[BUG] Authorization Issue on MongoDB

[aeble]

Is there an existing issue for this?

• I have searched the existing issues

Current Behavior

Upon first time startup with mongo init file user and roles get created. However, unifi network application fails with the error message in the logs below.

docker-compose.yml has the ports commented out because I want to access it behind traefik; traefik labels are set in docker-compose.yml.

Trying to access https://unifi2.${DOMAINNAME} fails, however.

I'm not 100% sure the issue lies with the container, it might be a traefik issue, but the error messages keep repeating and it looks like the container is restarting time and time again.

Expected Behavior

server.log should not show any error; application should be accessible

Steps To Reproduce

1. podman-compose up
2. less /data/logs/server.log

Environment

- OS: arch linux
- How docker service was installed: podman installed with pacman

CPU architecture

x86-64

Docker creation

`podman pull lscr.io/linuxserver/unifi-network-application:latest`

`docker-compose.yaml:`

services:
  unifi-network-application:
    labels:
      - traefik.enable=true
[traefik labels omitted]
    image: lscr.io/linuxserver/unifi-network-application:latest
    container_name: unifi-network-application
    environment:
      - PUID=1000
      - PGID=1000
      - TZ=Europe/Berlin
      - MONGO_USER=unifi
      - MONGO_PASS=REDACTED
#      - MONGO_PASS=
      - MONGO_HOST=unifi-db
      - MONGO_PORT=27017
      - MONGO_DBNAME=unifi
      - MONGO_AUTHSOURCE=admin
      - MEM_LIMIT=1024 #optional
      - MEM_STARTUP=1024 #optional
#      - MONGO_TLS= #optional
    volumes:
      - /opt/unifi/data:/config
#    ports:
#      - 8443:8443
#      - 3478:3478/udp
#      - 10001:10001/udp
#      - 8080:8080
#      - 1900:1900/udp #optional
#      - 8843:8843 #optional
#      - 8880:8880 #optional
#      - 6789:6789 #optional
#      - 5514:5514/udp #optional
    restart: unless-stopped
  unifi-db:
    label: unifi-db
    labels:
      - "traefik.enable: false"
    image: docker.io/mongo:8.0.9
    container_name: unifi-db
    environment:
      - MONGO_INITDB_ROOT_USERNAME=root
      - MONGO_INITDB_ROOT_PASSWORD=REDACTED
      - MONGO_USER=unifi
      - MONGO_PASS=REDACTED
#      - MONGO_PASS=
      - MONGO_DBNAME=unifi
      - MONGO_AUTHSOURCE=admin
    volumes:
      - /opt/unifi/db:/data/db
      - /opt/unifi/init-mongo.sh:/docker-entrypoint-initdb.d/init-mongo.sh:ro
    restart: unless-stopped

