mongodb authentication . login prevent [duplicate] - mongodb

I'm a beginner to MongoDB. I have installed MongoDB 2.6 on Windows. Now I want to prevent any login without authentication. I read the localhost exception manual from docs.mongodb.org. After reading that manual, I created a userAdminAnyDatabase user with
use admin
db.createUser(
  {
    user: "adminDB",
    pwd: "password",
    roles: [ "userAdminAnyDatabase", "readWriteAnyDatabase", "root" ]
  }
)
The localhost exception must be disabled automatically. I use this command to start the MongoDB server.
mongod --auth --setParameter enableLocalhostAuthBypass=0 --setParameter enableTestCommands=0 --dbpath "D:\data"
I can still log in with mongo.exe and can see the database names, but I can't change, update or drop anything. Is there any way to prevent any login, and to prevent anyone from reading the database names?

That's the expected behavior of having MongoDB auth enabled.
1) You establish a connection with the MongoDB server.
2) You specify against which database you need to authenticate.
3) You validate your credentials.
For anyone to be able to authenticate, you actually need to allow them to reach point 3.

Related

How do you set up authentication in mongoDB compass? Every solution uses the mongod terminal not the compass terminal

What I am trying to do:
I want to have my schema require a login in order to gain access
From my understanding, you must first use the --auth flag to enable authorization. When I do this in the compass shell, it says auth is not recognized/defined
I want to be able to create new users with different sets of permissions
Neither of the create user commands listed below work for me
My suspicions on the issue:
I think the reason I am struggling might be because I am on a local host connection provided by the MongoDB compass. I am new to MongoDB and am just practicing. My connection URI is mongodb://localhost:27017
Things I have tried:
Using the advanced connection options in compass GUI
Running the below in test and admin
// running:
--auth
db.auth()
db.createUser({user: "max", pwd: "max", roles: ["userAdminAnyDatabase"]})
db.createUser({
  user: "max",
  pwd: "max",
  roles: [{role: "userAdminAnyDatabase", db: "admin"}, {"readWriteAnyDatabase"}]
})
The create functions give this error:
clone(t={}){const r=t.loc||{};return e({loc:new Position("line"in r?r.line:this.loc.line,"column"in r?r.column:...<omitted>...)} could not be cloned.
I'm going to attempt an answer based on the discussion in the comments. There are definitely still some things that I am not clear on, so please do add additional details to help clarify.
"the mongod terminal is something different. It used to be installed with MongoDB, but no longer is by default. All the videos I see are old and working in the mongod terminal not the MongoDB compass shell"
You are correct that the earlier shell (mongo) that used to ship with the database no longer does. It has been replaced with a newer one (mongosh) which is still functionally mostly the same, but with some additional expanded capabilities. You can mostly still use the older shell to connect to MongoDB though there really shouldn't be any reason for doing so.
It is the newer mongosh utility that is now bundled with Compass.
You can see here that the db.createUser() method is included as one of the mongosh Methods in the navigation on the left side of the page. So that method and functionality should be present in this newer shell.
"I believe it is all just stored locally."
This comment doesn't really make sense. It's true that MongoDB credentials are stored by the cluster itself so it is "local" in that regard. But nothing is going to be stored outside of that such as in Compass or on your local machine.
"I do not believe it's connected to atlas"
What are the actual connection settings you used when opening Compass to connect to a system?
To get back to the original request, what is the actual outcome that you are seeing when running those commands? Are you getting an error message or?
Knowing that would allow us to troubleshoot further. If you do happen to be running these commands against an Atlas cluster and seeing that the users don't exist shortly after doing so, then you will want to use the Atlas interface instead.
Edit
Based on the updated question, it seems part of the confusion is around what and where to run some commands.
Working backwards, the specific error that you mention is caused by a syntax error. In your array of roles the second entry should either just be a string or a fully-formed object. So try changing
roles: [{role: "userAdminAnyDatabase", db: "admin"}, {"readWriteAnyDatabase"}]
to
roles: [{role: "userAdminAnyDatabase", db: "admin"}, {role:"readWriteAnyDatabase",db:"admin"}]
Also I see now that you seem to be adding the --auth flag to the commands that are being run in the shell. This is incorrect. Rather, that is a parameter that is included when you start the mongod process, see here. You can still create users without mongod enforcing authentication, but you'll want to restart the mongod process itself with the right configuration (e.g. with --auth) to actually prevent users from interacting with the data without properly authenticating.

MongoDB not authenticating on localhost or connecting authenticated MongoDB Compass

System
Hi, I am running MongoDB on Ubuntu 20.14.
I'm running MongoDB with systemctl.
What I've done
I've tried to make it more secure by adding an admin user and enabling authentication.
I've restarted the service multiple times.
config file:
security:
  authorization: enabled
How I created user:
use admin
db.createUser({
  user: "username",
  pwd: "123456",
  roles: ["root"]
})
Problem
I am still able to connect through MongoDB Compass without any auth? I'm able to do everything even though I enabled authentication.
I am not able to log in authenticated using these URLs:
mongodb://username:password@localhost:27017/
mongodb://username:password@localhost:27017?authSource=admin
I'm sure the config file is loading, since authentication works in the console and I can see the right config load in the mongod.log.
It would be this one:
mongodb://username:password@localhost:27017?authSource=admin
See also: Authentication failure while trying to save to mongodb
Yes, even without authentication you can connect to Mongo database in any case. However, apart from harmless commands like db.help(), db.version(), db.getMongo(), etc. you cannot execute anything.
You can skip parameter enableLocalhostAuthBypass. The localhost exception applies only when there are no users created in the MongoDB instance.
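A way to confirm the behavior described above, as an added example that is not part of the original answers: from a session that has not authenticated, probe commands that should be refused and report whether access control is enforced. The probe list and the function names are choices made for this example.

```javascript
// Added example. In mongosh (or the legacy mongo shell), on a connection
// that has not authenticated, call: checkAuthEnforced(db)
const UNAUTHORIZED = 13; // server error code for "Unauthorized"

// Commands an unauthenticated session must not be able to run.
const PROBES = [
  { name: "listDatabases", cmd: { listDatabases: 1 } },
  { name: "usersInfo", cmd: { usersInfo: 1 } },
  { name: "serverStatus", cmd: { serverStatus: 1 } },
];

// Run one probe against the admin database and classify the outcome.
function probe(db, cmd) {
  try {
    const res = db.getSiblingDB("admin").runCommand(cmd);
    if (res && Number(res.ok) === 1) return "allowed";
    // The legacy shell returns { ok: 0, code: 13 } instead of throwing.
    return res && res.code === UNAUTHORIZED ? "denied" : "error";
  } catch (e) {
    // mongosh throws a server error that carries the same code.
    return e && e.code === UNAUTHORIZED ? "denied" : "error";
  }
}

// Summarize all probes: any command that succeeds means auth is not enforced;
// failures other than "Unauthorized" leave the result inconclusive.
function checkAuthEnforced(db) {
  const results = {};
  for (const p of PROBES) results[p.name] = probe(db, p.cmd);
  const open = Object.keys(results).filter(n => results[n] === "allowed");
  const failed = Object.keys(results).filter(n => results[n] === "error");
  let verdict = "enforced";
  if (open.length > 0) verdict = "not enforced";
  else if (failed.length > 0) verdict = "inconclusive";
  return { verdict, open, results };
}
```

A "not enforced" verdict on a server that was configured with authorization means either that the running mongod did not pick up the setting or that the client is connected to a different instance than the one that was configured.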
Solution
I thought the issue was with MongoDB Compass.
So what I did was delete the application, and when I did that I saw that I had MongoDB installed on my PC too.
I was never connecting to the MongoDB that I had created on my Ubuntu server, but to the one on my own PC.

MongoDB + Adminer

I am running a local MongoDB service on Windows using WAMP64.
I want to access the db using Adminer. I cannot get through the login page.
It keeps saying that Database does not support password, which it does, as proven by me logging into the db using MongoDB Compass with the created auth uid and pw.
I have tried Adminer 4.6.3 and 4.7.6 (latest version).
Anyone know how to get past this? Thanks.
The code that produces this message seems to be here.
What it appears to do is:
1) Connect with the provided username and password.
2) Connect with the provided username with an empty password.
3) If the second connection succeeds, return the "does not support password" error.
4) Otherwise, presumably return the first connection.
If I try to login without a password, even if mongod was not started with --auth parameter, my login fails. So I'm not sure what setup is needed to reproduce this behavior, but I suggest:
Ensuring your mongod invocation has --auth parameter.
Ensuring you are not able to connect to your server without specifying the password (i.e., unauthenticated connection fails).
The thing you need to do is to add a user. You don't have to run mongo with authentication enabled; if you add a user adminer will accept the auth and just work. Just run mongo:
db.createUser({
... user: "admin",
... pwd: "PASSWORD",
... roles: ["readWrite","dbAdmin"]
... })
and then you'll be able to log in with adminer

Failed to connect MongoDB 3.X with MongoVUE

I am running MongoDB on Windows 8.1 and created users for the admin database. For convenience, I use MongoVUE to check data. But after turning on the "auth" function, I cannot log in.
Actually, I can use the username and password to authenticate with the mongo shell. Furthermore, I can also use them to authenticate from Python code. They fail to work only when I use MongoVUE or Robomongo.
When I clicked the "test" button in MongoVUE, it returned the message "Connection was refused", and the Windows command shell showed the following:
2015-07-03T19:52:34.843+0800 I NETWORK [initandlisten] connection accepted from 127.0.0.1:24163 #242 (4 connections now open)
2015-07-03T19:52:34.845+0800 I ACCESS [conn242] authenticate db: admin { authenticate: 1, user: "uvpaiad", nonce: "xxx", key: "xxx" }
2015-07-03T19:52:34.846+0800 I ACCESS [conn242] Failed to authenticate uvpaiad@admin with mechanism MONGODB-CR: AuthenticationFailed MONGODB-CR credentials missing in the user document
2015-07-03T19:52:34.847+0800 I NETWORK [conn242] end connection 127.0.0.1:24163 (3 connections now open)
Does anyone know what the matter is?
This is because of the changed authentication mechanism in the latest MongoDB version. In Mongo 3.X, the auth mechanism changed to SCRAM (Salted Challenge Response Authentication Mechanism).
To avoid this, one needs to go into the system users collection, create the new user documents and delete the old ones.
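To separate this kind of failure from a wrong password when reading plain-text mongod 3.x logs, the following added example (not part of the original answer) classifies "Failed to authenticate" lines by cause. The first sample line is the failure from the question's log; the second is a constructed wrong-password line whose wording is an assumption, and the function names are chosen for this example.

```javascript
// Added example: classify authentication failures in mongod 3.x log text.
// Line 1 is the failure from the question's log; line 2 is a constructed
// wrong-password line (assumed wording); line 3 is unrelated noise.
const SAMPLE_LOG = [
  "2015-07-03T19:52:34.846+0800 I ACCESS [conn242] Failed to authenticate " +
    "uvpaiad@admin with mechanism MONGODB-CR: AuthenticationFailed " +
    "MONGODB-CR credentials missing in the user document",
  "2015-07-03T19:55:10.101+0800 I ACCESS [conn243] Failed to authenticate " +
    "uvpaiad@admin with mechanism SCRAM-SHA-1: AuthenticationFailed " +
    "SCRAM-SHA-1 authentication failed, storedKey mismatch",
  "2015-07-03T19:55:10.102+0800 I NETWORK [conn243] end connection " +
    "127.0.0.1:24163 (3 connections now open)",
].join("\n");

const FAILURE = new RegExp(
  "^(\\S+) I ACCESS\\s+\\[(conn\\d+)\\] Failed to authenticate (\\S+)@(\\S+) " +
  "with mechanism (\\S+): AuthenticationFailed (.*)$");

// "credentials missing in the user document" means the account has no
// credentials stored for the mechanism the client chose: the client and the
// stored user disagree on the mechanism, which is not a wrong-password case.
function classifyAuthFailures(logText) {
  const findings = [];
  for (const line of logText.split(/\r?\n/)) {
    const m = FAILURE.exec(line.trim());
    if (!m) continue;
    const [, time, conn, user, db, mechanism, reason] = m;
    const mismatch = reason.includes("credentials missing in the user document");
    findings.push({ time, conn, account: `${user}@${db}`, mechanism,
      cause: mismatch ? "mechanism-mismatch" : "credential-failure" });
  }
  return findings;
}

// Accounts whose clients attempt a mechanism the server holds no credentials
// for, keyed by account, with the mechanisms that were attempted.
function mechanismMismatches(logText) {
  const byAccount = {};
  for (const f of classifyAuthFailures(logText)) {
    if (f.cause !== "mechanism-mismatch") continue;
    (byAccount[f.account] = byAccount[f.account] || new Set()).add(f.mechanism);
  }
  return Object.fromEntries(
    Object.entries(byAccount).map(([a, s]) => [a, [...s].sort()]));
}
```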

How do I add an admin user to Mongo in 2.6?

I upgraded from 2.4 to 2.6 and authentication broke. This tutorial seems pretty straightforward but I keep getting locked out of my own database. My situation is pretty simple, I have a single Mongo server and need one user/pwd combination to connect.
First I connect via the localhost exception as mentioned. Then I create the admin user as suggested:
use admin
db.createUser(
  {
    user: "myadmin",
    pwd: "mysecret",
    roles:
      [
        {
          role: "userAdminAnyDatabase",
          db: "admin"
        }
      ]
  }
)
Now it's time to add new users, so to sanity check myself, I log out of the shell. Now when I type "mongo" it fails. That used to work, but OK, it's not seeing a username and password, and I guess the localhost exception isn't there anymore, so I follow the instructions outlined here:
mongo --port 27017 -u myadmin -p mysecret --authenticationDatabase admin
And I get:
MongoDB shell version: 2.6.0
connecting to: 127.0.0.1:27017/test
Error while trying to show server startup warnings: not authorized on admin to execute command { getLog: "startupWarnings" }
>
Any idea on how to:
1) Set up Mongo 2.6 so I can easily go in and out of the shell managing the databases (I would think this is the "system user administrator")
2) Enable a user from a remote client to connect? (Just the mongo side, no help needed with iptables ...)
Thanks!
Apparently the "system user administrator" isn't enough. Create a root user:
> db.createUser({user:"someadmin",pwd:"secret", roles:[{role:"root",db:"admin"}]})
Then add your database user:
> use some_db
> db.createUser(
    {
      user: "mongouser",
      pwd: "someothersecret",
      roles: ["readWrite"]
    }
  )
More details on this gist. Comments on gist and better answers on SO welcome - I'm not a sys admin
1) The role that you assign the admin user, userAdminAnyDatabase, doesn't have unlimited privileges. It's just a role that is allowed to create and manage users on any database. Apparently, by default it is restricted from executing certain commands that are not directly related to managing database users (such as fetching the startup warnings from the log, querying the server status, etc.).
You can use the 'root' role instead as Tony suggests. If you are going to use the root account to do setup and management and then just have a few basic read/write privileged accounts talking to the database, this probably makes the most sense.
2) In general, connecting on the client side just requires calling the db.authenticate() function after connecting from your client code. There are different ways to do this depending on the driver/language that you are using for a client. The node.js driver code is pretty typical: http://mongodb.github.io/node-mongodb-native/api-generated/db.html#authenticate
Even after following @Tony's method I was getting a
`com.mongodb.CommandFailureException:`
Adding
compile 'org.mongodb:mongo-java-driver:2.13.1'
in Dependency section of BuildConfig.groovy however fixed the issue.