Related
I have 3 databases in my MongoDB server. I am using pymongo to do some scripting with Python3.
I want to use the latest versions and practices. Once I open the client and pick the database, the API for pymongo.MongoClient.['mydatabase'].authenticate is deprecated.
https://api.mongodb.com/python/current/api/pymongo/database.html
Authentication prior to picking the database (while dialing the client) doesn't seem to flow down toward the database. Not just for pymongo, but also when I use mongo shell. So I have a feeling this is the issue.
script.py
import pymongo
from pymongo import MongoClient
u = getUser() # function which prompts for username
p = getPassword() # getpass.getpass('Password')
uri = formatUri(u, p) # formats 'mongodb://%s:%s#%s'.format(user, password, host)
client = MongoClient(uri)
db = client['mydb']
col = db.mycollection
for doc in col.find():
print(doc)
I get the error that I am not authorized for the database. I know my account works in shell but I have to dial the client first then use the db and then auth.
Here's a mongo shell example:
$ mongo
MongoDB shell version: v3.4.10
Connecting to: mongodb://127.0.0.1:port
MongoDB server version: v3.4.10
> use mydb
switched to mydb
> db.auth("user", "pass")
1
Any idea how I can either auth after picking the database or once I use the db it remembers the context I dialed with?
You seem to be missing some concepts here so I'll basically answer as a "guide" to what you should be doing instead. So "authentication' is not really something you do "after" connection, but rather you need to be "looking in the right place" when you actually attempt to authenticate.
We can start this by essentially following the process outlined in Enable Auth from the core documentation, but specifically altered because you want to be running this "test" under your own user account and local directory.
Revision Steps - Straight from Documentation
So first would would want to pick a local working directory and make a path for the database storage files underneath that. On *nix based systems you can do something like:
mkdir -p scratch/data/db
cd scratch
Then we want to startup a separate MongoDB instance without any other options. Making sure the port does not conflict with any other running instance:
mongod --port 37017 --dbpath data/db
In a new terminal or command line window, you can then connect to the shell:
mongo --port 37017
You always want at least one account with administrative privileges to at least "create accounts" and alter them in case you get in trouble, so create one:
use admin
db.createUser(
{
user: "admin",
pwd: "admin",
roles: [{ role: "userAdminAnyDatabase", db: "admin" }]
}
)
Now exit the shell and close the existing mongod instance running in the other terminal or command prompt and then start it again using --auth:
mongod --auth --port 37017 --dbpath data/db
Specific User - Make sure you follow these
Now you actually want to create a user that will be "used by your application". So these steps are important to ensure you get it right.
Log into a shell using your "adminstrative user":
mongo -u admin -p admin --port 37017 --authenticationDatabase 'admin'
You can alternately do the db.auth() method as shown in the question, but as noted this must be authorised on the "admin" namespace.
The next thing you want to do is create a user with access to "mydb" as a namespace with the readWrite role. For kicks, we are also going to let this user have the readAnyDatabase allowing them to "list" all databases namespaces, if not actually being able to do anything else with them.
IMPORTANT: You create ALL your users in the "admin" namespace. And this will be very important in future releases:
use admin
db.createUser(
{
"user": "myuser",
"pwd": "password",
"roles": [
{ "role": "readWrite", "db": "mydb" },
"readAnyDatabase"
]
}
)
Just for additional output, let's look at the current created users:
db.getUsers()
[
{
"_id" : "admin.admin",
"user" : "admin",
"db" : "admin",
"roles" : [
{
"role" : "userAdminAnyDatabase",
"db" : "admin"
}
]
},
{
"_id" : "admin.myuser",
"user" : "myuser",
"db" : "admin",
"roles" : [
{
"role" : "readWrite",
"db" : "mydb"
},
{
"role" : "readAnyDatabase",
"db" : "admin"
}
]
}
]
See how these have expanded in naming, and particularly the values assigned to the various "db" keys on each user. This should give you a little more insight into how MongoDB looks this up and why.
