In Mongo, I've created a database and created a user specifically for that database. When I type "show users" I get this:
rs0:PRIMARY> show users;
{
"_id" : "sampleuser.sampleuser",
"user" : "sampleuser",
"db" : "sampledb",
"roles" : [
{
"role" : "readWrite",
"db" : "sampledb"
},
{
"role" : "dbAdmin",
"db" : "sampledb"
}
]
}
But when I try to execute a command with that user, I get the following:
not authorized on sampledb to execute command { find: "social_posts", filter: { customer_id: "123", 0: { posted: { $ne: 1 } } } }
What permissions are setup wrong?
You have to use db.auth() to authenticate to the database before executing any query.
From db.auth() doc
db.auth()
Allows a user to authenticate to the database from within the shell.
The db.auth() method can accept:
the username and password.
db.auth( <username>, <password> )
a user document that contains the username and password, and optionally, the authentication mechanism and a digest password flag.
db.auth( {
user: <username>,
pwd: <password>,
mechanism: <authentication mechanism>,
digestPassword: <boolean>
}
Returns: db.auth() returns 0 when authentication is not successful, and 1 when the operation is successful.
Related
This is the query i am running:
db.surveyquestion.copyTo('surveyquestionV2')
Error I am getting:
{
"message" : "MongoError: not authorized on GenericSurveyTool to execute command { $eval: function (collName, newName) {\r" +
"var from = db[collName];\r" +
"..., args: [ 'surveyquestion', 'surveyquestionV2' ], $db: 'GenericSurveyTool' }",
"stack" : "script:1:19",
"code" : 13
}
My user in admin db that i am using to run this query:
query: db.getUsers();
/* 2 */
{
"_id" : "admin.moiz",
"user" : "moiz",
"db" : "admin",
"roles" : [
{
"role" : "root",
"db" : "admin"
}
]
}
I have this user with the root role but still i am unable to copy collection. Please help!!
To the people who has the same problem, the solution is in the documentation of db.eval() : just right here
If authorization is enabled, you must have access to all actions on all resources in order to run eval. Providing such access is not recommended, but if your organization requires a user to run eval, create a role that grants anyAction on anyResource. Do not assign this role to any other user.
I added an 'admin' user in the admin db, with roles on admin db and another db :
[admin] user: yves>db.auth("isabelle", "abc123")
1
[admin] user: isabelle>db.getUser("isabelle")
{
"_id" : "admin.isabelle",
"user" : "isabelle",
"db" : "admin",
"roles" : [
{
"role" : "userAdmin",
"db" : "admin"
},
{
"role" : "dbOwner",
"db" : "cockpit"
}
]
}
I am testing that this user cannot admin the 'test' database ( updating a tester user email )
[admin] user: isabelle>use test
switched to db test
[test] user: isabelle>db.updateUser(
... "myTester",
... {
... customData: {email: "mytester#example.com"}
... }
... )
As 'isabelle' has no roles on 'test' db , she should not be allowed to update any user on this db ... (?)
but it is ...
[test] user: isabelle>db.getUser("myTester")
{
"_id" : "test.myTester",
"user" : "myTester",
"db" : "test",
"roles" : [
{
"role" : "readWrite",
"db" : "test"
},
{
"role" : "read",
"db" : "reporting"
}
],
"customData" : {
"email" : "mytester#example.com"
}
}
what am I missing ?
do the isabelle' role 'userAdmin' on 'admin' db allow it ?
I tried to remove it, but it deosn(t change anything ...
I also tried to move isabelle in the cockpit database, with dbOwner role, it doesn't change anything... isabelle is still able to update myTester user in the test database...
how can I restrict isabelle to admin only the 'cockpit' db ( managing users and roles for this db ..?
thanks for enlightment ...
Add to your mongod.conf
security:
authorization: enabled
Also check this mongodb link.
