Cannot access database after authencation enabled - mongodb

I'm using mongodb 2.6.1, Windows 7 64bit
I started mongod without --auth and create a first user using
db.createUser({
user: "root",
pwd: "xxx",
roles:
[{
role: "userAdminAnyDatabase",
db: "admin"
}]
})
I restarted mongod again with this configuration
systemLog:
destination: "file"
path: "c:\\mongodb\\log\\mongo.log"
quiet: true
logAppend: true
storage:
dbPath: "c:\\mongodb\\data\\db"
directoryPerDB: true
smallFiles: true
journal:
enabled: true
net:
bindIp: 127.0.0.1
port: 27017
http:
enabled: true
JSONPEnabled: true
RESTInterfaceEnabled: true
security:
authorization: enabled
There was no errors, so the authentication has been enabled.
I started mongo using mongo -u root -p --authenticationDatabase admin but I got error message shown below.
MongoDB shell version: 2.6.1
Enter password:
connecting to: test
Error while trying to show server startup warnings: not authorized on admin to execute command { getLog: "startupWarnings" }
I tried to use show collections but I got error message shown below.
2014-05-20T00:36:07.801+0700 error: {
"$err" : "not authorized for query on admin.system.namespaces",
"code" : 13
} at src/mongo/shell/query.js:131
But when I tried db.system.users.find() I can display the user in the collection without any error messages.
I also tried db.auth("root","xxx") but I got the same result, I can display user but I cannot list available collections.
I have 2 more db which were imported from the older version, without --auth these dbs work just fine, but starting mongod with authentication enabled, I cannot display anything inside those dbs.
Please help, solve the question.

In my case, the username: root was created with adminAnyDatabase, which actually has no priviliges such as find action.
Therefore as I expected the root to be top level user, so the root should be granted as superuser using root role.
use admin
db.grantRolesToUser(
"root",
[
{ role: "root", db: "admin" }
]
)
Also the adminAnyDatabase should be revoked
use admin
db.revokeRolesFromUser(
"root",
[
{ role: "adminAnyDatabase", db: "admin" }
]
)

Related

MongoDB 3.2 - creating a CRUD admin for a certain database

I'm trying to create a CRUD database administrator.
From what I read from official documentation, there is a role readWrite, but I don't really got the process of creating an admin.
So I ran mongod without --auth and created a user with these parameters:
use myCustomDB
db.createUser({
user: "snoop",
pwd:"stickyickyicky",
roles:[{role:"readWrite", db:"myCustomDB"}]
});
The command line answered Successfully added new user blah blah..
but when I authenticate it returns 1, which, I suppose is true. But when I run command for example db.peops.find() it gives me this Error: error: { "$err" : "not authorized for query on myCustomDB.peops", "co de" : 13 }
It may be your find call. Try formatting like this:
db.getCollection('peops').find({})
If that's not it, it might be your auth schema. This may not be the best method, but I thought I would share the steps I take to setup a super admin and database specific admin, and a read only user. The all caps should be replaced with corresponding credential / db name:
1.Change Mongo Security Method
sudo service mongod start
mongo
use admin
db.system.version.remove({})
db.system.version.insert({ "_id" : "authSchema", "currentVersion" : 3 })
2.Create Super Admin User
use admin
db.createUser( { user: "SUPERADMINUSER", pwd: "SUPERADMINPASS", roles: [ { role: "userAdminAnyDatabase", db: "admin" } ] } )
3.Create db Admin with read/write access
use DATABASE
db.createUser( { user: "DBADMIN", pwd: "DBPASSWORD", roles: [ { role: "userAdmin", db: "DATABASE" }, { role: "readWrite", db: "DATABASE" }] } )
db.createUser( { user: "DBREADONLYUSER", pwd: "DBREADONLYPASS", roles: [ { role: "read", db: "DATABASE" }] } )
4.Edit mongod.config in /etc folder
sudo service mongod stop
in mongod.config edit so that auth = true is not commented out.
5. Restart mongo, security in place
sudo service mongod start
***Troubleshooting: If you are running mongo 3.2 you can likely skip the db.system.version remove and insert commands, you may want/need to upgrade to SCRAM-SHA-1, if so run db.adminCommand({authSchemaUpgrade: 1}); set up users the same way as shown above, when editing your /etc/mongod.conf file instead of auth=true comment in security: and add authorization=true as follows:
security:
authorization: enabled