Python Connection
Finally we just want to connect from python. So presuming you have python and pymongo installed already, then it's just a simple listing to verify:
import pymongo
from pymongo import MongoClient
client = MongoClient('mongodb://myuser:password#localhost:37017');
db = client['mydb']
col = db.test
col.remove()
col.insert_one({ "a": 1 })
for doc in col.find():
print(doc)
Which shows the document created and listed without problem:
{u'a': 1, u'_id': ObjectId('5a08e5e0760108251722a737')}
Note that we don't actually need to make any mention of "admin" here, because this is the default where the driver "expects the accounts to be" and where you really "should" be doing it.
But I did it the wrong way
So let's say you originally got all confused and created the user under "mydb" instead:
use mydb
db.createUser({ "user": "bert", "pwd": "password", "roles": ["readWrite"] })
If you go look in "admin" that user is not there. But if you look on "mydb":
use mydb
db.getUsers()
[
{
"_id" : "mydb.bert",
"user" : "bert",
"db" : "mydb",
"roles" : [
{
"role" : "readWrite",
"db" : "mydb"
}
]
}
]
So you can see where the actual user data is now kept and how it has been recorded.
The simple case here is you "must" tell MongoDB where to obtain the authentication from for this user:
client = MongoClient('mongodb://bert:password#localhost:37017/mydb');
See how we add "mydb" on to the connection string. This is how it's done.
This is actually "in progress" to be made consistent with ALL drivers in how connections are made and where authentication happens as well as where you select the database. But there are basic rules:
If no other database namespace is provided with connection details for authentication credentials, then "admin" is taken to be the default.
Where there is a database namespace provided on the connection string, this will be used for authentication and this is the actual intent of the database namespace on the connection string.
Though other drivers "presently" differ in the role of the database namespace on the connection string, the usage is being changed to be consistent with all drivers that "using" a database namespace is in fact an API call, rather than being assigned from the connection string.
So where you need to authenticate depends on "where you created the user". But you should really be noting that "admin" is the place where you "should" be doing this instead of anywhere else.
Deprecation of Authenticate after connect
Whilst all drivers actually do have a similar method to authenticate(), which is used much like the shell example in the question, this method is now considered DEPRECATED as is mentioned throughout the content of the answer it is "intended" that you actually store your users in the "admin" namespace:
"Changed in version 3.5: Deprecated. Authenticating multiple users conflicts with support for logical sessions in MongoDB 3.6. To authenticate as multiple users, create multiple instances of MongoClient."
This is why the whole answer here is based on NOT using that method as you are meant to creating new connection instances, or using the "sessions" functionality available from MongoDB 3.6 instead.
I have 3 databases in my MongoDB server. I am using pymongo to do some scripting with Python3.
I want to use the latest versions and practices. Once I open the client and pick the database, the API for pymongo.MongoClient.['mydatabase'].authenticate is deprecated.
https://api.mongodb.com/python/current/api/pymongo/database.html
Authentication prior to picking the database (while dialing the client) doesn't seem to flow down toward the database. Not just for pymongo, but also when I use mongo shell. So I have a feeling this is the issue.
script.py
import pymongo
from pymongo import MongoClient
u = getUser() # function which prompts for username
p = getPassword() # getpass.getpass('Password')
uri = formatUri(u, p) # formats 'mongodb://%s:%s#%s'.format(user, password, host)
client = MongoClient(uri)
db = client['mydb']
col = db.mycollection
for doc in col.find():
print(doc)
I get the error that I am not authorized for the database. I know my account works in shell but I have to dial the client first then use the db and then auth.
Here's a mongo shell example:
$ mongo
MongoDB shell version: v3.4.10
Connecting to: mongodb://127.0.0.1:port
MongoDB server version: v3.4.10
> use mydb
switched to mydb
> db.auth("user", "pass")
1
Any idea how I can either auth after picking the database or once I use the db it remembers the context I dialed with?
You seem to be missing some concepts here so I'll basically answer as a "guide" to what you should be doing instead. So "authentication' is not really something you do "after" connection, but rather you need to be "looking in the right place" when you actually attempt to authenticate.
