After migrating to MongoDB Atlas, no previous users can authenticate - mongodb

I assume I am doing something wrong, but the documentation has not pointed me in the right direction yet.
I am migrating a self-hosted MongoDB instance database to the MongoDB Atlas platform. I have successfully uploaded a dump using mongorestore, but now none of my users objects can authenticate. I want to say I read somewhere in the docs that you can't migrate pre-existing users or something?
This is the command I am using to restore from a dump
mongorestore --host <MY_CLUSTER>:27017 --nsExclude 'admin.system.*' --ssl --username <USER> --password <PASSWORD> --authenticationDatabase admin --gzip --db=<DB_NAME> .backups/12-23-2019/backup/

You cannot restore users to atlas structure as mentioned before
you have to configure a mongocli environment to mass create users in your Atlas cluster, unless you want to use the "Database Access" panel and create one by one (painful).
Not gonna go into details about how to configure mongocli, but once you've done with it, I made a simple script that retrieve all the users from you original server and script into the create users into mongocli, it uses mongo shell and jq.
mongo mongodb://youroriginalcluster --quiet --eval 'db.system.users.find({}, {"user" : 1, "db" : 1, "roles" : 1}).toArray();' | jq -r '.[] | " mongocli atlas dbuser create --username \(.user) --password PASSWORD --role \(.roles[].role)#\(.db)"'
Still needs some minor adjustments and it does not retrieve the password, but it should save you some time

mongorestore has a specific option for restoring users and roles: --restoreDbUsersAndRoles (note that it works only if you backed an entire instance or used the --dumpDbUsersAndRoles option with mongodump for a single --db).
Regardless of this, Atlas does not support migrating users from the source database since it manages users from the Atlas console rather than in the database itself. Users can be created in Atlas using the Database Access menu option.
From the Atlas Manual:
Atlas fully manages MongoDB database user creation. If the source cluster enforces authentication, use the mongorestore --nsExclude to exclude the admin.system.* namespace. You cannot migrate any existing user or role information to Atlas.

Related

MongoDB 2.6.12 - no collections in DB

I have a some problem with MongoDB (2.6.12). I have one database with collections and a lot of data. Then I created user with readWrite role, enabled auth=true in mongod.conf, restarted 'mongod' service.
Looks like auth works fine, but I can't see any data/collections in DB. I can't use 'find' query, in mongo shell it just returns nothing (empty line). I also can connect to DB without credentials and I see the same result.
I've tried a different roles and different users, but I can't get access to my data. What can be a problem?
OK!
When you login, you need to use --authenticationDatabase -parameter, normal value for that is 'admin'.
mongo host:port -u user -p password --authenticationDatabase admin
If authentication database is not same database where your collection is (your collection is not at admin-database) give that database name as last parameter at 'mongo'-command, to select that DB.
mongo host:port -u user -p password --authenticationDatabase admin myOwnDB
OR
after successful login, use command: 'use your_db_name', to change that database.
use myOwnDB
IF you don't know your database name.
When you have login successful, give command 'show dbs' to list all databases.
show dbs
After that you can use command 'use db_name' to change database. Then you can use command 'show collections' to list all collections on that database.
use myOwnDB
show collections

MongoDB Authentication Database Purpose

My question is about the mongo shell --authenticationDatabase option.
I was confused by it for a bit thinking that the the database I created the user in was the admin database since that is where the user is actually defined after reading this documentation here: https://docs.mongodb.com/manual/core/security-users/#user-management-interface
I understand I was wrong; the authentication database is the database the user has a role for. My question then is what is the purpose of the option "--authenicationDatabase?" See my scenarios below.
The command below will connect to the myapp database and also authenticate against the myapp database
mongo -u "bob" -p "bobspassword" --authenticationDatabase "myapp" myapp
The command below will connect to the myapp database and also authenticate against the myapp database by default. This seems to make the command above obsolete.
mongo -u "bob" -p "bobspassword" --authenticationDatabase "myapp" myapp
The command below will authenticate against the myapp database but not connect to it. Why? Is it simply to test credentials?
mongo -u "bob" -p "bobspassword" --authenticationDatabase "myapp"
This command would tell me "Error: Authentication failed." as well so I still wonder why I would need the previous command to find out my credentials are invalid.
mongo -u "bob" -p "bobspassword" myapp
Lastly, is there a situation where I need to authenticate against one database and connect to a different one like the command below? I can only connect to databases for which I have a role defined so why wouldn't I authenticate against the database I was trying to connect to?
mongo -u "bob" -p "bobspassword" --authenticationDatabase "myapp" myotherapp
Thank you for your insight!
In mongo you are connecting to a server not really to a database. You can change the database afterwards.
your code:
mongo -u "bob" -p "bobspassword" --authenticationDatabase "myapp"
will connect to mongod server and it will use a 'test' database if others not defined
The next one should work, since mongo takes the auth db from the connection string. Also it might be set different in a config file.
mongo -u "bob" -p "bobspassword" myapp
And final:
Lastly, is there a situation where I need to authenticate against one
database and connect to a different one..
No
When adding a user, you create the user in a specific database. This database is the authentication database for the user.
In most cases, you would want to create users in the admin database. This is a privileged database. However, you are allowed to create user in other databases. If two users have the same name but are created in different databases, they are two separate users. IMHO, this authentication database mechanism provides a sort of namespace so that users with same name are allowed (think about user management in a big organization).
But this is just how Mongo organize users and store then in authentication databases. The authentication database has nothing to do with to which databases this user has privilege (access).
Back to your case, you created a user in 'myapp' database and also grant it access to 'myapp' database. That's why you need to first authenticate against 'myapp', which serves as authentication database, and then connect to 'myapp' for accessing data.

