MongoDB: Server has startup warnings ''Access control is not enabled for the database'' - mongodb

I firstly installed MongoDB 3.4.1 today. But when I start it and use MongoDB shell, it gave me these warnings below:
C:\Users\hs>"C:\Program Files\MongoDB\Server\3.4\bin\mongo.exe
MongoDB shell version v3.4.1
connecting to: mongodb://127.0.0.1:27017
MongoDB server version: 3.4.1
Server has startup warnings:
2017-01-12T21:19:46.941+0800 I CONTROL [initandlisten]
2017-01-12T21:19:46.942+0800 I CONTROL [initandlisten] ** WARNING: Access control is not enabled for the database.
2017-01-12T21:19:46.942+0800 I CONTROL [initandlisten] ** Read and write access to data and configuration is unrestricted.
2017-01-12T21:19:46.942+0800 I CONTROL [initandlisten]
my computer is Microsoft Windows [version 10.0.14393].


Mongodb v3.4
You need to do the following to create a secure database:
Make sure the user starting the process has permissions and that the directories exist (/data/db in this case).
1) Start MongoDB without access control.
mongod --port 27017 --dbpath /data/db
2) Connect to the instance.
mongo --port 27017
3) Create the user administrator (in the admin authentication database).
use admin
db.createUser(
{
user: "myUserAdmin",
pwd: "abc123",
roles: [ { role: "userAdminAnyDatabase", db: "admin" } ]
}
)
4) Re-start the MongoDB instance with access control.
mongod --auth --port 27017 --dbpath /data/db
5) Connect and authenticate as the user administrator.
mongo --port 27017 -u "myUserAdmin" -p "abc123" --authenticationDatabase "admin"
6) Create additional users as needed for your deployment (e.g. in the test authentication database).
use test
db.createUser(
{
user: "myTester",
pwd: "xyz123",
roles: [ { role: "readWrite", db: "test" },
{ role: "read", db: "reporting" } ]
}
)
7) Connect and authenticate as myTester.
mongo --port 27017 -u "myTester" -p "xyz123" --authenticationDatabase "test"
I basically just explained the short version of the official docs here: https://docs.mongodb.com/master/tutorial/enable-authentication/


OMG, what a gas plant, that top answer!
All you need to do is to:
Edit your config, e.g. C:\Program Files\MongoDB\Server\4.4\bin\mongodb.cfg
Turn the security: authorization: to enabled, as illustrated; note that this sub-entry may be missing completely. Just add it then.
Restart your MongoDB Server service from the Windows Services control panel.
Obviously, if, following this, set up a read/readWrite role-based policy, that will make much more sense.
Ref: https://docs.mongodb.com/manual/tutorial/configure-scram-client-authentication/
I've just tested this using phpunit, works as expected.


you can create an admin user or another role.
run it on mongo shell.
db.createUser({user: "username", pwd: "password", roles: ["dbAdmin"]})
if you get SCRAM-SHA-256error you can set the SHA-1 mechanism.
db.createUser({user: "username", pwd: "password", roles: ["dbAdmin"], mechanisms: ["SCRAM-SHA-1"]})


You need to delete your old db folder and recreate new one. It will resolve your issue.

Related

Mongo secure database

I'mnew on mongo and I'm finding some diferencces with SQL database, I'have created a database and I have created an user this way
db.createUser(
{
user: "chatlearning",
pwd: "mypass",
roles: [ { role: "readWrite", db: "chatlearning" }]
}
)
But I can acces to the database with mongodb compass without introducing any login ingo , what do I have to avoid the access to the database to any other user that not intruces the login?

