I have a user in admin.system.users:
{
"_id" : "admin.reports",
"user" : "reports",
"db" : "admin",
"credentials" : {
"MONGODB-CR" : "hash"
},
"roles" : [
{
"role" : "read",
"db" : "mydb"
}
]
}
And I am attempting to execute this from a bash script:
mongo --quiet mongodb.production.internal/admin -ureports -p"password" <<< "
var conn = connect('localhost/mydb');
db.auth('reports', 'password');
db.Collection.aggregate([
{
\$group: {
_id: '\$itemId',
count: { \$sum: 1 }
}
},
{
\$sort: {
count: 1
}
}
], {cursor: {}}).forEach(function(line) {
print(line._id+','+line.count);
});
"
And I am getting this response from the mongodb instance:
not authorized on admin to execute command { aggregate: (amongst other very verbose but pointless output).
What permission do I need to enable the use of the aggregation command for this user? Can it not be done without enabling write access?
The issue was not with permissions, read is indeed sufficient, but with correctly switching to the right database.
I was using connect() to silently (no output) switch to the working db because the use command throws output. This is incorrect, and the workaround is in how you specify the connection on the command line, ie:
mongo --quiet mongodb.production.internal/mydb --authenticationDatabase admin -ureports -p"password"
Related
When you first install mongodb, there is no root user. You simply start mongo with (if on mac osx) "mongod --dbpath='/usr/local/var/mongodb'", and then run mongo in the shell and it will connect you without any authentication.
I create the admin user in the admin database:
> db
admin
> db.createUser({
"user" : "test1",
"pwd" : "test1",
"roles" : [ { "role" : "userAdminAnyDatabase", "db" : "admin" } ]
})
> db.getUsers()
[
{
"_id" : "admin.test1",
"user" : "test1",
"db" : "admin",
"roles" : [
{
"role" : "userAdminAnyDatabase",
"db" : "admin"
}
],
"mechanisms" : [
"SCRAM-SHA-1",
"SCRAM-SHA-256"
]
}
]
Now I connect to mongo shell as admin user:
> db
admin
> db.runCommand({connectionStatus : 1})
{
"authInfo" : {
"authenticatedUsers" : [
{
"user" : "test1",
"db" : "admin"
}
],
"authenticatedUserRoles" : [
{
"role" : "userAdminAnyDatabase",
"db" : "admin"
}
]
},
"ok" : 1
}
I start mongod with access control:
$ sudo mongod --auth --port 27017 --dbpath=.
Password:
2020-04-16T20:28:40.656-0400 I CONTROL [main] Automatically disabling TLS 1.0, to force-enable TLS 1.0 specify --sslDisabledProtocols 'none'
2020-04-16T20:28:40.672-0400 I CONTROL [initandlisten] MongoDB starting : pid=8441 port=27017 dbpath=. 64-bit
I even turned on security:
$ cd /usr/local/etc/
$ vim mongod.conf
security:
authorization: "enabled"
Yet I can simply login with just "mongo":
$ mongo admin
MongoDB shell version v4.0.4
connecting to: mongodb://127.0.0.1:27017/admin
Implicit session: session { "id" : UUID("95879725-00ed-4cee-bd43-8ba093df1e19") }
MongoDB server version: 4.0.4
> db.runCommand({connectionStatus : 1})
{
"authInfo" : {
"authenticatedUsers" : [ ],
"authenticatedUserRoles" : [ ]
},
"ok" : 1
}
This is wild. What else must I do? Unless there is some type of automatic login when logged into the ip the server is running on?
Some commands do not require authentication. Try reading or writing to a collection.
Authentication itself is performed via a sequence of commands (you can read about those here) therefore some of the commands must by necessity not require authentication.
Some commands return different responses based on whether a connection is authenticated. For example, try {ismaster:1} with and without authentication.
This is the query i am running:
db.surveyquestion.copyTo('surveyquestionV2')
Error I am getting:
{
"message" : "MongoError: not authorized on GenericSurveyTool to execute command { $eval: function (collName, newName) {\r" +
"var from = db[collName];\r" +
"..., args: [ 'surveyquestion', 'surveyquestionV2' ], $db: 'GenericSurveyTool' }",
"stack" : "script:1:19",
"code" : 13
}
My user in admin db that i am using to run this query:
query: db.getUsers();
/* 2 */
{
"_id" : "admin.moiz",
"user" : "moiz",
"db" : "admin",
"roles" : [
{
"role" : "root",
"db" : "admin"
}
]
}
I have this user with the root role but still i am unable to copy collection. Please help!!
