How can I create one user that have complete access to MongoDB? - mongodb

This is really bugging me. I intend to create one user that controls all access to my MongoDB and also use the same user for all my applications. I realize having separate users would be even more secure but I want to keep this simple.
Unfortunately, it does not seem so straightforward to give superuser access. So far I have given the admin user as:
db.addUser({user:"admin", pwd:"ppp",
roles: ["clusterAdmin", "readWriteAnyDatabase", "dbAdminAnyDatabase", "userAdminAnyDatabase"] } )
But admin can still not be used to authenticate against another db than admin db itself. For example
mongo raconteurdb -u admin -p
MongoDB shell version: 2.4.9
Enter password:
connecting to: raconteurdb
Tue Apr 1 10:10:57.109 Error: 18 { code: 18, ok: 0.0, errmsg: "auth fails" } at src/mongo/shell/db.js:228
Do I need to set access for each DB separate? Will I lose that access when those DBs are dropped?

RipperDoc,
You can use the admin users to authenticate for any database. If the appropriate privileges were setup for the user, you could have used following:
mongo raconteurdb -u admin -p --authenticationDatabase admin
This will authenticate "admin" user setup in the "admin" database and "raconteurdb" will be default db on the mongo-shell.

Related

Can't add admin user in Mongo 3.6.8

I'm trying to add an admin user in Mongo, but I'm having trouble.
I already have auth = true commented out inside /etc/mongodb.conf.
When I run Mongo, I run these commands in order:
mongo
use admin
db.createUser({user:"admin",pwd:"password",roles:["root"]});
When I do so, I encounter the following error:
2020-10-11T04:50:50.714+0000 E QUERY [thread1] Error: couldn't add user: there are
no users authenticated :
_getErrorWithCode#src/mongo/shell/utils.js:25:13
DB.prototype.createUser#src/mongo/shell/db.js:1437:15
#(shell):1:1
I'm not sure exactly how to create an admin user if I have to log in as an admin user to do so. Any help is appreciated!
You don't have to disable authentication. With authentication enabled you can still logon to your MonogDB without username/password. However, as soon as you create the first user with userAdmin or userAdminAnyDatabase role the access control becomes active and you have to authenticate.
This behavior is called Localhost Exception
Is this the first user to try to create? Perhaps another admin user already exist. See also How do I create a the first mongodb user with authorization enabled?
I just gave up and started over with a new database, after exporting the old one as a backup.
For creating a user you will have to have a user in admin database first. So while creating user you need to provide db name and role both. Try creating user with below syntax.
use admin
db.createUser(
{
user: "myUserAdmin",
pwd: "password"
roles: [ { role: "userAdminAnyDatabase", db: "admin" }, "readWriteAnyDatabase" ]
}
)
Reference-
https://docs.mongodb.com/manual/tutorial/enable-authentication/

Mongodump fails against a mongodb in secure mode

I am brand new to Mongo and have just set up my first MongoDB Instance/Server. We must run this as secure as possible when it goes to production, so I am running it in secure mode. I am trying to get backups working.
This is also my first post in this forum. Please bear with me.
The command I used:
mongodump --host=localhost --port=27017 --username=useradmin --authenticationDatabase=admin --out=/opt/mongodb/bkup/mongodump-date +%m%d%yyyy%H%M.
I get:
2020-05-11T14:17:06.087-0500 Failed: error creating intents to dump: error creating intents for database admin: error getting collections for database admin: (Unauthorized) not authorized on admin to execute command { listCollections: 1, filter: {}, lsid: { id: UUID("b524c139-54d1-4789-a2b3-2eb88bb37255") }, $db: "admin" }
I know my authentication works because I can connect with:
[root#svldstkdb01 bin]# mongo svldstkdb01/admin -u useradmin -p
MongoDB shell version v4.2.6
Enter password:
connecting to: mongodb://svldstkdb01:27017/admin?compressors=disabled&gssapiServiceName=mongodb
Implicit session: session { "id" : UUID("cc5b1b24-dc00-437d-ae56-6aef53018589") }
MongoDB server version: 4.2.6
show dbs
admin 0.000GB <-- useradmin account is here
config 0.000GB
local 0.000GB
stkdb 0.000GB <-- I also need to back up this DB.
Questions:
1) Do I need to create an admin account to backup all DBs?
- Please give an example to create such an account.
2) Is there a way to backup all DBs in the instance?
You can create a backup role which provides necessary permissions to do mongodump. To create an user follow example here with role as "backup" or grant existing user backup role

