Not authorized to execute command find in local mongo database - mongodb

I have an application scenario where 3 meteor applications are using a mongo database replication set. A machine is allocated to run each meteor application. A single mongo database is running on each machine. Each application (the server) is supposed to access a collection in the local mongo database.
The server creates a connection to the local database collection as follows:
const url = "myUser:myPass#localhost:27017/local?authSource=admin"
const MyCollection = new Mongo.Collection('myCollection', { _driver: new MongoInternals.RemoteCollectionDriver(url) });
2 of the 3 meteor applications, i.e. the application connected to the primary database and secondary database are able to read/write from/to the collection.
However, the meteor application connected to the arbiter database runs into issues when it tries to execute the following code in the meteor startup function:
MyCollection.update({}, { $unset: { myData1: '', myData2: '' }}, { upsert: true });
It produces the following exception:
not authorized on local to execute command { find: "myCollection", filter: {}, limit: 1 }
I can use the URL declared in the url variable to connect to a mongo shell and perform reads and writes on the same collection in the local database.
When I checked the user permissions this is what I see in the mongo shell:
{
"_id" : "admin.myUser",
"user" : "myUser",
"db" : "admin",
"roles" : [
{
"role" : "readWrite",
"db" : "meteorDB"
},
{
"role" : "readWrite",
"db" : "local"
},
{
"role" : "read",
"db" : "admin"
},
{
"role" : "clusterAdmin",
"db" : "admin"
}
]
}
Therefore, it appears as if the user has the correct permissions.
Also, if I disable mongo DB security then the meteor application does not throw any exceptions.
I was wondering if someone could point out if I’m doing something wrong. Any help is much appreciated.

Related

mongodb: how to list all users across all authentication databases

I'm pretty new to Mongo, so this may be a silly question, but I have not found a way to list all users (and their privileges) across all (authentication) databases. Similarly, I have not found a way to list all (authentication) databases. The "show users", "show databases" and their "db.adminCommand(...) versions all seem to run against the current database (the one specified with the "use" command), but what I need is a list of all(!) users and/or all(!) databases, regardless of those users' authentication databases.
Why do I (think) I need this? Well, I periodically must set up Mongo accounts for large groups of users, with each user having his/her/their own database. A few months later, I have to drop those users and their databases. I have a Python program that creates/drops these users and their databases. It all seems to work just fine. When creating a user, I give them their own authenticationDatabase (rather than adding them to "admin") with ReadWrite privileges on that database. As said, all of that seems to work just fine.
However... I need a way to see if, after the program runs (create or drop), users have indeed be created or databases have indeed be dropped by the Python program. Similarly, I need, from time to time, to see who all the users are and what databases I might still have around. Hence, a command for listing all users across all (authentication) databases and for listing all databases across all authentication databases would be welcome.
Hope someone can help (sorry for the long read).
R.
There is no built-in command that does that as far as I know but it is straightforward to implement this functionality:
Obtain the list of databases.
For each database, obtain the list of users.
I have not found a way to list all users (and their privileges) across
all (authentication) databases.
I have not found a way to list all
(authentication) databases.
... what I need is a list of all(!) users
and/or all(!) databases, regardless of those users' authentication
databases.
Here is a way to get the info you are looking for. Assuming you have the privilege to read other user's information (viewUser action), from the mongo shell you can query as follows:
> db.getUsers( { usersInfo: { forAllDBs: true } } )
This returns an array of all users and authentication databases and other related information. You are interested in "user" and "db fields, mostly. For example:
[
{
"_id" : "admin.user1",
"userId" : UUID("4f7369f6-bffa-45d9-bbdc-5bf50c196ea3"),
"user" : "user1",
"db" : "admin",
"roles" : [ { "role" : "read", "db" : "test" } ],
"mechanisms" : [ "SCRAM-SHA-1", ... ]
},
{
"_id" : "test.user2",
"userId" : UUID("1e36faaf-0667-4ec5-bbe9-3f703712cd9a"),
"user" : "user2",
"db" : "test",
"roles" : [ { "role" : "readWrite", "db" : "test" } ],
...
},
{
"_id" : "admin.super1",
"userId" : UUID("bcb2f424-7367-4686-82d8-115748fab951"),
"user" : "super1",
"db" : "admin",
"roles" : [ { "role" : "root", "db" : "admin" } ],
...
}
]
Since you need specific info, the query is customized as follows:
(1) To list all authentication databases, you can query like this:
var dbs = new Set()
db.getUsers( { usersInfo: { forAllDBs: true } } ).forEach(doc => dbs.add(doc.db))
print([...dbs])
The output is a list of unique authentication database names:
admin
test
(2) To list all authentication databases and users:
var dbUsers = [ ]
db.getUsers( { usersInfo: { forAllDBs: true } } ).forEach(doc => dbUsers.push(doc.db + ", " + doc.user))
dbUsers.sort()
dbUsers.forEach(printjson)
This get the ouput sorted by the authentication database and the user:
"admin, user1"
"admin, super1"
"test, user2"
(3) There are other ways to query too. For example, you can add a filter to get users with authentication database "admin":
db.getUsers( { usersInfo: { forAllDBs: true }, filter: { db: "admin" } } ).forEach(doc => print(doc.user))
This prints users only for "admin":
super1
user1
NOTES:
For more details see the User Management command usersInfo. The mongo shell provides the db.getUser() helper for this command, and this is used in the above examples.
The server version I tried with is the MongoDB version 4.2.

