System
Hi I am running mongodb on ubuntu 20.14.
Im running mongodb with systemctl
What I've done
I've tried to make it more secure by adding an admin user and enabled authentication.
Ive restarted the service multiple times.
config file:
security:
authorization: enabled
How I created user:
use admin
db.createUser({
user: "username",
pwd: "123456",
roles:["root"]
})
Problem
I am still able to connect through mongodb compass without any auth??? Im able to do everything even tho I enabled the authentication?
I am not able to login authenticated using these urls:
mongodb://username:password#localhost:27017/
mongodb://username:password#localhost:27017?authSource=admin
Im sure the config file is loading since authentication works in console and I can see the right config load in the mongod.log
It would be this one:
mongodb://username:password#localhost:27017?authSource=admin
See also: Authentication failure while trying to save to mongodb
Yes, even without authentication you can connect to Mongo database in any case. However, apart from harmless commands like db.help(), db.version(), db.getMongo(), etc. you cannot execute anything.
You can skip parameter enableLocalhostAuthBypass. The localhost exception applies only when there are no users created in the MongoDB instance.
Solution
I thought the issue was with mongodb compass.
So what I did was deleting the application and when I did that I saw that I had mongodb installed on my pc too.
I was never connecting to the mongodb that I have created on my ubuntu server but on my own pc.
Related
What I am trying to do:
I want to have my schema require a log in to order to gain access
From my understanding, you must first use the --auth flag to enable authorization. When I do this in the compass shell, it says auth is not recognized/defined
I want to be able to create new users with different sets of permissions
Neither of the create user commands listed below work for me
My suspicions on the issue:
I think the reason I am struggling might be because I am on a local host connection provided by the MongoDB compass. I am new to MongoDB and am just practicing. My connection URI is mongodb://localhost:27017
Things I have tried:
Using the advanced connection options in compass GUI
Running the below in test and admin
// running:
--auth
db.auth()
db.createUser({user: "max", pwd: "max", roles: ["userAdminAnyDatabase"]})
db.createUser({
user: "max",
pwd: "max",
roles: [{role: "userAdminAnyDatabase", db: "admin"}, {"readWriteAnyDatabase"}]
})
The create functions give this error:
clone(t={}){const r=t.loc||{};return e({loc:new Position("line"in r?r.line:this.loc.line,"column"in r?r.column:...<omitted>...)} could not be cloned.
I'm going to attempt an answer based on the discussion in the comments. There are definitely still some things that I am not clear on, so please do add additional details to help clarify.
the mongod terminal is something different. It used to be installed with MongoDB, but no longer is by default. All the videos I see are old and working in the mongod terminal not the MongoDB compass shell
You are correct that the earlier shell (mongo) that used to ship with the database no longer does. It has been replaced with a newer one (mongosh) which is still functionally mostly the same, but with some additional expanded capabilities. You can mostly still use the older shell to connect to MongoDB though there really shouldn't be any reason for doing so.
It is the newer mongosh utility that is now bundled with Compass.
You can see here that the db.createUser() method is included as one of the mongosh Methods in the navigation on the left side of the page. So that method and functionality should be present in this newer shell.
I believe it is all just stored locally.
This comment doesn't really make sense. It's true that MongoDB credentials are stored by the cluster itself so it is "local" in that regard. But nothing is going to be stored outside of that such as in Compass or on your local machine.
I do not believe it's connected to atlas
What are the actual connection settings you used when opening Compass to connect to a system?
To get back to the original request, what is the actual outcome that you are seeing when running those commands? Are you getting an error message or?
Knowing that would allow us to troubleshoot further. If you do happen to be running these commands against an Atlas cluster and seeing that the users don't exist shortly after doing so, then you will want to use the Atlas interface instead.
Edit
Based on the updated question, it seems part of the confusion is around what and where to run some commands.
Working backwards, the specific error that you mention is caused by a syntax error. In your array of roles the second entry should either just be a string or a fully-formed object. So try changing
roles: [{role: "userAdminAnyDatabase", db: "admin"}, {"readWriteAnyDatabase"}]
to
roles: [{role: "userAdminAnyDatabase", db: "admin"}, {role:"readWriteAnyDatabase",db:"admin"}]
Also I see now that you seem to be adding the --auth flag to the commands that are being run in the shell. This is incorrect. Rather that is a parameter that is included when you start the mongod process, see here. You can still create users without mongod enforcing authentication, but you'll want to restart the mongod process itself with the right configuration (eg with --auth) to actually prevent users from interacting with the data without properly authenticating.
I have created a user and added my IP to whitelist.
when trying to connect to a cluster through mongo shell, i am required to enter the following line: mongo "mongodb+srv://cluster0.****.mongodb.net/" --username --password
I have filled in credentials for username and password and replaced dbname with my database name(tried using non-existing one as well in case that was the problem). it connects to the shell, but then crashes with the following error:
Error while trying to show server startup warnings: user is not allowed to do action [getLog] on [admin.]
MongoDB Enterprise atlas-7cwf8s-shard-0:PRIMARY>
tried googling and youtubing the issue, but cannot find the match on how to fix it.
Many thanks
That message says that the shell is unable to show you server startup warnings. It's expected in Atlas environment.
Supposing that's your own cluster, then:
Check the user in Atlas > Database Access
Check the MongoDB Roles header in the table.
If it's not atlas Admin, you can't issue this command:
db.adminCommand({getLog:"startupWarnings"})
Or any admin command, which is issued or tested automatically in the connection, hence the error.
Edit MongoDB Roles to the highest privileges (atlas Admin)
But you can still work anyways.