Kerberos authentication does not work in Mongodb Enterprise 3.2

Environment Windows 2012 R2. MongoDB Enterprise 3.2.0, this is an evaluation version.
I am logged in as muser1.
Why it is looking for a field pwd?
How can I fix it?
c:\MongoDB\scripts>mongo.exe --authenticationMechanism=GSSAPI --authenticationDatabase='$external' --username muser1#TEST.MNG
MongoDB shell version: 3.2.0
connecting to: test
2016-01-14T14:03:37.572-0800 E QUERY [thread1] Error: Missing expected field "pwd" :
DB.prototype._authOrThrow#src/mongo/shell/db.js:1395:16
#(auth):6:1
#(auth):1:2
exception: login failed
The user exists:
MongoDB Enterprise > user = db.system.users.findOne({user: "muser1#TEST.MNG"})
{
"_id" : "$external.muser1#TEST.MNG",
"user" : "muser1#TEST.MNG",
"db" : "$external",
"credentials" : {
"external" : true
},
"roles" : [
{
"role" : "readWrite",
"db" : "test"
}
]
}
Kerberos is correctly configured based on 3.2 documentation. DNS configured correctly.
MongoDB service is running with a domain account. SPN is there for the default and for the named service also. Tried to have just one of them configured alone then the other one, no luck.
c:\MongoDB\scripts>setspn -L m1svr
Registered ServicePrincipalNames for CN=Mongo1,CN=Users,DC=test,DC=mng:
mongodb/m1.test.mng
MongoDB_M1_D1/m1.test.mng
Here is the startup config file:
# Data Node, with minimal oplog and no jurnal
net:
port: 27017
systemLog:
verbosity: '0' #Debug level from 0-5
destination: file
path: C:\MongoDB\logs\m1-d1.log
logAppend: false
storage:
dbPath: C:\MongoDB\data\m1\D1
journal:
enabled: false
directoryPerDB : true
wiredTiger:
engineConfig:
cacheSizeGB: 1
statisticsLogDelaySecs: 1
journalCompressor: snappy
directoryForIndexes: true
collectionConfig:
blockCompressor: snappy
indexConfig:
prefixCompression: true
#replication:
# oplogSizeMB: 10
# replSetName: RSTest
security:
authorization: enabled
# sasl:
# hostName: m1.test.mng
# serviceName: MongoDB_M1_D1
# keyFile: F:\config\key1.txt
# clusterAuthMode: keyFile
setParameter:
authenticationMechanisms: GSSAPI,SCRAM-SHA-1
I tried to add a pwd field to the user document (just in case), but no luck.
I am out of ideas.
When using Kerberos Authentication, you need to define the fully qualified domain name for the server you are connecting to as part of the connection string. Note that the domain portion also needs to be in all caps. eg:
mongo.exe --host servername.TEST.MNG --authenticationMechanism=GSSAPI --authenticationDatabase='$external' --username muser1#TEST.MNG

Remote and local authentication fails on Mongo DB 3.0.7 (installed on Amazon EC2)

I created an admin user:
> db.createUser(
... {
... user: "administrator",
... pwd: "password",
... roles: [ { role: "userAdminAnyDatabase", db: "admin" } ]
... }
... )
Successfully added user: {
"user" : "administrator",
"roles" : [
{
"role" : "userAdminAnyDatabase",
"db" : "admin"
}
]
}
and now i'm trying to use it for enter with:
ubuntu#***ip number***:/etc$ sudo mongo --port 27017 -u administrator -p password --authenticationDatabase admin
This is what returns:
MongoDB shell version: 3.0.7
connecting to: 127.0.0.1:27017/test
2015-10-27T15:33:25.670+0000 E QUERY Error: 18 Authentication failed.
at DB._authOrThrow (src/mongo/shell/db.js:1271:32)
at (auth):6:8
at (auth):7:2 at src/mongo/shell/db.js:1271
Mongo is installed into an Amazon EC2 machine with Ubuntu.
What is missing?
The userAdminAnyDatabase role allows the user to grant access (for itself, or any other users) to any other database, however, that does not automatically grant that admin user read/write permission on all those databases (though it can bestow them upon themselves). You can resolve your authentication issue by granting the user the additional role readAnyDatabase.
db.createUser(
{
user: "test1",
pwd: "password",
roles: [ { role: "userAdminAnyDatabase", db: "admin" }, {role:"readAnyDatabase",db:"admin"} ]
}
)
Link to MongoDB docs: Create a User Administrator
Change on mongod.conf ( stop first mongod service. Ex: sudo service mongod stop):
bindIp: 127.0.0.1
for:
bindIp: 0.0.0.0
Now you can restart (Ex:sudo service mongod start)
Now you can enter in the same machine normally typing mongo, but for example, if you try to do it with robomongo gui before makes the test success the ip but don't success the user login. The user and login was created before with a pwd and roles for userAdminAnyDatabase and readAnyDatabase.
Now just type in your machine:
mongo --host (ip number here) --port 27017 -u username -p password --authenticationDatabase admin
And connect to remote Database.

