I have created MongoDB deployment (replica set) using MMS Portal. I have enabled authentication in MMS portal, so that DB can be only accessed by providing credentials.
In MMS portal I don't find any option to assign oplog permission to user.
So, how can I create User with OpLog permission?
Background
Before posting this question I have searched for for the same, and found following link.
How to access to oplog MongoDB (MMS replica set)
Solution in above link is to create roles. But am not sure about this approach because, in MMS portal I can see many build-in roles but in admin database there is no system.roles collection!
INFO MongoDB version is 3.0.3
Here is how I added user with oplog access for MongoDB Replication set deployed via MMS.
In MMS Portal
Click Deployment -> MongoDB Users menu.
Click ADD USERS button.
In the form type database as admin, type preferred username & password, in roles enter root#admin (You can choose other roles as well which has create users privilege)
Now we have to login via mongo console.
mongo <domain.name>:<port>/admin -u <just_created_user> -p
Once inside mongo console type following command to create user with access to oplog
db.createUser({user: "oplogUser", pwd: "PASSWORD", roles: [{role: "read", db: "local"}]})
Now we can access oplog using following URL
mongodb://oplogUser:PASSWORD#<domain.name>:<port>/local?authSource=admin
Related
We have installed MongoDB in AWS and it is running in without Authentication mode. But we want to run MongoDB instance in authentication mode. We have added the line security:
authorization: "enabled" in mongod.conf file . But still we are able to connect our database without any credentials.
You are able to login because of localhost exception, you can login in DB to create users, as you haven't created any yet. As mentioned in mongodb site.
You can create users either before or after enabling access control.
If you enable access control before creating any user, MongoDB
provides a localhost exception which allows you to create a user
administrator in the admin database. Once created, you must
authenticate as the user administrator to create additional users as
needed.
After it you should create Admin user with role userAdminAnyDatabase, and you will be able to create this user even mongod is started with --auth or not. you can create this user by below command.
use admin
db.createUser(
{
user: "myAdmin",
pwd: "123adc",
roles: [ { role: "userAdminAnyDatabase", db: "admin" } ]
}
)
And then create other users, for more detail you can go to another answer given by me.
https://stackoverflow.com/a/40058794/3879440
I had create an account on "admin" database with roles :
roles:["readWriteAnyDatabase","userAdminAnyDatabase","dbAdminAnyDatabase”,”root"]
Is it an highest privileges account ?
If not which roles have I missing ?
I want this "admin" account can manage all the action on database mongo includes replicate set , sharding ...
The privileges mentioned by you should manage all the actions on a single mongod instance. As you want to manage the replica set also, I would suggest you to add clusterAdmin privilege as well.
It potentially contains the clusterManager, clusterMonitor, and hostManager including dropping database action.
So, update the admin user with clusterAdmin role to get the absolute control on your mongod cluster.
ref: https://docs.mongodb.org/manual/reference/built-in-roles/
I've created two users, who I thought were userAdmins. Unfortunately, when I login with them, I get permission denied for everything. If I login locally without providing a username or password, I get permission denied for everything. What can I do?
The users were created using the following commands
use admin
db.createUser(
{
user: "Nikhil",
pwd: "wouldntyouliketoknow",
roles: ["userAdminAnyDatabase" ]
}
)
Does userAdminAnyDatabase not mean what I think it means?
I'm using that you've got authorization security enabled for this to be happening. Why don't you just set security.authorization to disabled and restart mongod?
http://docs.mongodb.org/manual/reference/configuration-options/
As far as the command you issued it looks to be incorrect, should be something like this:
use admin
db.createUser(
{
user: "Nikhil",
pwd: "wouldntyouliketoknow",
roles:
[
{
role: "userAdminAnyDatabase",
db: "admin"
}
]
}
)
Note that you have to pass in a document with both the role and the db into the call.
Best starting point is here: http://docs.mongodb.org/manual/tutorial/enable-authentication/
This user is limited to the userAdmin role on all databases. If you want to perform additional actions you'll need to either grant yourself additional roles or create a new user who has them:
userAdminAnyDatabase
Provides the same access to user administration operations as userAdmin, except it applies to all databases in the cluster. The role also provides the following actions on the cluster as a whole:
authSchemaUpgrade
invalidateUserCache
listDatabases
The role also provides the following actions on the admin.system.users and admin.system.roles collections on the admin database, and on legacy system.users collections from versions of MongoDB prior to 2.6:
collStats
dbHash
dbStats
find
killCursors
planCacheRead
The userAdminAnyDatabase role does not restrict the permissions that a user can grant. As a result, userAdminAnyDatabase users can grant themselves privileges in excess of their current privileges and even can grant themselves all privileges, even though the role does not explicitly authorize privileges beyond user administration. This role is effectively a MongoDB system superuser.
http://docs.mongodb.org/manual/reference/built-in-roles/#built-in-roles
You can simply restart your MongoD without the auth options and it should happily allow you to login and do any operations.
Alternatively you can also enable the bypass for localhost authentication and connect from the same host where you the MongoD is running. You can find more information about it at http://docs.mongodb.org/manual/core/authentication/#localhost-exception
The above mentioned steps may have different behaviour based on version of MongoDB you are using and I would suggest looking up version specific documentation at the mentioned website.
I have a fresh MongoDB 2.4.7 installation. I run commands below in first run:
db.getSiblingDB('admin').addUser({
user: 'root',
pwd: 'root',
roles:['userAdminAnyDatabase', 'dbAdminAnyDatabase']
});
After restarting mongod using --auth, running db.auth('root', 'root') on any dbs fails including admin db.
How can i fix it to have a super user (root access) and add other users for dbs?
You need to authenticate against the admin database and the MongoDB documentation recommend to use this user only to create new users and give appropriated permissions. But if you want to have a super user, also add the role readWriteAnyDatabase.
I want to create a new user in MongoDB.
Do I do that by logging in as admin (use admin) and then using the command add user to create new user?
If no users created you can create new user without any authentification, but if you have created admin user for specific database you should authentifcate, and then perform any operation.
Documentation:
If no users are configured in
admin.system.users, one may access the
database from the localhost interface
without authenticating. Thus, from the
server running the database (and thus
on localhost), run the database shell
and configure an administrative user:
$ ./mongo
> use admin
> db.addUser("theadmin", "anadminpassword")
We now have a user created for
database admin. Note that if we have
not previously authenticated, we now
must if we wish to perform further
operations, as there is a user in
admin.system.users.
> db.auth("theadmin", "anadminpassword")
We can view existing users for the
database with the command:
> db.system.users.find()
Now, let's configure a "regular" user
for another database.
> use projectx
> db.addUser("joe", "passwordForJoe")