My read-only user is able to write

I'm using MongoDB 3.0.7. I have a database called bravegoat and a read-only user called bravegoat-r.
I connect via shell:
mongo localhost:27017/bravegoat -u bravegoat-r -p mypassword
I switch to my database:
use bravegoat;
And I run:
db.runCommand({connectionStatus : 1})
Which outputs:
{
"authInfo" : {
"authenticatedUsers" : [
{
"user" : "bravegoat-r",
"db" : "bravegoat"
}
],
"authenticatedUserRoles" : [
{
"role" : "read",
"db" : "bravegoat"
}
]
},
"ok" : 1
}
Only read role, so it looks fine, but when I invoke .save(), my user can insert data. I've read few pages about creating read-only users and I'm not able to see my problem. I'm starting to think it might be a bug in my version.
You have to enable client access control by doing the following:
Edit the /etc/mongod.conf file
Add the following lines
security:
authorization: enabled
Restart MongoDB:
sudo service mongodb restart

Reactive mongo Authorization issue

I am running mongd with Auth enabled
mongod --auth
I have a read write user on a DB.
db.system.users.find()
Logs -
{ "_id" : "products_development.user_rw", "user" : "user_rw", "db" : "products_development", "credentials" : { "MONGODB-CR" : "0e857eaebba13dca9b53eb4440ab1657" }, "roles" : [ { "role" : "readWrite", "db" : "products_development" } ] }
I am able to login with the above user credentials using mongo client - Authentication works fine
mongo -uuser_rw -p123456 --authenticationDatabase products_development
Reading the tables inside the collection works as well
use products_development
db.table1.find()
So the user is getting Authorised.
But when i try to Read from Reactivemongo i am getting the below error.
assertion 13 not authorized for query on products_development.table1 ns:products_development.table1 query:{ _id: ObjectId('5564ba210b00009900150c72') }
Authentication is working fine connection is getting setup.
I am using 0.10.5.0.akka23 version, mongodb 2.6.8.

MongoDB - userAdminAnyDatabase can't create users

Currently I've got a siteUserAdmin authenticated on the admin database:
{
"_id" : "admin.siteUserAdmin",
"user" : "siteUserAdmin",
"db" : "admin",
"credentials" : {
"MONGODB-CR" : "...."
},
"roles" : [
{
"role" : "userAdminAnyDatabase",
"db" : "admin"
}
]
}
When I run:
use admin;
db.auth('siteUserAdmin', 'supersecret');
Everything authenticates just fine.
However when I then do:
use myotherdb
db.addUser({ user: 'chris', pwd: 'anothersecretpassword', roles: ['dbOwner']});
It doesn't add the user, I get the following:
couldn't add user: not authorized for insert on admin.system.users at src/mongo/shell/db.js:128
What am I doing wrong? This all looks nuts.
FYIL I'm using MongoDB version 2.6.10.
Random side note: weirdly createUser isn't a function, even though according to the MongoDB docs it was added in 2.6.
I was seeing this exact error in Robomongo 0.8.5. I copy/pasted the command to the the Mongo cli client and it worked fine.
Authenticated as siteUserAdmin to admin db on both clients.
Hopefully this helps someone else.

Able query only admin database

I just upgraded to 2.6. I run the authSchemaUpgrade. But after that, I managed to remove all users from the database (Its a private small database, so that is nothing too bad). Now I have created a new user admin:
{
"_id" : "admin.admin",
"user" : "admin",
"db" : "admin",
"roles" : [
{
"role" : "userAdminAnyDatabase",
"db" : "admin"
}
]
}
After I have db.auth("admin","..") on the admin database I should be able to query any other databases too, but after I do:
user otherDatabase
show collections
I get:
2014-06-09T09:33:36.853+0000 error: {
"$err" : "not authorized for query on otherDatabase.system.namespaces",
"code" : 13
} at src/mongo/shell/query.js:131
What am I missing?
You need to give your admin user the role readWriteAnyDatabase in order to allow that user to query other databases.
You may want to also consider giving your admin user dbAdminAnyDatabase and clusterAdmin roles.