MongoDB privilege required for find operation on db.system.profile

[bmontuelle]

Good morning,

We are building the project on top of Lagom framework
"com.lightbend.lagom" % "lagom-sbt-plugin" % "1.4.0-M2"

Built our connector for lagom ReadSide event handlers and configured akka persistence with this plugin to persist akka journal and realtime on MongoDB with ReactiveMongo
"com.github.scullxbones" %% "akka-persistence-mongo-rxmongo" % "2.0.4"

Other Reactive Mongo usage are in lagom read side processors, updating entity read side in response to event. Its very similar to typical DAO use : insert, update, finds

The MongoDB Administrator had to allow the application to pass find queries on <db_name>.system.profile . He says cannot let this for the production environment, and want to stay with the default MongoDB profile "readWrite"

The problem occurs only when mongoDB server has operationProfiling enabled, in slowOp mode with this in mongo configuration file

operationProfiling:
  mode: slowOp
  slowOpThresholdMs: 500

When this profiling mode is selected the reactive mongo connection fails because of an authentication DatabaseException['not authorized for query on xxxxx.system.profile' (code = 13)] If we allow just the 'find' operation on the system.profile collection it works fine.

I cannot trace back any query to this collection in ReactiveMongo, nor in akka-persistence-mongo sources.

Do anyone of you know of such behavior and could help on this ?

Best regards
Benoit

[scullxbones]

Hi @bmontuelle - thanks for submitting the issue.

Given that I just saw #187 go through, I'm thinking that the suffixed collection name logic is being overly aggressive again about wanting access to every single collection in the database. Are you using this functionality?

[bmontuelle]

Hi ! Thanks for the info, it may relate here.

We are not using suffixed collection name. I can try adding a suffix-builder to see but if not sure it will change something for this.
I see in the 2.0.4 we are using and in masterbranch version there is this in akka.contrib.persistence.mongodb.CurrentEventsByTag

    Source.fromFuture(driver.getAllCollectionsAsFuture(None))
          .flatMapConcat{ xs =>
            xs.map(c =>
              c.find(query)
               .sort(BSONDocument(ID -> 1))
               .cursor[BSONDocument]()
               .documentSource()
            ).reduceLeft(_ ++ _)
          }.map{ doc =>
[...]

which is performing a find query on every single collection of the database if I get it right.
Could this possibly be another case of the same problem as there are no filters passed to getAllCollectionsAsFuture?

[bmontuelle]

Yes I can confirm we pass in this method with cvalue being the xxx.system.profile if this collection already exists (ie. at least one query duration was over slowOpThresholdMs before and the profiling collection got created)

I will try to provide a workaround, I dont think there is a need for watching system collections here

[scullxbones]

Fixed in v2.0.9 - thanks @bmontuelle !

[bmontuelle]

Wonderful ! Many thanks