To the people who has the same problem, the solution is in the documentation of db.eval() : just right here
If authorization is enabled, you must have access to all actions on all resources in order to run eval. Providing such access is not recommended, but if your organization requires a user to run eval, create a role that grants anyAction on anyResource. Do not assign this role to any other user.
I have an application scenario where 3 meteor applications are using a mongo database replication set. A machine is allocated to run each meteor application. A single mongo database is running on each machine. Each application (the server) is supposed to access a collection in the local mongo database.
The server creates a connection to the local database collection as follows:
const url = "myUser:myPass#localhost:27017/local?authSource=admin"
const MyCollection = new Mongo.Collection('myCollection', { _driver: new MongoInternals.RemoteCollectionDriver(url) });
2 of the 3 meteor applications, i.e. the application connected to the primary database and secondary database are able to read/write from/to the collection.
However, the meteor application connected to the arbiter database runs into issues when it tries to execute the following code in the meteor startup function:
MyCollection.update({}, { $unset: { myData1: '', myData2: '' }}, { upsert: true });
It produces the following exception:
not authorized on local to execute command { find: "myCollection", filter: {}, limit: 1 }
I can use the URL declared in the url variable to connect to a mongo shell and perform reads and writes on the same collection in the local database.
When I checked the user permissions this is what I see in the mongo shell:
{
"_id" : "admin.myUser",
"user" : "myUser",
"db" : "admin",
"roles" : [
{
"role" : "readWrite",
"db" : "meteorDB"
},
{
"role" : "readWrite",
"db" : "local"
},
{
"role" : "read",
"db" : "admin"
},
{
"role" : "clusterAdmin",
"db" : "admin"
}
]
}
Therefore, it appears as if the user has the correct permissions.
Also, if I disable mongo DB security then the meteor application does not throw any exceptions.
I was wondering if someone could point out if I’m doing something wrong. Any help is much appreciated.
In Mongo, I've created a database and created a user specifically for that database. When I type "show users" I get this:
rs0:PRIMARY> show users;
{
"_id" : "sampleuser.sampleuser",
"user" : "sampleuser",
"db" : "sampledb",
"roles" : [
{
"role" : "readWrite",
"db" : "sampledb"
},
{
"role" : "dbAdmin",
"db" : "sampledb"
}
]
}
But when I try to execute a command with that user, I get the following:
not authorized on sampledb to execute command { find: "social_posts", filter: { customer_id: "123", 0: { posted: { $ne: 1 } } } }
What permissions are setup wrong?
You have to use db.auth() to authenticate to the database before executing any query.
From db.auth() doc
db.auth()
Allows a user to authenticate to the database from within the shell.
The db.auth() method can accept:
the username and password.
db.auth( <username>, <password> )
a user document that contains the username and password, and optionally, the authentication mechanism and a digest password flag.
db.auth( {
user: <username>,
pwd: <password>,
mechanism: <authentication mechanism>,
digestPassword: <boolean>
}
Returns: db.auth() returns 0 when authentication is not successful, and 1 when the operation is successful.
I'm using MongoDB 3.0.7. I have a database called bravegoat and a read-only user called bravegoat-r.
I connect via shell:
mongo localhost:27017/bravegoat -u bravegoat-r -p mypassword
I switch to my database:
use bravegoat;
And I run:
db.runCommand({connectionStatus : 1})
Which outputs:
{
"authInfo" : {
"authenticatedUsers" : [
{
"user" : "bravegoat-r",
"db" : "bravegoat"
}
],
"authenticatedUserRoles" : [
{
"role" : "read",
"db" : "bravegoat"
}
]
},
"ok" : 1
}
Only read role, so it looks fine, but when I invoke .save(), my user can insert data. I've read few pages about creating read-only users and I'm not able to see my problem. I'm starting to think it might be a bug in my version.
You have to enable client access control by doing the following:
Edit the /etc/mongod.conf file
Add the following lines
security:
authorization: enabled
Restart MongoDB:
sudo service mongodb restart