Authenticate mongodb on aws linux server - mongodb

I know this has been asked many times before but trust me i have used that,
I just want to know the step to step procudure to authenticate the mongodb 3.0+ on linux aws server.

You can use following procedure to enable auth on stand-alone mongodb deployment:
Create an administrator user
use admin
db.createUser(
{
user: "userAdmin",
pwd: "xxxxx",
roles: [ { role: "userAdminAnyDatabase", db: "admin" } ]
}
)
Modify mongod.conf file to enable auth
security:
authorization: enabled
Restart mongod service:
sudo service mongod restart
Connect and authenticate as the user administrator
mongo
use admin
db.auth("userAdmin", "xxxxx")
Create additional users as needed for your deployment:
use yourdb
db.createUser(
{
user: "testuser",
pwd: "xxxxxx",
roles: [ { role: "readWrite", db: "yourdb" }
]
}
)
Try logging in using mongo shell
mongo
Reference doc

Related

MongoDB create replica set with authentication enabled

I have a monogDB replica set running on windows , im trying to add users and authentication to them.
use admin
db.createUser(
{
user: "admin",
pwd: "password",
roles: [ { role: "root", db: "admin" } ]
}
);
exit;
mongo --port 27017 -u admin -p password --authenticationDatabase admin
use test
db.createUser(
{
user: "tester",
pwd: "password",
roles: [
{ role: "read", db: "test1" },
{ role: "read", db: "test2" },
{ role: "read", db: "test3" },
{ role: "readWrite", db: "test" }
]
}
);
after creating the user I modify the cfg files of all three replica nodes changing to authorization: enabled. restarting the service and try to log in to servers.
I am able to enter with the user but all nodes changes the status to "OTHER", and if I change the authorization to unmarked (# - like it was) the replica set is working fine but the user I created doesn't work.
Any suggestions?
or does anyone know the actual steps to create replica set with authentication enabled?
Usually you do it the other way around. First enable authentication, then create the users. And typically all users are created in admin database only.
Anyway, regarding your problem: When you enable authentication then the nodes must also authenticate internally, i.e. when a replica set member connects to another replica set member.
See Internal/Membership Authentication
The simple way is to use a keyfile for this.
First create the keyfile:
openssl rand -base64 756 > <path-to-keyfile>
If you don't have openSSL you can download it from OpenSSL for Windows. Then copy this keyfile to each replica set member.
Put this option to the MongoDB configuration files:
security:
authorization: enabled
keyFile: <path-to-keyfile>
Restart the MongoDB service, then it should work.
See also Deploy Replica Set With Keyfile Authentication or Update Replica Set to Keyfile Authentication or Update Replica Set to Keyfile Authentication (No Downtime)

Authenticating into Mongodb docker container

How to use authentication in Mongodb docker container? Create user and use that user authentication in Mongodb containers
While using Mongodb and Python flask application, we want to secure mongodb container with perticular username and password.
As written in the documentation on docker hub, you need to run the image with the --auth flag, and then add the initial admin user. Summary of the steps:
Start the Database
docker run --name some-mongo -d mongo --auth
Add the Initial Admin User
$ docker exec -it some-mongo mongo admin
connecting to: admin
> db.createUser({ user: 'jsmith', pwd: 'some-initial-password', roles: [ { role: "userAdminAnyDatabase", db: "admin" } ] });
Successfully added user: {
"user" : "jsmith",
"roles" : [
{
"role" : "userAdminAnyDatabase",
"db" : "admin"
}
]
}

MongoDB: Server has startup warnings ''Access control is not enabled for the database''

I firstly installed MongoDB 3.4.1 today. But when I start it and use MongoDB shell, it gave me these warnings below:
C:\Users\hs>"C:\Program Files\MongoDB\Server\3.4\bin\mongo.exe
MongoDB shell version v3.4.1
connecting to: mongodb://127.0.0.1:27017
MongoDB server version: 3.4.1
Server has startup warnings:
2017-01-12T21:19:46.941+0800 I CONTROL [initandlisten]
2017-01-12T21:19:46.942+0800 I CONTROL [initandlisten] ** WARNING: Access control is not enabled for the database.
2017-01-12T21:19:46.942+0800 I CONTROL [initandlisten] ** Read and write access to data and configuration is unrestricted.
2017-01-12T21:19:46.942+0800 I CONTROL [initandlisten]
my computer is Microsoft Windows [version 10.0.14393].
Mongodb v3.4
You need to do the following to create a secure database:
Make sure the user starting the process has permissions and that the directories exist (/data/db in this case).
1) Start MongoDB without access control.
mongod --port 27017 --dbpath /data/db
2) Connect to the instance.
mongo --port 27017
3) Create the user administrator (in the admin authentication database).
use admin
db.createUser(
{
user: "myUserAdmin",
pwd: "abc123",
roles: [ { role: "userAdminAnyDatabase", db: "admin" } ]
}
)
4) Re-start the MongoDB instance with access control.
mongod --auth --port 27017 --dbpath /data/db
5) Connect and authenticate as the user administrator.
mongo --port 27017 -u "myUserAdmin" -p "abc123" --authenticationDatabase "admin"
6) Create additional users as needed for your deployment (e.g. in the test authentication database).
use test
db.createUser(
{
user: "myTester",
pwd: "xyz123",
roles: [ { role: "readWrite", db: "test" },
{ role: "read", db: "reporting" } ]
}
)
7) Connect and authenticate as myTester.
mongo --port 27017 -u "myTester" -p "xyz123" --authenticationDatabase "test"
I basically just explained the short version of the official docs here: https://docs.mongodb.com/master/tutorial/enable-authentication/
OMG, what a gas plant, that top answer!
All you need to do is to:
Edit your config, e.g. C:\Program Files\MongoDB\Server\4.4\bin\mongodb.cfg
Turn the security: authorization: to enabled, as illustrated; note that this sub-entry may be missing completely. Just add it then.
Restart your MongoDB Server service from the Windows Services control panel.
Obviously, if, following this, set up a read/readWrite role-based policy, that will make much more sense.
Ref: https://docs.mongodb.com/manual/tutorial/configure-scram-client-authentication/
I've just tested this using phpunit, works as expected.
you can create an admin user or another role.
run it on mongo shell.
db.createUser({user: "username", pwd: "password", roles: ["dbAdmin"]})
if you get SCRAM-SHA-256error you can set the SHA-1 mechanism.
db.createUser({user: "username", pwd: "password", roles: ["dbAdmin"], mechanisms: ["SCRAM-SHA-1"]})
You need to delete your old db folder and recreate new one. It will resolve your issue.