Meteor and MongoDB: Authentication failures

If I run Meteor locally it works perfectly. If I call Meteor with a MONGO_URL that has no username:password it works perfectly too. However, if I turn on the MongoDB authentication and restart and then run Meteor with the username:password set, as in MONGO_URL="mongodb://username:password#127.0.0.1:27017/meteor", then I get an authentication failure as Meteor loads. I have checked that the username and password are correct. I have read that there maybe problems with Meteor and MongoDB authentication so does anyone have any information on this? I am using the following versions:
Meteor - 1.0.3.2
MongoDB - 2.6.7 (installed via brew)
I20150304-21:48:00.597(1)? Exception in callback of async function: MongoError: auth failed
I20150304-21:48:00.598(1)? at Object.toError (/Users/me/.meteor/packages/mongo/.1.0.11.1hg8e3j++os+web.browser+web.cordova/npm/node_modules/mongodb/lib/mongodb/utils.js:110:11)
I20150304-21:48:00.598(1)? at /Users/me/.meteor/packages/mongo/.1.0.11.1hg8e3j++os+web.browser+web.cordova/npm/node_modules/mongodb/lib/mongodb/db.js:1128:31
I20150304-21:48:00.598(1)? at /Users/me/.meteor/packages/mongo/.1.0.11.1hg8e3j++os+web.browser+web.cordova/npm/node_modules/mongodb/lib/mongodb/db.js:1843:9
I20150304-21:48:00.598(1)? at Server.Base._callHandler (/Users/me/.meteor/packages/mongo/.1.0.11.1hg8e3j++os+web.browser+web.cordova/npm/node_modules/mongodb/lib/mongodb/connection/base.js:445:41)
I20150304-21:48:00.598(1)? at /Users/me/.meteor/packages/mongo/.1.0.11.1hg8e3j++os+web.browser+web.cordova/npm/node_modules/mongodb/lib/mongodb/connection/server.js:468:18
I20150304-21:48:00.598(1)? at [object Object].MongoReply.parseBody (/Users/me/.meteor/packages/mongo/.1.0.11.1hg8e3j++os+web.browser+web.cordova/npm/node_modules/mongodb/lib/mongodb/responses/mongo_reply.js:68:5)
I20150304-21:48:00.599(1)? at [object Object].<anonymous> (/Users/me/.meteor/packages/mongo/.1.0.11.1hg8e3j++os+web.browser+web.cordova/npm/node_modules/mongodb/lib/mongodb/connection/server.js:426:20)
I20150304-21:48:00.599(1)? at [object Object].emit (events.js:95:17)
I20150304-21:48:00.599(1)? at [object Object].<anonymous> (/Users/me/.meteor/packages/mongo/.1.0.11.1hg8e3j++os+web.browser+web.cordova/npm/node_modules/mongodb/lib/mongodb/connection/connection_pool.js:201:13)
I20150304-21:48:00.599(1)? at [object Object].emit (events.js:98:17)
=================================================
I thought I had an answer to the above but alas not, I made suggested changes and I still could not authenticate. So, to provide more details:
I have upgraded to MonogoDB 3.0.0
I delete the database so that a brand new one was created.
My config file is as follows:
systemLog:
destination: file
path: /usr/local/var/log/mongodb/mongo.log
logAppend: true
storage:
dbPath: /usr/local/var/mongodb
net:
bindIp: 127.0.0.1
security:
authorization: enabled
On the "admin" database a "super user" has been created as follows:
use admin
db.createUser({user: "superuser", pwd: "password", roles:["root"]})use admin
I then created a user on the "meteor" database
db.auth("superuser", "password")
use meteor
db.createUser({user: "meteor", pwd: "password", roles: [{ role: "readWrite", db: "meteor"}]})
The above step generates:
Successfully added user: {
"user" : "meteor",
"roles" : [
{
"role" : "readWrite",
"db" : "meteor"
}
]
}
If I perform a db.getUsers() I get the message:
[
{
"_id" : "meteor.meteor",
"user" : "meteor",
"db" : "meteor",
"roles" : [
{
"role" : "readWrite",
"db" : "meteor"
}
]
}
]
If I comment out the two security lines in the config then I can access MongoDB from Meteor or RoboMongo without a problem - using mongodb:127.0.0.1:27017/meteor. If I uncomment the two security lines in the config then I can no longer access MongoDB from either Meteor or MongoDB - using mongodb://meteor:password#127.0.0.1:27017/meteor. In the last instance I continue to get the message that authentication failed. In the MongoDB logs I have:
authenticate db: meteor { authenticate: 1, nonce: "xxx", user: "meteor", key: "xxx" }
2015-03-08T14:34:44.909+0100 I ACCESS [conn7] Failed to authenticate meteor#meteor with mechanism MONGODB-CR: AuthenticationFailed UserNotFound Could not find user meteor#meteor
Update
The answer below and the configuration above work on v2.6.7
I haven't seen the issues you describe and without seeing code or knowing how you "turned on" MongoDB authentication I need to guess - so let's focus on what made things work for me.
You should check where the user was created. In MongoDB there are multiple databases, each having their own users. When using your connection string
mongodb://username:password#127.0.0.1:27017/meteor
you are authenticating against the meteor database. Using a tool such as RoboMongo I'd check if the user is actually inside that database or whether you created it inside the admin (or any other) database.
As a quick rundown:
When securing MongoDB you need to set an admin account, change the mongodb.conf file that it contains the line auth = true and restart. Then using the admin account you create a new (low-privilege) db user that has only access to the meteor database. You can do this using the command line like this (code for 2.6 as this was in your questions and will be default for next Meteor version):
db.createUser(
{ user: "username",
pwd: "password",
roles: [
{ role: "readwrite", db: "meteor" }
]
})
If you run mongod on the same box as Meteor I think we can safely rule out any issues with net.port or net.bindIpconfig settings where the DB would simply not listen to requests.
If you did all this and restarted MongoDB, perhaps a meteor reset inside your projects can help fix anything.
it turns out for me was just about having special chars on the password and a dash on the username, once i made it simpler it all worked like magic :(
I had the same issue when I deployed on my new VPS.
On this new VPS, mongo version is 3.0.1
To solve the problem, a meteor update before building the package and it works
(meteor version: 1.0.4.1)

