I do not use MongoDB before, after set everything up, my mongoDB has been hacked for 1 second, please help me answer my question: "how to secure my mongoDB?"
To Secure MongoDB you need to :
enable security (in mongod.conf file),
create database user for authentication ,
you can change port 27001 (default) to any port like 27000 (in mongod.conf file)
you can add specific ip address to allow to connect and access your database (in mongod.conf file).
you need to find out mongod.conf and open it . (google it out where is mongod.conf is stored in your pc windows/mac/ubuntu)
security:
authorization: enabled
Shutdown the MongoDB instance on port 27001
mongo admin --port 27001 --eval 'db.shutdownServer()'
Restart the MongoDB instance with the new configuration
mongod -f mongod.conf
Create the first user on the admin database with the following
mongo
>use admin
db.createUser({
user: "USER_NAME_HERE",
pwd: "PASSWORD_HERE",
roles: [ { role: "userAdminAnyDatabase", db: "admin" } ]
});
example :
db.createUser({
user: "AdminUser",
pwd: "57d49$4%0beqwe#adb4d",
roles: [ { role: "userAdminAnyDatabase", db: "admin" } ]
});
after that run following to check user is authenticated
Syntax : db.auth( "USER_NAME_HERE", "PASSWORD_HERE" )
db.auth( "AdminUser", "57d49$4%0beqwe#adb4d" )
To Check Users :
db.getUsers()
It will return :
[
{
"_id" : "admin.AdminUser",
"userId" : UUID("31ccb892-d3ef-46b6-8ac1-2e9b5be11892"),
"user" : "globalAdminUser",
"db" : "admin",
"roles" : [
{
"role" : "userAdminAnyDatabase",
"db" : "admin"
}
],
"mechanisms" : [
"SCRAM-SHA-1",
"SCRAM-SHA-256"
]
}
]
Now your database is secured and only authenticated user can access it .
you can connect mongo with folowing :
mongo admin --port 27001 --username 'AdminUser' --password '57d49$4%0beqwe#adb4d'
Related
I have a database called flowers in which I have the collection named flower. When I first created it in MongoDB, I had no authentication set to it (I would just connect to it using the default port:27017 and localhost).
Then I wanted to restrict the access to this database, in order to be accessed only with a set of username & password. First, I created an admin in the admin database:
> use admin
switched to db admin
> db.createUser(
... {
... user: "myUserAdmin",
... pwd: "abc123",
... roles: [ { role: "userAdminAnyDatabase", db: "admin" } ]
... }
... )
Successfully added user: {
"user" : "myUserAdmin",
"roles" : [
{
"role" : "userAdminAnyDatabase",
"db" : "admin"
}
]
}
> show users
{
"_id" : "admin.myUserAdmin",
"user" : "myUserAdmin",
"db" : "admin",
"roles" : [
{
"role" : "userAdminAnyDatabase",
"db" : "admin"
}
],
"mechanisms" : [
"SCRAM-SHA-1",
"SCRAM-SHA-256"
]
}
Then I exited mongo, I restarted the service. Then I created a user for my database:
> use flowers
switched to db flowers
> db.createUser(
... {
... user: "adminfl",
... pwd: "flower1",
... roles: [ "dbOwner", "readWrite"]
... }
... )
Successfully added user: { "user" : "adminfl", "roles" : [ "dbOwner", "readWrite" ] }
After this I exited mongo once again, restarted the service.... from Compass I tried to connect to database flowers using the username and password and specify the authentication database: flowers. Everything went well to this point.
My problem is: when I connect to mongo using the authentication I can see all the databases, and when I connect without authentication, I have the same result.
How can I make my database flowers visible only when I connect with a username & password?
Update: This is my mongod.cfg:
# mongod.conf
# for documentation of all options, see:
# http://docs.mongodb.org/manual/reference/configuration-options/
# Where and how to store data.
storage:
dbPath: C:\Program Files\MongoDB\Server\4.0\data
journal:
enabled: true
# engine:
# mmapv1:
# wiredTiger:
# where to write logging data.
systemLog:
destination: file
logAppend: true
path: C:\Program Files\MongoDB\Server\4.0\log\mongod.log
# network interfaces
net:
port: 27017
bindIp: 127.0.0.1
#processManagement:
#security:
#operationProfiling:
#replication:
#sharding:
## Enterprise-Only Options:
#auditLog:
#snmp:
Try adding below line if not added in your mongod.conf =>
security:
authorization: enabled
Then restart mongodb and you are good to go.
Ok looking at your mongo conf we can see there is space in your db and log path viz "Program Files" which can create issue.
Workaround is:
1) Make data, log and conf directory like C:\data\db, C:\data\log and C:\data\mongod.conf.
