OrleansContrib/Orleans.Providers.MongoDB

Why is readWrite on admin required?

dzmitry-lahoda opened this issue · 3 comments

MongoDB provider works with the following config:

db.getSiblingDB("MYAPP").dropUser("MYAPP_readWrite");
db.getSiblingDB("MYAPP").createUser(
  {
    user: "MYAPP_readWrite",
    pwd: "3r31qr24gh34",
    roles: [ 
      { role: "readWrite", db: "MYAPP" },
      { role: "readWrite", db: "admin" }
    ]
  }
);
db.getSiblingDB("MYAPP").getUser("MYAPP_readWrite");

db.getSiblingDB("admin").dropUser("MYAPP_readWrite");
db.getSiblingDB("admin").createUser(
  {
    user: "MYAPP_readWrite",
    pwd: "3r31qr24gh34",
    roles: [ 
      { role: "readWrite", db: "MYAPP" },
      { role: "readWrite", db: "admin" }
    ]
  }
);
db.getSiblingDB("admin").getUser("MYAPP_readWrite");

MongoDB provider fails with the following config:

db.getSiblingDB("MYAPP").dropUser("MYAPP_readWrite");
db.getSiblingDB("MYAPP").createUser(
  {
    user: "MYAPP_readWrite",
    pwd: "3r31qr24gh34",
    roles: [ 
      { role: "readWrite", db: "MYAPP" },
      { role: "read", db: "admin" }
    ]
  }
);
db.getSiblingDB("MYAPP").getUser("MYAPP_readWrite");

db.getSiblingDB("admin").dropUser("MYAPP_readWrite");
db.getSiblingDB("admin").createUser(
  {
    user: "MYAPP_readWrite",
    pwd: "3r31qr24gh34",
    roles: [ 
      { role: "readWrite", db: "MYAPP" },
      { role: "read", db: "admin" }
    ]
  }
);
db.getSiblingDB("admin").getUser("MYAPP_readWrite");

In code, in both cases only storage is used (all other storages are in memory):

    .AddMongoDBGrainStorage(Constants.GrainStorageProviderName, options =>
    {
        var connectionString = hostContext.Configuration.GetValue<string>("Meta:Back:GrainStorage:ConnectionString");
        // https://github.com/OrleansContrib/Orleans.Providers.MongoDB/pull/64
        var connectionUrl = MongoUrl.Create(connectionString);
        options.ConnectionString = connectionString;
        options.DatabaseName = connectionUrl.DatabaseName;
    })

Connection string:

mongodb://MYAPP_readWrite:3r31qr24gh34@127.0.0.1:27018/MYAPP

The same connection string is used for ASP.NET Identity, and it works with no admin rights.

So why is readWrite on admin required?

Workaround:

    .ConfigureServices(x =>
    {
        x.AddTransient<IConfigurationValidator, EmptyValidator>();
    })

    public class EmptyValidator : IConfigurationValidator
    {
        public void ValidateConfiguration()
        {
        }
    }

#64

I am not sure if I follow you, but there is no explicit permission requested.

Database is erased by validator. Orleans calls for state storage lead to Mongo trying to auth the client against all databases, and it fails on admin. And everything fails, even though I never asked to use admin.
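An added example, not part of the issue thread or the provider's code: a small audit that takes user documents shaped like `db.getUser()` output and flags role grants outside the application database, plus user entries created in a database the connection string never authenticates against. The function names, the `WRITE_ROLES` list and the sample data (with a placeholder password) are assumptions made for illustration.

```javascript
// Added example, not from the issue: least-privilege audit of MongoDB users.
// Sample documents are constructed, shaped like db.getUser() output.

// Database the driver authenticates against: explicit authSource option,
// else the database in the URI path, else "admin" (MongoDB URI rules).
function effectiveAuthSource(uri) {
  const u = new URL(uri);
  const fromPath = decodeURIComponent(u.pathname.replace(/^\//, ""));
  return u.searchParams.get("authSource") || fromPath || "admin";
}

// Built-in roles that allow writes (assumed list; extend for custom roles).
const WRITE_ROLES = new Set(["readWrite", "dbOwner", "readWriteAnyDatabase", "root"]);

// Flag grants outside appDb and user entries the URI never authenticates as.
function auditUsers(userDocs, uri, appDb) {
  const authDb = effectiveAuthSource(uri);
  const findings = [];
  for (const doc of userDocs) {
    const id = `${doc.db}.${doc.user}`;
    if (doc.db !== authDb) {
      findings.push({ user: id, issue: "not-auth-source",
        detail: `connection string authenticates against ${authDb}` });
    }
    for (const r of doc.roles) {
      if (r.db === appDb) continue; // grant stays inside the application database
      const issue = WRITE_ROLES.has(r.role) ? "write-outside-app-db" : "read-outside-app-db";
      findings.push({ user: id, issue, detail: `${r.role} on ${r.db}` });
    }
  }
  return findings;
}

// Constructed sample mirroring the configuration that works in the issue.
const SAMPLE_URI = "mongodb://MYAPP_readWrite:PLACEHOLDER@127.0.0.1:27018/MYAPP";
const SAMPLE_ROLES = [{ role: "readWrite", db: "MYAPP" }, { role: "readWrite", db: "admin" }];
const SAMPLE_USERS = [
  { user: "MYAPP_readWrite", db: "MYAPP", roles: SAMPLE_ROLES },
  { user: "MYAPP_readWrite", db: "admin", roles: SAMPLE_ROLES },
];
console.log(auditUsers(SAMPLE_USERS, SAMPLE_URI, "MYAPP"));
```

The pure functions also run in mongosh, where the result of `db.getSiblingDB(name).getUser(user)` for each database can be passed in place of the constructed sample.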