We can start this by essentially following the process outlined in Enable Auth from the core documentation, but specifically altered because you want to be running this "test" under your own user account and local directory.
Revision Steps - Straight from Documentation
So first would would want to pick a local working directory and make a path for the database storage files underneath that. On *nix based systems you can do something like:
mkdir -p scratch/data/db
cd scratch
Then we want to startup a separate MongoDB instance without any other options. Making sure the port does not conflict with any other running instance:
mongod --port 37017 --dbpath data/db
In a new terminal or command line window, you can then connect to the shell:
mongo --port 37017
You always want at least one account with administrative privileges to at least "create accounts" and alter them in case you get in trouble, so create one:
use admin
db.createUser(
{
user: "admin",
pwd: "admin",
roles: [{ role: "userAdminAnyDatabase", db: "admin" }]
}
)
Now exit the shell and close the existing mongod instance running in the other terminal or command prompt and then start it again using --auth:
mongod --auth --port 37017 --dbpath data/db
Specific User - Make sure you follow these
Now you actually want to create a user that will be "used by your application". So these steps are important to ensure you get it right.
Log into a shell using your "adminstrative user":
mongo -u admin -p admin --port 37017 --authenticationDatabase 'admin'
You can alternately do the db.auth() method as shown in the question, but as noted this must be authorised on the "admin" namespace.
The next thing you want to do is create a user with access to "mydb" as a namespace with the readWrite role. For kicks, we are also going to let this user have the readAnyDatabase allowing them to "list" all databases namespaces, if not actually being able to do anything else with them.
IMPORTANT: You create ALL your users in the "admin" namespace. And this will be very important in future releases:
use admin
db.createUser(
{
"user": "myuser",
"pwd": "password",
"roles": [
{ "role": "readWrite", "db": "mydb" },
"readAnyDatabase"
]
}
)
Just for additional output, let's look at the current created users:
db.getUsers()
[
{
"_id" : "admin.admin",
"user" : "admin",
"db" : "admin",
"roles" : [
{
"role" : "userAdminAnyDatabase",
"db" : "admin"
}
]
},
{
"_id" : "admin.myuser",
"user" : "myuser",
"db" : "admin",
"roles" : [
{
"role" : "readWrite",
"db" : "mydb"
},
{
"role" : "readAnyDatabase",
"db" : "admin"
}
]
}
]
See how these have expanded in naming, and particularly the values assigned to the various "db" keys on each user. This should give you a little more insight into how MongoDB looks this up and why.
Python Connection
Finally we just want to connect from python. So presuming you have python and pymongo installed already, then it's just a simple listing to verify:
import pymongo
from pymongo import MongoClient
client = MongoClient('mongodb://myuser:password#localhost:37017');
db = client['mydb']
col = db.test
col.remove()
col.insert_one({ "a": 1 })
for doc in col.find():
print(doc)
Which shows the document created and listed without problem:
{u'a': 1, u'_id': ObjectId('5a08e5e0760108251722a737')}
Note that we don't actually need to make any mention of "admin" here, because this is the default where the driver "expects the accounts to be" and where you really "should" be doing it.
But I did it the wrong way
So let's say you originally got all confused and created the user under "mydb" instead:
use mydb
db.createUser({ "user": "bert", "pwd": "password", "roles": ["readWrite"] })
If you go look in "admin" that user is not there. But if you look on "mydb":
use mydb
db.getUsers()
[
{
"_id" : "mydb.bert",
"user" : "bert",
"db" : "mydb",
"roles" : [
{
"role" : "readWrite",
"db" : "mydb"
}
]
}
]
So you can see where the actual user data is now kept and how it has been recorded.
The simple case here is you "must" tell MongoDB where to obtain the authentication from for this user:
client = MongoClient('mongodb://bert:password#localhost:37017/mydb');
See how we add "mydb" on to the connection string. This is how it's done.
This is actually "in progress" to be made consistent with ALL drivers in how connections are made and where authentication happens as well as where you select the database. But there are basic rules:
If no other database namespace is provided with connection details for authentication credentials, then "admin" is taken to be the default.
