> use failsafereports;
> db.createUser({ user : 'readonly', pwd: 'readonly', roles : ['read']})
Successfully added user: { "user" : "readonly", "roles" : [ "read" ] }
> show users;
{
"_id" : "failsafereports.readonly",
"user" : "readonly",
"db" : "failsafereports",
"roles" : [
{
"role" : "read",
"db" : "failsafereports"
}
]
}
> db.auth('readonly','readonly')
Error: 18 { ok: 0.0, errmsg: "auth failed", code: 18 }
0
I am creating a new user.
It shows when I use show users
But when I try to auth, it fails.
any ideas?
I've read around the internet about this problem occurring from the command line, but couldn't find one that happens from mongo shell.
Related
I added an 'admin' user in the admin db, with roles on admin db and another db :
[admin] user: yves>db.auth("isabelle", "abc123")
1
[admin] user: isabelle>db.getUser("isabelle")
{
"_id" : "admin.isabelle",
"user" : "isabelle",
"db" : "admin",
"roles" : [
{
"role" : "userAdmin",
"db" : "admin"
},
{
"role" : "dbOwner",
"db" : "cockpit"
}
]
}
I am testing that this user cannot admin the 'test' database ( updating a tester user email )
[admin] user: isabelle>use test
switched to db test
[test] user: isabelle>db.updateUser(
... "myTester",
... {
... customData: {email: "mytester#example.com"}
... }
... )
As 'isabelle' has no roles on 'test' db , she should not be allowed to update any user on this db ... (?)
but it is ...
[test] user: isabelle>db.getUser("myTester")
{
"_id" : "test.myTester",
"user" : "myTester",
"db" : "test",
"roles" : [
{
"role" : "readWrite",
"db" : "test"
},
{
"role" : "read",
"db" : "reporting"
}
],
"customData" : {
"email" : "mytester#example.com"
}
}
what am I missing ?
do the isabelle' role 'userAdmin' on 'admin' db allow it ?
I tried to remove it, but it deosn(t change anything ...
I also tried to move isabelle in the cockpit database, with dbOwner role, it doesn't change anything... isabelle is still able to update myTester user in the test database...
how can I restrict isabelle to admin only the 'cockpit' db ( managing users and roles for this db ..?
thanks for enlightment ...
Add to your mongod.conf
security:
authorization: enabled
Also check this mongodb link.
When I try to get info about replica I get the following error:
rep0:PRIMARY> rs.printReplicationInfo()
2015-05-19T13:30:29.231+0200 error: {
"$err" : "not authorized for query on local.system.namespaces",
"code" : 13
} at src/mongo/shell/query.js:131
I have tried to execute the command with the two following users:
[
{
"_id" : "admin.siteRootAdmin",
"user" : "siteRootAdmin",
"db" : "admin",
"roles" : [
{
"role" : "root",
"db" : "admin"
}
]
},
{
"_id" : "admin.mongoadmin",
"user" : "mongoadmin",
"db" : "admin",
"roles" : [
{
"role" : "userAdminAnyDatabase",
"db" : "admin"
},
{
"role" : "dbOwner",
"db" : "admin"
},
{
"role" : "clusterAdmin",
"db" : "admin"
}
]
}
]
Althought I have clusterAdmin role to work with replicas, I have tried to update roles of mongoadmin to read local database (as all roles are granted on admin db) but I get the following error:
rep0:PRIMARY> db.system.users.update({"user":"mongoadmin"},{$addToSet:{"roles":"readAnyDatabase"}})
WriteResult({
"writeError" : {
"code" : 13,
"errmsg" : "not authorized on admin to execute command { update: \"system.users\", updates: [ { q: { user: \"mongoadmin\" }, u: { $addToSet: { roles: \"readAnyDatabase\" } }, multi: false, upsert: false } ], ordered: true }"
}
})
What is supposed I need to have in order to get full access to all
replica commands in addition to clusterAdmin role?
If any of both users have permissions in admin db (mongoadmin is dbOwner), why I don't have permissions for update command?