Global admin connection user MongoDB 2.6

I have mongodb server with auth=true and many databases. I'm trying to connect to it remotely using admin database:
mongo --host xxx admin --username admin --password secretPassword
(WORK)
mongo --host xxx products --username admin --password secretPassword
(DOESN'T WORK)
I can connect to admin database and switch to products. But developers using connection string to connect to specific database using same username and password.
I can create admin user for each database but databases are pretty dynamic some added some removed. I've read thread about global admin but set up user role doesn't help
roles: [ { role: "userAdminAnyDatabase", db: "admin" } ]
and
--authenticationDatabase
Is not an option because a lot of code has to be rewritten.
Is there a way to setup one global admin that anyone can connect to remote database with username and password?
If you are using MongoDB 3.0+, the default location for users is the admin database. You will have to use --authenticationDatabase in this case going forward anyway.
With centralized users, you can define roles with access to all databases as necessary:
https://docs.mongodb.org/manual/reference/built-in-roles/
It sounds like you may want to refactor the database connection code, especially if "a lot of code" has to be rewritten, that sounds like you haven't been following DRY--"don't repeat yourself" principles.

MongoDB: Understand createUser and db admin

My MongoDB is hosted on compose.io and is called ScroungeBA.
I try to create a user with some built-in roles which by the documentary only work in the admin database:
MongoDB provides all other built-in roles only on the admin database
So my question: What is that admin db about? Is it the standard db which always exists?
Furthermore I have trouble with (using MongoDB shell version: 3.0.5):
$ use admin
switched to db admin
$ db.auth("user", "secret")
Error: 18 Authentication failed.
I guess my user does exist in the ScroungeBA db but not in the admin db? How can I create a user in the admin db since
db.createUser({user:"hello", pwd:"world", roles:[{role: "userAdmin", db: "admin"}]})
results in the error:
Error: couldn't add user: not authorized on admin to execute command { createUser: "hello", pwd: "xxx", roles: [ { role: "userAdmin", db: "admin" } ], digestPassword: false, writeConcern: { w: "majority", wtimeout: 30000.0 } }
at Error (<anonymous>)
at DB.createUser (src/mongo/shell/db.js:1101:11)
at (shell):1:4 at src/mongo/shell/db.js:1101
The admin database is a special database that you automatically have with a MongoDB instance. It contains things like the users of your databases, with roles, custom data, etc.
To create a user in the admin database, you have to temporarily disable auth on your MongoDB instance. I don't know how compose.io works specifically, but I usually modify the mongod.conf file, and comment the line auth=true.
After that, you can connect to your MongoDB shell and create a user in the admin database.
Give the user the role userAdminAnyDatabase instead of just useAdmin.
use admin
db.createUser({ user:"admin", pwd: "pass", roles: [{role: "userAdminAnyDatabase", db: "admin"}] })
An user with the role userAdminAnyDatabase can manage the users of all the databases.
Now enable auth again and restart the service.
As I said, I'm not sure how compose.io actually works and how much control it gives to you. If you don't have an admin account, this should be the way to go.
By the way, I've published an article on Medium about MongoDB 3.0 auth.
This solved my problem:
I finally got it to work on compose.io! So here it what my oplog url ended up looking like:
"MONGO_OPLOG_URL": "mongodb://username:password#single.18.mongolayerhost.com:1111/local?authSource=myDB"
I keep the MONGO_URL exactly the same as the URL compose.io provides with ?replicaSet
But for the OPLOG_URL you can only use a single host, not multiple. So you have to edit the URL compose.io gives you to only have one host. And you can't end the oplog with ?replicaSet. you can only have the ?replicaSet in the MONGO_URL.
source
Flow to set authentication :
Start MongoDB without access control.
mongod --port 27017 --dbpath /data/db1
Connect to the instance.
mongo --port 27017
Create the user administrator.
use admin
db.createUser(
{
user: "myUserAdmin",
pwd: "abc123",
roles: [ { role: "userAdminAnyDatabase", db: "admin" } ]
}
)
Re-start the MongoDB instance with access control.
mongod --auth --port 27017 --dbpath /data/db1
Authenticate as the user administrator.
Start a mongo shell with the -u , -p , and the --authenticationDatabase command line options:
mongo --port 27017 -u "myUserAdmin" -p "abc123"
--authenticationDatabase "admin"
An user with the role userAdminAnyDatabase can manage the users of all the databases.
For routine user creation, you must possess the following permissions:
To create a new user in a database, you must have the createUser action on that database resource.
To grant roles to a user, you must have the grantRole action on the role’s database.
MongoDB stores all user information, including name, password, and the user's authentication database, in the system.users collection in the admin database.
More Details : https://docs.mongodb.com/manual/tutorial/enable-authentication/
You can try this:
use admin
db.createUser( { user: "user", pwd: "password", roles: [
"readWriteAnyDatabase","dbAdminAnyDatabase","clusterAdmin" ] } )

