fix(data-warehouse): Allow database users with reduced privileges to list mongo collections#43004

Merged
estefaniarabadan merged 3 commits into PostHog:master from zhou-quickli:mongo-fix-list-collections
Dec 11, 2025

@zhou-quickli
Contributor

Problem

When adding MongoDB as a data warehouse source, if the connection string's permissions grant read-only access to specific collections rather than the entire database, it throws an authentication error.

MongoDB authentication failed: not authorized on db to execute command { listCollections: 1, cursor: {}, nameOnly: true, ...}

This is important to us because our database contains many collections, and enabling read permissions for the entire database causes the process to time out when linking a new data source. The workaround of setting up a federated database is also not suitable, because it only supports full syncs, as indexes cannot be added to federated databases.

Changes

Passed in authorizedCollections=True when querying collection names.

Relevant docs:

Note that this option does nothing if they already have the necessary permissions.

Optional. A flag, when set to true and used with nameOnly: true, that allows a user without the required privilege (i.e. listCollections action on the database) to run the command when access control is enforced.

When both authorizedCollections and nameOnly options are set to true, the command returns only those collections for which the user has privileges. For example, if a user has find action on specific collections, the command returns only those collections; or, if a user has find or any other action, on the database resource, the command lists all collections in the database.

The default value is false. That is, the user must have listCollections action on the database to run the command.

For a user who has listCollections action on the database, this option has no effect since the user has privileges to list the collections in the database.

When used without nameOnly: true, this option has no effect. That is, the user must have the required privileges to run the command when access control is enforced. Otherwise, the user is unauthorized to run the command.

How did you test this code?

  • Spun up PostHog locally
  • Created a new database user in MongoDB with specific privileges: read access to a specific database + collection
  • Attempted to add a new MongoDB data source using the above database user, which errored out with the message "MongoDB authentication failed..."
  • Added the authorizedCollections option
  • Successfully added mongodb as a source
  • Synced successfully.
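
The access rules in the documentation quoted above, as an added Python model (not code from this PR or from PostHog, and it does not contact MongoDB). The privilege map, `NotAuthorized` and the sample collection names are assumptions constructed for the illustration.

```python
class NotAuthorized(Exception):
    """Stands in for the server's 'not authorized on db to execute command' error."""


def list_collections(privileges, db, collections, name_only=False,
                     authorized_collections=False):
    """Toy model of the listCollections access check (no MongoDB involved).

    privileges: {(db, collection): {actions}}; collection "" is the database
    resource itself. This representation is an assumption of the example.
    """
    db_actions = privileges.get((db, ""), set())

    # Holding listCollections on the database: the flag changes nothing.
    if "listCollections" in db_actions:
        return sorted(collections)

    # The flag only takes effect together with nameOnly: true.
    if not (authorized_collections and name_only):
        raise NotAuthorized(f"not authorized on {db} to execute command listCollections")

    # Any action on the database resource lists every collection.
    if db_actions:
        return sorted(collections)

    # Otherwise only collections the user holds some privilege on are named.
    return sorted(c for c in collections if privileges.get((db, c)))


# Constructed sample data: one database, three collections, three users.
COLLECTIONS = ["events", "invoices", "users"]
SCOPED = {("db", "events"): {"find"}}          # read on one collection only
DB_READER = {("db", ""): {"find"}}             # find on the database resource
DB_LISTER = {("db", ""): {"listCollections"}}  # has the required action


def default_call_is_rejected(privileges):
    """True when the command without the flag fails for this user."""
    try:
        list_collections(privileges, "db", COLLECTIONS, name_only=True)
    except NotAuthorized:
        return True
    return False
```

In this model the collection-scoped user is told only about `events`, so a credential limited to specific collections does not learn the names of the others.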

Contributor

@greptile-apps greptile-apps bot left a comment

1 file reviewed, no comments

@estefaniarabadan estefaniarabadan merged commit 38738e8 into PostHog:master Dec 11, 2025
184 of 185 checks passed