authentication with mongo shard - mongodb

I am setting up a Mongo test shard and would like to use Mongo user authentication with it. I have added the user on the config server(s). I am not certain if I need to add the same user on all the shards as well. I am assuming I do not need to add the user on the query router (mongos). However, when I simply add the user on the config server (via the Mongo shell), I can authenticate if I stay in the shell. However, as soon as I log out of the shell and log back in, I am unable to log back in with the same credentials. The shard servers do have a data directory associated with them as does the config server. Any ideas on how to troubleshoot this further?
Creating user
db.createUser( { user: "test",
pwd: "testPassword",
roles: [ { role: "clusterAdmin", db: "admin" },
{ role: "readAnyDatabase", db: "admin" },
"readWrite"] },
{ w: "majority" , wtimeout: 5000 } )
authenticating
db.auth("test", "testPassword")
I did specify a data directory for the config server (running on port 27019, not 27017 & the data directory has the correct permissions for the mongo process).
mongod --configsvr --dbpath /var/lib/mongodb3 --port 27019

Once the mongo cluster is properly setup (query router connected to config server and shards with replica sets & config serers/shards writing to disk), I was able to simply add the user via the query router and get authentication working with a Mongo Java driver

Related

MongoDB create replica set with authentication enabled

I have a monogDB replica set running on windows , im trying to add users and authentication to them.
use admin
db.createUser(
{
user: "admin",
pwd: "password",
roles: [ { role: "root", db: "admin" } ]
}
);
exit;
mongo --port 27017 -u admin -p password --authenticationDatabase admin
use test
db.createUser(
{
user: "tester",
pwd: "password",
roles: [
{ role: "read", db: "test1" },
{ role: "read", db: "test2" },
{ role: "read", db: "test3" },
{ role: "readWrite", db: "test" }
]
}
);
after creating the user I modify the cfg files of all three replica nodes changing to authorization: enabled. restarting the service and try to log in to servers.
I am able to enter with the user but all nodes changes the status to "OTHER", and if I change the authorization to unmarked (# - like it was) the replica set is working fine but the user I created doesn't work.
Any suggestions?
or does anyone know the actual steps to create replica set with authentication enabled?
Usually you do it the other way around. First enable authentication, then create the users. And typically all users are created in admin database only.
Anyway, regarding your problem: When you enable authentication then the nodes must also authenticate internally, i.e. when a replica set member connects to another replica set member.
See Internal/Membership Authentication
The simple way is to use a keyfile for this.
First create the keyfile:
openssl rand -base64 756 > <path-to-keyfile>
If you don't have openSSL you can download it from OpenSSL for Windows. Then copy this keyfile to each replica set member.
Put this option to the MongoDB configuration files:
security:
authorization: enabled
keyFile: <path-to-keyfile>
Restart the MongoDB service, then it should work.
See also Deploy Replica Set With Keyfile Authentication or Update Replica Set to Keyfile Authentication or Update Replica Set to Keyfile Authentication (No Downtime)

Mongo secure database

I'mnew on mongo and I'm finding some diferencces with SQL database, I'have created a database and I have created an user this way
db.createUser(
{
user: "chatlearning",
pwd: "mypass",
roles: [ { role: "readWrite", db: "chatlearning" }]
}
)
But I can acces to the database with mongodb compass without introducing any login ingo , what do I have to avoid the access to the database to any other user that not intruces the login?
After creating user have you restarted the mongo server in auth mode?
Here the process to start the mongod with access control enabled.
If you start the mongod from the command line, add the --auth command line option:
mongod --auth --port 27017 --dbpath /var/lib/mongodb
If you start the mongod using a configuration file (/etc/mongod.conf), add the security.authorization configuration file setting:
security:
authorization: enabled

MongoDB: Server has startup warnings ''Access control is not enabled for the database''