Create Superuser in mongo

I'm trying to create a user in mongo who can do anything in any db.
According to the guide I created a new admin: http://docs.mongodb.org/manual/tutorial/add-user-administrator
This is the code:
use admin
db.addUser( { user: "try1",
pwd: "hello,
roles: [ "userAdminAnyDatabase" ] } )
Then I stopped mongo, enabled the auth and restarted mongo.
Then I tried to create a database with his user.
According with this guide: http://www.mkyong.com/mongodb/how-to-create-database-or-collection-in-mongodb/
use fragola
db.users.save( {username:"fragolino"} )
And I get this: "not authorized for insert on fragola.users"
Anyone can help me?
from docs.mongodb.org-superuser-roles
Lets write answer that looks simple & also simple to implement
Steps :
1 : sudo apt-get install mongodb-org - in new terminal
2 : sudo mongod --port 27017 --dbpath /var/lib/mongodb
3 : mongo --port 27017 - in new terminal
4 : use admin
5 : As #drmirror said a user should have all 4 roles to be superuser
For Mongo Version 2.
db.createUser(
{
user: "tom",
pwd: "jerry",
roles: [
{ role: "userAdminAnyDatabase", db: "admin" },
{ role: "readWriteAnyDatabase", db: "admin" },
{ role: "dbAdminAnyDatabase", db: "admin" },
{ role: "clusterAdmin", db: "admin" }
]
})
For Mongo Version 3.
db.createUser(
{
user: "tom",
pwd: "jerry",
roles:["root"]
})
6 : sudo /etc/init.d/mongod stop OR sudo service mongod stop - in new terminal
7 : sudo /etc/init.d/mongod start OR sudo service mongod start
8 : restart your pc
9 : sudo mongod --auth --port 27017 --dbpath /var/lib/mongodb - in new terminal
10: mongo --port 27017 -u "tom" -p "jerry" --authenticationDatabase "admin" - in new terminal
Note : step 10 is most important step .
it will give Output on terminal like
MongoDB shell version: 2.6.11
connecting to: 127.0.0.1:27017/test
>
The role userAdminAnyDatabase gives the user the ability to create users and assign arbitrary roles to them. Because of this, that user has the power to do anything on the database, because he can give anybody any permission (including himself).
However, the userAdminAnyDatabase role by itself doesn't allow the user to do anything else besides assigning arbitrary rights to arbitrary users. To actually do something on the database, that user needs to have the following additional roles:
readWriteAnyDatabase
dbAdminAnyDatabase
clusterAdmin
A user who has the above three rights and userAdminAnyDatabase is a true super-user and can do anything.