - db: admin
      name: userAdminAnyDatabase
    - db: admin
      name: customRole
    scramCredentialsSecretName: my-scram
  version: 6.0.2

Please refer to https://www.mongodb.com/docs/manual/reference/built-in-roles/ for the built-in roles that can be used directly and https://www.mongodb.com/docs/manual/reference/privilege-actions/ for actions available when creating custom roles.

[mircea-cosbuc]

Closing this ticket as explained. If the information above is not sufficient to accomplish the desired credentials, please re-open with a comment.

[dan-mckean]

Hi, I'm Dan and I'm the Product Manager for MongoDB's support of Kubernetes.

I'm doing some work right now to try and identify how the Community Operator is being used. The Community Operator is something I inherited when I started at MongoDB, but it doesn't get as much attention from us as we'd like and we're trying to understand how it's used in order to establish its future. It will help us prioritize future issues and PRs raised by the community 🙂

Here's a super short survey (it's much easier for us to review all the feedback that way!): https://docs.google.com/forms/d/e/1FAIpQLSfwrwyxBSlUyJ6AmC-eYlgW_3JEdfA48SB2i5--_WpiynMW2w/viewform?usp=sf_link

If you'd rather email me instead: dan.mckean@mongodb.com

Thank you in advance!
Dan