I have created two users with below roles on my mongoinstance
use mydb
db.createUser(
{
user: "dbUser",
pwd: "dbPassword",
roles: [ { role: "dbOwner", db: "mydb" } ]
}
)
use admin
db.createUser(
{
user: "adminUser",
pwd: "adminPassword",
roles: [ { role: "userAdminAnyDatabase", db: "admin" } ]
}
)
MongoDb is up & running using above credentials, Now when i try to take mongodump using below command in terminal
mongodump --host localhost --port 27017 -u dbUser -p dbPassword --authenticationDatabase mydb
i am getting below error, not able to resolve this
connected to: localhost:27017
assertion: 13 not authorized on admin to execute command { getParameter: 1, authSchemaVersion: 1 }
Any idea? where i am doing wrong?
As suggested by #wdberkeley, problem got resolved by passing db name as parameter
below command runs fine
mongodump --host localhost --port 27017 -u dbUser -p dbPassword -d mydb
mongodump is not a Mongo shell command, it's an operating system command.
Just like you run mongo.exe to start the shell from OS prompt, you should run mongodump the same way from OS prompt. Example:
mongodump --host localhost --port 27017 -u dbUser -p dbPassword --authenticationDatabase mydb
Thanks
userAdminAnyDatabase is not enough to do mongodump on all the dbs that's why you are getting this error. You will need a super user that has:
userAdminAnyDatabase
readWriteAnyDatabase
clusterAdmin
privileges to run mongodump on all dbs.
OR you just need 'backup' privilege
db.grantRolesToUser('username', [{
role: 'backup',
db: 'name of ur authentication db'
}])
Related
I know this is a basic security measure, but I can't make it works with my mongodb installation. Each time I run the command :
mongorestore dump_folder -u "username" -p "password"
It returns:
error reading database: not authorized on DATABASE_NAME to execute command { listCollections: 1, cursor: { batchSize: 0 } }
My question is : What is the permission that I need to enable and how ?
For the time being, I just turn off the Mongo's security in /etc/mongod.conf and start it back after I restore/dump my databases.
Additional Note:
This is how I prepared my databases and its user
I log in with my admin account, create a database, named DATABASE001
And create a user:
use DATABASE001
db.createUser({
user: "USER001",
pwd: "mypassword",
roles:[ { role: "readWrite", db: "DATABASE001" },"dbAdmin" ]
})
For roles, I add readWrite to DATABASE001 and also dbAdmin
I want this user (USER001) be able to backup or restore his database (DATABASE001).
I tested it by login with this command. It successfully logged in
mongo localhost -u USER001 -p mypassword --authenticationDatabase DATABASE001
I want to dump this database content with:
mongodump -u USER001 -p mypassword --authenticationDatabase DATABASE001
it throws me an error:
Failed: error getting database names: not authorized on admin to execute command { listDatabases: 1 }
What is this listDatabases ? how can I add it to my roles?
$ mongorestore --username adminUser --password pass123 --authenticationDatabase admin --db exampleDB dump/exampleDB
I try to create a backup of my MongoDB replicaset but I have an authentication problem :D .
So when I try to use mongodump
root#e03c2a89ac31:/# mongodump -u myBackupAccount -p 123456 --host mongo1 --out /home/backup
2017-01-17T11:00:41.069+0000 Failed: error connecting to db server: server returned error on SASL authentication step: Authentication failed.
root#e03c2a89ac31:/# mongodump -u myBackupAccount -p 123456 --host mongo1 --authenticationDatabase admin --out /home/backup
2017-01-17T12:37:45.819+0000 Failed: error connecting to db server: server returned error on SASL authentication step: Authentication failed.
But if I try with a mongo shell, I can connect to my instance
root#e03c2a89ac31:/# mongo -u myBackupAccount -p 123456 --host mongo1
MongoDB shell version v3.4.1
connecting to: mongodb://mongo1:27017/
MongoDB server version: 3.4.1
REPLICASET_NAME:PRIMARY> exit
My backup user was created with that command
root#e03c2a89ac31:/# mongo -u myUserAdmin --authenticationDatabase "admin" -p 123456
MongoDB shell version v3.4.1
connecting to: mongodb://mongo1:27017/
MongoDB server version: 3.4.1
REPLICASET_NAME:PRIMARY> db.createUser({user: "myBackupAccount", pwd: "123456", roles: [ { role: "backup", db: "admin" } ]})
So do you know why it isn't working ?
I did somethings bad ? :p
Thanks in advance for your help ;)
I'm rather new with MongoDB and I'm trying to add a admin account into my MongoDB whithout any users at this point.
Using this command: mongo --port 27017 -u manager -p 123456 --authenticationDatabase admin
I receive this error:
Kind regards.
Let me explain the reason why its not working. mongo db refers to users collection to validate the login user.
