I'm new in MongoDB and I just can not understand how the database works to the end. For a start, I'll explain what I want to do. It is necessary to make a form on the site through which new users will be added for the client program on WPF.NET in which the connection to the server will occur.
It is not clear to me where the user should be in the database in admin or in my database, what is it local, config dbs?
I watched the video and read for the authentification. Okay, I created the user, but it connects to the whole database, and so can read the data of another user. I mean that if someone wants to go to the server and hack into or overwrite the data of another client. Is it possible to give the client access to only a specific document?
Example:
Users: ClientUser1, ClientUser2, ClientUser3
Collection ClientCollection: Document1ForUser1Only, Document2ForUser2Only, Document3ForUser3Only
C# WPF .NET Client I Call
new MongoClient("mongodb://127.0.0.1:27017/?db=custom&user=ClientUser1&password=1234"
Access only for Document1ForUser1Only, because is it correct user account data.
Update1
It seems to me that all this can be done through roles. I did my part and pointed it to the user. But when I do a search for my collections, it shows me a mistake. And in the program Studio 3T I do not see any collection.
db.createRole({ role: "User",
privileges: [
{ resource: { db: "testdb", collection: "UserCollection" }, actions: [ "find", "update", "insert", "remove" ]}
],
roles: []
})
> show collections
2018-05-13T20:38:09.463+0300 E QUERY [thread1] Error: listCollections failed: {
"ok" : 0,
"errmsg" : "not authorized on testdb to execute command {
listCollections: 1.0, filter: {}, $db: \"testdb\" }",
"code" : 13,
"codeName" : "Unauthorized"
} :
_getErrorWithCode#src/mongo/shell/utils.js:25:13
DB.prototype._getCollectionInfosCommand#src/mongo/shell/db.js:941:1
DB.prototype.getCollectionInfos#src/mongo/shell/db.js:953:19
DB.prototype.getCollectionNames#src/mongo/shell/db.js:964:16
shellHelper.show#src/mongo/shell/utils.js:813:9
shellHelper#src/mongo/shell/utils.js:710:15
#(shellhelp2):1:1
Related
I have a MongoDB v5.0.8 running with multiple databases. I switched to the required database (leaderboard-db) and added in a new user using the following commands from mongo shell:
Switched to the required DB:
use leaderboard-db
and
Created new user:
db.createUser({ user: "aa", pwd: "leaderboardadmin##!", roles: [ { role: "read", db: "leaderboard-db" } ], mechanisms: [ "SCRAM-SHA-256" ]})
Got success in user creation and can verify it by command
show users
Response:
{
"_id" : "leaderboard-db.aa",
"userId" : UUID("f571db84-cae4-4aac-b2f9-83b57094dd1b"),
"user" : "aa",
"db" : "leaderboard-db",
"roles" : [
{
"role" : "read",
"db" : "leaderboard-db"
}
],
"mechanisms" : [
"SCRAM-SHA-256"
]
}
I then use Studio 3T to connect to MongoDB with the user "aa". I should only be able to read the documents in the (leaderboard-db); however, I can also modify the document.
Screenshot of updating
Can anyone help resolve this, please?
I want to only allow the reading of documents for the user "aa". User "aa" should not have write access.
Thanks
Jack
As per recommendations from #WernfriedDomscheit, I was required to enable Authentication. I did that by updating the /etc/mongod.conf file, uncommented the Security section, added Authorization: enabled and restarting MongoDB by service mongod restart
That sorted it all and I was able to create users with different role-based access.
Life is good again.
I want to enable free monitoring on my MongoDB standalone instance running on AWS. I had performed before enabling access control. After enabling, when I tried
db.enableFreeMonitoring()
it returns following error.
uncaught exception: Error: command failed: {
"ok" : 0,
"errmsg" : "not authorized on admin to execute command { setFreeMonitoring: 1.0, action: "enable", lsid: { id: UUID("0483e6c8-4d96-4eae-9967-608838f07f42") }, $db: "admin" }",
"code" : 13,
"codeName" : "Unauthorized"
} :
As per the documentation, I have granted the admin clusterMonitor role. Still same error. Is there any other way?
I enabled monitoring by giving the user the role root
use admin;
db.grantRolesToUser('admin', [{ role: 'root', db: 'admin' }]);
You may want to think this through before assigning the user with 'root' privileges.
I believe dbOwner and adminUser roles could also accomplish the same task, although I have not tried them.
Here's the link to the documentation Role-Aased Access Control
I have a Mean stack instance deployed on Google Cloud Platform, App Engine. I'm able to open an ssh tunnel and view rockmongo from a webbrowser:
http://127.0.0.1:8888/rockmongo/index.php?action=admin.index&host=0
I can login with root and default password from App Engine. When I go to add a new database it says it was successful but doesn't show the new database in the list. I create a new user and it shows that user. When I login through the command to mongo I can switch to my new database but when I try to find all items in a collection I get an error that the user isn't authorized to perform that action.
db.getCollection('users').find({})
Error: error: {
"ok" : 0,
"errmsg" : "not authorized on newdatabase to execute command { find: \"users\", filter: {} }",
"code" : 13
}
I added the readWrite role to the user and tried again, no luck. when I do a db.getUser("username") it returns "null".
What am I missing...
