[BUG] DBNAME_stat authorization problem at first launch #29

Closed
1 task done
Nyxtorm opened this issue Nov 10, 2023 · 10 comments · Fixed by #60
Comments

@Nyxtorm

Nyxtorm commented Nov 10, 2023

Is there an existing issue for this?

  • I have searched the existing issues

Current Behavior

On first startup, Unifi is unable to list collections for the MongoDB unifinetwork_stat database only.

The first unifinetwork database is filled without any problem.

  • User rights for both MongoDB databases are OK. I also tested with dbOwner role just in case but the problem is the same:

unifinetwork :

unifinetwork> db.getUsers()
{
 users: [
   {
     _id: 'unifinetwork.unifinetwork',
     userId: new UUID("9e498b63-0164-4f1f-8ea0-96361996e98e"),
     user: 'unifinetwork',
     db: 'unifinetwork',
     roles: [ { role: 'readWrite', db: 'unifinetwork' } ],
     mechanisms: [ 'SCRAM-SHA-1', 'SCRAM-SHA-256' ]
   }
 ],
 ok: 1
}

unifinetwork_stat :

unifinetwork_stat> db.getUsers()
{
 users: [
   {
     _id: 'unifinetwork_stat.unifinetwork',
     userId: new UUID("9d1b4f4c-f2e3-4b63-ae76-1d0806ccc330"),
     user: 'unifinetwork',
     db: 'unifinetwork_stat',
     roles: [ { role: 'readWrite', db: 'unifinetwork_stat' } ],
     mechanisms: [ 'SCRAM-SHA-1', 'SCRAM-SHA-256' ]
   }
 ],
 ok: 1
}
  • Error in MongoDB logs :
{"t":{"$date":"2023-11-10T20:35:58.667+01:00"},"s":"I",  "c":"ACCESS",   "id":20436,   "ctx":"conn84","msg":"Checking authorization failed","attr":{"error":{"code":13,"codeName":"Unauthorized","errmsg":"not authorized on unifinetwork_stat to execute command { listCollections: 1, filter: {}, cursor: {}, nameOnly: true, authorizedCollections: false, lsid: { id: UUID(\"85d89b46-c83b-4989-b7a7-2f721e18a977\") }, $db: \"unifinetwork_stat\", $readPreference: { mode: \"primaryPreferred\" } }"}}}

Expected Behavior

On first startup, the unifinetwork_stat database should not cause any errors by using the same identifier as the unifinetwork database.

Steps To Reproduce

  1. Clean install of MongoDB 7 on another Debian host (just users created with roles)
  2. On UNRAID, install unifi application and set docker's MongoDB vars (user, password, dbname, host)
  3. Launch app

Environment

- MongoDB 7.0.3 on another local Debian host
- Docker on UNRAID 6.12.4

CPU architecture

x86-64

Docker creation

docker run
  -d
  --name='unifi-network-application'
  --net='bridge'
  -e TZ="Europe/Paris"
  -e HOST_OS="Unraid"
  -e HOST_HOSTNAME="carbon"
  -e HOST_CONTAINERNAME="unifi-network-application"
  -e 'MONGO_USER'='unifinetwork'
  -e 'MONGO_PASS'='XXXXXXXXXXXXXXXXXXXXXXXXX'
  -e 'MONGO_HOST'='mongodb-host'
  -e 'MONGO_PORT'='27017'
  -e 'MONGO_DBNAME'='unifinetwork'
  -e 'MEM_LIMIT'='1024'
  -e 'MEM_STARTUP'='1024'
  -e 'MONGO_TLS'=''
  -e 'MONGO_AUTHSOURCE'=''
  -e 'PUID'='99'
  -e 'PGID'='100'
  -e 'UMASK'='022'
  -l net.unraid.docker.managed=dockerman
  -l net.unraid.docker.icon='https://raw.githubusercontent.com/linuxserver/docker-templates/master/linuxserver.io/img/unifi-network-application-icon.png'
  -p '8443:8443/tcp'
  -p '3478:3478/udp'
  -p '10001:10001/udp'
  -p '8080:8080/tcp'
  -p '1900:1900/udp'
  -p '8843:8843/tcp'
  -p '8880:8880/tcp'
  -p '6789:6789/tcp'
  -p '5514:5514/udp'
  -v '/mnt/user/appdata/unifi-network-application':'/config':'rw' 'lscr.io/linuxserver/unifi-network-application'
fcefd5c9f0f021282d57795c513b4892b428af1ff868d4c7d88c17b60ee7be10

Container logs

Caused by: com.mongodb.MongoCommandException: Command failed with error 13 (Unauthorized): 'not authorized on unifinetwork_stat to execute command { listCollections: 1, cursor: {}, nameOnly: true, $db: "unifinetwork_stat", lsid: { id: UUID("127f5963-4ff0-4269-b003-c6b580295588") } }' on server mongodb-host:27017. The full response is {"ok": 0.0, "errmsg": "not authorized on unifinetwork_stat to execute command { listCollections: 1, cursor: {}, nameOnly: true, $db: \"unifinetwork_stat\", lsid: { id: UUID(\"127f5963-4ff0-4269-b003-c6b580295588\") } }", "code": 13, "codeName": "Unauthorized"}
        at com.mongodb.internal.connection.ProtocolHelper.getCommandFailureException(ProtocolHelper.java:198)
        at com.mongodb.internal.connection.InternalStreamConnection.receiveCommandMessageResponse(InternalStreamConnection.java:413)
        at com.mongodb.internal.connection.InternalStreamConnection.sendAndReceive(InternalStreamConnection.java:337)
        at com.mongodb.internal.connection.UsageTrackingInternalConnection.sendAndReceive(UsageTrackingInternalConnection.java:116)
        at com.mongodb.internal.connection.DefaultConnectionPool$PooledConnection.sendAndReceive(DefaultConnectionPool.java:644)
        at com.mongodb.internal.connection.CommandProtocolImpl.execute(CommandProtocolImpl.java:71)
        at com.mongodb.internal.connection.DefaultServer$DefaultServerProtocolExecutor.execute(DefaultServer.java:240)
        at com.mongodb.internal.connection.DefaultServerConnection.executeProtocol(DefaultServerConnection.java:226)
        at com.mongodb.internal.connection.DefaultServerConnection.command(DefaultServerConnection.java:126)
        at com.mongodb.internal.connection.DefaultServerConnection.command(DefaultServerConnection.java:116)
        at com.mongodb.internal.connection.DefaultServer$OperationCountTrackingConnection.command(DefaultServer.java:345)
        at com.mongodb.internal.operation.CommandOperationHelper.createReadCommandAndExecute(CommandOperationHelper.java:232)
        at com.mongodb.internal.operation.ListCollectionsOperation.lambda$execute$1(ListCollectionsOperation.java:269)
        at com.mongodb.internal.operation.OperationHelper.lambda$withSourceAndConnection$2(OperationHelper.java:575)
        at com.mongodb.internal.operation.OperationHelper.withSuppliedResource(OperationHelper.java:600)
        at com.mongodb.internal.operation.OperationHelper.lambda$withSourceAndConnection$3(OperationHelper.java:574)
        at com.mongodb.internal.operation.OperationHelper.withSuppliedResource(OperationHelper.java:600)
        at com.mongodb.internal.operation.OperationHelper.withSourceAndConnection(OperationHelper.java:573)
        at com.mongodb.internal.operation.ListCollectionsOperation.lambda$execute$2(ListCollectionsOperation.java:264)
        at com.mongodb.internal.async.function.RetryingSyncSupplier.get(RetryingSyncSupplier.java:65)
        at com.mongodb.internal.operation.ListCollectionsOperation.execute(ListCollectionsOperation.java:284)
        at com.mongodb.internal.operation.ListCollectionsOperation.execute(ListCollectionsOperation.java:93)
        at com.mongodb.client.internal.MongoClientDelegate$DelegateOperationExecutor.execute(MongoClientDelegate.java:191)
        at com.mongodb.client.internal.MongoIterableImpl.execute(MongoIterableImpl.java:135)
        at com.mongodb.client.internal.MongoIterableImpl.iterator(MongoIterableImpl.java:92)
        at com.mongodb.client.internal.MongoIterableImpl.forEach(MongoIterableImpl.java:121)
        at com.mongodb.client.internal.MappingIterable.forEach(MappingIterable.java:59)
        at com.mongodb.client.internal.MappingIterable.into(MappingIterable.java:69)
        at com.ubnt.service.system.intsuper.ø00000(Unknown Source)
        at com.ubnt.service.system.intsuper.afterPropertiesSet(Unknown Source)
        at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.invokeInitMethods(AbstractAutowireCapableBeanFactory.java:1863)
        at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.initializeBean(AbstractAutowireCapableBeanFactory.java:1800)
        ... 76 common frames omitted
[2023-11-10 20:26:53,436] <launcher> ERROR StandardContext - One or more listeners failed to start. Full details will be found in the appropriate container log file
[2023-11-10 20:26:53,437] <launcher> ERROR StandardContext - Context [] startup failed due to previous error

EDIT 1 :

  • I also tried with MongoDB 6, same issue
  • Manual actions are OK :
# mongosh "mongodb://unifinetwork:XXXXXXXXXXXXXXXX@127.0.0.1:27017/unifinetwork_stat"
Current Mongosh Log ID: 654e95d0c645e106d11d8358
Connecting to:          mongodb://<credentials>@127.0.0.1:27017/unifinetwork_stat?directConnection=true&serverSelectionTimeoutMS=2000&appName=mongosh+2.0.2
Using MongoDB:          6.0.11
Using Mongosh:          2.0.2

For mongosh info see: https://docs.mongodb.com/mongodb-shell/

unifinetwork_stat> db.createCollection("test")
{ ok: 1 }
unifinetwork_stat> db.getCollectionNames()
[ 'test' ]
unifinetwork_stat> db.getCollectionInfos()
[
  {
    name: 'test',
    type: 'collection',
    options: {},
    info: {
      readOnly: false,
      uuid: new UUID("e371fd7c-5bf9-4153-9d1a-e6817bb9fe00")
    },
    idIndex: { v: 2, key: { _id: 1 }, name: '_id_' }
  }
]

EDIT 2 :

  • Same issue with MongoDB 4 :
{"t":{"$date":"2023-11-10T21:59:52.616+01:00"},"s":"I",  "c":"NETWORK",  "id":51800,   "ctx":"conn8","msg":"client metadata","attr":{"remote":"10.15.48.150:51616","client":"conn8","doc":{"driver":{"name":"mongo-java-driver|sync","version":"4.6.1"},"os":{"type":"Linux","name":"Linux","architecture":"amd64","version":"6.1.49-Unraid"},"platform":"Java/Private Build/17.0.8.1+1-Ubuntu-0ubuntu122.04"}}}
{"t":{"$date":"2023-11-10T21:59:52.644+01:00"},"s":"I",  "c":"ACCESS",   "id":20250,   "ctx":"conn8","msg":"Authentication succeeded","attr":{"mechanism":"SCRAM-SHA-256","speculative":true,"principalName":"unifinetwork","authenticationDatabase":"unifinetwork","remote":"10.15.48.150:51616","extraInfo":{}}}
{"t":{"$date":"2023-11-10T21:59:52.646+01:00"},"s":"I",  "c":"ACCESS",   "id":20436,   "ctx":"conn8","msg":"Checking authorization failed","attr":{"error":{"code":13,"codeName":"Unauthorized","errmsg":"not authorized on unifinetwork_stat to execute command { listCollections: 1, cursor: {}, nameOnly: true, $db: \"unifinetwork_stat\", lsid: { id: UUID(\"87017751-7a8c-4588-b790-291d4207a96f\") } }"}}}
{"t":{"$date":"2023-11-10T21:59:52.654+01:00"},"s":"I",  "c":"NETWORK",  "id":22944,   "ctx":"conn8","msg":"Connection ended","attr":{"remote":"10.15.48.150:51616","connectionId":8,"connectionCount":6}}

Thanks for opening your first issue here! Be sure to follow the relevant issue templates, or risk having this issue marked as invalid.

@Nyxtorm
Author

Nyxtorm commented Nov 10, 2023

In the README :

db.getSiblingDB("MONGO_DBNAME").createUser({user: "MONGO_USER", pwd: "MONGO_PASS", roles: [{role: "dbOwner", db: "MONGO_DBNAME"}]});
db.getSiblingDB("MONGO_DBNAME_stat").createUser({user: "MONGO_USER", pwd: "MONGO_PASS", roles: [{role: "dbOwner", db: "MONGO_DBNAME_stat"}]});

It seems the role for the unifi_stat database must also be defined on the unifinetwork database and not unifinetwork_stat :

db.createUser( { user: "unifinetwork", pwd: "XXXXXXXXXXXXXXXXXX", roles: [ { role: "dbOwner", db: "unifinetwork" }, { role: "dbOwner", db: "unifinetwork_stat" } ] } )

or

db.getSiblingDB("MONGO_DBNAME").createUser({
  user: "MONGO_USER",
  pwd: "MONGO_PASS",
  roles: [
    { role: "dbOwner", db: "MONGO_DBNAME" },
    { role: "dbOwner", db: "MONGO_DBNAME_stat" }
  ]
});
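
Added example, not part of the thread or the project's code: MongoDB identifies a user by authentication database plus name, so `unifinetwork.unifinetwork` and `unifinetwork_stat.unifinetwork` are separate principals, and a connection that authenticates against `unifinetwork` only carries the roles granted to the first one. The sketch below pairs the `Authentication succeeded` (id 20250) and `Checking authorization failed` (id 20436) log entries per connection and checks the authenticated principal's roles; the function names are hypothetical and the log lines are constructed, trimmed versions of those quoted in the issue.

```python
import json

# Constructed sample, trimmed from the mongod log lines quoted in the issue.
SAMPLE_LOG = [
    '{"c":"ACCESS","id":20250,"ctx":"conn8","msg":"Authentication succeeded",'
    '"attr":{"principalName":"unifinetwork","authenticationDatabase":"unifinetwork"}}',
    '{"c":"ACCESS","id":20436,"ctx":"conn8","msg":"Checking authorization failed",'
    '"attr":{"error":{"code":13,"errmsg":"not authorized on unifinetwork_stat '
    'to execute command { listCollections: 1 }"}}}',
]

# Principals keyed by (authentication database, user name); roles as (role, db).
# USERS_BEFORE mirrors the db.getUsers() output in the issue, USERS_AFTER the proposed createUser.
USERS_BEFORE = {
    ("unifinetwork", "unifinetwork"): [("readWrite", "unifinetwork")],
    ("unifinetwork_stat", "unifinetwork"): [("readWrite", "unifinetwork_stat")],
}
USERS_AFTER = {
    ("unifinetwork", "unifinetwork"): [("dbOwner", "unifinetwork"),
                                       ("dbOwner", "unifinetwork_stat")],
}

def denied_operations(lines):
    """Pair each code-13 denial with the principal authenticated on the same connection."""
    session, findings = {}, []
    for line in lines:
        rec = json.loads(line)
        attr = rec.get("attr", {})
        if rec.get("id") == 20250:
            session[rec["ctx"]] = (attr["authenticationDatabase"], attr["principalName"])
        elif rec.get("id") == 20436 and attr.get("error", {}).get("code") == 13:
            # errmsg has the form "not authorized on <db> to execute command ..."
            target = attr["error"]["errmsg"].split(" on ", 1)[1].split(" ", 1)[0]
            findings.append((session.get(rec["ctx"]), target))
    return findings

def has_role_on(users, principal, target_db):
    """True if the authenticated principal itself holds any role scoped to target_db."""
    return any(db == target_db for _role, db in users.get(principal, []))

def explain(lines, users):
    """For each denial: (authenticated principal, denied db, whether a role covers it)."""
    return [(p, db, has_role_on(users, p, db)) for p, db in denied_operations(lines)]

if __name__ == "__main__":
    for principal, db, ok in explain(SAMPLE_LOG, USERS_BEFORE):
        print(principal, "->", db, "role present" if ok else "no role for this principal")
```

The manual `mongosh` test in the issue succeeds because a URI ending in `/unifinetwork_stat` with no `authSource` authenticates against `unifinetwork_stat`, which selects the second principal.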

@jack60612

jack60612 commented Nov 21, 2023

The readme should be updated :), should I open a PR?

@thespad
Member

thespad commented Nov 22, 2023

We're addressing this in the next build of the image, but for existing users if you edit your system.properties and remove the &authsource=unifi from the mongo URI strings it should fix the problem (or you can alter the permissions for the user, both should achieve the same result).

@nickholway

In my case I had to make the following changes to system.properties to get it to work.

db.mongo.uri=mongodb\://XXXXX\:YYYYY@unifi-db\:27017/?tls\=false
statdb.mongo.uri=mongodb\://XXXXX\:YYYYY@unifi-db\:27017/?tls\=false

Hopefully, this helps someone

@sxb1n9

sxb1n9 commented Dec 1, 2023

The fix for this is only to change the 2-line mongo script to this:

db.getSiblingDB("MONGO_DBNAME").createUser({user: "MONGO_USER", pwd: "MONGO_PASS", roles: [{role: "dbOwner", db: "MONGO_DBNAME"}, { role: "dbOwner", db: "MONGO_DBNAME_stat" }]});

@LinuxServer-CI
Contributor

This issue has been automatically marked as stale because it has not had recent activity. This might be due to missing feedback from OP. It will be closed if no further activity occurs. Thank you for your contributions.

@siikanen

This is still a valid issue. The readme should be updated.

@LinuxServer-CI
Contributor

This issue has been automatically marked as stale because it has not had recent activity. This might be due to missing feedback from OP. It will be closed if no further activity occurs. Thank you for your contributions.

@LinuxServer-CI LinuxServer-CI closed this as not planned Won't fix, can't repro, duplicate, stale Apr 17, 2024
@LinuxServer-CI LinuxServer-CI moved this from Issues to Done in Issue & PR Tracker Apr 17, 2024

This issue is locked due to inactivity

@github-actions github-actions bot locked as resolved and limited conversation to collaborators May 17, 2024