Patrick A. Mol created NIFI-12475:
-------------------------------------

             Summary: Bypass Validation property set to True returns Authorization error.
                 Key: NIFI-12475
                 URL: https://issues.apache.org/jira/browse/NIFI-12475
             Project: Apache NiFi
          Issue Type: Bug
    Affects Versions: 1.16.1
         Environment: based on standard container apache/nifi from docker hub
no customer processors.
            Reporter: Patrick A. Mol


Across a few versions of NiFi and Mongo,
the use of PutMongoRecord suddenly stopped working and returned an error.
Using a flowfile with one valid record, and on PutMongoRecord failure, sending 
the flowfile to SplitRecord and feeding it to PutMongo, using the same standard 
mongodb controller service, the insert would work without error.
Turns out that the default setting for the PutMongoRecord property Bypass 
Validation is _True_, which requires elevated privileges in Mongo.
Changing the property to False allows insert without error.

The error text is
{noformat}
PutMongoRecord[id=018b1026-a670-1590-7941-b6978c972dc6] PutMongoRecord failed 
with error:: com.mongodb.MongoCommandException: Command failed with error 13 
(Unauthorized): 'not authorized on MONGO_DATABASE_NAME to execute command { 
insert: "COLLECTION_NAME", ordered: false, bypassDocumentValidation: true, 
txnNumber: 1, $db: "MONGO_DATABASE_NAME", $clusterTime: { clusterTime: 
Timestamp(1701736623, 1), signature: { hash: BinData(0, 
62B24A36869A7FAF07C7798019F072CC764E8A9D), keyId: 7264286828646105928 } }, 
lsid: { id: UUID("722347df-2349-4ec5-88f2-867a946d9614") } }' on server 
MONGODB_URI_WITH_PORTNUMBER. The full response is {"ok": 0.0, "errmsg": "not 
authorized on MONGO_DATABASE_NAME to execute command { insert: 
\"COLLECTION_NAME\", ordered: false, bypassDocumentValidation: true, txnNumber: 
1, $db: \"MONGO_DATABASE_NAME\", $clusterTime: { clusterTime: 
Timestamp(1701736623, 1), signature: { hash: BinData(0, 
62B24A36869A7FAF07C7798019F072CC764E8A9D), keyId: 7264286828646105928 } }, 
lsid: { id: UUID(\"722347df-2349-4ec5-88f2-867a946d9614\") } }", "code": 13, 
"codeName": "Unauthorized", "$clusterTime": {"clusterTime": {"$timestamp": 
{"t": 1701736623, "i": 1}}, "signature": {"hash": {"$binary": {"base64": 
"YrJKNoaaf68Hx3mAGfByzHZOip0=", "subType": "00"}}, "keyId": 
7264286828646105928}}, "operationTime": {"$timestamp": {"t": 1701736623, "i": 
1}}}

{noformat}

Apparently, PutMongo does not use the same setting for the bypass document 
validation flag, so there is an inconsistency.
Other libraries/tools, e.g. pymongo insert_many(), also default to False.

Details regarding the privilege in MongoDB are here
https://www.mongodb.com/docs/manual/reference/privilege-actions/#mongodb-authaction-bypassDocumentValidation

With the privilege requiring a custom role in MongoDB, it is debatable whether 
the default setting to True is a bug or changing it to False is an improvement.
At least the error and resolution are recorded.




--
This message was sent by Atlassian Jira
(v8.20.10#820010)
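
For anyone triaging similar failures, the following is an added example, not part of the original report or of NiFi's code: a small log check that separates Unauthorized errors where the command carried bypassDocumentValidation: true from other authorization failures. The sample lines are constructed from the error text above, and the function names and hint wording are assumptions.

```python
import re

# Constructed sample lines modelled on the error text in the report (its placeholders kept).
SAMPLE_LINES = [
    'PutMongoRecord failed with error:: com.mongodb.MongoCommandException: Command '
    'failed with error 13 (Unauthorized): \'not authorized on MONGO_DATABASE_NAME to '
    'execute command { insert: "COLLECTION_NAME", ordered: false, '
    'bypassDocumentValidation: true, txnNumber: 1, $db: "MONGO_DATABASE_NAME" }\'',
    'Command failed with error 13 (Unauthorized): \'not authorized on '
    'MONGO_DATABASE_NAME to execute command { find: "COLLECTION_NAME", '
    'filter: {}, $db: "MONGO_DATABASE_NAME" }\'',
    'PutMongoRecord inserted 1 record',  # unrelated line, must be ignored
]

# Matches the server's "not authorized on <db> to execute command { <cmd>: "<coll>" ..." text.
UNAUTHORIZED = re.compile(
    r'error 13 \(Unauthorized\).*?not authorized on (?P<db>\S+) to execute command '
    r'\{ (?P<command>\w+): "(?P<collection>[^"]+)"(?P<rest>.*)', re.S)
BYPASS_FLAG = re.compile(r'bypassDocumentValidation:\s*(true|false)')


def triage(line):
    """Return a finding dict for an Unauthorized command error, or None."""
    m = UNAUTHORIZED.search(line)
    if m is None:
        return None
    flag = BYPASS_FLAG.search(m.group('rest'))
    bypass = flag is not None and flag.group(1) == 'true'
    if bypass:
        # Heuristic: the flag was sent, so the missing privilege may be the bypass action.
        hint = ('command carried bypassDocumentValidation: true; set Bypass Validation '
                'to False, or grant the bypassDocumentValidation privilege action')
    else:
        hint = 'bypass flag not set; check the role privileges for this command'
    return {'db': m.group('db'), 'command': m.group('command'),
            'collection': m.group('collection'), 'bypass': bypass, 'hint': hint}


def triage_all(lines):
    """Triage every line, dropping those that are not Unauthorized command errors."""
    return [f for f in map(triage, lines) if f is not None]


if __name__ == '__main__':
    for finding in triage_all(SAMPLE_LINES):
        print(finding)
```

The bypass hint is a heuristic: the error text alone does not say which privilege action was missing, only that the flag was present on the rejected command.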