I was updating roles with the wrong command here is the right one:
db.grantRolesToUser( "mongoadmin", [{ role: "read", db: "local"}])
Now I can check the replicainfo:
rep0:PRIMARY> rs.printReplicationInfo()
configured oplog size: 990MB
log length start to end: 617347secs (171.49hrs)
oplog first event time: Thu May 14 2015 14:25:04 GMT+0200 (CEST)
oplog last event time: Thu May 21 2015 17:54:11 GMT+0200 (CEST)
now: Thu May 21 2015 17:54:24 GMT+0200 (CEST)
I am logged in with the following:
{
"_id" : "admin.root",
"user" : "root",
"db" : "admin",
"roles" : [
{
"role" : "root",
"db" : "admin"
}
]
}
The following happens:
> use mydb
switched to db mydb
> db.dropUser("mydbReadWrite")
false
I suspect I do not have the roles, I am root?
It was correct, the user was somehow dropped before without notifying me(hmm...). So it returned false as the user did not exist.
may be you need switch to the db that you create the uesr "mydbReadWrite"
> use mydb
switched to db mydb
> show users
{
"_id" : "mydb.mydbReadWrite",
"user" : "mydbReadWrite",
"db" : "mydb",
"roles" : [
{
"role" : "readWrite",
"db" : "mydb"
}
]
}
> db.dropUser(mydbReadWrite)
2015-03-29T03:55:52.276+0200 E QUERY ReferenceError: mydbReadWrite is not defined
at (shell):1:13
I don't understand? I am logged in with a root user.
db.dropUser(mydbReadWrite)
instead use:
db.dropUser("mydbReadWrite")
For instance, if I have this user:
> db.system.users.find()
{ "user" : "testAdmin", "pwd" : "[some hash]", "roles" : [ "clusterAdmin" ], "otherDBRoles" : { "TestDB" : [ "readWrite" ] } }
And I want to give that user the dbAdmin permissions on the TestDB database, I can remove the user record then add it back with the new permissions:
> db.system.users.remove({"user":"testAdmin"})
> db.addUser( { user: "testAdmin",
pwd: "[whatever]",
roles: [ "clusterAdmin" ],
otherDBRoles: { TestDB: [ "readWrite", "dbAdmin" ] } } )
But that seems hacky and error-prone.
And I can update the table record itself:
> db.system.users.update({"user":"testAdmin"}, {$set:{ otherDBRoles: { TestDB: [ "readWrite", "dbAdmin" ] }}})
But I'm not sure if that really creates the correct permissions - it looks fine but it may be subtly wrong.
Is there a better way to do this?
If you want to just update Role of User. You can do in the following way
db.updateUser( "userName",
{
roles : [
{ role : "dbAdmin", db : "dbName" },
{ role : "readWrite", db : "dbName" }
]
}
)
Note:- This will override only roles for that user.
See array update operators.
> db.users.findOne()
{
"_id" : ObjectId("51e3e2e16a847147f7ccdf7d"),
"user" : "testAdmin",
"pwd" : "[some hash]",
"roles" : [
"clusterAdmin"
],
"otherDBRoles" : {
"TestDB" : [
"readWrite"
]
}
}
> db.users.update({"user" : "testAdmin"}, {$addToSet: {'otherDBRoles.TestDB': 'dbAdmin'}}, false, false)
> db.users.findOne()
{
"_id" : ObjectId("51e3e2e16a847147f7ccdf7d"),
"user" : "testAdmin"
"pwd" : "[some hash]",
"roles" : [
"clusterAdmin"
],
"otherDBRoles" : {
"TestDB" : [
"readWrite",
"dbAdmin"
]
},
}
Update:
MongoDB checks permission on every access. If you see operator db.changeUserPassword:
> db.changeUserPassword
function (username, password) {
var hashedPassword = _hashPassword(username, password);
db.system.users.update({user : username, userSource : null}, {$set : {pwd : hashedPassword}});
var err = db.getLastError();
if (err) {
throw "Changing password failed: " + err;
}
}
You will see — operator changes user's document.
See also system.users Privilege Documents and Delegated Credentials for MongoDB Authentication