MongoServerError[Unauthorized]: not authorized to execute command listCollections: ...

[TLINDEN]

What did you do to encounter the bug?
Deployed the operator and the sample CR.

What did you expect?
I expected to be able to login into mongodb and restore an existing database.

What happened instead?
It is not possible to restore a mongodb backup or execute listCollections using the user created by the operator.

Screenshots

Unable to list collections:

root@mongosh-client:/# mongosh -u rocketchat -p *********** --host rocketchat-footest-mongodb-instance-0.rocketchat-footest-mongodb-instance-svc.rocketchat-footest.svc.cluster.local:27017 --authenticationDatabase rocketchat rocketchat
Current Mongosh Log ID: 6880c9f1a579241b2932a03b
Connecting to:          mongodb://<credentials>@rocketchat-footest-mongodb-instance-0.rocketchat-footest-mongodb-instance-svc.rocketchat-footest.svc.cluster.local:27017/rocketchat?directConnection=true&authSource=rocketchat&appName=mongosh+2.5.5
Using MongoDB:          6.0.13
Using Mongosh:          2.5.5
mongosh 2.5.6 is available for download: https://www.mongodb.com/try/download/shell

For mongosh info see: https://www.mongodb.com/docs/mongodb-shell/

rocketchat-footest-mongodb-instance [direct: primary] rocketchat> db.getCollectionInfos();
MongoServerError[Unauthorized]: not authorized on rocketchat to execute command { listCollections: 1, filter: {}, cursor: {}, nameOnly: false, authorizedCollections: false, lsid: { id: UUID("77ad08b0-fd58-4397-b63f-684d599f2b42") }, $clusterTime: { clusterTime: Timestamp(1753270765, 1), signature: { hash: BinData(0, 54F810E5F1570DACF97D0E9EB0BBA3F6370EA2B2), keyId: 7530199575475257350 } }, $readPreference: { mode: "primaryPreferred" }, $db: "rocketchat" }

A restore fails as well:

mongorestore -u rocketchat -d rocketchat -p  ******** --gzip --archive=/tmp/rocketchatdb-hour-1753264800.gz --host rocketchat-footest-mongodb-instance-0.rocketchat-footest-mongodb-instance-svc.rocketchat-fitstest.svc.cluster.local:27017
025-07-23T11:41:30.366+0000    preparing collections to restore from                                                                                                                                                                                                             
2025-07-23T11:41:30.371+0000    reading metadata for rocketchat.omnichannel_queue_inactivity_monitor from archive '/tmp/rocketchatdb-hour-1753264800.gz'
2025-07-23T11:41:30.372+0000    reading metadata for rocketchat.rocketchat_export_operations from archive '/tmp/rocketchatdb-hour-1753264800.gz'
2025-07-23T11:41:30.372+0000    reading metadata for rocketchat.rocketchat_banner from archive '/tmp/rocketchatdb-hour-1753264800.gz'                                                                                                                                             
2025-07-23T11:41:30.372+0000    reading metadata for rocketchat.rocketchat_import_data from archive '/tmp/rocketchatdb-hour-1753264800.gz' 
[..]
2025-07-23T11:41:30.378+0000    finished restoring rocketchat.rocketchat_permissions (0 documents, 0 failures)
2025-07-23T11:41:30.378+0000    Failed: rocketchat.rocketchat_permissions: error reading database: (Unauthorized) not authorized on rocketchat to execute command { listCollections: 1, filter: {}, cursor: {}, lsid: { id: UUID("7bc57148-e098-4987-bc00-6d0464ec39b7") }, $clusterTime: { clusterTime: Timestamp(1753270885, 1), signature: { hash: BinData(0, 18C018DC6C44B954B0EB6C7CCD1F051A90F6A99C), keyId: 7530199575475257350 } }, $db: "rocketchat", $readPreference: { mode: "primaryPreferred" } }
2025-07-23T11:41:30.378+0000    0 document(s) restored successfully. 0 document(s) failed to restore.

Operator Information

• Operator Version: 1.2.0
• MongoDB Image used: 6.0.13

Kubernetes Cluster Information

• Distribution: metal-stack
• Version: 1.28.15
• Image Registry location (quay, or an internal registry): quay

Additional information

% kgp
NAME                                            READY   STATUS  RESTARTS        AGE 
mongodb-kubernetes-operator-57b5b56c6d-2sj89    1/1     Running 0               136m
rocketchat-footest-mongodb-instance-0           2/2     Running 0               100m

k get mdbc
NAME                                   PHASE     VERSION
rocketchat-footest-mongodb-instance   Running   6.0.13                                                                             

• yaml definitions of your MongoDB Deployment(s):

---
apiVersion: mongodbcommunity.mongodb.com/v1
kind: MongoDBCommunity
metadata:
  name: {{ nsname }}-mongodb-instance
  namespace: {{ nsname }}
spec:
  members: 1
  type: ReplicaSet
  version: "6.0.13"
  security:
    authentication:
      modes: ["SCRAM"]
  users:
    - name: {{ rcConfig.mongodb.username }}
      db: {{ rcConfig.mongodb.database }}
      passwordSecretRef:
        name: mongodb-user
      roles:
        - name: clusterAdmin
          db: {{ rcConfig.mongodb.database }}
        - name: userAdminAnyDatabase
          db: {{ rcConfig.mongodb.database }}
      scramCredentialsSecretName: my-scram
  additionalMongodConfig:
    storage.wiredTiger.engineConfig.journalCompressor: zlib

---
apiVersion: v1
kind: Secret
metadata:
  name: mongodb-user
  namespace: {{ nsname }}
type: Opaque
stringData:
  password: {{ rcConfig.mongodb.userpw }}

[TLINDEN]

Found the solution, the permissions were missing. Fixed:

  users:
    - name: {{ rcConfig.mongodb.username }}
      db: {{ rcConfig.mongodb.database }}
      passwordSecretRef:
        name: mongodb-user
      roles:
        - name: clusterAdmin
          db: {{ rcConfig.mongodb.database }}
        - name: userAdminAnyDatabase
          db: {{ rcConfig.mongodb.database }}
        - name: backup
          db: {{ rcConfig.mongodb.database }}
        - name: restore
          db: {{ rcConfig.mongodb.database }}
        - name: dbOwner
          db: {{ rcConfig.mongodb.database }}

You may consider to add these to the example cr.