I'd like to know how to provide a default user on mongo.
Up to now, we've been able to provide a mongo instance using chef. It's working with this configuration file (mongod.conf):
---
systemLog:
  path: "/var/log/mongodb/mongod.log"
  logAppend: true
  destination: file
processManagement:
  fork: true
  pidFilePath: "/var/run/mongodb/mongod.pid"
net:
  port: 30158
  bindIp: localhost
security:
  authorization: enabled
storage:
  dbPath: "/var/lib/mongo"
  journal:
    enabled: true
As you can see, mongo is running with authorization. So, I'd like to provide default user/password values in order to allow access to the mongo instance.
I want to do this without having to interact with the mongo command-line client. Is there any way to do it with a script?
I don't know if I've explained so well.
You can create an administrator user in the following manner:
use admin
db.createUser(
  {
    user: "myUserAdmin",
    pwd: "abc123",
    roles: [ { role: "userAdminAnyDatabase", db: "admin" } ]
  }
)
You can then login using the credentials:
mongo --port 27017 -u "myUserAdmin" -p "abc123" \
--authenticationDatabase "admin"
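The question asks for a scripted, non-interactive way to do this (for Chef). The following is an added example, not code from the answer above: it runs the same createUser through `mongo --eval`, skips the call when the user already exists so a config run can repeat it safely, and uses json.dumps so a password containing quotes cannot break out of the JavaScript literal. It assumes the legacy `mongo` shell is on PATH and that the script runs on the mongod host, so the localhost exception applies while no users exist yet.

```python
"""Create a MongoDB user non-interactively via `mongo --eval` (added example)."""
import json
import shlex
import subprocess


def create_user_js(user, pwd, roles):
    """JS for the mongo shell that creates `user` only if it is absent.

    json.dumps() emits valid JS literals with quotes escaped, so values
    such as  ab"c  stay inside the string and cannot inject shell code.
    db.getUser() returns null when the user does not exist.
    """
    spec = {"user": user, "pwd": pwd, "roles": roles}
    return "if (db.getUser(%s) === null) { db.createUser(%s); }" % (
        json.dumps(user), json.dumps(spec))


def create_user_argv(user, pwd, roles, auth_db="admin", port=27017):
    """argv for the legacy shell; the JS is a single argument, no shell
    quoting involved, so the password never has to be shell-escaped."""
    return ["mongo", "--quiet", "--port", str(port), auth_db,
            "--eval", create_user_js(user, pwd, roles)]


def create_user(user, pwd, roles, auth_db="admin", port=27017):
    """Run the shell and report success by exit status (needs mongod)."""
    argv = create_user_argv(user, pwd, roles, auth_db, port)
    return subprocess.run(argv, check=False).returncode == 0


if __name__ == "__main__":
    # Same user as in the answer above; port 30158 is the asker's mongod.conf.
    roles = [{"role": "userAdminAnyDatabase", "db": "admin"}]
    print(shlex.join(create_user_argv("myUserAdmin", "abc123", roles, port=30158)))
```

With authorization enabled and enableLocalhostAuthBypass left at its default, this works only from the mongod host and only until the first user exists; after that, pass -u/-p for an existing admin.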
You can create a user and assign a role to it,
use myDb;
db.createUser({user : 'myUser',pwd:'myPassword',roles:[{role : 'readWrite',db : 'myDb'}]});
Your db connection string,
'mongodb://myUser:myPassword@localhost:27017/myDb',
From terminal,
mongo --port 27017 -u "myUser" -p "myPassword" --authenticationDatabase "myDb"
I still can't prevent anonymous access to MongoDB after doing the steps below.
1- Create admin user with this command
mongod --port 27017 --logpath D:\Files\Sessions\log\mongo.log --dbpath D:\Files\Sessions\data\db
2- Create mongod.conf file with this config
systemLog:
  destination: file
  path: "D:/Files/Sessions/log/mongo.log"
storage:
  dbPath: "D:/Files/Sessions/data/db"
net:
  bindIp: 127.0.0.1, localhost
  port: 27017
3- Execute mongod --config "D:\Files\Sessions\mongod.conf"
4- Create admin user with
use admin
db.createUser(
  {
    user: "myUserAdmin",
    pwd: passwordPrompt(), // or cleartext password
    roles: [ { role: "userAdminAnyDatabase", db: "admin" }, "readWriteAnyDatabase" ]
  }
)
5- Update mongod.conf by adding this config to it
security:
  authorization: enabled
6- Execute mongod --config "D:\Files\Sessions\mongod.conf"
In between steps, I also executed this command many times
mongod --port 27017 --logpath D:\Files\Sessions\log\mongo.log --dbpath D:\Files\Sessions\data\db --auth
In the end, I can create a new admin user and authenticate with it, but I can still also authenticate as an anonymous user without credentials!
Just in case =>
mongo version: 4.2, windows 10
What's wrong?
This is my mongo.conf
storage:
  dbPath: /var/lib/mongodb
  journal:
    enabled: true
systemLog:
  destination: file
  logAppend: true
  path: /var/log/mongodb/mongod.log
net:
  port: 27017
  bindIp: 0.0.0.0
security:
  authorization: enabled
And I'm starting it via systemctl which does this:
/usr/bin/mongod --quiet --auth --config /etc/mongod.conf
Created an admin user like so:
mongo
> use admin
> db.createUser({ user:"user001", pwd:"pwd001", roles:[{role:"root", db:"admin"}]})
I can access mongo on EC2 via:
mongo -u user001 -p pwd001 --authenticationDatabase admin
However, when I try to access it on my local via:
mongo -u user001 -p pwd001 --authenticationDatabase admin --host 58.17.53.6
I get this error:
MongoDB shell version: 3.0.4
connecting to: 58.17.53.6:27017/test
2017-10-30T19:42:33.302-0700 W NETWORK Failed to connect to 58.17.53.6:27017 after 5000 milliseconds, giving up.
2017-10-30T19:42:33.304-0700 E QUERY Error: couldn't connect to server 58.17.53.6:27017 (58.17.53.6), connection attempt failed
at connect (src/mongo/shell/mongo.js:181:14)
at (connect):1:6 at src/mongo/shell/mongo.js:181
exception: connect failed
Also, my security group for the instance looks like this:
Any help would be appreciated!
In my mongod.log is a huge number of those errors:
2017-07-05T11:12:23.211+0200 I ACCESS [conn788] SCRAM-SHA-1 authentication failed for admin on admin from client 123.123.123.123 ; AuthenticationFailed: SCRAM-SHA-1 authentication failed, storedKey mismatch
I'm running a three-member replica set on
db.version()
3.2.11
I already added an admin user by
MongoDB shell version: 3.2.11
connecting to: 127.0.0.1/test
clustername:PRIMARY> use admin
switched to db admin
clustername:PRIMARY> db.createUser( { user: "admin",
... pwd: "password",
... roles: [ "root",
... "userAdminAnyDatabase",
... "dbAdminAnyDatabase",
... "readWriteAnyDatabase"
...
... ] } )
Successfully added user: {
"user" : "admin",
"roles" : [
"root",
"userAdminAnyDatabase",
"dbAdminAnyDatabase",
"readWriteAnyDatabase"
]
}
On each replica member I can enter the mongo shell as admin and perform
clustername:PRIMARY> db.auth("admin","password")
1
The replica-nodes config only differs in the bind-section for the external interface.
storage:
  dbPath: /var/lib/mongodb
  journal:
    enabled: true
systemLog:
  destination: file
  logAppend: true
  path: /var/log/mongodb/mongod.log
net:
  port: 27017
  bindIp: 123.123.123.123,127.0.0.1
security:
  keyFile: /etc/ssl/mongo_keyfile
  authorization: enabled
replication:
  replSetName: clustername
The keyfile is accessible to the mongo user. Permissions and ownership are identical on every node. The md5sum is identical too.
Any idea what might go wrong?
I am trying to setup a 3 node MongoDB cluster.
1) Started mongodb in all 3 nodes with the below config file.
net:
  bindIp: 0.0.0.0
  port: 10901
setParameter:
  enableLocalhostAuthBypass: false
systemLog:
  destination: file
  path: "<LOG_PATH>"
  logAppend: true
processManagement:
  fork: true
storage:
  dbPath: "<DB_PATH>/data"
  journal:
    enabled: true
security:
  keyFile: "<KEY_FILE_PATH>"
sharding:
  clusterRole: "configsvr"
replication:
  replSetName: "configReplSet"
2) Created an admin user on one of the config nodes and was able to log in with the admin user.
mongo --port 10901 -u "admin" -p "adminpwd" --authenticationDatabase "admin" --host <IP>
now the console says, user:PRIMARY>
3) Created replica set using the below command.
rs.initiate(
  {
    _id: "configReplSet",
    configsvr: true,
    members: [
      { _id : 0, host : "<IP1>:10901" },
      { _id : 1, host : "<IP2>:10901" },
      { _id : 2, host : "<IP3>:10901" }
    ]
  }
)
4) Executed rs.status() and got the proper output.
5) Started Mongo shards with the below config in all 3 instances.
net:
  bindIp: 0.0.0.0
  port: 10903
setParameter:
  enableLocalhostAuthBypass: false
systemLog:
  destination: file
  path: "<LOG_PATH>"
  logAppend: true
processManagement:
  fork: true
storage:
  dbPath: "<DB_PATH>/shard_data/"
  journal:
    enabled: true
security:
  keyFile: "<KEY_FILE>"
sharding:
  clusterRole: "shardsvr"
replication:
  replSetName: "shardReplSet"
6) Created an admin user on one of the shard nodes as well and was able to log in with the admin user.
mongo --port 10903 -u "admin" -p "adminpwd" --authenticationDatabase "admin" --host <IP>
7) Created shard replica set using the below command.
rs.initiate(
  {
    _id: "shardReplSet",
    members: [
      { _id : 0, host : "<IP1>:10903" },
      { _id : 1, host : "<IP2>:10903" },
      { _id : 2, host : "<IP3>:10903" }
    ]
  }
)
8) Started the router with the below config
# where to write logging data.
systemLog:
  destination: file
  logAppend: true
  path: <LOG_PATH_FOR_MONGOS>
# network interfaces
net:
  port: 10902
security:
  keyFile: <KEY_FILE>
processManagement:
  fork: true
sharding:
  configDB: configReplSet/<IP1>:10901,<IP2>:10901,<IP3>:10901
6) Connected to mongos using mongo
mongo --port 10902 -u "admin" -p "adminpwd" --authenticationDatabase "admin" --host <IP>
Now, I see the below in my command.
MongoDB server version: 3.4.2
mongos>
7) Now added each shard in the mongos interface.
Since I have configured a replica set,
sh.addShard("shardReplSet/:10903, :10903, :10903")
Issues :-
1) Unable to connect to mongodb from the remote machine
I am able to connect to the other node within these 3 nodes.
From Node1,
mongo --port 10902 -u "user" -p "password" --authenticationDatabase "admin" --host
mongo --port 10902 -u "user" -p "password" --authenticationDatabase "admin" --host
mongo --port 10902 -u "user" -p "password" --authenticationDatabase "admin" --host
All the above 3 connections are working from Node1 and Node2 and Node3.
But if I try to connect to these instances from my localhost, I get a timeout error.
I am able to ssh to these servers.
2) I am running config on port 10901, shard on port 10903 and router on port 10902, with config, shard and router running on each node. Is this ok?
The DB paths for config and shard are different. I have to create an admin user on each service (config, shard, router). Is this correct?
Created replica set for config and shard server, but not for router? Is this ok?
4) Unable to connect to these instances from a remote mongo chef tool. I use the router port to connect to these instances? Is this correct? If so, Do I need to run router on each node?
5) Do we need to connect to port 10903, 10902 or 10901 to create new databases and create new users for DBs?
6) Is there anything else important to be added here?
Thanks
I am using a MongoDB cluster, version 3.4, on Google Cloud Compute Engine. Last week my database got attacked by hackers, which is why I thought about using authorization so that I can avoid these types of attacks. To add authorization I followed this article, how-to-create-mongodb-replication-clusters. I have now added a keyfile with chmod 0600 on each of my cluster nodes, but when I try to add my first admin user I get the error below.
use admin
switched to db admin
rs0:PRIMARY> db.createUser({user: "RootAdmin", pwd: "password123", roles: [ { role: "root", db: "admin" } ]});
2017-01-21T18:19:09.814+0000 E QUERY [main] Error: couldn't add user: not authorized on admin to execute command { createUser: "RootAdmin", pwd: "xxx", roles: [ { role: "root", db: "admin" } ], digestPassword: false, writeConcern: { w: "majority", wtimeout: 300000.0 } } :
_getErrorWithCode#src/mongo/shell/utils.js:25:13
DB.prototype.createUser#src/mongo/shell/db.js:1290:15
#(shell):1:1
I have searched everywhere but haven't found anything on why I am getting this error.
Can anyone please help me solve this error?
UPDATE
My config file is given below for each of the instances
Secondary Server Config
#!/bin/bash
# mongod.conf
# for documentation of all options, see:
#   http://docs.mongodb.org/manual/reference/configuration-options/

# Where and how to store data.
storage:
  dbPath: /var/lib/mongodb
  journal:
    enabled: false
#  engine:
  mmapv1:
    smallFiles: true
#  wiredTiger:

# where to write logging data.
systemLog:
  destination: file
  logAppend: true
  path: /var/log/mongodb/mongod.log

# network interfaces
net:
  port: 27017
  bindIp: 0.0.0.0

replication:
  replSetName: rs0

#processManagement:

security:
  authorization: disabled
  keyFile: /opt/mongodb/keyfile

#operationProfiling:
#replication:
#sharding:

## Enterprise-Only Options:
#auditLog:
#snmp:
Arbiter Server Config
#!/bin/bash
# mongod.conf
# for documentation of all options, see:
#   http://docs.mongodb.org/manual/reference/configuration-options/

# Where and how to store data.
storage:
  dbPath: /mnt/mongodb/db
  journal:
    enabled: true
#  engine:
#  mmapv1:
#    smallFiles: true
#  wiredTiger:

# where to write logging data.
systemLog:
  destination: file
  logAppend: true
  path: /mnt/mongodb/log/mongodb.log

# network interfaces
net:
  port: 27017
  bindIp: 0.0.0.0

replication:
  replSetName: rs0

#processManagement:

security:
  authorization: disabled
  keyFile: /opt/mongodb/keyfile

#operationProfiling:
#replication:
#sharding:

## Enterprise-Only Options:
#auditLog:
#snmp:
Primary Server Config
#!/bin/bash
# mongod.conf
# for documentation of all options, see:
#   http://docs.mongodb.org/manual/reference/configuration-options/

# Where and how to store data.
storage:
  dbPath: /mnt/mongodb/db
  journal:
    enabled: true
#  engine:
#  mmapv1:
#    smallFiles: true
#  wiredTiger:

# where to write logging data.
systemLog:
  destination: file
  logAppend: true
  path: /mnt/mongodb/log/mongodb.log

# network interfaces
net:
  port: 27017
  bindIp: 0.0.0.0

replication:
  replSetName: rs0

#processManagement:

security:
  authorization: disabled
  keyFile: /opt/mongodb/keyfile

#operationProfiling:
#replication:
#sharding:

## Enterprise-Only Options:
#auditLog:
#snmp:
You have to change your mongod.conf file to disable authorization before creating such an admin user
security:
  authorization: disabled
After that, restart the mongod service and open mongodb shell to create the admin user
use admin
db.createUser({user:"RootAdmin",pwd:"blahblah",roles:["root"]})
Remember to turn authorization back on after creating the user.
johnlowvale's answer is correct, but
keyFile implies security.authorization.
source: https://docs.mongodb.com/manual/reference/configuration-options/#security.keyFile
You have to disable authorization AND the keyFile.
security:
  authorization: disabled
  # keyFile: /opt/mongodb/keyfile
(insufficient rep or I'd have just commented this on johnlowvale's answer)
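The two answers above hinge on reading a mongod.conf correctly: a keyFile switches authorization on no matter what security.authorization says, and while authorization is off for the bootstrap step a bindIp of 0.0.0.0 leaves the server open to everyone, which is the window the asker's "attacked by hackers" remark describes. The following is an added example, not code from this thread: a small linter that parses the indented key: value subset of YAML these config files use and reports those conditions, plus the enableLocalhostAuthBypass: false case from the sharded-cluster question, where the localhost exception needed to create the first user is switched off. It assumes configs contain no YAML lists or anchors.

```python
"""Lint a mongod.conf for the pitfalls discussed in this thread (added
example, not from any answer). Parses only indented key: value lines."""


def parse_conf(text):
    """Parse indentation-nested key: value lines into nested dicts."""
    stack = [(-1, {})]                         # (indent, dict) per open section
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()  # drop comments and shebang
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip())
        key, _, value = line.strip().partition(":")
        while indent <= stack[-1][0]:          # close deeper sections
            stack.pop()
        parent = stack[-1][1]
        if value.strip():
            parent[key] = value.strip().strip('"')
        else:
            parent[key] = {}
            stack.append((indent, parent[key]))
    return stack[0][1]


def audit(conf):
    """Return findings for the config; an empty list means nothing flagged."""
    sec, net = conf.get("security", {}), conf.get("net", {})
    bypass = conf.get("setParameter", {}).get("enableLocalhostAuthBypass")
    # A keyFile turns on authorization, whatever security.authorization says.
    auth_on = "keyFile" in sec or sec.get("authorization") == "enabled"
    findings = []
    if "keyFile" in sec and sec.get("authorization") == "disabled":
        findings.append("keyFile implies authorization; 'authorization: disabled' is ignored")
    bind = [b.strip() for b in str(net.get("bindIp", "127.0.0.1")).split(",")]
    if not auth_on and any(b in ("0.0.0.0", "::") for b in bind):
        findings.append("listening on all interfaces with authorization off")
    if auth_on and bypass == "false":
        findings.append("localhost exception disabled: create the first user before applying this")
    return findings


# Constructed from the "Secondary Server Config" posted above, trimmed.
SECONDARY_CONF = """\
net:
  bindIp: 0.0.0.0
security:
  authorization: disabled   # has no effect while keyFile is set
  keyFile: /opt/mongodb/keyfile
"""
```

Running audit(parse_conf(SECONDARY_CONF)) flags the keyFile/authorization contradiction; remove the keyFile line as the answer above suggests and the same config is instead flagged as open on all interfaces, so do the bootstrap with bindIp restricted to 127.0.0.1.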
Once you are connected to this first node, you can initiate the replica set with rs.initiate(). Again, this command must be run from the same host as the mongod to use the localhost exception.
We can create our admin user with the following commands:
rs.initiate()
use admin
db.createUser({
  user: "admin",
  pwd: "pass",
  roles: [
    {role: "root", db: "admin"}
  ]
})
Edit /lib/systemd/system/mongod.service with vim, remove --auth and restart:
#ExecStart=/usr/bin/mongod --quiet --auth --config /etc/mongod.conf
ExecStart=/usr/bin/mongod --quiet --config /etc/mongod.conf
use admin
db.createUser({user:"RootAdmin",pwd:"blahblah",roles:["root"]})
To be able to create a new user, you need to first disable security in /etc/mongod.conf (YAML comments use #):
# security:
#   authorization: enabled
Then restart the MongoDB server
sudo service mongo restart
After this you can add the user and role that you want from the shell.
db.createUser({
  user: 'test_user',
  pwd: 'test',
  roles: [
    { role: "userAdmin", db: "test" },
    { role: "dbAdmin", db: "test" },
    { role: "readWrite", db: "test" }
  ]
})
To enable authenticated connections, uncomment the lines again in /etc/mongod.conf
security:
  authorization: enabled
and restart the server again.
When a new database is set up with authorisation/security enabled but no users set up, you can only connect to it from the localhost. In your config file you should have bindIp set to 127.0.0.1, I think, in order to make sure you connect to it with the correct authorisation to create new users.
This is what it says in the MongoDB course M103:
By default, a mongod that enforces authentication but has no configured users only allows connections through the localhost.