How to use authentication in Mongodb docker container? Create user and use that user authentication in Mongodb containers
While using Mongodb and Python flask application, we want to secure mongodb container with perticular username and password.
As written in the documentation on docker hub, you need to run the image with the --auth flag, and then add the initial admin user. Summary of the steps:
Start the Database
docker run --name some-mongo -d mongo --auth
Add the Initial Admin User
$ docker exec -it some-mongo mongo admin
connecting to: admin
> db.createUser({ user: 'jsmith', pwd: 'some-initial-password', roles: [ { role: "userAdminAnyDatabase", db: "admin" } ] });
Successfully added user: {
"user" : "jsmith",
"roles" : [
{
"role" : "userAdminAnyDatabase",
"db" : "admin"
}
]
}
Related
From the documentation:
The localhost exception allows you to enable access control and then
create the first user in the system. With the localhost exception,
after you enable access control, connect to the localhost interface
and create the first user in the admin database. The first user must
have privileges to create other users, such as a user with the
userAdmin or userAdminAnyDatabase role.
So I run the latest mongo with enabled access control (--auth):
docker run -p 27017:27017 mongo --auth
connect with my shell and try to create the admin user:
mongo
MongoDB shell version v4.0.2
connecting to: mongodb://127.0.0.1:27017
MongoDB server version: 4.0.2
> use admin
switched to db admin
> db.createUser(
... {
... user: "admin",
... pwd: "password",
... roles: [ { role: "userAdminAnyDatabase", db: "admin" }, "readWriteAnyDatabase" ]
... }
... )
2018-10-03T15:29:30.234+0200 E QUERY [js] Error: couldn't add user: command createUser requires authentication :
_getErrorWithCode#src/mongo/shell/utils.js:25:13
DB.prototype.createUser#src/mongo/shell/db.js:1491:15
#(shell):1:1
What am I doing wrong?
You are not connecting to localhost but to the exported port.
For the exception to work you need to connect to localhost from within the container.
E.g.:
docker exec -it `docker ps --filter ancestor=mongo --format "{{.ID}}"` mongo
I have set up a docker with MongoDB Image. By default it has no password set up. I made a user and assigned it roles, which works perfectly well. But the issue is that the connection is still possible without authentication.
Connect with Authentication > Right Username, Right Password -> CONNECTED
Connect with Authentication > Right Username, Wrong Password -> CONNECTION FAILED
Connection without Authentication > CONNECTED
I want the 3rd point to stop working.
Steps:-
1) Run a docker instance without authentication
$ docker run --name container-name -d -p 27017:27017 -v ~/mongodb:/data/db mongo
2) Create a main administrator user with admin roles
$ mongo --port 27017
$ use admin;
$ db.createUser({user: "adminUserName",pwd: "adminPassword",roles: [{ role: "userAdminAnyDatabase", db: "admin" }})
This will create a user in the admin database with roles "userAdminAnyDatabase". This is like a superuser.
3) Create User for a particular database
$ use
$ db.createUser({user: "dev-read-username",pwd: "dev-read-password",roles:["read"]})
-- User with "read" role
$ db.createUser({user: "dev-write-username",pwd: "dev-write-password",roles:["readWrite"]})
-- User with "readWrite" role
For list of roles available or how to create custom roles, please check https://docs.mongodb.com/manual/reference/built-in-roles/
4) Remove the docker container
$ docker ps -a
$ docker stop container_id
$ docker rm container_id
5) Run the docker instance with authentication enabled
$ docker run --name container-name -d -p 27017:27017 -v ~/mongodb:/data/db mongo --auth
I assume you might not have started the docker container with --auth enabled. Once you start with --auth enabled, then you will not be able to connect without credentials.
Run with auth option to add authorizations docker run --name some-mongo -d mongo --auth
You should create an admin user. You can check if admin user exists using db.getSiblingDB('admin').system.users.find() or create one like : db.createUser({ user: 'jsmith', pwd: 'some-initial-password', roles: [{ role: "userAdminAnyDatabase", db: "admin" } ] });
Source : https://hub.docker.com/r/library/mongo/
I know this has been asked many times before but trust me i have used that,
I just want to know the step to step procudure to authenticate the mongodb 3.0+ on linux aws server.