2) Make path changes in mongod.conf for dbpath and logpath.
3) Add security authorization: enabled in mongod.conf as suggested.
4) Remove mongod service if already installed and install service again.
5) Restart service. Hope this helps.
There's another answer here: Can't connect to MongoDB with authentication enabled. I tried that but still can;t figure out what's wrong why my configuration.
I use Ubuntu 14.04, Mongo 3.4.1(latest) installed as a service
First after installation I run this command, just like its documentation here:
mongo --port 27017
use admin
db.createUser({user: "adminUser",pwd: "abc123",roles: [ { role: "userAdminAnyDatabase", db: "admin" } ]})
it returns Successfully added user. Then I reconfigure the /etc/mongod.conf
storage:
dbPath: /var/lib/mongodb
journal:
enabled: true
systemLog:
destination: file
logAppend: true
path: /var/log/mongodb/mongod.log
net:
port: 27017
bindIp: 127.0.0.1
security:
authorization: enabled
Save and restarted the mongod server : sudo service mongod restart
try to connect with: mongo -u "adminUser" -p "abc123" --authenticationDatabase "admin"
which is successfull, then if I change to another database with command use testDatabase, I cant make any operation to it.
use testDatabase
db.createCollection("people")
results:
{
"ok" : 0,
"errmsg" : "not authorized on testDatabase to execute command { create: \"people\" }",
"code" : 13,
"codeName" : "Unauthorized"
}
Here is registered users in my database
use admin
db.system.users.find()
{ "_id" : "admin.adminUser",
"user" : "adminUser",
"db" : "admin",
"credentials" : { "SCRAM-SHA-1" : {....} },
"roles" : [ { "role" : "userAdminAnyDatabase", "db" : "admin" } ]
}
It seems that userAdminAnyDatabase role doesn't work anymore or is there anything wrong with my setup?
Built in roles UserAdmin & UserAdminAnyDatabase role allows you to create user and roles in database.
For read/ readWrite operations on database you have to create user with read/ readWrite role for that database.
Other option will be to add the role to the current user you have.
Something like this for example.
use test
db.createUser(
{
user: "myTester",
pwd: "xyz123",
roles: [ { role: "readWrite", db: "test" },
{ role: "read", db: "reporting" } ]
}
)
Admin user permission:
db.getUsers()
[
{
"_id" : "admin.myself",
"user" : "myself",
"db" : "admin",
"roles" : [
{
"role" : "userAdminAnyDatabase",
"db" : "admin"
},
{
"role" : "dbAdmin",
"db" : "reports"
},
{
"role" : "dbAdmin",
"db" : "places"
}
],
"customData" : {
}
}
]
I am able to authenticate into my remote mongo db like,
mongo --host <hostname> -u "myself" -p "myself" --authenticationDatabase "admin"
I am also able to do a dump remotely like
mongodump --host <hostname> --port 27017 --username "myslef" --password "myself" --out home/myself/mongodb-backup
But when I modify some collection on the db and try to restore it like the below code, it does not work and throws an auth error.
mongorestore --host <hostname> -u "myself" -p "myself" home/myself/mongodb-backup/
Error:
Failed: error getting auth version of server: not authorized on admin to execute command { getParameter: 1, authSchemaVersion: 1 }
You should add root role to your admin like this
db.grantRolesToUser( "myAdmin", [ "root" ])
And only after that you can restore from backup
Mongo backup docs recommend creating a specific user with the backup role and another with the restore role.
Presumably using a user with the restore role, or granting the restore role to the user you are using at the moment would solve your problem.
db.createUser({
user: "myself", pwd: "8eUEkdiKlP",
roles: [{role: "readWrite", db: "admin"}]
});
Although the first link does mention that some additional privileges are required if you are trying to restore the system.profile collection.
I'm starting with MongoDB and I would like to user/pass access to the dbs.
The first thing I did was to create and admin user and start mongodb with auth activate, this is my created user:
db.getUser("admin")
{
"_id" : "admin.admin",
"user" : "admin",
"db" : "admin",
"roles" : [
{
"role" : "dbAdminAnyDatabase",
"db" : "admin"
},
{
"role" : "clusterAdmin",
"db" : "admin"
}
] }
}
After that, I try to create users with the following commands:
use newdb
db.createUser(
{
user: "newuser",
pwd: "12345678",
roles: [ { role: "readWrite", db: "newdb" } ]
}
)
But I got this error:
Error: couldn't add user: not authorized on newdb to execute command {
createUser: "newuser", pwd: "xxx", roles: [ { role: "readWrite", db:
"newdb" } ], digestPassword: false, writeConcern: { w: "majority",
wtimeout: 30000.0 } } at src/mongo/shell/db.js:1004
I have googled about it but there are only two results, one on Chinese and the other not related, so I'm a little lost. Any idea ? It looks like my admin user doesn't have privilege, I access to the mongodb with the following command:
$mongo --port 27017 -u adminUser -p adminPass --authenticationDatabase admin
Thanks in advance.