After creating user have you restarted the mongo server in auth mode?
Here the process to start the mongod with access control enabled.
If you start the mongod from the command line, add the --auth command line option:
mongod --auth --port 27017 --dbpath /var/lib/mongodb
If you start the mongod using a configuration file (/etc/mongod.conf), add the security.authorization configuration file setting:
security:
authorization: enabled

MongoDB Compass Community: Databases are visible but their collections are not showing up after authentication

I created a default admin user with the following command in mongoshell:
use admin
db.createUser(
{
user: "root",
pwd: "root",
roles: [ { role: "userAdminAnyDatabase", db: "admin" } ]
}
)
Then I authenticated using the shell and my credentianls as following:
mongo --port 27017 -u "root" -p "root" --authenticationDatabase "admin"
In the shell I am able to see the users and version collections using:
> show dbs
admin 0.000GB
config 0.000GB
local 0.000GB
test 0.000GB
> use admin
switched to db admin
> show tables
system.users
system.version
>
Now when I try to access these tables from MongoDB Compass Community I first authenticate:
Now the admin database is showing up empty?
How can I access the users collection and the other collections from the graphic interface just as I did from the shell?

The reason why you cannot see the user collection and other collections is the userAdminAnyDatabase built-in role. By default It does not need the necessary rights to read those collections.
Try root or dbAdminAnyDatabase depends on your needs.
Cheers,
Resource:
https://docs.mongodb.com/manual/reference/built-in-roles/

In short : Use "root" in role instead of "userAdminAnyDatabase" and try again.
If use was set this config in "C:\Program Files\MongoDB\Server\4.4\bin\mongod.cfg"
security:
authorization: enabled
You need to comment these 2 line by insert # at start of lines.
Then restart service of "MongoDB Server (MongoDB)".
Open Cmd type these command line by line
mongo
use admin
db.grantRolesToUser('admin', [{ role: 'root', db: 'admin' }])
Then uncomment security and authorization in mongod.cfg and restart service "MongoDB Server (MongoDB)" again.
You can see how to create or update user role in this answer
Thanks Dan Dascalescu.
https://stackoverflow.com/a/29472184/4418749

How to use the mongodb localhost exception?

From the documentation:
The localhost exception allows you to enable access control and then
create the first user in the system. With the localhost exception,
after you enable access control, connect to the localhost interface
and create the first user in the admin database. The first user must
have privileges to create other users, such as a user with the
userAdmin or userAdminAnyDatabase role.
So I run the latest mongo with enabled access control (--auth):
docker run -p 27017:27017 mongo --auth
connect with my shell and try to create the admin user:
mongo
MongoDB shell version v4.0.2
connecting to: mongodb://127.0.0.1:27017
MongoDB server version: 4.0.2
> use admin
switched to db admin
> db.createUser(
... {
... user: "admin",
... pwd: "password",
... roles: [ { role: "userAdminAnyDatabase", db: "admin" }, "readWriteAnyDatabase" ]
... }
... )
2018-10-03T15:29:30.234+0200 E QUERY [js] Error: couldn't add user: command createUser requires authentication :
_getErrorWithCode#src/mongo/shell/utils.js:25:13
DB.prototype.createUser#src/mongo/shell/db.js:1491:15
#(shell):1:1
What am I doing wrong?

You are not connecting to localhost but to the exported port.
For the exception to work you need to connect to localhost from within the container.
E.g.:
docker exec -it `docker ps --filter ancestor=mongo --format "{{.ID}}"` mongo

See / change local username and password for MongoDB?

Ive downloaded a project using MongoDB and im having trouble getting set up. From the terminal where ive run mongod I see this error:
2017-05-26T14:51:22.908+0800 I ACCESS [conn21] SCRAM-SHA-1 authentication failed for user on wesbostest from client 127.0.0.1:51653 ; UserNotFound: Could not find user user#wesbostest
From my npm start terminal mongoose logs out this error: Authentication failed.
My environment file has this line:
DATABASE=mongodb://user:pass#localhost:27017/wesbostest
Ive got MongoDB Compass installed. It successfully connects with these settings:
Hostname: localhost
Port: 27017
Authentication: None
SSL: Off
SSH Tunnel: Off
So I think the user:pass part of the environment file is wrong? How can I see what local username and password are and/or set them if no authentication is set up?