Figured it out, I had to:
Login as the root bitnami user
use admin
db.createUser( { user: "newusername",
pwd: "newpassword",
roles: [ "userAdminAnyDatabase","readWriteAnyDatabase" ]})
then
use newdatabase
db.createUser(
{
user: "newuser",
pwd: "newpassword",
roles: [ { role: "readWrite", db: "newdatabase" } ]
}
)
then the error went away. So more of an issue with mongo roles and permissions than bitnami and rockmongo. Still not sure why rockmongo never showed the new database from the php admin screen (all of this was done through the mongo command line).
I created a user and password for a database called student.:
db.createUser({user:'Catalin',pwd:'Catalin',roles:[{role:'userAdmin',db:'student'}]});
So I restarted MongoDB Server with this command:
mongod --auth --dbpath C:\data\db
in another terminal, I connected to the sever with:
mongo
then queried the server with :
> db.getUsers()
[
{
"_id" : "student.Catalin",
"user" : "Catalin",
"db" : "student",
"roles" : [
{
"role" : "userAdmin",
"db" : "student"
}
]
}
]
went to the student database:
> use student
switched to db student
Entered my username and password succesfully via this command:
> db.auth('Catalin','Catalin');
1
and when I want to view my collections I get an error, WHY?:
> show collections
2016-03-07T15:54:41.166+0300 E QUERY [thread1] Error: listCollections failed:
{
"ok" : 0,
**"errmsg" : "not authorized on student to execute command { listCollectio
ns: 1.0, filter: {} }",**
"code" : 13
} :
_getErrorWithCode#src/mongo/shell/utils.js:23:13
DB.prototype._getCollectionInfosCommand#src/mongo/shell/db.js:746:1
DB.prototype.getCollectionInfos#src/mongo/shell/db.js:758:15
DB.prototype.getCollectionNames#src/mongo/shell/db.js:769:12
shellHelper.show#src/mongo/shell/utils.js:695:9
shellHelper#src/mongo/shell/utils.js:594:15
#(shellhelp2):1:1
"errmsg" : "not authorized on student to execute command { listCollectio
ns: 1.0, filter: {} }",
P.S. : I'm using mongoDB 3.2
The userAdmin built-in role only provides the ability to create and modify roles and users on a database. If you need access to the database, you would need to either assign database roles, or other roles that has database access such as dbOwner.
Please see Built-in Roles for more detailed information.
You may also find these useful:
Manage users and roles.
Enable client access control.
If you are using version 5 or befor DataBase MongoDB, pay attention to this point. You should not write anything in the mongod.conf file in the /etc/mongod.conf path. Use the following two commands to update the dependencies.
install dependencies :
sudo apt install libgconf-2-4
sudo add-apt-repository universe
In MongoDB 2.6.1 I've setup a user with dbAdmin rights:
{
"_id" : "mydbname.myusername",
"user" : "myusername",
"db" : "mydbname",
"credentials" : {
"MONGODB-CR" : "<some credentials>"
},
"roles" : [
{
"role" : "dbAdmin",
"db" : "mydbname"
}
]
}
When I use the mongo shell to connect to the database (using -u and -p on command line) and run a query like this:
db.mycollectionname.find()
I get this error:
error: { "$err" : "not authorized for query on mydbname.request", "code" : 13 }
Any ideas what can be happening?
So far I've tried adding every role I can find to the user but that hasn't helped.
You need to assign the read role to the user in question.
The dbAdmin role does not include read access on non-system collections.
For anybody running into this problem against Mongo 3.0.6, I fixed by adding
?authMode=scram-sha1
at the end of my mongodb uri.
Here are some docs explaining the purpose of scram-sha1
In addition to #Sebastian's answer, that means explicitely:
Grant a Role
Grant a role using the db.grantRolesToUser() method. For example, the
following operation grants the reportsUser user the read role on the
accounts database:
db.grantRolesToUser(
"your_user",
[
{ role: "read", db: "your_db" }
]
)
I’m posting this because I had trouble finding this solution online. The problem is embarrassing but the error message and scenario make it somewhat difficult to figure out so I'm hoping to save someone some pain.
My application was able to establish a database connection, start and serve static pages but every time it tried to execute a query I got this error.
MongoError: not authorized on mydb to execute command { count: "urls", query: {} }
This error was caused by a userid and password with the wrong separator
mongodb://myuserid/mypassword#ds112345.mlab.com:12345/mydb [wrong]
mongodb://myuserid:mypassword#ds112345.mlab.com:12345/mydb [right]
While the node application was able to successfully connect to MongoDB, the incorrectly formatted URI caused the driver to skip authentication prior to issuing database commands.
Thanks and a hat tip to the people at mLab support.
In my case helped to add ?authSource=admin to uri.
So the uri looked like this:
spring.data.mongodb.uri=mongodb://user:password#host:port/database?authSource=admin
I was getting error like
err { MongoError: not authorized on XXXX to execute command { $eval: function(){ return db.tbl_user.find( {
For me role executeFunctions worked. Once you give role your user should look like following...
{
"_id" : "XXXXX",
"user" : "USERXXX",
"db" : "DBXXXX",
"roles" : [
{
"role" : "executeFunctions",
"db" : "admin"
},
{
"role" : "dbOwner",
"db" : "fryendsapp"
}
]
}
I had the same problem, after a lot of trial and error I solved it by adding the role "read" to my user but indicating the database as well:
db.grantRolesToUser("myUserName",
[{ role: "read", db: "myDataBaseName"}] );
Greetings
I was having the same problem until I realized I made a mistake. I was inheriting a mongo client pointing to a different database from a parent Perl class without realizing it. Maybe something you can check.