I've an instance of MongoDB 4 running on server with replica set on same machine with differente ports.
I've created a super user using these commands:
use admin
db.createUser({user: "mongo_admin",pwd: "password",roles: [ { role: "userAdminAnyDatabase", db: "admin" } ]);
then I've created a dedicated user for my new db database1
use database1
db.createUser({
user: "user1",
pwd: "password",
roles: ["readWrite", "dbAdmin"]
});
after this, I've enabled auth an so I user db.auth to working with my database1 (using "user1").
That's good and it works.
Now, my problem is: I need to create other database and then create a dedicated user for admin this database but, with auth enabled I can't do anything on the new created database database2. If I try, using my mongo_admin superuser to connect to the new database2 and trying to create a dbAdmin for this database using this command:
mongo
db.auth("mongo_admin", "password")
use database2
db.createUser({user: "user2, pwd: "password",roles: ["readWrite", "dbAdmin"]});
I recive this error:
E QUERY [js] Error: couldn't add user: not authorized on database2 to execute command
So, now I know that I can disable auth and work free on every database but, I don't want to do this because database is on production and I prefer to avoid this.
Any suggestion?
Related
I'm trying to add an admin user in Mongo, but I'm having trouble.
I already have auth = true commented out inside /etc/mongodb.conf.
When I run Mongo, I run these commands in order:
mongo
use admin
db.createUser({user:"admin",pwd:"password",roles:["root"]});
When I do so, I encounter the following error:
2020-10-11T04:50:50.714+0000 E QUERY [thread1] Error: couldn't add user: there are
no users authenticated :
_getErrorWithCode#src/mongo/shell/utils.js:25:13
DB.prototype.createUser#src/mongo/shell/db.js:1437:15
#(shell):1:1
I'm not sure exactly how to create an admin user if I have to log in as an admin user to do so. Any help is appreciated!
You don't have to disable authentication. With authentication enabled you can still logon to your MonogDB without username/password. However, as soon as you create the first user with userAdmin or userAdminAnyDatabase role the access control becomes active and you have to authenticate.
This behavior is called Localhost Exception
Is this the first user to try to create? Perhaps another admin user already exist. See also How do I create a the first mongodb user with authorization enabled?
I just gave up and started over with a new database, after exporting the old one as a backup.
For creating a user you will have to have a user in admin database first. So while creating user you need to provide db name and role both. Try creating user with below syntax.
use admin
db.createUser(
{
user: "myUserAdmin",
pwd: "password"
roles: [ { role: "userAdminAnyDatabase", db: "admin" }, "readWriteAnyDatabase" ]
}
)
Reference-
https://docs.mongodb.com/manual/tutorial/enable-authentication/
I have an ec2 instance with mongodb 3.2.0 installed. I have a user with admin access. I can connect with user and perform operation remotely. But any one can connect the database test from remote if he knows the ip like mongo 11.11.11.11. Although he will not able to make any operations, but I want to restrict this access so that only user with credentials can connect to server.
first you need to create users and grant roles to those users, for example:
use admin
db.createUser(
{
user: "myUserAdmin",
pwd: "abc123",
roles: [ { role: "userAdminAnyDatabase", db: "admin" } ]
}
)
then you need to start your server with the --auth parameter
mongod --auth
More Information here
My MongoDB is hosted on compose.io and is called ScroungeBA.
I try to create a user with some built-in roles which by the documentary only work in the admin database:
MongoDB provides all other built-in roles only on the admin database
So my question: What is that admin db about? Is it the standard db which always exists?
Furthermore I have trouble with (using MongoDB shell version: 3.0.5):
$ use admin
switched to db admin
$ db.auth("user", "secret")
Error: 18 Authentication failed.
I guess my user does exist in the ScroungeBA db but not in the admin db? How can I create a user in the admin db since
db.createUser({user:"hello", pwd:"world", roles:[{role: "userAdmin", db: "admin"}]})
results in the error:
Error: couldn't add user: not authorized on admin to execute command { createUser: "hello", pwd: "xxx", roles: [ { role: "userAdmin", db: "admin" } ], digestPassword: false, writeConcern: { w: "majority", wtimeout: 30000.0 } }
at Error (<anonymous>)
at DB.createUser (src/mongo/shell/db.js:1101:11)
at (shell):1:4 at src/mongo/shell/db.js:1101
The admin database is a special database that you automatically have with a MongoDB instance. It contains things like the users of your databases, with roles, custom data, etc.