Where there is a database namespace provided on the connection string, this will be used for authentication and this is the actual intent of the database namespace on the connection string.
Though other drivers "presently" differ in the role of the database namespace on the connection string, the usage is being changed to be consistent with all drivers that "using" a database namespace is in fact an API call, rather than being assigned from the connection string.
So where you need to authenticate depends on "where you created the user". But you should really be noting that "admin" is the place where you "should" be doing this instead of anywhere else.
Deprecation of Authenticate after connect
Whilst all drivers actually do have a similar method to authenticate(), which is used much like the shell example in the question, this method is now considered DEPRECATED as is mentioned throughout the content of the answer it is "intended" that you actually store your users in the "admin" namespace:
"Changed in version 3.5: Deprecated. Authenticating multiple users conflicts with support for logical sessions in MongoDB 3.6. To authenticate as multiple users, create multiple instances of MongoClient."
This is why the whole answer here is based on NOT using that method as you are meant to creating new connection instances, or using the "sessions" functionality available from MongoDB 3.6 instead.
I recently opened up a free mLab account, and I'm trying to access the number of open connections in my database through the shell.
I never had problems with the command line when I was running mongodb locally, but now nothing works.
To connect I do this:
mongo ds127044.mlab.com:27044/db_name -u db_user -p db_password
And it show I'm successfully connected.
After that I run:
db.serverStatus()
And get:
{
"ok" : 0,
"errmsg" : "not authorized on admin to execute command { serverStatus: 1.0 }",
"code" : 13,
"codeName" : "Unauthorized"
}
But according to my console I'm listed as the owner of the db:
{
"_id": "db_name.db_user",
"user": "db_user",
"db": "db_name",
"roles": [
{
"role": "dbOwner",
"db": "db_name"
}
]
}
Is there something I'm doing wrong in the command line or is it something particular to my account with mLab?
Seems to be something related with your user's roles.
All documentation here: https://docs.mongodb.com/manual/reference/built-in-roles/#cluster-admin-roles/ (specifically cluesterMonitor information)
Say:
...The admin database includes the following roles for administering the
whole system rather than just a single database...
And in this Doc https://docs.mongodb.com/manual/core/security-built-in-roles/
Say:
Every database includes: Database Administration Roles... The
admin database includes the following roles for administering the
whole system: Cluster Administration Roles
'serverStatus' is realted to clusterMonitor role so..
Try to change it:
roles: [ { role: "clusterMonitor", db: "admin" },
{ role: "dbOwner", db: "db_name" }]
Good luck!
Not a mongodb expert, but here's what I found in the docs.
db.serverStatus() shares instance info in its output. For example:
host
The system’s hostname. In Unix/Linux systems, this should be the same as the output of the hostname command.
mLab wouldn't expose host info to end users, who should only have access to the dbs they're creating--specifically, the db you logged into.
Similarly, you'll run into issues with other calls like show dbs, since that would expose all the dbs (including dbs for other users!) existing alongside your own.
I imagine that the only commands that will work are ones that expose info completely related to only your db. I suggest hitting up a more export mongodb admin perhaps in a separate question for that definitive list, if necessary.
I fixed this exact issue by changing my mac settings to allow remote login.
System Preferences -> Sharing -> Remote Login: On
I am trying to add authorization to my MongoDB.
I am doing all this on Linux with MongoDB 2.6.1.
My mongod.conf file is in the old compatibility format
(this is how it came with the installation).
1) I created admin user as described here in (3)
http://docs.mongodb.org/manual/tutorial/add-user-administrator/
2) I then edited mongod.conf by uncommenting this line
auth = true
3) Finally I rebooted the mongod service and I tried to login with:
/usr/bin/mongo localhost:27017/admin -u sa -p pwd
4) I can connect but it says this upon connect.
MongoDB shell version: 2.6.1
connecting to: localhost:27017/admin
Welcome to the MongoDB shell!
