I have a replica set of MongoDB v4.2 with 3 servers running. In my mongod.conf file, until now I have had the options below configured in the security section. Authorization is not enabled as per the config file, but if I want to access the mongo shell then I need to authenticate myself using a username and password; I am not sure how, if authorization is not enabled.
security:
  keyFile: /var/lib/mongo/mongokey
Now, I want to include the 2 new fields below in the config file under the security section. So what is the difference between the mongokey file provided in the keyFile section and the clusterAuth keyFile or sendKeyFile values below? If I use keyFile or sendKeyFile under clusterAuth, what will happen? The MongoDB documentation is not clear enough to find the difference between these options.
security:
  keyFile: /var/lib/mongo/mongokey
  authorization: enabled
  clusterAuthMode: keyFile or sendKeyFile
Declaring a keyFile enables user authentication.
Enforcing internal authentication also enforces user access control.
Update Replica Set to Keyfile Authentication
I created some mongodb users and when I tried to enable Authorization I added this directive
security:
authorization: "enabled"
to /etc/mongod.config file, and when I restarted mongod it won't start and it exited with error.
My mongodb is version 5.x as a replicaset of three nodes.
Any thoughts?
I installed MongoDB using Homebrew on my Mac.
And I created an admin account on my local MongoDB.
Then, I added the code below to my 'mongod.conf' to use authentication mode.
The code is 'security: authorization: enabled'.
systemLog:
  destination: file
  path: /usr/local/var/log/mongodb/mongo.log
  logAppend: true
storage:
  dbPath: /usr/local/var/mongodb
net:
  bindIp: 127.0.0.1
security:
  authorization: enabled
And I restarted MongoDB. 'brew services restart mongodb'
But whenever I start the mongo shell, it still prints
WARNING: Access control is not enabled for the database.
Read and write access to data and configuration is unrestricted.
And naturally it can be used without user connection.
How can I resolve this problem?
If I type
db.auth("username", "password")
It prints '1'. <- authenticated.
Is it impossible to authenticate mongoDB if I use homebrew?
I don't know what I have to do anymore.
Please help me.
Thank you.
+ It's full log
MongoDB shell version v4.0.3
connecting to: mongodb://127.0.0.1:27017
Implicit session: session { "id" : UUID("573560e4-0a3a-472e-a94a-79b1cecab4fd") }
MongoDB server version: 4.0.3
Server has startup warnings:
2019-08-27T19:02:40.847+0900 I CONTROL [initandlisten]
2019-08-27T19:02:40.847+0900 I CONTROL [initandlisten] ** WARNING: Access control is not enabled for the database.
2019-08-27T19:02:40.847+0900 I CONTROL [initandlisten] ** Read and write access to data and configuration is unrestricted.
2019-08-27T19:02:40.847+0900 I CONTROL [initandlisten]
---
Enable MongoDB's free cloud-based monitoring service, which will then receive and display
metrics about your deployment (disk utilization, CPU, operation statistics, etc).
The monitoring data will be available on a MongoDB website with a unique URL accessible to you
and anyone you share the URL with. MongoDB may use this information to make product
improvements and to suggest MongoDB products and deployment options to you.
To enable free monitoring, run the following command: db.enableFreeMonitoring()
To permanently disable this reminder, run the following command: db.disableFreeMonitoring()
Try removing the current service.
Enable authorization first in the config file and then run the mongod daemon for the very first time.
Mongo allows a "localhost exception". Read about it in the documentation.
Then create the first account with the required privileges on the admin database. Make sure to include privileges for creating other users.
Restart the mongod daemon.
Check if the error goes away.
The point is to enable authorization before creating any user, even before admin.
I don't see you have specified the Authentication Mechanism in config file. Please add it to your mongod config file
security:
  authorization: enabled
setParameter:
  authenticationMechanisms: SCRAM-SHA-1
Once the above is done, restart your mongo instance and that should work
We installed MongoDB version 3.4 on Windows (development) and enabled authentication; after running the command mongod --auth, the authentication was successfully implemented.
Now on the production server, which is Ubuntu 16 with MongoDB version 4.0, we made changes to the mongod.conf file as seen below and then restarted the mongod service with the command sudo service mongod start, but now we are not able to connect to our MongoDB Ubuntu server.
security:
authorization: "enabled"
Where did we go wrong in implementing authentication for MongoDB on the Ubuntu server?
security:
authorization: "enabled"
2 possible issues here: reading the doc, I'm not sure you need to quote the enabled word.
Moreover, the YAML format needs the sub parts of the conf to be indented, so your conf file has to look like:
security:
  authorization: enabled
But I cannot really test, since I don't have any running local instance.
I am trying to get MongoDB authentication working on my AWS Linux server. I have run authentication using MongoDB running on windows with no issues,
>mongod --auth
On my AWS server I am trying to run MongoDB using the service command,
$ sudo service mongod start
However, mongod does not start. I believe the problem is with my /etc/mongod.conf file. Here is the /etc/mongod.conf with authentication enabled,
# mongod.conf
# for documentation of all options, see:
# http://docs.mongodb.org/manual/reference/configuration-options/
# where to write logging data.
systemLog:
  destination: file
  logAppend: true
  path: /var/log/mongodb/mongod.log
# Where and how to store data.
storage:
  dbPath: /var/lib/mongo
  journal:
    enabled: true
#  engine:
#  mmapv1:
#  wiredTiger:
# how the process runs
processManagement:
  fork: true # fork and run in background
  pidFilePath: /var/run/mongodb/mongod.pid # location of pidfile
# network interfaces
net:
  port: 27017
#  bindIp: 127.0.0.1 # Listen to local interface only, comment to listen on all interfaces.
security:
authorization: enabled
#operationProfiling:
#replication:
#sharding:
## Enterprise-Only Options
#auditLog:
#snmp:
The problem is with the security tag.
security:
authorization: enabled
If I include it, MongoDB will not start. If I take it out, MongoDB starts fine but has no security. What am I doing wrong?
Ok, my bad...The file is of type YAML. I originally entered,
security:
authorization: enabled
Because it's YAML, I needed a couple of spaces. The correct entry is,
security:
  authorization: enabled
Works fine now.
By the way, If you are using MongoDB and have a public IP/port exposed I would highly recommend that you enable security. I got an email last week from AWS saying that if you are using MongoDB that has a port that is publicly available you should implement security. I am still in development so I ignored the AWS recommendation. Well, 3 days later, someone accessed my databases, copied them, deleted them, and left me a ransomware note in a new database. They wanted one bitcoin for the return of my existing databases. I did not pay the ransom. Fortunately, this was not a problem for me. All of the data was limited test data. To avoid potential malware bombs, I deleted the AWS instance, created a new instance and installed a fresh MongoDB release with authorization enabled.
This episode could have been a disaster with real customer data. If you are using MongoDB with public access make sure you enable authorization.
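A pre-flight check for the mistakes in the threads above, as an added example that is not part of any of the original posts: it flags a flat `authorization` key that fell out of `security:`, missing access control, and a listener beyond loopback without access control. The function names and the two sample configs are constructed for illustration, and an unset `bindIp` is assumed to listen on all interfaces, as the comment in the config above states.

```python
# Added example (not from the thread): lint a mongod.conf for the mistakes above.
# Parses only the nested "key: value" mapping subset of YAML that mongod.conf uses.
LOOPBACK = {"127.0.0.1", "localhost", "::1"}

def parse_conf(text):
    root = {}
    stack = [(-1, root)]                      # (indent, mapping) of open sections
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()  # drop comments
        if ":" not in line:
            continue
        indent = len(line) - len(line.lstrip())
        key, _, value = line.strip().partition(":")
        while stack[-1][0] >= indent:         # close sections at same/deeper indent
            stack.pop()
        parent = stack[-1][1]
        value = value.strip().strip("\"'")
        if value:
            parent[key] = value
        else:
            parent[key] = {}
            stack.append((indent, parent[key]))
    return root

def lint(text):
    conf = parse_conf(text)
    sec = conf.get("security") if isinstance(conf.get("security"), dict) else {}
    net = conf.get("net") if isinstance(conf.get("net"), dict) else {}
    findings = []
    for key in ("authorization", "keyFile", "clusterAuthMode"):
        if key in conf:                       # flat YAML: key fell out of security:
            findings.append(f"{key} is top-level; indent it under security:")
    # A keyFile enforces internal auth, which also enforces user access control.
    protected = sec.get("authorization") == "enabled" or bool(sec.get("keyFile"))
    if not protected:
        findings.append("access control is not enabled")
    # Assumption: an unset bindIp listens on all interfaces, as the config comment says.
    bind = net.get("bindIp", "")
    local = bool(bind) and all(a.strip() in LOOPBACK for a in bind.split(","))
    if not protected and not local:
        findings.append("reachable beyond loopback without access control")
    return findings

# Constructed sample configs.
BROKEN = "net:\n  port: 27017\n#  bindIp: 127.0.0.1\nsecurity:\nauthorization: enabled\n"
FIXED = "net:\n  port: 27017\nsecurity:\n  authorization: enabled\n"

if __name__ == "__main__":
    for name, conf in (("broken", BROKEN), ("fixed", FIXED)):
        print(name, lint(conf) or "ok")
```

Running it against a config before restarting the service shows whether the `security:` block is nested the way mongod expects.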
I'm building a MongoDB cluster using shards of replica sets and have the first replica set setup and three config servers running (all on Linux servers) with a mongos instance running pointing to the three config servers, but when connecting to the mongos instance on the application server (on Windows Server 2012 Standard x64) via the mongo shell and issuing the sh.addShard() command as per the docs, I get the following response:
> sh.addShard("rs1/xxx:xxx")
{
"note" : "not authorized for command: addShard on database admin",
"ok" : 0,
"errmsg" : "unauthorized"
}
Does anyone know what I'm doing wrong? I'm running all Mongo instances using a keyfile for security. The keyfile is a Windows compatible one as per these docs.
My results:
If your data nodes use keyfile based authentication, all the mongod and mongos instances (data, config, etc) need to use --keyFile as well and point to an exact copy of the keyfile.
Secondly, make sure you "use admin" after connecting to config servers using mongos. If this doesn't get you there then add an admin user at the mongos prompt, authenticate with those credentials and try again.
I've since solved this. It was because authentication was enabled by virtue of the keyfile and using the localhost connection wasn't enough to authenticate. After disabling keyfile usage across the cluster, creating an admin account and using that to connect, it worked.
In addition to bisharkha's answer, here is one more clue for using a keyfile.
After the use admin command, also make sure you have authenticated with:
db.auth("user", "passwd")
It can also happen when you specify the wrong name of your collection.