I've created a user with the role readWrite using:
use reporting
db.createUser(
{
user: "reportsUser",
pwd: "12345678",
roles: [
{ role: "readWrite", db: "reporting" }
]
}
)
which I thought would give it access to listCollections as described on https://docs.mongodb.com/manual/reference/built-in-roles/ . However, as soon as I turned on security.authorization in my /etc/mongod.conf file, that command stopped working - with the error:
command listCollections requires authentication' on server x.x.x.x:27017. The full response is { "ok" : 0.0, "errmsg" : "command listCollections requires authentication", "code" : 13, "codeName" : "Unauthorized" }
Any ideas what permission / role I need to do to allow this command?
Got the same problem. It works for me when I add --authenticationDatabase admin with mongo -u admin -p password
Related
I have a MongoDB (Service Plan: small) and I would like to create an additional user but it seems I dont have the necessary privileges to do so.
db.createUser({ user: "whateverusername" , pwd: "whateverpassword", roles: ["userAdminAnyDatabase", "dbAdminAnyDatabase", "readWriteAnyDatabase"]})
Failed to execute script.
Error: couldn't add user: not authorized on XXXXXXX to execute
command { createUser: "whateverusername", pwd: "xxx", roles: [
"userAdminAnyDatabase", "dbAdminAnyDatabase", "readWriteAnyDatabase"
], digestPassword: false, writeConcern: { w: "majority", wtimeout:
600000.0 } } :
_getErrorWithCode#src/mongo/shell/utils.js:25:13 DB.prototype.createUser#src/mongo/shell/db.js:1290:15 #(shell):1:1
and I cant list the users:
db.system.users.find();
Error: error: { "ok" : 0, "errmsg" : "not authorized on XXXXXXX to
execute command { find: \"system.users\", filter: {} }", "code" : 13,
"codeName" : "Unauthorized" }
Is this restriction intended? Is there a way to get the readWriteAnyDatabase role? Am I doing something wrong?
I really appreciate any help you can provide!
You need to add users through CloudFoundry. Either bind the service to an app, which will create a user to be used by that app, or create a service key which is meant for all other purposes (mostly for the cases where a human needs to interact with the database).
Here's the docs on how to bind a service to an app: https://docs.developer.swisscom.com/devguide/services/application-binding.html
A tutorial for it: https://docs.developer.swisscom.com/tutorial-go/bind-service.html
And here's how to create service keys: https://docs.developer.swisscom.com/devguide/services/service-keys.html
Admin user permission:
db.getUsers()
[
{
"_id" : "admin.myself",
"user" : "myself",
"db" : "admin",
"roles" : [
{
"role" : "userAdminAnyDatabase",
"db" : "admin"
},
{
"role" : "dbAdmin",
"db" : "reports"
},
{
"role" : "dbAdmin",
"db" : "places"
}
],
"customData" : {
}
}
]
I am able to authenticate into my remote mongo db like,
mongo --host <hostname> -u "myself" -p "myself" --authenticationDatabase "admin"
I am also able to do a dump remotely like
mongodump --host <hostname> --port 27017 --username "myslef" --password "myself" --out home/myself/mongodb-backup
But when I modify some collection on the db and try to restore it like the below code, it does not work and throws an auth error.
mongorestore --host <hostname> -u "myself" -p "myself" home/myself/mongodb-backup/
Error:
Failed: error getting auth version of server: not authorized on admin to execute command { getParameter: 1, authSchemaVersion: 1 }
You should add root role to your admin like this
db.grantRolesToUser( "myAdmin", [ "root" ])
And only after that you can restore from backup
Mongo backup docs recommend creating a specific user with the backup role and another with the restore role.
Presumably using a user with the restore role, or granting the restore role to the user you are using at the moment would solve your problem.
db.createUser({
user: "myself", pwd: "8eUEkdiKlP",
roles: [{role: "readWrite", db: "admin"}]
});
Although the first link does mention that some additional privileges are required if you are trying to restore the system.profile collection.
Currently I've got a siteUserAdmin authenticated on the admin database:
{
"_id" : "admin.siteUserAdmin",
"user" : "siteUserAdmin",
"db" : "admin",
"credentials" : {
"MONGODB-CR" : "...."
},
"roles" : [
{
"role" : "userAdminAnyDatabase",
"db" : "admin"
}
]
}
When I run:
use admin;
db.auth('siteUserAdmin', 'supersecret');
Everything authenticates just fine.
However when I then do:
use myotherdb
db.addUser({ user: 'chris', pwd: 'anothersecretpassword', roles: ['dbOwner']});
It doesn't add the user, I get the following:
couldn't add user: not authorized for insert on admin.system.users at src/mongo/shell/db.js:128
What am I doing wrong? This all looks nuts.
FYIL I'm using MongoDB version 2.6.10.
Random side note: weirdly createUser isn't a function, even though according to the MongoDB docs it was added in 2.6.
I was seeing this exact error in Robomongo 0.8.5. I copy/pasted the command to the the Mongo cli client and it worked fine.
Authenticated as siteUserAdmin to admin db on both clients.
Hopefully this helps someone else.
I'm starting with MongoDB and I would like to user/pass access to the dbs.
The first thing I did was to create and admin user and start mongodb with auth activate, this is my created user:
db.getUser("admin")
{
"_id" : "admin.admin",
"user" : "admin",
"db" : "admin",
"roles" : [
{
"role" : "dbAdminAnyDatabase",
"db" : "admin"
},
{
"role" : "clusterAdmin",
"db" : "admin"
}
] }
}
After that, I try to create users with the following commands:
use newdb
db.createUser(
{
user: "newuser",
pwd: "12345678",
roles: [ { role: "readWrite", db: "newdb" } ]
}
)
But I got this error:
Error: couldn't add user: not authorized on newdb to execute command {
createUser: "newuser", pwd: "xxx", roles: [ { role: "readWrite", db:
"newdb" } ], digestPassword: false, writeConcern: { w: "majority",
wtimeout: 30000.0 } } at src/mongo/shell/db.js:1004
I have googled about it but there are only two results, one on Chinese and the other not related, so I'm a little lost. Any idea ? It looks like my admin user doesn't have privilege, I access to the mongodb with the following command:
$mongo --port 27017 -u adminUser -p adminPass --authenticationDatabase admin
Thanks in advance.