The current date/time is: Thu May 29 2014 17:47:16 GMT-0400 (EDT)
Error while trying to show server startup warnings: not authorized on admin to execute command { getLog: "startupWarnings" }
5) Now it seems this sa user I created has no permissions at all.
root#test02:~# mc
MongoDB shell version: 2.6.1
connecting to: localhost:27017/admin
Welcome to the MongoDB shell!
The current date/time is: Thu May 29 2014 17:57:03 GMT-0400 (EDT)
Error while trying to show server startup warnings: not authorized on admin to execute command { getLog: "startupWarnings" }
[admin] 2014-05-29 17:57:03.011 >>> use admin
switched to db admin
[admin] 2014-05-29 17:57:07.889 >>> show collections
2014-05-29T17:57:10.377-0400 error: {
"$err" : "not authorized for query on admin.system.namespaces",
"code" : 13
} at src/mongo/shell/query.js:131
[admin] 2014-05-29 17:57:10.378 >>> use test
switched to db test
[test] 2014-05-29 17:57:13.466 >>> show collections
2014-05-29T17:57:15.930-0400 error: {
"$err" : "not authorized for query on test.system.namespaces",
"code" : 13
} at src/mongo/shell/query.js:131
[test] 2014-05-29 17:57:15.931 >>>
What is the problem? I repeated this whole procedure 3 times and
I think I did it all as specified in the MongoDB docs. But it doesn't work.
I was expecting this sa user to be authorized to do anything so that
he can then create other users and give them more specific permissions.
I was also scratching my head around the same issue, and everything worked after I set the role to be root when adding the first admin user.
use admin
db.createUser(
{
user: 'admin',
pwd: 'password',
roles: [ { role: 'root', db: 'admin' } ]
}
);
exit;
If you have already created the admin user, you can change the role like this:
use admin;
db.grantRolesToUser('admin', [{ role: 'root', db: 'admin' }])
For a complete authentication setting reference, see the steps I've compiled after hours of research over the internet.
It's a bit confusing - I believe you will need to grant yourself readWrite to query a database. A user with dbadmin or useradmin can admin the database (including granting yourself additional rights) but cannot perform queries or write data.
so grant yourself readWrite and you should be fine -
http://docs.mongodb.org/manual/reference/built-in-roles/#readWrite
Perhaps a quick example of how to change a current user will be helpful to somebody. This is what I was actually looking for.
Following advice of #JohnPetrone I added readWrite role to my admin user with grantRolesToUser
> use admin
> db.grantRolesToUser("admin",["readWrite"])
> show collections
system.users
system.version
You can try: Using the --authenticationDatabase flag helps.
mongo --port 27017 -u "admin" -p "password" --authenticationDatabase "admin"
I know this answer is coming really late on in this thread but I hope you check it out.
The reason you get that error is based on the specific role that you granted to the user, which you have gathered by now, and yes giving that user the role root will solve your problem but you must first understand what these roles do exactly before granting them to users.
In tutorial you granted the user the userAdminAnyDatabase role which basically give the user the ability to manage users of all your databases.
What you were trying to do with your user was outside its role definition.
The root role has this role included in it definition as well as the readWriteAnyDatabase, dbAdminAnyDatabase and other roles making it a superuser (basically because you can do anything with it).
You can check out the role definitions to see which roles you will need to give you users to complete certain tasks.
https://docs.mongodb.com/manual/reference/built-in-roles/
Its not advisable to make all your users super ones :)
It's a simple question.
It's important that you must switch the target db NOT admin.
use yourDB
check your db authentication by
show users
If you get a {} empty object that is the question. You just need to type
db.createUser(
{
user: "yourUser",
pwd: "password",
roles: [ "readWrite", "dbAdmin" ]
} )
or
db.grantRolesToUser('yourUser',[{ role: "dbAdmin", db: "yourDB" }])
I had this problem because of the hostname in my MongoDB Compass was pointing to admin instead for my project. Fixed by adding the /projectname after the hostname :)
Try this:
Choose your project in the MongoDB atlas website
Connect/Connect with MongoDB Compass
Download Compass/Choose your OS
I used Compass 1.12 or later
Copy the connection string under the Compass 1.12 or later.
