I would like to give acces to a user to 2 databases in MongoDB.
I tried this, but it only give access to the admin db.
use admin;
db.runCommand(
{
createUser: "myuser",
pwd : "mypwd",
roles:
[
{ role: "readWrite", db: "db1" } ,
{ role: "readWrite", db: "db2" }
]
});
I tried to create the user on each db, but i end up with 2 users:
user#db1 and user#db2
Any suggestions?
Users can basically be saved in any database, which is why you can provide --authenticationDatabase on the command line tools, for example.
Taking the example for the cli, your command line should look something like this
mongo yourhost:yourport/db1 -u myuser --authenticationDatabase admin -p
and
mongo yourhost:yourport/db2 -u myuser --authenticationDatabase admin -p
respectively, where you obvisouly have to substitute yourhost and yourport for actual values.
Related
I have successfully enabled authorization on MongoDB and I have created an account on the admin database and then I created an account for my database called test. The following connection string to connect to my test database works successfully: mongo --host 192.168.17.52 --port 27017 -u user1 -p password --authenticationDatabase test
Only problem I have now is, I cannot execute commands such as: show dbs. I get the following error when I try to do so:
"errmsg" : "not authorized on admin to execute command { listDatabases: 1.0, lsid: { id: UUID(\"a1d5bc0d-bc58-485e-b232-270758a89455\") }, $db: \"admin\" }"
I have been on many online sources to help fix this issue but no luck, is there a way to resolve this issue? Seems like my user can't access the admin database, is there a way to grant this access to my user so I can run the necessary commands like show dbs?
Any help is much appreciated! :)
In order to run show dbs command and if the user has access to multiple databases, first the user should be created on the admin database (this is because listDatabases action is a cluster wide operation). Also the user should be given access to this operation. In order to do that, a new role should be created with the action. Below are the steps for the same:
//login as admin with --authenticationDatabase "admin" (assumption is that admin user is with root privileges) and then run the below:
use admin;
db.runCommand({ createRole: "listDatabases", privileges: [{ resource: { cluster : true }, actions: ["listDatabases"]} ], roles: [] });
db.createUser({user:"testUser", pwd:"passwd", roles:[{role:"read", db:"db1"},{role:"read", db:"db2"},{ role: "listDatabases", db: "admin" }]});
//exit as admin user and login as testUser: note the --authenticationDatabase "admin"
mongo -u "testUser" -p --authenticationDatabase "admin"
after logging in run the command below and it should list all the databases:
show dbs;
The below will work fine even though user is not given access to admin database:
use admin;
But then the below will give error:
show collections;
The problem is related the database you are using with the --authenticationDatabase parameter.
You are connecting to mongo with the user of your test database who has no privileges to execute listDatabase commands.
Let's do this using the admin db as auth db
mongo --host 192.168.17.52 --port 27017 -u user1 -p password --authenticationDatabase admin
and then run the command
show dbs
I know this is a basic security measure, but I can't make it works with my mongodb installation. Each time I run the command :
mongorestore dump_folder -u "username" -p "password"
It returns:
error reading database: not authorized on DATABASE_NAME to execute command { listCollections: 1, cursor: { batchSize: 0 } }
My question is : What is the permission that I need to enable and how ?
For the time being, I just turn off the Mongo's security in /etc/mongod.conf and start it back after I restore/dump my databases.
Additional Note:
This is how I prepared my databases and its user
I log in with my admin account, create a database, named DATABASE001
And create a user:
use DATABASE001
db.createUser({
user: "USER001",
pwd: "mypassword",
roles:[ { role: "readWrite", db: "DATABASE001" },"dbAdmin" ]
})
For roles, I add readWrite to DATABASE001 and also dbAdmin
I want this user (USER001) be able to backup or restore his database (DATABASE001).
I tested it by login with this command. It successfully logged in
mongo localhost -u USER001 -p mypassword --authenticationDatabase DATABASE001
I want to dump this database content with:
mongodump -u USER001 -p mypassword --authenticationDatabase DATABASE001
it throws me an error:
Failed: error getting database names: not authorized on admin to execute command { listDatabases: 1 }
What is this listDatabases ? how can I add it to my roles?
$ mongorestore --username adminUser --password pass123 --authenticationDatabase admin --db exampleDB dump/exampleDB
I am using the same connection string on local and production.
When the connection string is mongodb://localhost/mydb
What is the username and password?
Is it secure to keep it this way?
By default mongodb has no enabled access control, so there is no default user or password.
To enable access control, use either the command line option --auth or security.authorization configuration file setting.
You can use the following procedure or refer to Enabling Auth in the MongoDB docs.
