When you first install mongodb, there is no root user. You simply start mongo with (if on mac osx) "mongod --dbpath='/usr/local/var/mongodb'", and then run mongo in the shell and it will connect you without any authentication.
I create the admin user in the admin database:
> db
admin
> db.createUser({
"user" : "test1",
"pwd" : "test1",
"roles" : [ { "role" : "userAdminAnyDatabase", "db" : "admin" } ]
})
> db.getUsers()
[
{
"_id" : "admin.test1",
"user" : "test1",
"db" : "admin",
"roles" : [
{
"role" : "userAdminAnyDatabase",
"db" : "admin"
}
],
"mechanisms" : [
"SCRAM-SHA-1",
"SCRAM-SHA-256"
]
}
]
Now I connect to mongo shell as admin user:
> db
admin
> db.runCommand({connectionStatus : 1})
{
"authInfo" : {
"authenticatedUsers" : [
{
"user" : "test1",
"db" : "admin"
}
],
"authenticatedUserRoles" : [
{
"role" : "userAdminAnyDatabase",
"db" : "admin"
}
]
},
"ok" : 1
}
I start mongod with access control:
$ sudo mongod --auth --port 27017 --dbpath=.
Password:
2020-04-16T20:28:40.656-0400 I CONTROL [main] Automatically disabling TLS 1.0, to force-enable TLS 1.0 specify --sslDisabledProtocols 'none'
2020-04-16T20:28:40.672-0400 I CONTROL [initandlisten] MongoDB starting : pid=8441 port=27017 dbpath=. 64-bit
I even turned on security:
$ cd /usr/local/etc/
$ vim mongod.conf
security:
authorization: "enabled"
Yet I can simply login with just "mongo":
$ mongo admin
MongoDB shell version v4.0.4
connecting to: mongodb://127.0.0.1:27017/admin
Implicit session: session { "id" : UUID("95879725-00ed-4cee-bd43-8ba093df1e19") }
MongoDB server version: 4.0.4
> db.runCommand({connectionStatus : 1})
{
"authInfo" : {
"authenticatedUsers" : [ ],
"authenticatedUserRoles" : [ ]
},
"ok" : 1
}
This is wild. What else must I do? Unless there is some type of automatic login when logged into the ip the server is running on?
Some commands do not require authentication. Try reading or writing to a collection.
Authentication itself is performed via a sequence of commands (you can read about those here) therefore some of the commands must by necessity not require authentication.
Some commands return different responses based on whether a connection is authenticated. For example, try {ismaster:1} with and without authentication.
Related
I installed Locally on mac. Created user superuser with root privledges as per MongoDB Docs:https://docs.mongodb.com/guides/server/auth/#procedure
> db.createUser({user:"superuser",pwd:"strongPassword",roles:["root"]})
Successfully added user: { "user" : "superuser", "roles" : [ "root" ] }
> show users
{
"_id" : "admin.superuser",
"userId" : UUID("f873bafd-8d9b-4d2d-95a2-95d9e05db25d"),
"user" : "superuser",
"db" : "admin",
"roles" : [
{
"role" : "root",
"db" : "admin"
}
],
"mechanisms" : [
"SCRAM-SHA-1",
"SCRAM-SHA-256"
]
}
launch it with
resulting in running mongodb instance:
"ctx":"listener","msg":"Waiting for connections","attr":{"port":27017,"ssl":"off"}}
then I mongo --port 27017
use admin
response: switched to db admin
here's the kicker:
I input
db.auth("superuser","strongPassword")
and then
0```
This is the output in the running mongod client:
```{"t":{"$date":"2021-03-15T14:41:11.167-05:00"},"s":"I", "c":"ACCESS", "id":20251, "ctx":"conn1","msg":"Supported SASL mechanisms requested for unknown user","attr":{"user":"superuser#admin"}}
{"t":{"$date":"2021-03-15T14:41:11.168-05:00"},"s":"I", "c":"ACCESS", "id":20249, "ctx":"conn1","msg":"Authentication failed","attr":{"mechanism":"SCRAM-SHA-1","principalName":"superuser","authenticationDatabase":"admin","client":"127.0.0.1:51532","result":"UserNotFound: Could not find user \"superuser\" for db \"admin\""}}
Please help me? Seems pretty straightforward what my problem is here. Followed the mongoDb docs exactly, and then just totally failing to see my user. What's the trick here?
I created databse named GSCADB in mongodb version 4.2.0, I want to allow access to this database with username and password only.
I tried to follow Enable Access Control.
For now there are two users:
> show users
{
"_id" : "GSCADB.codey",
"userId" : UUID("e010fed4-382d-4bb5-8687-71eb8516b01b"),
"user" : "codey",
"db" : "GSCADB",
"roles" : [
{
"role" : "readWrite",
"db" : "GSCADB"
}
],
"mechanisms" : [
"SCRAM-SHA-1",
"SCRAM-SHA-256"
]
}
{
"_id" : "GSCADB.user1",
"userId" : UUID("c6d3de16-bbac-4cee-9bb9-99d1bc9cafeb"),
"user" : "user1",
"db" : "GSCADB",
"roles" : [ ],
"mechanisms" : [
"SCRAM-SHA-1",
"SCRAM-SHA-256"
]
}
but now I'm able to access the data withot username and password, like:
C:\>cd C:\Program Files\MongoDB\Server\4.2\bin
C:\Program Files\MongoDB\Server\4.2\bin>mongo
MongoDB shell version v4.2.0
connecting to: mongodb://127.0.0.1:27017/?compressors=disabled&gssapiServiceName=mongodb
Implicit session: session { "id" : UUID("508b0faa-8e47-43a4-8552-0ad54570a13c") }
MongoDB server version: 4.2.0
Server has startup warnings:
2019-09-08T15:30:29.337+0300 I CONTROL [initandlisten]
2019-09-08T15:30:29.337+0300 I CONTROL [initandlisten] ** WARNING: Access control is not enabled for the database.