I solved this by setting a username and password for MongoDB:
MongoDB what are the default user and password?
Procedure
Start MongoDB without access control.
mongod --port 27017 --dbpath /data/db1
Connect to the instance.
mongo --port 27017
Create the user administrator.
use admin
db.createUser(
{
user: "myUserAdmin",
pwd: "abc123",
roles: [ { role: "userAdminAnyDatabase", db: "admin" } ]
}
)
Re-start the MongoDB instance with access control.
mongod --auth --port 27017 --dbpath /data/db1
Authenticate as the user administrator.
mongo --port 27017 -u "myUserAdmin" -p "abc123" \
--authenticationDatabase "admin"

MongoDB what are the default user and password?

I am using the same connection string on local and production.
When the connection string is mongodb://localhost/mydb
What is the username and password?
Is it secure to keep it this way?

By default mongodb has no enabled access control, so there is no default user or password.
To enable access control, use either the command line option --auth or security.authorization configuration file setting.
You can use the following procedure or refer to Enabling Auth in the MongoDB docs.
Procedure
Start MongoDB without access control.
mongod --port 27017 --dbpath /data/db1
Connect to the instance.
mongosh --port 27017
Create the user administrator.
use admin
db.createUser(
{
user: "myUserAdmin",
pwd: passwordPrompt(), // or cleartext password
roles: [
{ role: "userAdminAnyDatabase", db: "admin" },
{ role: "readWriteAnyDatabase", db: "admin" }
]
}
)
Re-start the MongoDB instance with access control.
mongod --auth --port 27017 --dbpath /data/db1
Authenticate as the user administrator.
mongosh --port 27017 --authenticationDatabase "admin"\
-u "myUserAdmin" -p

In addition with what #Camilo Silva already mentioned, if you want to give free access to create databases, read, write databases, etc, but you don't want to create a root role, you can change the 3rd step with the following:
use admin
db.createUser(
{
user: "myUserAdmin",
pwd: "abc123",
roles: [ { role: "userAdminAnyDatabase", db: "admin" },
{ role: "dbAdminAnyDatabase", db: "admin" },
{ role: "readWriteAnyDatabase", db: "admin" } ]
}
)
If you have already created the user, you can update the user as follows:
First log on:
mongo --port 27017 -u "myUserAdmin" -p "abc123" \
--authenticationDatabase "admin"
The add permissions:
use admin
db.grantRolesToUser(
"myUserAdmin",
[ { role: "userAdminAnyDatabase", db: "admin" },
{ role: "dbAdminAnyDatabase", db: "admin" },
{ role: "readWriteAnyDatabase", db: "admin" } ]
)

For MongoDB earlier than 2.6, the command to add a root user is addUser (e.g.)
db.addUser({user:'admin',pwd:'<password>',roles:["root"]})

In addition to previously provided answers, one option is to follow the 'localhost exception' approach to create the first user if your db is already started with access control (--auth switch). In order to do that, you need to have localhost access to the server and then run:
mongo
use admin
db.createUser(
{
user: "user_name",
pwd: "user_pass",
roles: [
{ role: "userAdminAnyDatabase", db: "admin" },
{ role: "readWriteAnyDatabase", db: "admin" },
{ role: "dbAdminAnyDatabase", db: "admin" }
]
})
As stated in MongoDB documentation:
The localhost exception allows you to enable access control and then create the first user in the system. With the localhost exception, after you enable access control, connect to the localhost interface and create the first user in the admin database. The first user must have privileges to create other users, such as a user with the userAdmin or userAdminAnyDatabase role. Connections using the localhost exception only have access to create the first user on the admin database.
Here is the link to that section of the docs.

Go to mongo in your instance
mongo
use admin
db.createUser({user:"Username", pwd:"Password", roles:[{role:"root", db:"admin"}]})

mongod --bind_ip_all --auth
use this command after modifying the .conf file:
network interfaces
net:
port: 27017
bindIp: 127.0.0.1,mongodb_server_ip