Open MongoDB Compass/Connect(top left)/Connect To
Connection String detected/Yes/
Append your project name after the hostname: cluster9-foodie.mongodb.net/projectname
Connect & Tested the API with POSTMAN.
Succeed.
Use the same connection string in your code too:
Before:
mongodb+srv://projectname:password#cluster9-foodie.mongodb.net/admin
After:
mongodb+srv://projectname:password#cluster9-foodie.mongodb.net/projectname
Good luck.
Use Admin :
use admin
Create a super user :
db.createUser(
{
user: "master",
pwd: "test#123",
roles: [
{
role: "readWriteAnyDatabase",
db: "admin"
},
{
"role" : "dbAdminAnyDatabase",
"db" : "admin"
},
{
"role" : "clusterAdmin",
"db" : "admin"
},
"userAdminAnyDatabase"
]
}
)
If you're using Atlas, note that you can't create users through the mongo shell.
I was banging my head against the wall for a while till I came across this:
https://www.mongodb.com/community/forums/t/cant-create-a-root-user-from-mongo-shell/101369
I came across this thread with a similar issue, but my problem was that I used the collection name instead of the database name.
I had a similar problem here on a Windows environment: I have installed Bitnami DreamFactory and it also installs another MongoDb that is started on system boot. I was running my MongoDbService (that was started without any error) but I noticed after losing a lot of time that I was in fact connecting on Bitnami's MongoDb Service. Please, take a look if there is not another instance of mongoDB running on your server.
Good Luck!
In addition, notice that if your mongo shell client fails to connect correctly to the mongod instance, you can receive such "Permission Denied" errors.
Make sure that your client opens a connection by checking the connection port, but also that the port you are using in mongod is not in use. You can set a different port by using the --port <port> parameter in both the shell and the process.
use mydb
db.createUser( { user: "test", pwd: "secret", roles: [ "readWrite", "dbAdmin"],passwordDigestor:"server" } )
Agreed that you've to get authenticated to admin db and needs at least a role with correct privileges which would avoid 'local host exception' from DB(this is for mongoDB's hosted on-premises), though you've everything in place & still getting not authorized exceptions on almost every command, while accessing mongoDB which got created using Mongo Atlas, then here is the place where you might know the reason, why :
https://dba.stackexchange.com/questions/219003/not-authorized-on-admin-to-execute-command-mongodb-atlas-m0-free-tier-cluster?newreg=471a9a26108243d78d4ca74a87e7a115
and also check this if you've hosted mongoDB on mongo Atlas:
https://docs.atlas.mongodb.com/unsupported-commands/
I followed these steps on Centos 7 for MongoDB 4.2. (Remote user)
Update mongod.conf file
vi /etc/mongod.conf
net:
port: 27017
bindIp: 0.0.0.0
security:
authorization: enabled
Start MongoDB service demon
systemctl start mongod
Open MongoDB shell
mongo
Execute this command on the shell
use admin
db.createUser(
{
user: 'admin',
pwd: 'YouPassforUser',
roles: [ { role: 'root', db: 'admin' } ]
}
);
Remote root user has been created. Now you can test this database connection by using any MongoDB GUI tool from your dev machine. Like Robo 3T
For MongoDB shell version v4.2.8 I've tried different ways to back-up my database with auth, my winner solution is
mongodump -h <your_hostname> -d <your_db_name> -u <your_db_username> -p <your_db_password> --authenticationDatabase admin -o /path/to/where/i/want
This may be because you havent set noAuth=true in mongodb.conf
# Turn on/off security. Off is currently the default
noauth = true
#auth = true
After setting this restart the service using
service mongod restart
I am trying to add authorization to my MongoDB.
I am doing all this on Linux with MongoDB 2.6.1.
My mongod.conf file is in the old compatibility format
(this is how it came with the installation).
1) I created admin user as described here in (3)
http://docs.mongodb.org/manual/tutorial/add-user-administrator/
2) I then edited mongod.conf by uncommenting this line
auth = true
3) Finally I rebooted the mongod service and I tried to login with:
/usr/bin/mongo localhost:27017/admin -u sa -p pwd
4) I can connect but it says this upon connect.