Stop the running instance of mongod
mongod --config /usr/local/etc/mongod.conf --auth
then start without --auth like
mongod --config /usr/local/etc/mongod.conf
then update your roles like
db.updateUser("admin",{roles :
["userAdminAnyDatabase","userAdmin","readWrite","dbAdmin","clusterAdmin","readWriteAnyDatabase","dbAdminAnyDatabase"]});
Now again start mongod with --auth and try.
The idea is you have to create user under "admin" database with all the ROLES mentioned above.
But this user is not part of other databases. So once you created the admin user,
then login as that admin user,
SERVER: mongod --config /usr/local/etc/mongod.conf --auth
CLIENT: ./mongodb/bin/mongo localhost:27017/admin -u adminUser -p
123456
use APPLICATION_DB
again create a new user (say APP_USER) for this APPLICATION_DB. This time for this application user you need only "dbOwner" role.
db.createUser({user:"test", pwd:"test", roles:['dbOwner']})
Now your application has to use this APP_USER and APP_DB.
I fixed the same problem just exit and login as admin
mongo -u admin
enter your admin user password
after login, create a user as usual you mentioned
use newdb
db.createUser(
{
user: "newuser",
pwd: "12345678",
roles: [ { role: "readWrite", db: "newdb" } ]
}
)
in my case:
1.stop mongodb :
$ service mongod stop
2.editing this /etc/mongod.conf:
security:
authorization: "disabled"
3.then I start again service:
$ service mongod start
4.Add user:
$ mongo mongodb://localhost:27017
use admin
db.createUser(
{
user: "myUserAdmin",
pwd: "abc123",
roles: [ { role: "userAdminAnyDatabase", db: "admin" } ]
}
)
5.comment lines from /etc/mongod.conf added in step 2
6.restart mongod
service mongod restart
You should exit the current mongod process and restart it again without parameter --auth.
On Terminal type: mongod
After the process of mongod gets started then you can open new terminal tab to run mongo shell command :
mongo --shell
use new_your_database
db.createUser(
{
user: "mongo_admin",
pwd: "mongo_admin",
roles: [ "readWrite", "dbAdmin" ]
}
)
it should be done successfully....
Below command says, you have created admin user and password.
db.getUser("admin")
{
"_id" : "admin.admin",
"user" : "admin",
"db" : "admin",
"roles" : [
{
"role" : "dbAdminAnyDatabase",
"db" : "admin"
},
{
"role" : "clusterAdmin",
"db" : "admin"
}
] }
}
Once you create the admin user and password, Mongo will not allow you to do any schema update as normal a admin user which you used to login previously.
Use newly created admin user and password to create new users or do any updates. It should work.
If you're here with the same issue & having a config file to trigger mongod instances- then go ahead and exit from the running process of mongod & in your config file make sure you make security.authorization : disabled, in addition if you've keyFile (i.e; path to a cert file), then comment that spec as well, now start you mongod process using that config file - you should be able to create an user using admin db.
If you work on replica set : Once if you're done with creating a primary node + a user, make sure you initiate & connect to replica set (which again internally connects to primary node),here you can do anything with earlier created user, but when you connect directly to primary node again to execute few commands like rs.initiate()/rs.status()/show dbs/show users, you would end-up getting errors like (there are no users authenticated).
security:
authorization: disabled
# keyFile: /opt/mongodb/keyfile
I have a mongo user with backup role, when running mongodump, I got the following error:
014-06-13T14:10:53.226-0400 test.system.profile to /backup/mongodb/06-13-2014/test/system.profile.bson
assertion: 11010 count fails:{ ok: 0.0, errmsg: "not authorized on test to execute command { count: "system.profile", query: {} }", code: 13 }
Here is the user setting:
"_id" : "admin.backupAdmin",
"user" : "backupAdmin",
"db" : "admin",
"roles" : [
{
"role" : "backup",
"db" : "admin"
}
]
any help is very appreciated.
In case someone still have problem with that. This is a bug in MongoDB bult-in roles: https://jira.mongodb.org/browse/SERVER-21724
If you don't want to update, here is an online fix without granting dbAdmin:
db.createRole({
role: "backup_fix",
privileges: [
{ resource: { db: "", collection: "system.profile" }, actions: [ "find"] },
],
roles: [
]
})
db.grantRolesToUser("YOUR_BACKUP_USER", [{"role": "backup_fix", "db": "admin"}]);
The backup role you are using provides sufficient privileges to use the MongoDB Management Service (MMS) backup agent to use mongodump or to back up an entire mongod instance.
To backup a given database, you must have read access on the database.To backup the system.profile collection in a database, you must have read access on certain system collections in the database.
So in case you have single instance its enough to have the following role:
db.grantRolesToUser("backupUser", [{role: "dbAdmin", db:"admin"}])
Incase you maintain any shard or replica you can have the below role:
db.grantRolesToUser("backupUser", [{role: "clusterAdmin", db:"admin"}])
I believe you need the dbAdmin role to backup system.profile.
It might not be the best approach, but the error can be fixed by granting the dbAdminAnyDatabase role for the backup user.
db.grantRolesToUser("backupUser", [{role: "dbAdminAnyDatabase", db:"admin"}])