Container logs

[2025-05-07T10:54:13,200+02:00] <launcher> INFO  startup - Initiating startup
[2025-05-07T10:54:13,576+02:00] <launcher> INFO  system - *** Running for the first time, creating identity ***
[2025-05-07T10:54:13,576+02:00] <launcher> INFO  system - UUID: e1cb8310-370a-4d88-9cd4-f3a5d6c23bb8
[2025-05-07T10:54:13,581+02:00] <launcher> INFO  system - Reporter UUID: 98425530-710e-4dad-ae17-d667c78199d2
[2025-05-07T10:54:13,583+02:00] <launcher> INFO  system - ======================================================================
[2025-05-07T10:54:13,583+02:00] <launcher> INFO  system - UniFi 9.1.120 (build atag_9.1.120_29197 - release/release) is started
[2025-05-07T10:54:13,583+02:00] <launcher> INFO  system - Environment: UniFi-OS[false], UniFi-Cloud[false], UniFi-MongoService[false]
[2025-05-07T10:54:13,583+02:00] <launcher> INFO  system - ======================================================================
[2025-05-07T10:54:13,583+02:00] <launcher> INFO  system - BASE dir:/usr/lib/unifi
[2025-05-07T10:54:13,588+02:00] <launcher> INFO  system - Current System IP: <redacted>
[2025-05-07T10:54:13,588+02:00] <launcher> INFO  system - Hostname: 5bd548493d6f
[2025-05-07T10:54:13,588+02:00] <launcher> INFO  system - ubic.env: prod
[2025-05-07T10:54:13,589+02:00] <launcher> INFO  system - System loaded
[2025-05-07T10:54:13,730+02:00] <launcher> ERROR mongo  - Could not determine Mongo journaling state
com.mongodb.MongoSecurityException: Exception authenticating MongoCredential{mechanism=SCRAM-SHA-1, userName='unifi', source='admin', password=<hidden>, mechanismProperties=<hidden>}
        at com.mongodb.internal.connection.SaslAuthenticator.wrapException(SaslAuthenticator.java:270)
        at com.mongodb.internal.connection.SaslAuthenticator.getNextSaslResponse(SaslAuthenticator.java:133)
        at com.mongodb.internal.connection.SaslAuthenticator.lambda$authenticate$0(SaslAuthenticator.java:63)
        at com.mongodb.internal.connection.SaslAuthenticator.doAsSubject(SaslAuthenticator.java:277)
        at com.mongodb.internal.connection.SaslAuthenticator.authenticate(SaslAuthenticator.java:59)
        at com.mongodb.internal.connection.DefaultAuthenticator.authenticate(DefaultAuthenticator.java:57)
        at com.mongodb.internal.connection.InternalStreamConnectionInitializer.authenticate(InternalStreamConnectionInitializer.java:206)
        at com.mongodb.internal.connection.InternalStreamConnectionInitializer.finishHandshake(InternalStreamConnectionInitializer.java:86)
        at com.mongodb.internal.connection.InternalStreamConnection.open(InternalStreamConnection.java:206)
        at com.mongodb.internal.connection.UsageTrackingInternalConnection.open(UsageTrackingInternalConnection.java:55)
        at com.mongodb.internal.connection.DefaultConnectionPool$PooledConnection.open(DefaultConnectionPool.java:625)
        at com.mongodb.internal.connection.DefaultConnectionPool$OpenConcurrencyLimiter.openWithConcurrencyLimit(DefaultConnectionPool.java:965)
        at com.mongodb.internal.connection.DefaultConnectionPool$OpenConcurrencyLimiter.openOrGetAvailable(DefaultConnectionPool.java:906)
        at com.mongodb.internal.connection.DefaultConnectionPool.get(DefaultConnectionPool.java:203)
        at com.mongodb.internal.connection.DefaultConnectionPool.get(DefaultConnectionPool.java:192)
        at com.mongodb.internal.connection.DefaultServer.getConnection(DefaultServer.java:96)
        at com.mongodb.internal.binding.ClusterBinding$ClusterBindingConnectionSource.getConnection(ClusterBinding.java:178)
        at com.mongodb.client.internal.ClientSessionBinding$SessionBindingConnectionSource.getConnection(ClientSessionBinding.java:196)
        at com.mongodb.internal.operation.SyncOperationHelper.withSuppliedResource(SyncOperationHelper.java:141)
        at com.mongodb.internal.operation.SyncOperationHelper.lambda$withSourceAndConnection$1(SyncOperationHelper.java:123)
        at com.mongodb.internal.operation.SyncOperationHelper.withSuppliedResource(SyncOperationHelper.java:149)
        at com.mongodb.internal.operation.SyncOperationHelper.withSourceAndConnection(SyncOperationHelper.java:122)
        at com.mongodb.internal.operation.SyncOperationHelper.lambda$executeRetryableRead$4(SyncOperationHelper.java:186)
        at com.mongodb.internal.operation.SyncOperationHelper.lambda$decorateReadWithRetries$12(SyncOperationHelper.java:289)
        at com.mongodb.internal.async.function.RetryingSyncSupplier.get(RetryingSyncSupplier.java:67)
        at com.mongodb.internal.operation.SyncOperationHelper.executeRetryableRead(SyncOperationHelper.java:191)
        at com.mongodb.internal.operation.SyncOperationHelper.executeRetryableRead(SyncOperationHelper.java:173)
        at com.mongodb.internal.operation.CommandReadOperation.execute(CommandReadOperation.java:48)
        at com.mongodb.client.internal.MongoClientDelegate$DelegateOperationExecutor.execute(MongoClientDelegate.java:153)
        at com.mongodb.client.internal.MongoDatabaseImpl.executeCommand(MongoDatabaseImpl.java:196)
        at com.mongodb.client.internal.MongoDatabaseImpl.runCommand(MongoDatabaseImpl.java:165)
        at com.mongodb.client.internal.MongoDatabaseImpl.runCommand(MongoDatabaseImpl.java:160)
        at com.mongodb.client.internal.MongoDatabaseImpl.runCommand(MongoDatabaseImpl.java:150)
[...]
Caused by: com.mongodb.MongoCommandException: Command failed with error 18 (AuthenticationFailed): 'Authentication failed.' on server unifi-db:27017. The full response is {"ok": 0.0, "errmsg": "Authentication failed.", "code": 18, "codeName": "AuthenticationFailed"}
        at com.mongodb.internal.connection.ProtocolHelper.getCommandFailureException(ProtocolHelper.java:205)
        at com.mongodb.internal.connection.InternalStreamConnection.receiveCommandMessageResponse(InternalStreamConnection.java:431)
        at com.mongodb.internal.connection.InternalStreamConnection.sendAndReceive(InternalStreamConnection.java:354)
        at com.mongodb.internal.connection.CommandHelper.sendAndReceive(CommandHelper.java:92)
        at com.mongodb.internal.connection.CommandHelper.executeCommand(CommandHelper.java:48)
        at com.mongodb.internal.connection.SaslAuthenticator.sendSaslStart(SaslAuthenticator.java:224)
        at com.mongodb.internal.connection.SaslAuthenticator.getNextSaslResponse(SaslAuthenticator.java:131)
        ... 54 common frames omitted
[2025-05-07T10:54:14,251+02:00] <launcher> WARN  AnnotationConfigApplicationContext - Exception encountered during context initialization - cancelling refresh attempt: org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'mongoRuntimeService' defined in com.ubnt.service.db.CoreDatabaseSpringContext: Exception authenticating MongoCredential{mechanism=SCRAM-SHA-1, userName='unifi', source='admin', password=<hidden>, mechanismProperties=<hidden>}
[2025-05-07T10:54:14,251+02:00] <launcher> INFO  db     - Closing MongoClient
[2025-05-07T10:54:16,537+02:00] <launcher> INFO  startup - Initiating startup
[2025-05-07T10:54:16,917+02:00] <launcher> INFO  system - ======================================================================
[2025-05-07T10:54:16,917+02:00] <launcher> INFO  system - UniFi 9.1.120 (build atag_9.1.120_29197 - release/release) is started
[2025-05-07T10:54:16,918+02:00] <launcher> INFO  system - Environment: UniFi-OS[false], UniFi-Cloud[false], UniFi-MongoService[false]
[2025-05-07T10:54:16,918+02:00] <launcher> INFO  system - ======================================================================

