Not authorized on database to execute command ...

[Olegt0rr]

Desctription

Seems that inserting via engine requires some additional permissions.
Please describe it in the docs or (better) decrease permissions level similar to the motor way.

My code

async def save_via_motor(tree: Model):
    client = AsyncIOMotorClient(MONGO_URI)
    db = client.get_database('forest')
    collection = db.get_collection('trees')
    await collection.insert_one(tree.dict())

async def save_via_odmantic(tree: Model):
    client = AsyncIOMotorClient(MONGO_URI)
    engine = AIOEngine(motor_client=client , database='forest')
    await engine.save(tree)

Expected behavior

Bot functions works the same way

In fact

Saving via engine occurs exception:

 pymongo.errors.OperationFailure: not authorized on forest to execute command { update: "trees", ordered: true, writeConcern: { w: "majority" }, bypassDocumentValidation: true, lsid: { id: UUID("ea4686c2-7ae0-47da-a484-09b9d9c51ae9") }, txnNumber: 1, $clusterTime: { clusterTime: Timestamp(1607689696, 16), signature: { hash: BinData(0, A637C05EC63A4FB3EF374716F3FB175FDA5CDA30), keyId: 6866034364808007110 } }, $db: "trees", $readPreference: { mode: "primary" } }, full error: {'operationTime': Timestamp(1607689695, 32), 'ok': 0.0, 'errmsg': 'not authorized on trees to execute command { update: "trees", ordered: true, writeConcern: { w: "majority" }, bypassDocumentValidation: true, lsid: { id: UUID("ea4686c2-7ae0-47da-a484-09b9d9c51ae9") }, txnNumber: 1, $clusterTime: { clusterTime: Timestamp(1607689695, 16), signature: { hash: BinData(0, A637C05EC63A4FB3EF374716F3FB175FDA5CDA40), keyId: 6866037364809007110 } }, $db: "trees", $readPreference: { mode: "primary" } }', 'code': 13, 'codeName': 'Unauthorized', '$clusterTime': {'clusterTime': Timestamp(1607689695, 32), 'signature': {'hash': b'\xa67\xc0^\xc6:O\xb3\xef7G\x16\xf3\xfb\x17_\xda\\\xda@', 'keyId': 6866034364808007110}}}

[art049]

Do you have a bit more details about your connection string ?

I tried to reproduce in a test but it seemed to work.

async def test_custom_motor_database(motor_client):
    engine = AIOEngine(motor_client, database="forest")

    class Tree(Model):
        f: str

    await engine.save(Tree(f="aaa"))

[Olegt0rr]

@art049,

I use cloud-hosted Replica set with mongodb.com (on AWS servers).

My connection string looks like:
mongodb+srv://{login}:{password}@{host}.mongodb.net/test?retryWrites=true&w=majority

Could you try to reproduce the issue with readWrite role? (revoke other permissions)

[gusmith]

The issue is actually linked to the user role you are using @Olegt0rr (I'm facing the same one with the readWrite role).
Under the hood, the save method uses the collection update_one with the attribute by_pass_document_validation set to True (https://github.com/art049/odmantic/blob/master/odmantic/engine.py#L319).

From mongodb's documentation about bypassing the document validation:

the authenticated user must have bypassDocumentValidation action. The built-in roles dbAdmin and restore provide this action.

@art049 any reason to bypass the document validation?

[Olegt0rr]

@gusmith, thanks for an answer!

In my opinion, bypass_document_validation parameter is redundant in model's .save() method.
For those not using schema validation, it adds the need for an additional role, although it is not useful at all.
And for those who use validation in collections, it destroys their expectations for validation (disabling of validation is not clear in this case).

@art049,
what do you think about removing this parameter or making it's optional, as a passed parameter?

[art049]

Well you're right @gusmith, it's useless right now actually. We can totally remove it.
@Olegt0rr i'm not sure people are using really using it actually. We can still add it but it will be necessary to add it in the doc as well.