mongodb backup role error to query system.profile - mongodb

I have a mongo user with backup role, when running mongodump, I got the following error:
014-06-13T14:10:53.226-0400 test.system.profile to /backup/mongodb/06-13-2014/test/system.profile.bson
assertion: 11010 count fails:{ ok: 0.0, errmsg: "not authorized on test to execute command { count: "system.profile", query: {} }", code: 13 }
Here is the user setting:
"_id" : "admin.backupAdmin",
"user" : "backupAdmin",
"db" : "admin",
"roles" : [
{
"role" : "backup",
"db" : "admin"
}
]
any help is very appreciated.


In case someone still have problem with that. This is a bug in MongoDB bult-in roles: https://jira.mongodb.org/browse/SERVER-21724
If you don't want to update, here is an online fix without granting dbAdmin:
db.createRole({
role: "backup_fix",
privileges: [
{ resource: { db: "", collection: "system.profile" }, actions: [ "find"] },
],
roles: [
]
})
db.grantRolesToUser("YOUR_BACKUP_USER", [{"role": "backup_fix", "db": "admin"}]);


The backup role you are using provides sufficient privileges to use the MongoDB Management Service (MMS) backup agent to use mongodump or to back up an entire mongod instance.
To backup a given database, you must have read access on the database.To backup the system.profile collection in a database, you must have read access on certain system collections in the database.
So in case you have single instance its enough to have the following role:
db.grantRolesToUser("backupUser", [{role: "dbAdmin", db:"admin"}])
Incase you maintain any shard or replica you can have the below role:
db.grantRolesToUser("backupUser", [{role: "clusterAdmin", db:"admin"}])


I believe you need the dbAdmin role to backup system.profile.
It might not be the best approach, but the error can be fixed by granting the dbAdminAnyDatabase role for the backup user.
db.grantRolesToUser("backupUser", [{role: "dbAdminAnyDatabase", db:"admin"}])

Related

MongoDB: Couldn't add user - not authorized (CloudFoundry)

I have a MongoDB (Service Plan: small) and I would like to create an additional user but it seems I dont have the necessary privileges to do so.
db.createUser({ user: "whateverusername" , pwd: "whateverpassword", roles: ["userAdminAnyDatabase", "dbAdminAnyDatabase", "readWriteAnyDatabase"]})
Failed to execute script.
Error: couldn't add user: not authorized on XXXXXXX to execute
command { createUser: "whateverusername", pwd: "xxx", roles: [
"userAdminAnyDatabase", "dbAdminAnyDatabase", "readWriteAnyDatabase"
], digestPassword: false, writeConcern: { w: "majority", wtimeout:
600000.0 } } :
_getErrorWithCode#src/mongo/shell/utils.js:25:13 DB.prototype.createUser#src/mongo/shell/db.js:1290:15 #(shell):1:1
and I cant list the users:
db.system.users.find();
Error: error: { "ok" : 0, "errmsg" : "not authorized on XXXXXXX to
execute command { find: \"system.users\", filter: {} }", "code" : 13,
"codeName" : "Unauthorized" }
Is this restriction intended? Is there a way to get the readWriteAnyDatabase role? Am I doing something wrong?
I really appreciate any help you can provide!

You need to add users through CloudFoundry. Either bind the service to an app, which will create a user to be used by that app, or create a service key which is meant for all other purposes (mostly for the cases where a human needs to interact with the database).
Here's the docs on how to bind a service to an app: https://docs.developer.swisscom.com/devguide/services/application-binding.html
A tutorial for it: https://docs.developer.swisscom.com/tutorial-go/bind-service.html
And here's how to create service keys: https://docs.developer.swisscom.com/devguide/services/service-keys.html

