0
votes

I'm trying to execute the following 'query' on the primary node of my mongodb cluster:

> db.system.sessions.count()

The cluster gives me an error as follows:

"not authorized on admin to execute command", "unauthorized"

The docs said that the role 'root' has implicitly the 'clusterAdmin' role, which I suppose is enough to query the sessions count.

This is the user/roles I'm logged in with:

{
    "user" : "admshard",
    "db" : "admin",
    "roles" : [
        {
            "role" : "root",
            "db" : "admin"
        },
        {
            "role" : "clusterManager",
            "db" : "admin"
        },
        {
            "role" : "userAdminAnyDatabase",
            "db" : "admin"
        },
        {
            "role" : "dbOwner",
            "db" : "admin"
        }
    ]
}

My mongodb version is 4.2.3. I'm working with 2 databases and 2 arbiters.

Any clue about this?

Thanks!!

1
Obviously, I'm not authorized to any query on db.system :( - thatsallfolks
The system.sessions collection is in config database. - prasad_
Strange, role { role : "root", db: "admin"} should permit almost everything. Did you connect with the correct password? - Wernfried Domscheit
Got it. So I'm trying to run against config db the $listSessions but it requires privileges with listSessions action and I have no idea on how I grant it to the logged in user! - thatsallfolks
Also, I found someone that was trying to access the system.sessions collection and he/she had to give access (grant a role) to the collection specifically. I tried the same, but no results. - thatsallfolks

1 Answer

1
votes

The root role provides the privileges granted by the roles:

  • readWriteAnyDatabase
  • dbAdminAnyDatabase
  • userAdminAnyDatabase
  • clusterAdmin
  • restore
  • backup

clusterManager grants the find privilege on all non-system collections in the config database.

readWriteAnyDatabase grants the same privileges as readWrite on all databases except local and config, and also provides the listDatabases action on the cluster as a whole.

You may need to create a custom role, and use grantPrivilegesToRole to give it the find action on the config.system.sessions collection.
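
The custom role suggested in the answer above, as an added example that is not part of the original answer: it creates a role holding only the find action on config.system.sessions and grants it to the user from the question. The role name `sessionsReader` and the in-memory `fakeAdminDb` stand-in are assumptions made for illustration; the role is created in the admin database because only roles defined there can carry privileges on other databases.

```javascript
// Added example: least-privilege role for reading config.system.sessions.
// "sessionsReader" is a hypothetical role name; "admshard" is the user from the question.
const ROLE = "sessionsReader";
const WANTED = [
  { resource: { db: "config", collection: "system.sessions" }, actions: ["find"] },
];

// True when a privilege list holds `action` on exactly this db/collection resource.
function grantsExact(privileges, dbName, coll, action) {
  return privileges.some((p) =>
    p.resource.db === dbName && p.resource.collection === coll &&
    p.actions.includes(action));
}

// Idempotent: create the role, or top it up with grantPrivilegesToRole if it
// already exists without the privilege, then grant it to the user.
// adminDb is db.getSiblingDB("admin") when run in the mongo shell.
function grantSessionsRead(adminDb, userName) {
  const role = adminDb.getRole(ROLE, { showPrivileges: true });
  if (role === null) {
    adminDb.createRole({ role: ROLE, privileges: WANTED, roles: [] });
  } else if (!grantsExact(role.privileges, "config", "system.sessions", "find")) {
    adminDb.grantPrivilegesToRole(ROLE, WANTED);
  }
  adminDb.grantRolesToUser(userName, [{ role: ROLE, db: "admin" }]);
  return adminDb.getRole(ROLE, { showPrivileges: true }).privileges;
}

// Constructed in-memory stand-in for the admin database, so the logic can be
// exercised offline. It implements only the four shell helpers used above.
function fakeAdminDb(initialRoles = {}) {
  const roles = { ...initialRoles }, users = {}, calls = [];
  return {
    calls, users,
    getRole: (n) => (n in roles ? { role: n, privileges: roles[n] } : null),
    createRole: (r) => { calls.push("createRole"); roles[r.role] = [...r.privileges]; },
    grantPrivilegesToRole: (n, p) => { calls.push("grantPrivilegesToRole"); roles[n].push(...p); },
    grantRolesToUser: (u, r) => { calls.push("grantRolesToUser"); users[u] = (users[u] || []).concat(r); },
  };
}

// In the mongo shell: grantSessionsRead(db.getSiblingDB("admin"), "admshard")
// then re-run: db.getSiblingDB("config").system.sessions.count()
```

Granting a narrow role like this avoids widening the account with further built-in roles just to read one system collection.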