lucee/extension-mongodb

Bad call to listCollections within the extension?

Opened this issue · 7 comments

Hi. This is following a post I did in:

https://stackoverflow.com/questions/70753405/create-custom-role-for-luceemongodb-application

It seems the extension will always run the listCollections command... However, in my case, my user performing actions on my collection was only allowed to: "find", "update", "insert" and "remove" on this collection. This broke the usage of the extension, since apparently I also had to force in the listCollections directly on my DB (but this wasn't wanted). Not doing so would lead to this crash:

not authorized on FOO to execute command { listCollections: 1, cursor: { batchSize: 0 }, $readPreference: { mode: "secondaryPreferred" }, $db: "FOO" }

The Mongo documentation states that one without proper privileges should be able to run the listCollections still by setting the authorizedCollections and nameOnly options to true. Why not do that in the extension's code, if it really needs to call listCollections?

I am new to Mongo, so feel free to correct me if I'm not thinking right, or if I'm doing something wrong.

Cheers! Pat
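
Added example, not part of the original post and not code from the extension or the Java driver: the collection-scoped role the post describes, the database-wide listCollections grant it wanted to avoid, and the listCollections form with authorizedCollections and nameOnly that the MongoDB documentation allows without that grant. The collection name, role name and function names are assumptions; "FOO" is the database from the error message.

```javascript
// Written for mongosh: pass a database handle such as db.getSiblingDB("FOO").
// "FOO" is the database named in the error above; the collection and role
// names are placeholders (assumptions, not taken from the post).
const DB_NAME = "FOO";
const COLLECTION = "myCollection";
const ROLE_NAME = "appCollectionRW";

// Role limited to the four actions named in the post, on one collection.
function leastPrivilegeRole() {
  return {
    role: ROLE_NAME,
    privileges: [{
      resource: { db: DB_NAME, collection: COLLECTION },
      actions: ["find", "update", "insert", "remove"],
    }],
    roles: [],
  };
}

// Broader variant: listCollections granted on the database resource
// (collection: "" addresses the database, i.e. every collection in it).
function roleWithDatabaseWideList() {
  const role = leastPrivilegeRole();
  role.privileges.push({
    resource: { db: DB_NAME, collection: "" },
    actions: ["listCollections"],
  });
  return role;
}

// Command form accepted without the database-wide privilege: both options
// must be true, and the reply holds only names of collections the user
// has privileges on.
function authorizedListCommand() {
  return { listCollections: 1, authorizedCollections: true, nameOnly: true };
}

// Run with an administrative handle: creates the narrow role.
function createNarrowRole(adminDb) {
  return adminDb.createRole(leastPrivilegeRole());
}

// Run with the restricted user's handle: returns visible collection names.
function listVisibleCollections(userDb) {
  const reply = userDb.runCommand(authorizedListCommand());
  if (!reply.ok) throw new Error("listCollections failed: " + reply.errmsg);
  return reply.cursor.firstBatch.map((c) => c.name);
}
```

Comparing the command document here with the one in the error message shows what the failing call lacks: it carries neither authorizedCollections nor nameOnly, so the server requires the listCollections action on the database.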

I will try to look into this, although it's been quite a while since this extension repo has had any activity. That said, I use it every day so I am definitely invested in keeping it current.

One thing to note, the "latest version" in the Lucee Admin (3.4.2.59) is not the current version in this repo. I have asked the folks at Lucee to update the version in the extension provider but have never gotten a response. @zspitzer is this something you could take care of?

Am I understanding correctly that you get this exception when you try to dump() the db object? Is this the only time you get the exception or are you getting it when you try to do actual operations on the collections, like find(), update() etc?

I've looked through the source code and the extension itself does not actually ever call the listCollections command. Keep in mind that the extension is just a Lucee wrapper for the MongoDB java driver. So my guess is it is the java driver that is making this call to listCollections, which I would expect it to need to do if you are trying to dump() the entire db! I don't think dumping the db is an actual use-case for the extension (other than to just quickly verify your connection is working - and I would never do it on a large MongoDB database!)

> Am I understanding correctly that you get this exception when you try to dump() the db object? Is this the only time you get the exception or are you getting it when you try to do actual operations on the collections, like find(), update() etc?

Hi. Thanks for your response.

No. I initially got the error when trying a remove, and also an insert. Only later on, after debugging and trying a dump() did I notice the dump caused the crash also.

Thanks for all your work putting in the newest (3.12) version in Lucee guys!!

Although, I can confirm that I still have the rights issue (most likely coming from the java driver) even with that 3.12 version extension...

I've got no other choices but to grant listCollections on my DB itself in my custom role. Not such a show stopper, but odd perhaps.

I've yet to try the latest 4.4 java driver directly.

@sjdaniels Question which might help with the decision on what to use: does the extension have any build support for transactions, as in: https://docs.mongodb.com/manual/core/transactions/

Thanks for your time. Super appreciated !! :)

I have not ever had a need to use transactions so I'm not 100% sure. But - keep in mind that the Lucee extension is really just a wrapper for the java driver (with some convenient data-type transformations that make using native CFML structs, arrays, etc easier).

The extension also exposes the native java methods though. So, you should be able to try something like:

clientSession = db.getMongo().startSession();
clientSession.startTransaction();
// do some stuff
clientSession.commitTransaction();

I have not tested any of this code mind you, but if the 3.12 version of the java driver supports sessions, then you should be able to get it working.

@sjdaniels I tried exactly that, but no luck. It's like the inserts, updates, whatever after the startTransaction are not attached to the session, so even if I throw an error + clientSession.abortTransaction(), it won't have rolled back as intended... :(

I really thought this would have been simpler ... Too bad for me. Thanks for your help and input though!