How to give diagnostic actions listDatabases to a user in mongodb?

I'm trying to connect from a java application to a mongodb database in openshift and I'm having some trouble with roles and actions allowed.
I run the rch port-forward command like so:
rhc port-forward -a test
it all goes great and I'm able to connect to the database using:
mongo admin -u admin -p '*******' --host 127.0.0.1 --port 44506
and I can execute commands like:
> use test
> show databases
But if i connect directly to my database using:
mongo test -u admin -p '*******' --host 127.0.0.1 --port 44506
I'm unable to run the show databases command
listDatabases failed:{ "ok" : 0, "errmsg" : "unauthorized" } at src/mongo/shell/mongo.js:47
How can i give action listDatabases to this user in this database?
I found this page in the mongodb documentation http://docs.mongodb.org/manual/reference/privilege-actions/#security-user-actions
Which talks about Diagnostic Actions but does not mention how to give such action to a user.
Thanks for the help.
As mentioned by wdberkeley, you have to have a user in the admin database with the ability to list databases.
To do this, you first have to create a very minimal "role" for this user allowing them to list databases, and then create a user with both this role and the role for reading and writing your other database:
use admin
db.runCommand({ createRole: "listDatabases",
privileges: [
{ resource: { cluster : true }, actions: ["listDatabases"]}
],
roles: []
})
db.createUser({
user: "<userName>",
pwd: "<passwd>",
roles: [
{ role: "readWrite", db: "test" },
{ role: "listDatabases", db: "admin" }
]
})
The MongoDB documentation has references for both createRole and createUser, if you want to learn more about these commands.
You're logging in as two different users. Users are scoped by namespace, so user John who lives in test is not the same as user John who lives in admin, though both Johns may have rights in the test database. I think this much you may already understand, but I wanted to clarify it just in case.
I don't believe you can give a user scoped to a non-admin database the listDatabases action in a privilege because the listDatabases action must go with the cluster resource (listDatabases is a cluster-wide sort of operation), and a privilege with a cluster resource can only be scoped to a role on the admin database. Cutting out the jargon of MongoDB's authorization model, a non-admin database user can't use listDatabases because it's a cluster-wide operation and only admin database users should be able to do cluster-wide things.
Just want to add the approach mentioned by i80and works on MongoDB 3.2.3
create custom role that contain listDatabase and specify cluster:true, I did it when specify resource as db, it doesn't work
grant this role to user
Note: make sure you are connected to the correct db when performing security task because you will need to be authenticated using this specific db where the user is created