If you're accessing someone else's cluster, then there isn't much to do.
I am running a local MongoDB service on Windows using WAMP64.
I want to access the db using Adminer. I cannot get thru the login page.
It keeps saying that Database does not support password, which it does as proven by me logging into the db using MongoDB Compass with the created auth uid and pw.
I have tried Adminer 4.6.3 and 4.7.6 (lastest v)
Anyone know how to get past this? Thanks.
The code that produces this message seems to be here.
What it appears to do is:
Connect with the provided username and password.
Connect with the provided username with an empty password.
If the second connection succeeds, return the "does not support password" error.
Otherwise, presumably return the first connection.
If I try to login without a password, even if mongod was not started with --auth parameter, my login fails. So I'm not sure what setup is needed to reproduce this behavior, but I suggest:
Ensuring your mongod invocation has --auth parameter.
Ensuring you are not able to connect to your server without specifying the password (i.e., unauthenticated connection fails).
The thing you need to do is to add a user. You don't have to run mongo with authentication enabled; if you add a user adminer will accept the auth and just work. Just run mongo:
db.createUser({
... user: "admin",
... pwd: "PASSWORD",
... roles: ["readWrite","dbAdmin"]
... })
and then you'll be able to log in with adminer
I have a mongodb sharded cluster, with mongos machines, mongo nodes in replicate sets and config servers. MongoDB version is 3.02
The guy that set this up left the company a while ago and now I cant do simple things like show dbs or show collections
I have OS root in all these Debian machines, so I want to know how to reset mongo's root password so I can admin the database.
The apps that access this db seem to be working fine, using a user that has low privileges. I know the password for this particular user.
This is a production setup, so I can't afford to keep it down for more than a few seconds, tops minutes.
It depends on the types of users. For example, if you are using SCRAM, the basic steps to reset password would be:
Stop the mongod nodes
Disable authorization in mongod.conf
Restart the Replica set nodes
Connect to the replica set primary node using the mongo shell
Reset the your password by db.changePassword
I think this may work:
Stop your MongoDB instance
Remove the --auth and/or --keyfile options from your MongoDB config to disable authentication
Start the instance without authentication
Edit the users as needed
Restart the instance with authentication enabled
https://dba.stackexchange.com/questions/62976/how-can-i-enter-mongo-as-a-superuser-or-reset-users
This may not be the perfect answer, because I cannot test it. The base problem is of course that, that you cannot put your system into maintenance mode, where you can change admin password... But there is config file parameter security.transitionToAuth what you can add with rolling matter to your config file(s).
A mongod or mongos running with security.transitionToAuth does not enforce user access controls. Users may connect to your deployment without any access control checks and perform read, write, and administrative operations.
There are two options here
If you plan to upgrade to 3.4 this can be done without downtime:
MongoDB 3.4 allows Enforce Keyfile Access Control in a Replica Set without Downtime
You need to start all your members with --transitionToAuth(This will allow both authenticated and non-authenticated traffic for some duration)
Login to mongo shell on primary and create a userAdmin
Logout and login again using userAdmin
Create rootAdmin
Store the password in password manager
Disable transitionToAuth (Allow only authenticated traffic to replica set)
If you need to do this with existing MongoDB without upgrade:
Stop a secondaries in the replica set in a rolling manner. Disable authentication using keyFile options
Stepdown a primary and update its configuration to disable authentication.
Update you're the application to remove username and password from application config
Restart application
Create useradmin and rootAdmin in admin DB
Save passwords in the password manager
Enable authentication in the replica set
Start your application with the old config that includes username and password
Steps
Connect to the machine hosting your MongoDB instance
Open the MongoDB configuration file found in /etc/ folder using: sudo nano mongod.conf
Comment out the following code like so:
# security:
# authorization: enabled
Stop the MongoDB service: sudo service mongod stop
Start the MongoDB service: sudo service mongod start
Connect to the database using Robo3T or equivalent. With a connection to the admin collection, create a new admin superuser:
db.createUser({ user:"admin", pwd:"password", roles:[{role:"root", db:"admin"}] });
Go back and uncomment the lines from step 3. Then repeat steps 4 and 5.
You should now be able to authenticate with the new user you created in step 6 and have full access to the database.
Troubleshooting
If for whatever reason, after trying to restart your mongo service, you cannot connect to it, you can make sure the service properly started with: systemctl --type=service --state=active. If it has started, it will be in the list as mongod.service.
Mongo logs can also be found at /var/log/mongodb/mongodb.log but this is less likely to be helpful in this situation.
This question already has answers here:
MongoDB server can still be accessed without credentials
(2 answers)
Closed 8 years ago.
I'm a beginner to mongodb,I have a installed mongodb 2.6 on windows. Now, I want to prevent any login without authentication. I read localhost exception manual from docs.mongodb.org. after reading that manual, I created a userAdminAnyDatabase with
use admin
db.createUser
(
{
user: "adminDB",
pwd: "password",
roles: [ "userAdminAnyDatabase","readWriteAnyDatabase","root" ]
}
)
localhost exception must disable automatically. I use this command to start mongodb server.
mongod --auth --setParameter enableLocalhostAuthBypass=0 --setParameter enableTestCommands=0 --dbpath "D:\data"
I still can login with mongo.exe and can see databases name. but I can't change,update or drop anything. Is there anyway to prevent any login ? and prevent anyone to read databases names?
That's the expected behavior of having the MongoDB auth enabled.
You establish a connection with the MongoDB server
you specify against which database you need to authenticate
you validate your credentials
For anyone to be able to authenticate, you actually need to allow them to reach point 3.