Procedure
Start MongoDB without access control.
mongod --port 27017 --dbpath /data/db1
Connect to the instance.
mongosh --port 27017
Create the user administrator.
use admin
db.createUser(
{
user: "myUserAdmin",
pwd: passwordPrompt(), // or cleartext password
roles: [
{ role: "userAdminAnyDatabase", db: "admin" },
{ role: "readWriteAnyDatabase", db: "admin" }
]
}
)
Re-start the MongoDB instance with access control.
mongod --auth --port 27017 --dbpath /data/db1
Authenticate as the user administrator.
mongosh --port 27017 --authenticationDatabase "admin"\
-u "myUserAdmin" -p
In addition with what #Camilo Silva already mentioned, if you want to give free access to create databases, read, write databases, etc, but you don't want to create a root role, you can change the 3rd step with the following:
use admin
db.createUser(
{
user: "myUserAdmin",
pwd: "abc123",
roles: [ { role: "userAdminAnyDatabase", db: "admin" },
{ role: "dbAdminAnyDatabase", db: "admin" },
{ role: "readWriteAnyDatabase", db: "admin" } ]
}
)
If you have already created the user, you can update the user as follows:
First log on:
mongo --port 27017 -u "myUserAdmin" -p "abc123" \
--authenticationDatabase "admin"
The add permissions:
use admin
db.grantRolesToUser(
"myUserAdmin",
[ { role: "userAdminAnyDatabase", db: "admin" },
{ role: "dbAdminAnyDatabase", db: "admin" },
{ role: "readWriteAnyDatabase", db: "admin" } ]
)
For MongoDB earlier than 2.6, the command to add a root user is addUser (e.g.)
db.addUser({user:'admin',pwd:'<password>',roles:["root"]})
In addition to previously provided answers, one option is to follow the 'localhost exception' approach to create the first user if your db is already started with access control (--auth switch). In order to do that, you need to have localhost access to the server and then run:
mongo
use admin
db.createUser(
{
user: "user_name",
pwd: "user_pass",
roles: [
{ role: "userAdminAnyDatabase", db: "admin" },
{ role: "readWriteAnyDatabase", db: "admin" },
{ role: "dbAdminAnyDatabase", db: "admin" }
]
})
As stated in MongoDB documentation:
The localhost exception allows you to enable access control and then create the first user in the system. With the localhost exception, after you enable access control, connect to the localhost interface and create the first user in the admin database. The first user must have privileges to create other users, such as a user with the userAdmin or userAdminAnyDatabase role. Connections using the localhost exception only have access to create the first user on the admin database.
Here is the link to that section of the docs.
Go to mongo in your instance
mongo
use admin
db.createUser({user:"Username", pwd:"Password", roles:[{role:"root", db:"admin"}]})
mongod --bind_ip_all --auth
use this command after modifying the .conf file:
network interfaces
net:
port: 27017
bindIp: 127.0.0.1,mongodb_server_ip
I'm rather new with MongoDB and I'm trying to add a admin account into my MongoDB whithout any users at this point.
Using this command: mongo --port 27017 -u manager -p 123456 --authenticationDatabase admin
I receive this error:
Kind regards.
Let me explain the reason why its not working. mongo db refers to users collection to validate the login user.
By default mongodb doesnt provide any user login like manager, using which your were trying to login
Thus the below command is not working
mongo --port 27017 -u manager -p 123456 --authenticationDatabase admin
To make the below command to work. You need to add user "manager" to mongodb user collection.
To create user run the below command:
db.addUser( { user: "manager",
pwd: "123456",
roles: [ "userAdminAnyDatabase",
"dbAdminAnyDatabase",
"readWriteAnyDatabase"
] } )
Once you have the user created, below command work.
mongo --port 27017 -u manager -p 123456 --authenticationDatabase admin
I have created two users with below roles on my mongoinstance
use mydb
db.createUser(
{
user: "dbUser",
pwd: "dbPassword",
roles: [ { role: "dbOwner", db: "mydb" } ]
}
)
use admin
db.createUser(
{
user: "adminUser",
pwd: "adminPassword",
roles: [ { role: "userAdminAnyDatabase", db: "admin" } ]
}
)
MongoDb is up & running using above credentials, Now when i try to take mongodump using below command in terminal
mongodump --host localhost --port 27017 -u dbUser -p dbPassword --authenticationDatabase mydb
i am getting below error, not able to resolve this
connected to: localhost:27017
assertion: 13 not authorized on admin to execute command { getParameter: 1, authSchemaVersion: 1 }
Any idea? where i am doing wrong?
As suggested by #wdberkeley, problem got resolved by passing db name as parameter
below command runs fine
mongodump --host localhost --port 27017 -u dbUser -p dbPassword -d mydb
mongodump is not a Mongo shell command, it's an operating system command.
Just like you run mongo.exe to start the shell from OS prompt, you should run mongodump the same way from OS prompt. Example:
mongodump --host localhost --port 27017 -u dbUser -p dbPassword --authenticationDatabase mydb
Thanks
userAdminAnyDatabase is not enough to do mongodump on all the dbs that's why you are getting this error. You will need a super user that has:
userAdminAnyDatabase
readWriteAnyDatabase
clusterAdmin
privileges to run mongodump on all dbs.
OR you just need 'backup' privilege
db.grantRolesToUser('username', [{
role: 'backup',
db: 'name of ur authentication db'
}])