Not authorized to execute command find in local mongo database

I have an application scenario where 3 meteor applications are using a mongo database replication set. A machine is allocated to run each meteor application. A single mongo database is running on each machine. Each application (the server) is supposed to access a collection in the local mongo database.
The server creates a connection to the local database collection as follows:
const url = "myUser:myPass#localhost:27017/local?authSource=admin"
const MyCollection = new Mongo.Collection('myCollection', { _driver: new MongoInternals.RemoteCollectionDriver(url) });
2 of the 3 meteor applications, i.e. the application connected to the primary database and secondary database are able to read/write from/to the collection.
However, the meteor application connected to the arbiter database runs into issues when it tries to execute the following code in the meteor startup function:
MyCollection.update({}, { $unset: { myData1: '', myData2: '' }}, { upsert: true });
It produces the following exception:
not authorized on local to execute command { find: "myCollection", filter: {}, limit: 1 }
I can use the URL declared in the url variable to connect to a mongo shell and perform reads and writes on the same collection in the local database.
When I checked the user permissions this is what I see in the mongo shell:
{
"_id" : "admin.myUser",
"user" : "myUser",
"db" : "admin",
"roles" : [
{
"role" : "readWrite",
"db" : "meteorDB"
},
{
"role" : "readWrite",
"db" : "local"
},
{
"role" : "read",
"db" : "admin"
},
{
"role" : "clusterAdmin",
"db" : "admin"
}
]
}
Therefore, it appears as if the user has the correct permissions.
Also, if I disable mongo DB security then the meteor application does not throw any exceptions.
I was wondering if someone could point out if I’m doing something wrong. Any help is much appreciated.

MongoDB - userAdminAnyDatabase can't create users

Currently I've got a siteUserAdmin authenticated on the admin database:
{
"_id" : "admin.siteUserAdmin",
"user" : "siteUserAdmin",
"db" : "admin",
"credentials" : {
"MONGODB-CR" : "...."
},
"roles" : [
{
"role" : "userAdminAnyDatabase",
"db" : "admin"
}
]
}
When I run:
use admin;
db.auth('siteUserAdmin', 'supersecret');
Everything authenticates just fine.
However when I then do:
use myotherdb
db.addUser({ user: 'chris', pwd: 'anothersecretpassword', roles: ['dbOwner']});
It doesn't add the user, I get the following:
couldn't add user: not authorized for insert on admin.system.users at src/mongo/shell/db.js:128
What am I doing wrong? This all looks nuts.
FYIL I'm using MongoDB version 2.6.10.
Random side note: weirdly createUser isn't a function, even though according to the MongoDB docs it was added in 2.6.

I was seeing this exact error in Robomongo 0.8.5. I copy/pasted the command to the the Mongo cli client and it worked fine.
Authenticated as siteUserAdmin to admin db on both clients.
Hopefully this helps someone else.

MongoDB 2.4 unauthorized to setProfilingLevel with admin role

I am the admin of a MongoDB 2.4 which is in production. When I am trying to activate profiling on some databases, it returns:
{ "ok" : 0, "errmsg" : "unauthorized" }
all the other profile-related commands return also a sort of unauthorized error messages.
my admin roles and rights are as follows:
{ "_id" : ObjectId("..."), "pwd" : "...", "roles" : [ "userAdminAnyDatabase", "readWriteAnyDatabase", "clusterAdmin" ], "user" : "admin" }
Do I need any other role to be able to profile, or there is another problem?

You need to add the dbAdminAnyDatabase role:
dbAdminAnyDatabase
dbAdminAnyDatabase provides users with the same access to database
administration operations as dbAdmin, except it applies to all logical
databases in the MongoDB environment.
http://docs.mongodb.org/v2.4/reference/user-privileges/

MongoDB "root" user

Is there a super UNIX like "root" user for MongoDB? I've been looking at http://docs.mongodb.org/manual/reference/user-privileges/ and have tried many combinations, but they all seem to lack in an area or another. Surely there is a role that is above all the ones listed there.

The best superuser role would be the root.The Syntax is:
use admin
db.createUser(
{
user: "root",
pwd: "password",
roles: [ "root" ]
})
For more details look at built-in roles.

While out of the box, MongoDb has no authentication, you can create the equivalent of a root/superuser by using the "any" roles to a specific user to the admin database.
Something like this:
use admin
db.addUser( { user: "<username>",
pwd: "<password>",
roles: [ "userAdminAnyDatabase",
"dbAdminAnyDatabase",
"readWriteAnyDatabase"
] } )
Update for 2.6+
While there is a new root user in 2.6, you may find that it doesn't meet your needs, as it still has a few limitations:
Provides access to the operations and all the resources of the
readWriteAnyDatabase, dbAdminAnyDatabase, userAdminAnyDatabase and
clusterAdmin roles combined.
root does not include any access to collections that begin with the
system. prefix.
Update for 3.0+
Use db.createUser as db.addUser was removed.
Update for 3.0.7+
root no longer has the limitations stated above.
The root has the validate privilege action on system. collections.
Previously, root does not include any access to collections that begin
with the system. prefix other than system.indexes and
system.namespaces.

