We have a cluster in AWS, with a Document DB up and running. I wanted to grant some extra privileges, so I connected to the database as an user with the root role granted, and did the usual MongoDB thing:
db.grantRolesToUser("nameOfTheUser", ["readWrite"])
Instead of just granting the privileges, it gave me:
2020-05-04T15:26:42.053+0000 E QUERY [js] uncaught exception: Error: Cannot update system managed users' roles :_getErrorWithCode#src/mongo/shell/utils.js:25:13
DB.prototype.grantRolesToUser#src/mongo/shell/db.js:1592:15
#(shell):1:1
This is the first time I hear about any system managed users. I searched both MongoDB and AWS DocumentDB docs, but didn't find it anywhere. What are they? How an user ends up being system managed? And how can I change their privileges?
The serviceadmin user is created implicitly when the cluster is created. Every Amazon DocumentDB cluster has a serviceadmin user that provides AWS the ability to manage your cluster. You cannot log in as, drop, rename, change the password, or change the permissions for serviceadmin. Any attempt to do so results in an error.
Please see the following for more information: https://docs.aws.amazon.com/documentdb/latest/developerguide/security.managing-users.html
Related
I created an AWS Document DB in the same region as my EC2. When I try to connect to it using the command provided by AWS the terminal seems to get stuck.
The ec2 and Document DB are in the same region.
Document DB's security group allows 27017 access.
Both are in the same VPC.
I don't understand why it says connected but then doesn't allow me to enter commands
asds_asds
You can check your working process from here https://docs.aws.amazon.com/documentdb/latest/developerguide/connect-ec2.html to see if you missed something.
I have created a user and added my IP to whitelist.
when trying to connect to a cluster through mongo shell, i am required to enter the following line: mongo "mongodb+srv://cluster0.****.mongodb.net/" --username --password
I have filled in credentials for username and password and replaced dbname with my database name(tried using non-existing one as well in case that was the problem). it connects to the shell, but then crashes with the following error:
Error while trying to show server startup warnings: user is not allowed to do action [getLog] on [admin.]
MongoDB Enterprise atlas-7cwf8s-shard-0:PRIMARY>
tried googling and youtubing the issue, but cannot find the match on how to fix it.
Many thanks
That message says that the shell is unable to show you server startup warnings. It's expected in Atlas environment.
Supposing that's your own cluster, then:
Check the user in Atlas > Database Access
Check the MongoDB Roles header in the table.
If it's not atlas Admin, you can't issue this command:
db.adminCommand({getLog:"startupWarnings"})
Or any admin command, which is issued or tested automatically in the connection, hence the error.
Edit MongoDB Roles to the highest privileges (atlas Admin)
But you can still work anyways.
If you're accessing someone else's cluster, then there isn't much to do.
I forgot the credentials of my admin user.
Hence i am not able to connect to cluster mongo shell.
Now i want to delete all users and and credentials or even if reset of mongodb is possible then it will be a lot help.
I tried following commands but got "authentication required error".
db.createUser(), db.dropDatabase().
I expect to create new admin user with credentials.
you can do it by logging in to your Atlas Cluster here: https://www.mongodb.com. Then, on the left sidebar, you click on 'Database Access'. There you can manage the users and you can even delete them and create new ones.
I have a mongodb replica-set of 3 members (version 2.4) in which the administrator user for the 'admin' db does not have the 'userAdminAnyDatabase' role.
This role is required for managing the users on all databases.
The roles I currently have are: [ "readWriteAnyDatabase", "dbAdminAnyDatabase", "clusterAdmin" ]
I tried updating roles for myself or creating a new user, however I have no permission to access db.system.users in the admin db.
I tried setting noauth=true but that did not help. When removing the keyFile as well, the db was not able to sync with the other members (obviously) and got stuck in RECOVERY state.
I found a similar question that refers to a stand alone db (no replica set) so it doesn't really help in this case.
What would be the best way to add this role while having minimal system downtime?
I would use mongodump and mongorestore to backup the data then rebuild node with right permissions and restore the data.
However this approach should work:
If you have locked yourself out then you need to do the following:
Stop your MongoDB instance
Remove the --auth and/or --keyfile options from your MongoDB config
to disable authentication
Start the instance without authentication
Edit the users as needed
Restart the instance with authentication enabled
As you are using mongo 2.4, that means you have MMAP as a storage engine.
my proposal will be:
create similar replica set on each host but different port, and set database directory on same media as current one.
configure all auth stuff same as running ones
stop old replica set members
MOVE database files to new directory excluding local
change port on new replica set
start it
As moving files to other directory is just a pointer change this will take some seconds.
Please test before implementation.
Any comments welcome!
I am trying to connect to my mongodb deployed in jelastic cloud
If i try to use the test database already provided in the mongodb node in jelastic..it works fine.But if i create my own database and try to access the collections created in it ..i get the following exception
com.mongodb.MongoException: unauthorized db:appdb lock type:-1 client:192.168.1.53
Why is this happening?how can i resolve it?
I am reading the configuration from a file mydb.cfg
host=mongodb-***.jelastic.servint.net
dbname=appdb
user=admin
password=*****
When in Rock Mongo web interface pick the targeted db and go for 'More' in config panel.
This has to show you the list of users having rights for DB.
Did you set the user and rights for your custom collection?
Try to check the configuration under 'Authentication' section?
Anyway, supposedly admin user should have rights to all DBs. You can try to figure this issue out at Jelastic community
I had the same issue when connection to mongodb custom named database.
In order to succeed with the connection, I have created an user for my custom named database.
(I added the provided admin user with its password to the authorized users as the image shown).