mongodb backup role - mongodump

We have a development team that will periodically take a mongodump out of DEV and then restore it back to their local host for work. We have recently implemented authentication in mongodb and i would like to be able to allow our development team do a mongodump on one DB only so they can restore it to their local host.
I have a role that inherits the backup role from Admin, but that is for our DBA to backup the whole system.
My question, how do I allow for this backup role to be used by a specific user (lets call them "webdev") for a specific DB (lets call it "products")?
You can create an user in the products database with read permissions:
> use products
> db.createUser( {
user: "webdev",
pwd: "password",
roles: [ "read" ]
} )
Just remember to call mongodump with --excludeCollectionsWithPrefix=system
mongodump --excludeCollectionsWithPrefix=system
In order to avoid permission errors (assuming you are using Mongo 3)
I am using MongoDB3.4 version, First of all you want one root access for admin database and connect mongo shell,
$ mongo -u username -p xxxxxx --authenticationDatabase admin
After connecting mongoshell, change the database,
use products
After change the DB create the new user,
db.createUser(
{
user: "webdev",
pwd: "xxxxx",
roles: [
{ role: "read", db: "products" },
{ role: "backup", db: "products"}
]
}
)
Above I mentioned, webdev user can be able to read the all collections and take backup access also.
db.auth('webdev', 'xxxxx')
after successfully authenticate, you can able to read and take backup from DEV server.
Below I mentioned mongodump query with new webdev user.
mongodump --host hostname --port 27017 --username webdev --password xxxxx --authenticationDatabase products --db products --collection collection_name --out mongodump_outpath
Refer: https://docs.mongodb.com/manual/reference/built-in-roles/#backup
Note:
Don't take mongodump frequently in production. It will impacts the
performance issue.
Don't give backup and restore access to any other teams like developer,
tester,..etc
Admin or DBA only do every time Backup/Restore.
Thank You. Please revert for any concern.

What is the default dbuser and dbpassword for a MongoDB database provisioned by Heroku and MongoLab?

I am new to Heroku and MongoDB. I created a Heroku app which has an added-on MongoDB by MongoLab.
Everything was set up automatically by Heroku. When I navigated to MongoLab database manager page (SSO protected) it showed a standard MongoDB URL as:
mongodb://<dbuser>:<dbpassword>#dsxxxxxx.mongolab.com:39674/heroku_xxxxxxxx
Those "x" letters represents numbers.
I didn't bother to specify a dbuser and dbpassword at all. So what is the dbuser and dbpassword?
None of these answers are correct, if you want to know your URI to your database go to your project in heroku and look at settings, reveal config vars and you find all the URI
In your terminal, navigate to your project folder and type $ heroku config:get MONGODB_URI to get your Heroku provisioned username and password.
Mongolab provides you with database hosting services using MongoDB as the database engine. This means you have to have a subscription to their services, in order to have access to a MongoDB database. Once you sign up for one of their plans you will have your own database username and database password to authenticate database connections with.
So dbuser will be your MongoDb username and dbpassword will be your MongoDB password. You use these elements to gain access to your own databases and collections.
https://mongolab.com/plans/pricing/
When you create a MongoLab add-on for your Heroku app, a MONGOLAB_URI environment variable is automatically created with connection info for your database add-on:
https://devcenter.heroku.com/articles/mongolab#getting-your-connection-uri

Global admin connection user MongoDB 2.6

I have mongodb server with auth=true and many databases. I'm trying to connect to it remotely using admin database:
mongo --host xxx admin --username admin --password secretPassword
(WORK)
mongo --host xxx products --username admin --password secretPassword
(DOESN'T WORK)
I can connect to admin database and switch to products. But developers using connection string to connect to specific database using same username and password.
I can create admin user for each database but databases are pretty dynamic some added some removed. I've read thread about global admin but set up user role doesn't help
roles: [ { role: "userAdminAnyDatabase", db: "admin" } ]
and
--authenticationDatabase
Is not an option because a lot of code has to be rewritten.
Is there a way to setup one global admin that anyone can connect to remote database with username and password?
If you are using MongoDB 3.0+, the default location for users is the admin database. You will have to use --authenticationDatabase in this case going forward anyway.
With centralized users, you can define roles with access to all databases as necessary:
https://docs.mongodb.org/manual/reference/built-in-roles/
It sounds like you may want to refactor the database connection code, especially if "a lot of code" has to be rewritten, that sounds like you haven't been following DRY--"don't repeat yourself" principles.