By default mongodb doesnt provide any user login like manager, using which your were trying to login
Thus the below command is not working
mongo --port 27017 -u manager -p 123456 --authenticationDatabase admin
To make the below command to work. You need to add user "manager" to mongodb user collection.
To create user run the below command:
db.addUser( { user: "manager",
pwd: "123456",
roles: [ "userAdminAnyDatabase",
"dbAdminAnyDatabase",
"readWriteAnyDatabase"
] } )
Once you have the user created, below command work.
mongo --port 27017 -u manager -p 123456 --authenticationDatabase admin
I did the following
-- `sudo apt-get install mongodb-org`
-- go to `etc/mongod.conf` change bindIp to: `0.0.0.0`
-- sudo mkdir /data/db
-- start without auth to create user
`sudo mongod --port 27017 --dbpath /data/db`
-- open shell with : mongo --port 27017
```
> use admin
> db.createUser( { user: "useradmin", pwd: "mypassword", roles: [ { role: "root", db: "admin" } ] } )
```
-- Restart with auth required(ctrl+c the above mongod process):
`sudo mongod --auth --port 27017 --dbpath /data/db'
-- To open shell(ctrl+c above mongo shell):
`mongo --port 27017 -u useradmin -p mypassword --authenticationDatabase admin`
my mongoengine_settings.py
```PYTHON
from mongoengine import connect
DATABASE = 'tracking'
USERNAME = 'useradmin'
PASSWORD = 'mypassword'
HOST = 'mongodb://localhost/tracking'
PORT = 27017
connect(DATABASE,
username=USERNAME,
password=PASSWORD,
host=HOST,
port=PORT
)
```
now when i try to bulk insert some data using mongoengine that works fine if i don't have --auth enabled, otherwise it throws the following error:
OperationFailure(u'command SON([(\'createIndexes\', u\'order\'), (\'indexes\', [{\'unique\': True, \'background\': False, \'sparse\': False, \'key\': SON([(\'order_id\', 1)]), \'name\': u\'order_id_1\'}])]) on namespace tracking.$cmd failed: not authorized on tracking to execute command { createIndexes: "order", indexes: [ { unique: true, background: false, sparse: false, key: { order_id: 1 }, name: "order_id_1" } ] }',)
what am i doing wrong?
MongoDB users are created in a specific database rather than at the instance level. Once created users can be granted different roles for different databases. The database a user is created in is called their authentication database
Because usernames are not unique (only the combination of username and authentication database is) you can create two users with the same name in different databases with different roles and passwords. This also means that when connecting you need to specify the authentication database as well as the username and password.
This is why after creating the useradmin user in the admin database you needed to run this command:
mongo --port 27017 -u useradmin -p mypassword --authenticationDatabase admin
to connect the MongoDB shell to the default database test.
If you don't specify the authentication database explicitly then MongoDB assumes the database you are connecting to is also the authentication database. So connecting to the admin database like this would have worked:
mongo --port 27017 -u useradmin -p mypassword admin
and these three commands are effectively the same and all will return an "Authentication failed" error :
mongo --port 27017 -u useradmin -p mypassword
mongo --port 27017 -u useradmin -p my password test
mongo --port 27017 -u useradmin -p my password test --authenticationDatabase test
To connect from Python, if you use MongoClient and pass it a complete MongoDB URI, the connection string can include optional parameters. One of the options is authSource (the the database name associated with the user’s credentials) which is obviously what you need: connection options.
Your URI will look something like this:
MdbURI = "mongodb://useradmin:mypassword#localhost:27017/tracking?authSource=admin"
client = MongoClient(MdbURI)
Here's a means of connecting and authenticating with pymongo:
from pymongo import MongoClient
# MongoDB connection info
hostname = '10.20.30.40'
port = 27017
username = 'adminUserName'
password = 'secret'
databaseName = 'someDB'
# connect with authentication
client = MongoClient(hostname, port)
db = client[databaseName]
db.authenticate(username, password)
I would like to give acces to a user to 2 databases in MongoDB.
I tried this, but it only give access to the admin db.
use admin;
db.runCommand(
{
createUser: "myuser",
pwd : "mypwd",
roles:
[
{ role: "readWrite", db: "db1" } ,
{ role: "readWrite", db: "db2" }
]
});
I tried to create the user on each db, but i end up with 2 users:
user#db1 and user#db2
Any suggestions?
Users can basically be saved in any database, which is why you can provide --authenticationDatabase on the command line tools, for example.
Taking the example for the cli, your command line should look something like this
mongo yourhost:yourport/db1 -u myuser --authenticationDatabase admin -p
and
mongo yourhost:yourport/db2 -u myuser --authenticationDatabase admin -p
respectively, where you obvisouly have to substitute yourhost and yourport for actual values.