Mongodb user management:
roles list:
read
readWrite
dbAdmin
userAdmin
clusterAdmin
readAnyDatabase
readWriteAnyDatabase
userAdminAnyDatabase
dbAdminAnyDatabase
create user:
db.createUser(user, writeConcern)
db.createUser({ user: "user",
pwd: "pass",
roles: [
{ role: "read", db: "database" }
]
})
update user:
db.updateUser("user",{
roles: [
{ role: "readWrite", db: "database" }
]
})
drop user:
db.removeUser("user")
or
db.dropUser("user")
view users:
db.getUsers();
more information: https://docs.mongodb.com/manual/reference/security/#read

There is a Superuser Roles: root, which is a Built-In Roles, may meet your need.

I noticed a lot of these answers, use this command:
use admin
which switches to the admin database. At least in Mongo v4.0.6, creating a user in the context of the admin database will create a user with "_id" : "admin.administrator":
> use admin
> db.getUsers()
[ ]
> db.createUser({ user: 'administrator', pwd: 'changeme', roles: [ { role: 'root', db: 'admin' } ] })
> db.getUsers()
[
{
"_id" : "admin.administrator",
"user" : "administrator",
"db" : "admin",
"roles" : [
{
"role" : "root",
"db" : "admin"
}
],
"mechanisms" : [
"SCRAM-SHA-1",
"SCRAM-SHA-256"
]
}
]
I emphasize "admin.administrator", for I have a Mongoid (mongodb ruby adapter) application with a different database than admin and I use the URI to reference the database in my mongoid.yml configuration:
development:
clients:
default:
uri: <%= ENV['MONGODB_URI'] %>
options:
connect_timeout: 15
retry_writes: false
This references the following environment variable:
export MONGODB_URI='mongodb://administrator:changeme#127.0.0.1/mysite_development?retryWrites=true&w=majority'
Notice the database is mysite_development, not admin. When I try to run the application, I get an error "User administrator (mechanism: scram256) is not authorized to access mysite_development".
So I return to the Mongo shell delete the user, switch to the specified database and recreate the user:
$ mongo
> db.dropUser('administrator')
> db.getUsers()
[]
> use mysite_development
> db.createUser({ user: 'administrator', pwd: 'changeme', roles: [ { role: 'root', db: 'admin' } ] })
> db.getUsers()
[
{
"_id" : "mysite_development.administrator",
"user" : "administrator",
"db" : "mysite_development",
"roles" : [
{
"role" : "root",
"db" : "admin"
}
],
"mechanisms" : [
"SCRAM-SHA-1",
"SCRAM-SHA-256"
]
}
]
Notice that the _id and db changed to reference the specific database my application depends on:
"_id" : "mysite_development.administrator",
"db" : "mysite_development",
After making this change, the error went away and I was able to connect to MongoDB fine inside my application.
Extra Notes:
In my example above, I deleted the user and recreated the user in the right database context. Had you already created the user in the right database context but given it the wrong roles, you could assign a mongodb built-in role to the user:
db.grantRolesToUser('administrator', [{ role: 'root', db: 'admin' }])
There is also a db.updateUser command, albiet typically used to update the user password.

It is common practice to have a single db that is used just for the authentication data for a whole system.
On the connection uri, as well as specifying the db that you are connecting to use, you can also specify the db to authenticate against.
"mongodb://usreName:passwordthatsN0tEasy2Gue55#mongodb.myDmoain.com:27017/enduserdb?authSource=myAuthdb"
That way you create all your user credentions AND roles in that single auth db.
If you want a be all and end all super user on a db then, you just givem the role of "root#thedbinquestion"
for example...
use admin
db.runCommand({
"updateUser" : "anAdminUser",
"customData" : {
},
"roles" : [
{
"role" : "root",
"db" : "thedbinquestion"
} ] });

now you can change your built-in role to atlas admin in the console;
this fixed my issue.

"userAdmin is effectively the superuser role for a specific database. Users with userAdmin can grant themselves all privileges. However, userAdmin does not explicitly authorize a user for any privileges beyond user administration." from the link you posted