To create a user in the admin database, you have to temporarily disable auth on your MongoDB instance. I don't know how compose.io works specifically, but I usually modify the mongod.conf file, and comment the line auth=true.
After that, you can connect to your MongoDB shell and create a user in the admin database.
Give the user the role userAdminAnyDatabase instead of just useAdmin.
use admin
db.createUser({ user:"admin", pwd: "pass", roles: [{role: "userAdminAnyDatabase", db: "admin"}] })
An user with the role userAdminAnyDatabase can manage the users of all the databases.
Now enable auth again and restart the service.
As I said, I'm not sure how compose.io actually works and how much control it gives to you. If you don't have an admin account, this should be the way to go.
By the way, I've published an article on Medium about MongoDB 3.0 auth.
This solved my problem:
I finally got it to work on compose.io! So here it what my oplog url ended up looking like:
"MONGO_OPLOG_URL": "mongodb://username:password#single.18.mongolayerhost.com:1111/local?authSource=myDB"
I keep the MONGO_URL exactly the same as the URL compose.io provides with ?replicaSet
But for the OPLOG_URL you can only use a single host, not multiple. So you have to edit the URL compose.io gives you to only have one host. And you can't end the oplog with ?replicaSet. you can only have the ?replicaSet in the MONGO_URL.
source
Flow to set authentication :
Start MongoDB without access control.
mongod --port 27017 --dbpath /data/db1
Connect to the instance.
mongo --port 27017
Create the user administrator.
use admin
db.createUser(
{
user: "myUserAdmin",
pwd: "abc123",
roles: [ { role: "userAdminAnyDatabase", db: "admin" } ]
}
)
Re-start the MongoDB instance with access control.
mongod --auth --port 27017 --dbpath /data/db1
Authenticate as the user administrator.
Start a mongo shell with the -u , -p , and the --authenticationDatabase command line options:
mongo --port 27017 -u "myUserAdmin" -p "abc123"
--authenticationDatabase "admin"
An user with the role userAdminAnyDatabase can manage the users of all the databases.
For routine user creation, you must possess the following permissions:
To create a new user in a database, you must have the createUser action on that database resource.
To grant roles to a user, you must have the grantRole action on the role’s database.
MongoDB stores all user information, including name, password, and the user's authentication database, in the system.users collection in the admin database.
More Details : https://docs.mongodb.com/manual/tutorial/enable-authentication/
You can try this:
use admin
db.createUser( { user: "user", pwd: "password", roles: [
"readWriteAnyDatabase","dbAdminAnyDatabase","clusterAdmin" ] } )
I've an annoying problem with my mongo db (v2.6). I've added a root user to it, with role:
{role: "root", db: "admin"}
My problem is, that I wanted to set authentication for other databases, but I can add user, without command line. I've used this in command line:
db.createUser({user: "dbuser", pwd: "dbpass", roles: ["dbAdmin"]})
It's ok. But I'm not a true command-line-lover, so I like AdminUIs. I'm using MongoHUB for it. I can login, add/remove collections on any database, but I can't create user for databases. I get this error:
not authorized on admin to execute command
I've read this on the manual:
"root does not include the ability to insert data directly into the system.users and system.roles collections in the admin database."
So what is the correct role for me?
Thanks for the help.
Mongo newb here. I have a mongo installation with four databases and would like to create a user that can read and write to all the databases. I tried:
use admin;
db.addUser({user: "foo" , pwd: "bar", roles: [ "readWriteAnyDatabase" ]})
but when I try to do
mongo someotherdb -u foo -p
and authenticate with the correct password it gives me an authentication error.
I also tried manually adding the users to the other databases by doing this
use someotherdb
db.addUser({user: "foo", roles: ['readWrite'], userSource: "admin"});
and still no dice trying to log in via the mongo shell or using the auth command in the target db.
Am I doing something wrong? How do you go about making a user who can globally read and write to any db? Do you have to add said user to each db's system.users collection or is that not necessary if they have the "readWriteAnyDatabase" role?
I'm using mongo 2.4 on ubuntu.
So, I've finally figured this out. Note, this fix only works for Mongo 2.4.
In 2.4 you can specify a database to authenticate yourself with in the connection string or on the command line
So to create the initial user
use admin
db.createUser({user: "foo" , pwd: "bar", roles: [ "userAdminAnyDatabase","readWriteAnyDatabase" ]})
and to authenticate use
mongo -u foo --authenticationDatabase admin -p
Now you should be able to do whatever you want to any DB