MongoDB shell version: 2.6.1
connecting to: localhost:27017/admin
Welcome to the MongoDB shell!
The current date/time is: Thu May 29 2014 17:47:16 GMT-0400 (EDT)
Error while trying to show server startup warnings: not authorized on admin to execute command { getLog: "startupWarnings" }
5) Now it seems this sa user I created has no permissions at all.
root#test02:~# mc
MongoDB shell version: 2.6.1
connecting to: localhost:27017/admin
Welcome to the MongoDB shell!
The current date/time is: Thu May 29 2014 17:57:03 GMT-0400 (EDT)
Error while trying to show server startup warnings: not authorized on admin to execute command { getLog: "startupWarnings" }
[admin] 2014-05-29 17:57:03.011 >>> use admin
switched to db admin
[admin] 2014-05-29 17:57:07.889 >>> show collections
2014-05-29T17:57:10.377-0400 error: {
"$err" : "not authorized for query on admin.system.namespaces",
"code" : 13
} at src/mongo/shell/query.js:131
[admin] 2014-05-29 17:57:10.378 >>> use test
switched to db test
[test] 2014-05-29 17:57:13.466 >>> show collections
2014-05-29T17:57:15.930-0400 error: {
"$err" : "not authorized for query on test.system.namespaces",
"code" : 13
} at src/mongo/shell/query.js:131
[test] 2014-05-29 17:57:15.931 >>>
What is the problem? I repeated this whole procedure 3 times and
I think I did it all as specified in the MongoDB docs. But it doesn't work.
I was expecting this sa user to be authorized to do anything so that
he can then create other users and give them more specific permissions.
I was also scratching my head around the same issue, and everything worked after I set the role to be root when adding the first admin user.
use admin
db.createUser(
{
user: 'admin',
pwd: 'password',
roles: [ { role: 'root', db: 'admin' } ]
}
);
exit;
If you have already created the admin user, you can change the role like this:
use admin;
db.grantRolesToUser('admin', [{ role: 'root', db: 'admin' }])
For a complete authentication setting reference, see the steps I've compiled after hours of research over the internet.
It's a bit confusing - I believe you will need to grant yourself readWrite to query a database. A user with dbadmin or useradmin can admin the database (including granting yourself additional rights) but cannot perform queries or write data.
so grant yourself readWrite and you should be fine -
http://docs.mongodb.org/manual/reference/built-in-roles/#readWrite
Perhaps a quick example of how to change a current user will be helpful to somebody. This is what I was actually looking for.
Following advice of #JohnPetrone I added readWrite role to my admin user with grantRolesToUser
> use admin
> db.grantRolesToUser("admin",["readWrite"])
> show collections
system.users
system.version
You can try: Using the --authenticationDatabase flag helps.
mongo --port 27017 -u "admin" -p "password" --authenticationDatabase "admin"
I know this answer is coming really late on in this thread but I hope you check it out.
The reason you get that error is based on the specific role that you granted to the user, which you have gathered by now, and yes giving that user the role root will solve your problem but you must first understand what these roles do exactly before granting them to users.
In tutorial you granted the user the userAdminAnyDatabase role which basically give the user the ability to manage users of all your databases.
What you were trying to do with your user was outside its role definition.
The root role has this role included in it definition as well as the readWriteAnyDatabase, dbAdminAnyDatabase and other roles making it a superuser (basically because you can do anything with it).
You can check out the role definitions to see which roles you will need to give you users to complete certain tasks.
https://docs.mongodb.com/manual/reference/built-in-roles/
Its not advisable to make all your users super ones :)
It's a simple question.
It's important that you must switch the target db NOT admin.
use yourDB
check your db authentication by
show users
If you get a {} empty object that is the question. You just need to type
db.createUser(
{
user: "yourUser",
pwd: "password",
roles: [ "readWrite", "dbAdmin" ]
} )
or
db.grantRolesToUser('yourUser',[{ role: "dbAdmin", db: "yourDB" }])
If you're using Atlas, note that you can't create users through the mongo shell.