I firstly installed MongoDB 3.4.1 today. But when I start it and use MongoDB shell, it gave me these warnings below:
C:\Users\hs>"C:\Program Files\MongoDB\Server\3.4\bin\mongo.exe
MongoDB shell version v3.4.1
connecting to: mongodb://127.0.0.1:27017
MongoDB server version: 3.4.1
Server has startup warnings:
2017-01-12T21:19:46.941+0800 I CONTROL [initandlisten]
2017-01-12T21:19:46.942+0800 I CONTROL [initandlisten] ** WARNING: Access control is not enabled for the database.
2017-01-12T21:19:46.942+0800 I CONTROL [initandlisten] ** Read and write access to data and configuration is unrestricted.
2017-01-12T21:19:46.942+0800 I CONTROL [initandlisten]
my computer is Microsoft Windows [version 10.0.14393].
Mongodb v3.4
You need to do the following to create a secure database:
Make sure the user starting the process has permissions and that the directories exist (/data/db in this case).
1) Start MongoDB without access control.
mongod --port 27017 --dbpath /data/db
2) Connect to the instance.
mongo --port 27017
3) Create the user administrator (in the admin authentication database).
use admin
db.createUser(
{
user: "myUserAdmin",
pwd: "abc123",
roles: [ { role: "userAdminAnyDatabase", db: "admin" } ]
}
)
4) Re-start the MongoDB instance with access control.
mongod --auth --port 27017 --dbpath /data/db
5) Connect and authenticate as the user administrator.
mongo --port 27017 -u "myUserAdmin" -p "abc123" --authenticationDatabase "admin"
6) Create additional users as needed for your deployment (e.g. in the test authentication database).
use test
db.createUser(
{
user: "myTester",
pwd: "xyz123",
roles: [ { role: "readWrite", db: "test" },
{ role: "read", db: "reporting" } ]
}
)
7) Connect and authenticate as myTester.
mongo --port 27017 -u "myTester" -p "xyz123" --authenticationDatabase "test"
I basically just explained the short version of the official docs here: https://docs.mongodb.com/master/tutorial/enable-authentication/
OMG, what a gas plant, that top answer!
All you need to do is to:
Edit your config, e.g. C:\Program Files\MongoDB\Server\4.4\bin\mongodb.cfg
Turn the security: authorization: to enabled, as illustrated; note that this sub-entry may be missing completely. Just add it then.
Restart your MongoDB Server service from the Windows Services control panel.
Obviously, if, following this, set up a read/readWrite role-based policy, that will make much more sense.
Ref: https://docs.mongodb.com/manual/tutorial/configure-scram-client-authentication/
I've just tested this using phpunit, works as expected.
you can create an admin user or another role.
run it on mongo shell.
db.createUser({user: "username", pwd: "password", roles: ["dbAdmin"]})
if you get SCRAM-SHA-256error you can set the SHA-1 mechanism.
db.createUser({user: "username", pwd: "password", roles: ["dbAdmin"], mechanisms: ["SCRAM-SHA-1"]})
You need to delete your old db folder and recreate new one. It will resolve your issue.

MongoDB Authentication in a Sharded Cluster

I'm trying to set up authentication in a sharded cluster. Currently all shards, config servers and mongos are running without --auth or keyfile information.
when I'm connecting to mongo and trying to create user:
db.createUser({
user: "test",
pwd: "test",
roles: []
});
i get the following error:
Error: couldn't add user: Could not lock auth data update lock. at src/mongo/shell/db.js:1004
Does anyone know what causes this error and how to fix it?

MongoDB server can still be accessed without credentials

I have a fresh mongodb server (2.6.0) in my machine and I started the mongod instance with the following config file:
dbpath = c:\mongo\data\db
port = 27017
logpath = c:\mongo\data\logs\mongo.log
auth = true
Later, I connected to this mongod instance through mongo shell and created an admin user:
use admin
db.createUser(
{
user: "tugberk",
pwd: "12345678",
roles:
[
{
role: "userAdminAnyDatabase",
db: "admin"
}
]
}
)
Then, I logged out from the shell and reconnect with the following command:
mongo --host localhost --port 27017 -u tugberk -p 12345678 --authenticationDatabase admin
Then, I created a user with root access:
use admin
db.createUser(
{
user: "tugberkRoot",
pwd: "12345678",
roles: [ "root" ]
}
)
The last step is not necessary here but the anonymous access now should have been fully disabled. However, I can still connect to it anonymously through mongo shell (even if I don't have any access to do anything):
What should I do to prevent any anonymous connection?
Authentication prevents you from performing actions on the database (as your screenshot shows - you can't even list databases), it doesn't prevent connections - after all, you have to be able to connect to be able to authenticate.
There is a feature request to add timeouts, but for now this is essentially how the server is meant to behave.
It's worth noting that up until you try to do something, this is really no different than just connecting to the port with telnet - the text displayed at the start "connecting to:" etc. is from the client, not the server. As soon as it tries to do anything unauthenticated, even list the server warnings, an error is thrown because it does not have sufficient permissions.
If you want to lock down things from a connection perspective, the only option from a MongoDB perspective is to restrict the IP addresses it listens on (default is all) using the bindIp option. Using 127.0.0.1 would lock it down to local usage for example (but you would then be unable to connect from a remote host), which makes replication an issue so be careful when choosing your bound address.
Outside MongoDB, you should look at locking things down from a firewall perspective. On Linux this would be IPTables, ufw, hosts.allow/deny or similar. Windows firewall is not my area of expertise, but I would imagine you can do similar there also.
Although you can protect your databases by enabling authentication in security section of the mongo.conf file like this:
security:
authorization: enabled