2019-09-08T15:30:29.337+0300 I CONTROL [initandlisten] ** Read and write access to data and configuration is unrestricted.
2019-09-08T15:30:29.337+0300 I CONTROL [initandlisten]
> show dbs
GSCADB 0.000GB
admin 0.000GB
config 0.000GB
local 0.000GB
> use GSCADB
switched to db GSCADB
> show collections
GSCALogs
> db.GSCALogs.find()
{ "_id" : ObjectId("5d6fade919038b3530015c30"), "SHA-256" : "67072c7ccfbc0797aad8614b6d089b323b50da0e6552345431d75fdd1b9864db", "New File SHA-256" : "", "File Name" : "eicar.vbs", "File Name (GUID)" : "3297F0F2-35D3-4231-919D-1CFCF4035975", "New File Name" : "eicar.vbs", "File Size (Bytes)" : "915", "Result" : "Drop", "File type" : "vbs", "True File type" : "", "Start Job Date" : "20190904152759" }
Please add the security parameters in you mongod.conf file:
security:
authorization: enabled
setParameter:
authenticationMechanisms: SCRAM-SHA-1
With MongoDB Compass is it possible to see users for a database or create new ones?
Ive managed it on the command line with:
mongo
use (my database name)
db.createUser( { user: "myuser", pwd: "password", roles: ["readWrite"] })
However I would still much prefer a GUI to do this.
No, it isn't (at least until version 1.20.4 of Compass)
If you're trying to create a new DB with a user that "owns" that DB (i.e. has read/write and admin commands for that DB), here's how to do that using only MongoDB Compass:
Open up MongoDB Compass and connect with your admin user.
Create a new DB with the "+" button at bottom of the DB list.
Click the MONGOSH shelf/tab at the bottom of the screen and paste this:
use NAME_OF_NEW_DB
db.createUser(
{
user: "NAME_OF_NEW_USER",
pwd: "NEW_USER_PASSWORD",
roles: [ { role: "dbOwner", db: "NAME_OF_NEW_DB" } ]
}
)
Other roles are explained in the MongoDB docs.
If I run a command in CLI after made up a user. I can see that by using this command.
db.system.users.find().pretty()
{
"_id" : "admin.admin",
"userId" : UUID("****"),
"user" : "admin",
"db" : "admin",
"credentials" : {
"SCRAM-SHA-1" : {
"iterationCount" : 10000,
"salt" : "***",
"storedKey" : "***",
"serverKey" : "***"
},
"SCRAM-SHA-256" : {
"iterationCount" : 15000,
"salt" : "***",
"storedKey" : "***",
"serverKey" : "***"
}
},
"roles" : [
{
"role" : "root",
"db" : "admin"
}
]
But I can't see the 'system.users' collection in the Compass client.
I think, the Compass does not support this the listing and creating user features.
But, if you use other client (eg. TablePlus), You can see those hidden documents
I'm using MongoDB 3.0.7. I have a database called bravegoat and a read-only user called bravegoat-r.
I connect via shell:
mongo localhost:27017/bravegoat -u bravegoat-r -p mypassword
I switch to my database:
use bravegoat;
And I run:
db.runCommand({connectionStatus : 1})
Which outputs:
{
"authInfo" : {
"authenticatedUsers" : [
{
"user" : "bravegoat-r",
"db" : "bravegoat"
}
],
"authenticatedUserRoles" : [
{
"role" : "read",
"db" : "bravegoat"
}
]
},
"ok" : 1
}
Only read role, so it looks fine, but when I invoke .save(), my user can insert data. I've read few pages about creating read-only users and I'm not able to see my problem. I'm starting to think it might be a bug in my version.
You have to enable client access control by doing the following:
Edit the /etc/mongod.conf file
Add the following lines
security:
authorization: enabled
Restart MongoDB:
sudo service mongodb restart
I'm tryin to login as user "overnet" on db "overnet" in mongodb;
I'm logged in the mongo shell as follow;
mongo -u root -p (password) --authenticationDatabase admin
and then typed:
use overnet
switched to db overnet
show users
{
"_id" : "overnet.overnet",
"user" : "overnet",
"db" : "overnet",
"roles" : [
{
"role" : "readWrite",
"db" : "overnet"
},
{
"role" : "dbOwner",
"db" : "overnet"
}
]
}
> db.auth(overnet, password)
2014-12-07T08:05:43.907+0100 ReferenceError: overnet is not defined
how can it say that "overnet" is not defined???
overnet not defined because not quoted. Try the following: db.auth("overnet", password)