I was banging my head against the wall for a while till I came across this:
https://www.mongodb.com/community/forums/t/cant-create-a-root-user-from-mongo-shell/101369
I had this problem because of the hostname in my MongoDB Compass was pointing to admin instead for my project. Fixed by adding the /projectname after the hostname :)
Try this:
Choose your project in the MongoDB atlas website
Connect/Connect with MongoDB Compass
Download Compass/Choose your OS
I used Compass 1.12 or later
Copy the connection string under the Compass 1.12 or later.
Open MongoDB Compass/Connect(top left)/Connect To
Connection String detected/Yes/
Append your project name after the hostname: cluster9-foodie.mongodb.net/projectname
Connect & Tested the API with POSTMAN.
Succeed.
Use the same connection string in your code too:
Before:
mongodb+srv://projectname:password#cluster9-foodie.mongodb.net/admin
After:
mongodb+srv://projectname:password#cluster9-foodie.mongodb.net/projectname
Good luck.
Use Admin :
use admin
Create a super user :
db.createUser(
{
user: "master",
pwd: "test#123",
roles: [
{
role: "readWriteAnyDatabase",
db: "admin"
},
{
"role" : "dbAdminAnyDatabase",
"db" : "admin"
},
{
"role" : "clusterAdmin",
"db" : "admin"
},
"userAdminAnyDatabase"
]
}
)
I came across this thread with a similar issue, but my problem was that I used the collection name instead of the database name.
I had a similar problem here on a Windows environment: I have installed Bitnami DreamFactory and it also installs another MongoDb that is started on system boot. I was running my MongoDbService (that was started without any error) but I noticed after losing a lot of time that I was in fact connecting on Bitnami's MongoDb Service. Please, take a look if there is not another instance of mongoDB running on your server.
Good Luck!
In addition, notice that if your mongo shell client fails to connect correctly to the mongod instance, you can receive such "Permission Denied" errors.
Make sure that your client opens a connection by checking the connection port, but also that the port you are using in mongod is not in use. You can set a different port by using the --port <port> parameter in both the shell and the process.
use mydb
db.createUser( { user: "test", pwd: "secret", roles: [ "readWrite", "dbAdmin"],passwordDigestor:"server" } )
Agreed that you've to get authenticated to admin db and needs at least a role with correct privileges which would avoid 'local host exception' from DB(this is for mongoDB's hosted on-premises), though you've everything in place & still getting not authorized exceptions on almost every command, while accessing mongoDB which got created using Mongo Atlas, then here is the place where you might know the reason, why :
https://dba.stackexchange.com/questions/219003/not-authorized-on-admin-to-execute-command-mongodb-atlas-m0-free-tier-cluster?newreg=471a9a26108243d78d4ca74a87e7a115
and also check this if you've hosted mongoDB on mongo Atlas:
https://docs.atlas.mongodb.com/unsupported-commands/
I followed these steps on Centos 7 for MongoDB 4.2. (Remote user)
Update mongod.conf file
vi /etc/mongod.conf
net:
port: 27017
bindIp: 0.0.0.0
security:
authorization: enabled
Start MongoDB service demon
systemctl start mongod
Open MongoDB shell
mongo
Execute this command on the shell
use admin
db.createUser(
{
user: 'admin',
pwd: 'YouPassforUser',
roles: [ { role: 'root', db: 'admin' } ]
}
);
Remote root user has been created. Now you can test this database connection by using any MongoDB GUI tool from your dev machine. Like Robo 3T
For MongoDB shell version v4.2.8 I've tried different ways to back-up my database with auth, my winner solution is
mongodump -h <your_hostname> -d <your_db_name> -u <your_db_username> -p <your_db_password> --authenticationDatabase admin -o /path/to/where/i/want
This may be because you havent set noAuth=true in mongodb.conf
# Turn on/off security. Off is currently the default
noauth = true
#auth = true
After setting this restart the service using
service mongod restart