[github-actions]

Thanks for opening your first issue here! Be sure to follow the relevant issue templates, or risk having this issue marked as invalid.

[MaartenUreel]

It seems that the new version of the container uses a database called unifi_audit too, which you will need to grant access to.

[aeble]

That would explain this issue, but adding { db: "${MONGO_DBNAME}", role: "clusterMonitor" , db: "${MONGO_AUTHSOURCE}" } didn't solve my issue.
Checking the mongodb container-logs I see the following:
{"t":{"$date":"2025-05-07T11:00:30.979+00:00"},"s":"I", "c":"ACCESS", "id":5286307, "ctx":"conn85","msg":"Failed to authenticate","attr":{"client":"REDACTED_IP:34506","isSpeculative":false,"isClusterMember":false,"mechanism":"SCRAM-SHA-1","user":"unifi","db":"admin","error":"UserNotFound: Could not find user \"unifi\" for db \"admin\"","result":11,"metrics":{"conversation_duration":{"micros":638,"summary":{"0":{"step":1,"step_total":2,"duration_micros":616}}}},"extraInfo":{}}}

It looks like I need to add the unifi user to the admin DB as well? Or at least allow it to read the admin DB?

[rybacki78]

Acc. to what @MaartenUreel mentioned.

I have added to docker-compose.yml:
- MONGO_DBNAME2=unifi_audit

and to init-mongo.sh:

    { db: "${MONGO_DBNAME2}", role: "dbOwner" },
    { db: "${MONGO_DBNAME2}_stat", role: "dbOwner" }

then I could start the stack from scratch.

[aeble]

@rybacki78 - you don't need to use a separate variable, it's enough to use

{ db: "${MONGO_DBNAME}_audit", role: "dbOwner"  },
{ db: "{MONGO_DBNAME}_audit_stat", role: "dbOwner" }

Doesn't solve my problem, though, I'm still getting the missing user issue and I'm not quite sure why. I'm currently trying to understand mongodb syntax to find out how user authorization works.

[MaartenUreel]

It is mongo_stat and mongo_audit. Like this:

#!/bin/bash

if which mongosh > /dev/null 2>&1; then
  mongo_init_bin='mongosh'
else
  mongo_init_bin='mongo'
fi
"${mongo_init_bin}" <<EOF
use ${MONGO_AUTHSOURCE}
db.auth("${MONGO_INITDB_ROOT_USERNAME}", "${MONGO_INITDB_ROOT_PASSWORD}")
db.createUser({
  user: "${MONGO_USER}",
  pwd: "${MONGO_PASS}",
  roles: [
    { db: "${MONGO_DBNAME}", role: "dbOwner" },
    { db: "${MONGO_DBNAME}_stat", role: "dbOwner" },
    { db: "${MONGO_DBNAME}_audit", role: "dbOwner" }
  ]
})
EOF

[MaartenUreel]

If you have an existing database, you can use something like

#!/bin/bash

if which mongosh > /dev/null 2>&1; then
  mongo_init_bin='mongosh'
else
  mongo_init_bin='mongo'
fi
"${mongo_init_bin}" <<EOF
use ${MONGO_AUTHSOURCE}
db.auth("${MONGO_INITDB_ROOT_USERNAME}", "${MONGO_INITDB_ROOT_PASSWORD}")
db.updateUser("${MONGO_USER}", {
  roles: [
    { db: "${MONGO_DBNAME}", role: "dbOwner" },
    { db: "${MONGO_DBNAME}_stat", role: "dbOwner" },
    { db: "${MONGO_DBNAME}_audit", role: "dbOwner" }
  ]
})
EOF

[aeble]

turns out I'm too dumb for IT. I've omitted the comma after the second line so MongoDB never got around to create the user. puts dunce's cap on and sits in the corner