Stop the running instance of mongod
mongod --config /usr/local/etc/mongod.conf --auth
then start without --auth like
mongod --config /usr/local/etc/mongod.conf
then update your roles like
db.updateUser("admin",{roles :
["userAdminAnyDatabase","userAdmin","readWrite","dbAdmin","clusterAdmin","readWriteAnyDatabase","dbAdminAnyDatabase"]});
Now again start mongod with --auth and try.
The idea is you have to create user under "admin" database with all the ROLES mentioned above.
But this user is not part of other databases. So once you created the admin user,
then login as that admin user,
SERVER: mongod --config /usr/local/etc/mongod.conf --auth
CLIENT: ./mongodb/bin/mongo localhost:27017/admin -u adminUser -p
123456
use APPLICATION_DB
again create a new user (say APP_USER) for this APPLICATION_DB. This time for this application user you need only "dbOwner" role.
db.createUser({user:"test", pwd:"test", roles:['dbOwner']})
Now your application has to use this APP_USER and APP_DB.
I fixed the same problem just exit and login as admin
mongo -u admin
enter your admin user password
after login, create a user as usual you mentioned
use newdb
db.createUser(
{
user: "newuser",
pwd: "12345678",
roles: [ { role: "readWrite", db: "newdb" } ]
}
)
in my case:
1.stop mongodb :
$ service mongod stop
2.editing this /etc/mongod.conf:
security:
authorization: "disabled"
3.then I start again service:
$ service mongod start
4.Add user:
$ mongo mongodb://localhost:27017
use admin
db.createUser(
{
user: "myUserAdmin",
pwd: "abc123",
roles: [ { role: "userAdminAnyDatabase", db: "admin" } ]
}
)
5.comment lines from /etc/mongod.conf added in step 2
6.restart mongod
service mongod restart
You should exit the current mongod process and restart it again without parameter --auth.
On Terminal type: mongod
After the process of mongod gets started then you can open new terminal tab to run mongo shell command :
mongo --shell
use new_your_database
db.createUser(
{
user: "mongo_admin",
pwd: "mongo_admin",
roles: [ "readWrite", "dbAdmin" ]
}
)
it should be done successfully....
Below command says, you have created admin user and password.
db.getUser("admin")
{
"_id" : "admin.admin",
"user" : "admin",
"db" : "admin",
"roles" : [
{
"role" : "dbAdminAnyDatabase",
"db" : "admin"
},
{
"role" : "clusterAdmin",
"db" : "admin"
}
] }
}
Once you create the admin user and password, Mongo will not allow you to do any schema update as normal a admin user which you used to login previously.
Use newly created admin user and password to create new users or do any updates. It should work.
If you're here with the same issue & having a config file to trigger mongod instances- then go ahead and exit from the running process of mongod & in your config file make sure you make security.authorization : disabled, in addition if you've keyFile (i.e; path to a cert file), then comment that spec as well, now start you mongod process using that config file - you should be able to create an user using admin db.
If you work on replica set : Once if you're done with creating a primary node + a user, make sure you initiate & connect to replica set (which again internally connects to primary node),here you can do anything with earlier created user, but when you connect directly to primary node again to execute few commands like rs.initiate()/rs.status()/show dbs/show users, you would end-up getting errors like (there are no users authenticated).
security:
authorization: disabled
# keyFile: /opt/mongodb/keyfile
I am trying to add authentication to my local MongoDB.
In the configuration I have:
auth = true
setParameter = enableLocalhostAuthBypass=0
I execute the mongod server using:
/opt/local/bin/mongod --config /Users/gabriel/databases/mongo_data/conf/mongod.conf --setParameter enableLocalhostAuthBypass=0
and following these instructions, using the local exception I try to add the user:
db.addUser({
user: "username",
pwd: "password",
roles: [ "userAdminAnyDatabase" ]
})
The result is n error:
{
"user" : "username",
"pwd" : "aa5469a39788b6c3988537cd409887a1",
"roles" : [
"userAdminAnyDatabase"
],
"_id" : ObjectId("52a07b1ee11cb128a47b2a1b")
}
Thu Dec 5 14:09:50.373 couldn't add user: not authorized for insert on admin.system.users at src/mongo/shell/db.js:128
What am I doing wrong?
You explicitly forbid localhost authentication when you set enableLocalhostAuthBypass = 0. Remove setParameter = enableLocalhostAuthBypass=0 from configuration and start mongod without --setParameter enableLocalhostAuthBypass=0 and all should work as expected.