Role on MongoDB - can insert even though the user is not authorized - mongodb

I created 2 DBs and one user per DB, but user 2 can insert into db1?
use shop
db.createUser({user: "appdev",pwd:"appdev", roles:["readWrite"]})
db.auth("appdev","appdev")
show collections
db.products.insertOne({name: "A book for appdev"})
db.logout()
use shop2
db.createUser({user: "appdev2",pwd:"appdev2", roles:["readWrite"]})
db.auth("appdev2","appdev2")
show collections
db.products.insertOne({name: "A book for appdev2"})
Here I am still logged in as appdev2 and can insert into db shop.
use shop
db.products.insertOne({name:"i-am-appdev2"})
{
"acknowledged" : true,
"insertedId" : ObjectId("5d8fdba878f7555a2060f1ec")
}

If your transcript is accurate, it looks like either:
You haven't enabled access control by setting security.authorization to true in your mongod config or starting mongod with --auth.
You are logged in as a more privileged user (since you are able to run db.createUser() in the same session).
To investigate these possibilities in the mongo shell:
Make sure authorization is enabled via the output of db.serverCmdLineOpts(). If access control is enabled, the output of the parsed server configuration options should include a section like:
"security" : {
"authorization" : "enabled"
},
Check users & roles for the current session via db.runCommand({connectionStatus:1}). As noted in Authenticate a User:
Authenticating multiple times as different users does not drop the credentials of previously-authenticated users. This may lead to a connection having more permissions than intended by the user, and causes operations within a logical session to raise an error.
Access control is a separate option from configuring Role-Based Access Control (RBAC) to allow for scenarios like resetting admin access. Multiple concurrent logins provide additive permissions, but are mostly a legacy carryover from more simplistic versions of access control in earlier versions of MongoDB.
For more information on available security measures, see the Security Checklist in the MongoDB manual.
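The two checks the answer recommends can be automated against the documents the shell returns. The following is an added example, not code from the original answer: it inspects a db.serverCmdLineOpts() document and a connectionStatus document and lists the reasons a user granted only readWrite on shop2 could still write into shop. Both input documents are constructed to mirror the question's transcript; the field names (parsed.security.authorization, authInfo.authenticatedUsers, authInfo.authenticatedUserRoles) are the ones MongoDB returns for these commands.

```python
# Added example (not from the original answer): explain unexpected write access by
# inspecting db.serverCmdLineOpts() and db.runCommand({connectionStatus: 1}) output.

def authorization_enabled(server_opts):
    """True only if parsed mongod options show security.authorization == "enabled".

    Starting mongod with --auth also appears here as parsed.security.authorization.
    """
    parsed = server_opts.get("parsed", {})
    security = parsed.get("security", {})
    return security.get("authorization") == "enabled"


def authenticated_users(conn_status):
    """Return the (user, db) pairs currently authenticated on this connection."""
    auth_info = conn_status.get("authInfo", {})
    return [(u["user"], u["db"]) for u in auth_info.get("authenticatedUsers", [])]


def diagnose(server_opts, conn_status):
    """Return a list of findings explaining unexpected write access; empty if none."""
    findings = []
    if not authorization_enabled(server_opts):
        findings.append("access control is off: set security.authorization to "
                        "enabled or start mongod with --auth")
    users = authenticated_users(conn_status)
    if len(users) > 1:
        # db.auth() does not drop earlier identities, so permissions are additive
        findings.append("connection holds %d authenticated identities %s; call "
                        "db.logout() or reconnect before authenticating as another user"
                        % (len(users), users))
    roles = conn_status.get("authInfo", {}).get("authenticatedUserRoles", [])
    for r in roles:
        if r["role"] in ("root", "readWriteAnyDatabase"):
            findings.append("session carries the broad role %s on db %s"
                            % (r["role"], r["db"]))
    return findings


# Constructed sample: auth is on, but the shell authenticated as admin first (to run
# db.createUser) and then as appdev2 without db.logout(), so both identities are live.
SAMPLE_SERVER_OPTS = {
    "argv": ["mongod", "--auth", "--dbpath", "/data/db"],
    "parsed": {"security": {"authorization": "enabled"},
               "storage": {"dbPath": "/data/db"}},
    "ok": 1,
}
SAMPLE_CONN_STATUS = {
    "authInfo": {
        "authenticatedUsers": [{"user": "admin", "db": "admin"},
                               {"user": "appdev2", "db": "shop2"}],
        "authenticatedUserRoles": [{"role": "root", "db": "admin"},
                                   {"role": "readWrite", "db": "shop2"}],
    },
    "ok": 1,
}

if __name__ == "__main__":
    for finding in diagnose(SAMPLE_SERVER_OPTS, SAMPLE_CONN_STATUS):
        print("-", finding)
```

Run it against the real documents by pasting the JSON the shell prints into the two dicts; an empty result from diagnose() means the session is exactly the single readWrite identity you expect, and a write to another database should then fail with an authorization error.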

Related

KeyCloak bulk update through PSQL db

I've updated all my users to email_verified = true. The PSQL database gets updated, but the admin console continues to have the users as not having their emails verified. I'm doing the changes through the CLI on Rancher.
The command I am using is:
UPDATE user_entity SET email_verified = true WHERE email_verified = false
The only help I was able to see on here was from Bulk update of users in KeyCloak.
Is there more complexity to updating users in bulk?
Are there other ways to mass update users?
My guess is that the old data is still around in Keycloak's cache. Some options are:
Restart Keycloak
Clear the cache
Turn off caching permanently
For #2, you can clear the user or realm caches at runtime on the "Realm Settings -> Cache" section of the keycloak admin page:
For #3, you can read the below source for instructions: https://access.redhat.com/documentation/en-us/red_hat_single_sign-on/7.0/html/server_installation_and_configuration_guide/server_cache_configuration
8.3. Disabling Caching
To disable the realm or user cache, you must edit the keycloak-server.json file in your distribution. Where this file lives depends on your operating mode. Here's what the config looks like initially.
"userCache": {
"default" : {
"enabled": true
}
},
"realmCache": {
"default" : {
"enabled": true
}
},
To disable the cache set the enabled field to false for the cache you want to disable. You must reboot your server for this change to take effect.
8.4. Clearing Caches at Runtime
To clear the realm or user cache, go to the Red Hat Single Sign-On admin console Realm Settings→Cache Config page. On this page you can clear the realm cache or the user cache. This will clear the caches for all realms and not only the selected realm.

Is it possible to have multiple Kerberos tickets on the same machine?

I have a use case where I need to connect to 2 different DBS using 2 different accounts. And I am using Kerberos for authentication.
Is it possible to create multiple Kerberos tickets on the same machine?
kinit account1@DOMAIN.COM (first ticket)
kinit account2@DOMAIN.COM (second ticket)
Whenever I do klist, I only see the most recent ticket created. It doesn't show all the tickets.
Next, I have a job that needs to first use ticket for account1 (for connection to DB1) and then use ticket for account2 (for DB2).
Is that possible? How do I tell in DB connection what ticket to use?
I'm assuming MIT Kerberos and linking to those docs.
Try klist -A to show all tickets in the ticket cache. If there is only one try switching your ccache type to DIR as described here:
DIR points to the storage location of the collection of the credential caches in FILE: format. It is most useful when dealing with multiple Kerberos realms and KDCs. For release 1.10 the directory must already exist. In post-1.10 releases the requirement is for parent directory to exist and the current process must have permissions to create the directory if it does not exist. See Collections of caches for details. New in release 1.10. The following residual forms are supported:
DIR:dirname
DIR::dirpath/filename - a single cache within the directory
Switching to a ccache of the latter type causes it to become the primary for the directory.
You do this by specifying the default ccache name as DIR:/path/to/cache on one of the ways described here.
The default credential cache name is determined by the following, in descending order of priority:
The KRB5CCNAME environment variable. For example, KRB5CCNAME=DIR:/mydir/.
The default_ccache_name profile variable in [libdefaults].
The hardcoded default, DEFCCNAME.
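Once the collection is in place, the job still has to pick the right cache for each connection. The following is an added example, not code from the original answer: it parses the output of klist -A for a DIR collection and computes the KRB5CCNAME value (the DIR::path form quoted above, which selects a single cache) to export for the process that opens each DB connection. The klist output, cache directory and realm are constructed placeholders.

```python
# Added example (not from the original answer): pin one principal per DB connection by
# selecting a single cache out of a DIR: collection via KRB5CCNAME=DIR::<path>.
import re

# Constructed sample of `klist -A` output after two kinit calls run with
# KRB5CCNAME=DIR:/tmp/krb5cc_job (paths and realm are placeholders).
SAMPLE_KLIST_A = """\
Ticket cache: DIR::/tmp/krb5cc_job/tkt
Default principal: account1@DOMAIN.COM

Valid starting       Expires              Service principal
01/01/2024 10:00:00  01/01/2024 20:00:00  krbtgt/DOMAIN.COM@DOMAIN.COM

Ticket cache: DIR::/tmp/krb5cc_job/tktAbC12
Default principal: account2@DOMAIN.COM

Valid starting       Expires              Service principal
01/01/2024 10:05:00  01/01/2024 20:05:00  krbtgt/DOMAIN.COM@DOMAIN.COM
"""

_CACHE_RE = re.compile(r"^Ticket cache:\s*(\S+)\s*$", re.M)
_PRINC_RE = re.compile(r"^Default principal:\s*(\S+)\s*$", re.M)


def parse_klist_collection(text):
    """Map each principal in `klist -A` output to the residual of its cache.

    Every cache in the collection is introduced by a "Ticket cache:" line followed
    by a "Default principal:" line; the blocks are paired one by one.
    """
    caches = {}
    for block in re.split(r"\n(?=Ticket cache:)", text):
        cache = _CACHE_RE.search(block)
        princ = _PRINC_RE.search(block)
        if cache and princ:
            caches[princ.group(1)] = cache.group(1)
    return caches


def ccache_for(principal, klist_text):
    """KRB5CCNAME value selecting exactly one cache (DIR::<path>) for `principal`.

    Raises KeyError when the collection holds no ticket for that principal, which is
    what a job should treat as "kinit was not run for this account".
    """
    residual = parse_klist_collection(klist_text)[principal]
    if not residual.startswith("DIR::"):
        raise ValueError("not a member of a DIR collection: %s" % residual)
    return residual


def job_env(principal, klist_text, base_env=None):
    """Environment for a child process (e.g. a DB client) pinned to one principal."""
    env = dict(base_env or {})
    env["KRB5CCNAME"] = ccache_for(principal, klist_text)
    return env
```

In practice the job would obtain the text from subprocess.run(["klist", "-A"], capture_output=True, text=True).stdout, then launch the DB1 client with job_env("account1@DOMAIN.COM", ...) and the DB2 client with job_env("account2@DOMAIN.COM", ...). Exporting the DIR:: form to only the child process keeps the collection's primary cache untouched; if the client library insists on the default cache instead, MIT's kswitch -p <principal> changes the primary between the two connections.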

MarkLogic CORB - What are the permissions to run corb?

What permissions allow developers to run corb for selecting/updating nodes in MarkLogic?
roles: hadoop-user-read
hadoop-user-write
The exact permissions will depend upon your environment.
At a minimum you will need to be able to login to the XDBC server and eval code and/or invoke modules, read URIs, and write documents.
I'd start by giving the user the rest-evaluator role, which will give them rest-reader and rest-writer roles, plus the following execute permissions:
xdbc:eval
xdbc:eval-in
xdbc:invoke
xdbc:invoke-in

Connecting to access controlled MongoDB replicaSet from Python Eve

I have an Eve application that I want to connect to a mongodb replicaset. I was able to do this by setting the MONGO_URI parameter in settings.py to mongodb://host/dbName?replicaSet=replicaSetname
however, now that I have enabled access control on the replica set, I can't seem to pass the user credentials in.
I am using a uri of the form:
mongodb://user:password@host/dbName?replicaSet=replicaSetName&authSource=admin
Most infuriatingly of all, when I serve this URI directly to the database, it connects and logs in without issue. But if I try to access something through eve I get the following error:
pymongo.errors.OperationFailure: Authentication failed.
I have tried several variations, including setting the MONGO_USERNAME and MONGO_PASSWORD parameters in eve. The only possible issue I can think of is that the user I created for eve has limited permissions (readWrite on one database).
After much effort I managed to figure out how to do it on eve, it involved a few settings that were not mentioned in the eve documentation:
MONGO_HOST = 'mypod-1.mongo,mypod-2.mongo,mypod-3.mongo'
MONGO_USERNAME = 'user'
MONGO_PASSWORD = 'pass'
MONGO_DBNAME = 'mydb'
MONGO_AUTH_SOURCE = 'admin'
MONGO_REPLICA_SET = 'mySet'
And also, because this tripped me up, don't have MONGO_URI set to anything in your settings, not even None, as eve will attempt to use the URI over any other setting if it finds that variable declared.
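As an added example (not code from the original answer or from Eve), the settings above can be assembled from their parts, checked for a stray MONGO_URI, and turned back into the single URI form for testing the same credentials directly with pymongo or the shell. The host names, user, password, database and replica set name are placeholders; the one detail beyond the answer is that user name and password are percent-encoded, because a password containing characters such as @ or : would otherwise be parsed as part of the host list.

```python
# Added example (not from the original answer): Eve MONGO_* settings and the
# equivalent connection URI, with credentials percent-encoded.
from urllib.parse import quote_plus


def eve_mongo_settings(hosts, username, password, dbname,
                       auth_source="admin", replica_set=None):
    """Return the MONGO_* settings dict for Eve; MONGO_URI is deliberately absent."""
    settings = {
        "MONGO_HOST": ",".join(hosts),
        "MONGO_USERNAME": username,
        "MONGO_PASSWORD": password,
        "MONGO_DBNAME": dbname,
        "MONGO_AUTH_SOURCE": auth_source,
    }
    if replica_set:
        settings["MONGO_REPLICA_SET"] = replica_set
    return settings


def check_no_uri(settings):
    """Reject a settings module that declares MONGO_URI at all (even as None),
    since a declared MONGO_URI takes precedence over the other MONGO_* keys."""
    if "MONGO_URI" in settings:
        raise ValueError("remove MONGO_URI entirely: a declared MONGO_URI, even None, "
                         "overrides MONGO_HOST/MONGO_USERNAME/... in Eve")
    return True


def uri_from_settings(settings):
    """The same connection expressed as one URI, for testing credentials outside Eve."""
    check_no_uri(settings)
    user = quote_plus(settings["MONGO_USERNAME"])   # '@' -> %40, ':' -> %3A, ...
    pwd = quote_plus(settings["MONGO_PASSWORD"])
    uri = "mongodb://%s:%s@%s/%s?authSource=%s" % (
        user, pwd, settings["MONGO_HOST"], settings["MONGO_DBNAME"],
        settings["MONGO_AUTH_SOURCE"])
    if "MONGO_REPLICA_SET" in settings:
        uri += "&replicaSet=" + settings["MONGO_REPLICA_SET"]
    return uri


# Constructed placeholders mirroring the answer's settings (password chosen to show
# the encoding; it is not a real credential).
SETTINGS = eve_mongo_settings(["mypod-1.mongo", "mypod-2.mongo", "mypod-3.mongo"],
                              "user", "p@ss:w0rd", "mydb", "admin", "mySet")

if __name__ == "__main__":
    print(uri_from_settings(SETTINGS))
```

If the URI printed by uri_from_settings() authenticates with pymongo.MongoClient but Eve still reports "Authentication failed", compare the keys of your settings module against eve_mongo_settings(): a leftover MONGO_URI, or a MONGO_AUTH_SOURCE that does not name the database the user was created in, are the two differences that produce exactly that symptom.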

MongoDB user lost

We have a Mongo Database for testing purposes on a cloud server.
Recently, this server almost ran out of space (97% disk used), and that resulted in Mongo writes failing. I decided to resize the server to have more free space.
An important detail is that I set the auth parameter in the config to true, so each client had to auth before using the db. I thought this is normal. I created a user with the following command, which worked:
db.addUser( { user: "username",pwd: "password",roles: [ "userAdminAnyDatabase" ] } );
Now, what happened is that when the resize happened and mongo restarted, I cannot get any reads / writes to the database, only if I set the auth = false parameter in the config. I couldn't even add a user from localhost.
The other interesting thing was that I switched off auth and recreated the same user - it succeeded, which means the user got lost!
Ok, I have lost the user after a restart. That's bad. What's worse is that I still can't get this user to auth from the remote clients.
I have no idea why this is happening or what went wrong.
The data that was originally created still exists: count() returns 111090914, which is about what is expected. I can also do find(), so that data is OK.