You can use following procedure to enable auth on stand-alone mongodb deployment:
Create an administrator user
use admin
db.createUser(
{
user: "userAdmin",
pwd: "xxxxx",
roles: [ { role: "userAdminAnyDatabase", db: "admin" } ]
}
)
Modify mongod.conf file to enable auth
security:
authorization: enabled
Restart mongod service:
sudo service mongod restart
Connect and authenticate as the user administrator
mongo
use admin
db.auth("userAdmin", "xxxxx")
Create additional users as needed for your deployment:
use yourdb
db.createUser(
{
user: "testuser",
pwd: "xxxxxx",
roles: [ { role: "readWrite", db: "yourdb" }
]
}
)
Try logging in using mongo shell
mongo
Reference doc
I am using the same connection string on local and production.
When the connection string is mongodb://localhost/mydb
What is the username and password?
Is it secure to keep it this way?
By default mongodb has no enabled access control, so there is no default user or password.
To enable access control, use either the command line option --auth or security.authorization configuration file setting.
You can use the following procedure or refer to Enabling Auth in the MongoDB docs.
Procedure
Start MongoDB without access control.
mongod --port 27017 --dbpath /data/db1
Connect to the instance.
mongosh --port 27017
Create the user administrator.
use admin
db.createUser(
{
user: "myUserAdmin",
pwd: passwordPrompt(), // or cleartext password
roles: [
{ role: "userAdminAnyDatabase", db: "admin" },
{ role: "readWriteAnyDatabase", db: "admin" }
]
}
)
Re-start the MongoDB instance with access control.
mongod --auth --port 27017 --dbpath /data/db1
Authenticate as the user administrator.
mongosh --port 27017 --authenticationDatabase "admin"\
-u "myUserAdmin" -p
In addition with what #Camilo Silva already mentioned, if you want to give free access to create databases, read, write databases, etc, but you don't want to create a root role, you can change the 3rd step with the following:
use admin
db.createUser(
{
user: "myUserAdmin",
pwd: "abc123",
roles: [ { role: "userAdminAnyDatabase", db: "admin" },
{ role: "dbAdminAnyDatabase", db: "admin" },
{ role: "readWriteAnyDatabase", db: "admin" } ]
}
)
If you have already created the user, you can update the user as follows:
First log on:
mongo --port 27017 -u "myUserAdmin" -p "abc123" \
--authenticationDatabase "admin"
The add permissions:
use admin
db.grantRolesToUser(
"myUserAdmin",
[ { role: "userAdminAnyDatabase", db: "admin" },
{ role: "dbAdminAnyDatabase", db: "admin" },
{ role: "readWriteAnyDatabase", db: "admin" } ]
)
For MongoDB earlier than 2.6, the command to add a root user is addUser (e.g.)
db.addUser({user:'admin',pwd:'<password>',roles:["root"]})
In addition to previously provided answers, one option is to follow the 'localhost exception' approach to create the first user if your db is already started with access control (--auth switch). In order to do that, you need to have localhost access to the server and then run:
mongo
use admin
db.createUser(
{
user: "user_name",
pwd: "user_pass",
roles: [
{ role: "userAdminAnyDatabase", db: "admin" },
{ role: "readWriteAnyDatabase", db: "admin" },
{ role: "dbAdminAnyDatabase", db: "admin" }
]
})
As stated in MongoDB documentation:
The localhost exception allows you to enable access control and then create the first user in the system. With the localhost exception, after you enable access control, connect to the localhost interface and create the first user in the admin database. The first user must have privileges to create other users, such as a user with the userAdmin or userAdminAnyDatabase role. Connections using the localhost exception only have access to create the first user on the admin database.
Here is the link to that section of the docs.
Go to mongo in your instance
mongo
use admin
db.createUser({user:"Username", pwd:"Password", roles:[{role:"root", db:"admin"}]})
mongod --bind_ip_all --auth
use this command after modifying the .conf file:
network interfaces
net:
port: 27017
bindIp: 127.0.0.1,mongodb_server_ip
I'm rather new with MongoDB and I'm trying to add a admin account into my MongoDB whithout any users at this point.
Using this command: mongo --port 27017 -u manager -p 123456 --authenticationDatabase admin
I receive this error:
Kind regards.
Let me explain the reason why its not working. mongo db refers to users collection to validate the login user.
By default mongodb doesnt provide any user login like manager, using which your were trying to login
Thus the below command is not working
mongo --port 27017 -u manager -p 123456 --authenticationDatabase admin
To make the below command to work. You need to add user "manager" to mongodb user collection.
To create user run the below command:
db.addUser( { user: "manager",
pwd: "123456",
roles: [ "userAdminAnyDatabase",
"dbAdminAnyDatabase",
"readWriteAnyDatabase"
] } )
Once you have the user created, below command work.
mongo --port 27017 -u manager -p 123456 --authenticationDatabase admin