MongoDB what are the default user and password?

I am using the same connection string on local and production.
When the connection string is mongodb://localhost/mydb
What is the username and password?
Is it secure to keep it this way?
By default mongodb has no enabled access control, so there is no default user or password.
To enable access control, use either the command line option --auth or security.authorization configuration file setting.
You can use the following procedure or refer to Enabling Auth in the MongoDB docs.
Procedure
Start MongoDB without access control.
mongod --port 27017 --dbpath /data/db1
Connect to the instance.
mongosh --port 27017
Create the user administrator.
use admin
db.createUser(
{
user: "myUserAdmin",
pwd: passwordPrompt(), // or cleartext password
roles: [
{ role: "userAdminAnyDatabase", db: "admin" },
{ role: "readWriteAnyDatabase", db: "admin" }
]
}
)
Re-start the MongoDB instance with access control.
mongod --auth --port 27017 --dbpath /data/db1
Authenticate as the user administrator.
mongosh --port 27017 --authenticationDatabase "admin"\
-u "myUserAdmin" -p
In addition with what #Camilo Silva already mentioned, if you want to give free access to create databases, read, write databases, etc, but you don't want to create a root role, you can change the 3rd step with the following:
use admin
db.createUser(
{
user: "myUserAdmin",
pwd: "abc123",
roles: [ { role: "userAdminAnyDatabase", db: "admin" },
{ role: "dbAdminAnyDatabase", db: "admin" },
{ role: "readWriteAnyDatabase", db: "admin" } ]
}
)
If you have already created the user, you can update the user as follows:
First log on:
mongo --port 27017 -u "myUserAdmin" -p "abc123" \
--authenticationDatabase "admin"
The add permissions:
use admin
db.grantRolesToUser(
"myUserAdmin",
[ { role: "userAdminAnyDatabase", db: "admin" },
{ role: "dbAdminAnyDatabase", db: "admin" },
{ role: "readWriteAnyDatabase", db: "admin" } ]
)
For MongoDB earlier than 2.6, the command to add a root user is addUser (e.g.)
db.addUser({user:'admin',pwd:'<password>',roles:["root"]})
In addition to previously provided answers, one option is to follow the 'localhost exception' approach to create the first user if your db is already started with access control (--auth switch). In order to do that, you need to have localhost access to the server and then run:
mongo
use admin
db.createUser(
{
user: "user_name",
pwd: "user_pass",
roles: [
{ role: "userAdminAnyDatabase", db: "admin" },
{ role: "readWriteAnyDatabase", db: "admin" },
{ role: "dbAdminAnyDatabase", db: "admin" }
]
})
As stated in MongoDB documentation:
The localhost exception allows you to enable access control and then create the first user in the system. With the localhost exception, after you enable access control, connect to the localhost interface and create the first user in the admin database. The first user must have privileges to create other users, such as a user with the userAdmin or userAdminAnyDatabase role. Connections using the localhost exception only have access to create the first user on the admin database.
Here is the link to that section of the docs.
Go to mongo in your instance
mongo
use admin
db.createUser({user:"Username", pwd:"Password", roles:[{role:"root", db:"admin"}]})
mongod --bind_ip_all --auth
use this command after modifying the .conf file:
network interfaces
net:
port: 27017
bindIp: 127.0.0.1,mongodb_server_ip

authentication with mongo shard

I am setting up a Mongo test shard and would like to use Mongo user authentication with it. I have added the user on the config server(s). I am not certain if I need to add the same user on all the shards as well. I am assuming I do not need to add the user on the query router (mongos). However, when I simply add the user on the config server (via the Mongo shell), I can authenticate if I stay in the shell. However, as soon as I log out of the shell and log back in, I am unable to log back in with the same credentials. The shard servers do have a data directory associated with them as does the config server. Any ideas on how to troubleshoot this further?
Creating user
db.createUser( { user: "test",
pwd: "testPassword",
roles: [ { role: "clusterAdmin", db: "admin" },
{ role: "readAnyDatabase", db: "admin" },
"readWrite"] },
{ w: "majority" , wtimeout: 5000 } )
authenticating
db.auth("test", "testPassword")
I did specify a data directory for the config server (running on port 27019, not 27017 & the data directory has the correct permissions for the mongo process).
mongod --configsvr --dbpath /var/lib/mongodb3 --port 27019
Once the mongo cluster is properly setup (query router connected to config server and shards with replica sets & config serers/shards writing to disk), I was able to simply add the user via the query router and get authentication working with a Mongo Java driver