I would like to create a mongo user who can read local database. I try to use command on local database:
db.createUser(
{ user: "readonlyuser", pwd: "loh8Ephi",
roles: [ { role: "read", db: "local" } ]
})
But - it doesn't work. I receive:
connecting to: local
2015-12-21T14:08:07.904+0100 Error: couldn't add user: Cannot create users in the local database at src/mongo/shell/db.js:1054
I've tried to create that user against admin database:
> use admin
switched to db admin
> db.createUser(
... { user: "readonlyuser", pwd: "loh8Ephi", roles: [ { role: "read", db: "local" } ] })
Successfully added user: {
"user" : "readonlyuser",
"roles" : [
{
"role" : "read",
"db" : "local"
}
]
And now i try to connect:
undefine#machine:~$ mongo -u readonlyuser -p loh8Ephi local
MongoDB shell version: 2.6.11
connecting to: local
2015-12-21T15:35:19.190+0100 Error: 18 { ok: 0.0, errmsg: "auth failed", code: 18 } at src/mongo/shell/db.js:1292
exception: login failed
How to create readonly user who have access only to local database?
According the documentation, you cannot create users on the local database. Instead you can run your createUser query against the admin database:
use admin
db.createUser(
{ user: "readonlyuser", pwd: "loh8Ephi",
roles: [ { role: "read", db: "local" } ]
})
Please note that you will have to authenticate against the admin database when connecting.
I would do it like below
use admin
db.getSiblingDB("local").runCommand( { "createUser" : "mongoread", "pwd": "read0nly", "customData" : { "description": "mongo readonly user" }, "roles" : [ {"role" : "read","db" : "local"}] },{ w: "majority" , wtimeout: 5000 } );
I have a user in admin.system.users:
{
"_id" : "admin.reports",
"user" : "reports",
"db" : "admin",
"credentials" : {
"MONGODB-CR" : "hash"
},
"roles" : [
{
"role" : "read",
"db" : "mydb"
}
]
}
And I am attempting to execute this from a bash script:
mongo --quiet mongodb.production.internal/admin -ureports -p"password" <<< "
var conn = connect('localhost/mydb');
db.auth('reports', 'password');
db.Collection.aggregate([
{
\$group: {
_id: '\$itemId',
count: { \$sum: 1 }
}
},
{
\$sort: {
count: 1
}
}
], {cursor: {}}).forEach(function(line) {
print(line._id+','+line.count);
});
"
And I am getting this response from the mongodb instance:
not authorized on admin to execute command { aggregate: (amongst other very verbose but pointless output).
What permission do I need to enable the use of the aggregation command for this user? Can it not be done without enabling write access?
The issue was not with permissions, read is indeed sufficient, but with correctly switching to the right database.
I was using connect() to silently (no output) switch to the working db because the use command throws output. This is incorrect, and the workaround is in how you specify the connection on the command line, ie:
mongo --quiet mongodb.production.internal/mydb --authenticationDatabase admin -ureports -p"password"
Currently I've got a siteUserAdmin authenticated on the admin database:
{
"_id" : "admin.siteUserAdmin",
"user" : "siteUserAdmin",
"db" : "admin",
"credentials" : {
"MONGODB-CR" : "...."
},
"roles" : [
{
"role" : "userAdminAnyDatabase",
"db" : "admin"
}
]
}
When I run:
use admin;
db.auth('siteUserAdmin', 'supersecret');
Everything authenticates just fine.
However when I then do:
use myotherdb
db.addUser({ user: 'chris', pwd: 'anothersecretpassword', roles: ['dbOwner']});
It doesn't add the user, I get the following:
couldn't add user: not authorized for insert on admin.system.users at src/mongo/shell/db.js:128
What am I doing wrong? This all looks nuts.
FYIL I'm using MongoDB version 2.6.10.
Random side note: weirdly createUser isn't a function, even though according to the MongoDB docs it was added in 2.6.
I was seeing this exact error in Robomongo 0.8.5. I copy/pasted the command to the the Mongo cli client and it worked fine.
Authenticated as siteUserAdmin to admin db on both clients.
Hopefully this helps someone else.