How do I restrict access to mongodb to one OS user?
ie. I have a user "system" on a linux machine. I want only user "system" to access mongodb. If "tom" on linux tries to use mongo shell and connect to the localhost mongodb, it needs to fail
First enable authentication for your database.
Next, create a database admin who can create users and assign roles/privileges.
Next, create the user "system" and assign him the necessary roles for your database.
Finally, close the localhost authentication (admin) bypass once the above steps are complete:
mongod --setParameter enableLocalhostAuthBypass=0
All of these steps are described in great detail in Mongo's access control tutorials.
Related
I'm new to MongoDB and I'm having some problems with MongoDB recently.
I'm not sure about Connect with the MongoDB Shell, Connect your application, Connect using MongoDB Compass, what's the difference?
The current demand is. I want to directly allow connection from anywhere and create a user account password to log into this database, which option should I choose?
https://i.stack.imgur.com/iwYMf.png
In Connect your application tab, you get a link that you need to copy
and paste in your application you are building to connect it to the
database. Remember to replace your password and databse name.
In Connect using MongoDB Compass tab, you get a link that you need
to paste in your compass application(A desktop application that
makes your mongodb data handling so much easier). And again remember to replace
your credentials.
I'm not very fond of Mongodb shell. It's actually an extensible
command-line interface.
I have a fresh install of a database on AWS. I have installed PG Admin 4 for Web and set up for a user login. This works.
I find it is not possible to connect to the localhost database using 'postgres' as a user, without a password. This appears to be enforced by the dialog. Is there a way around this enforcement? How would a user only having web access ALTER this ROLE? I would expect this to be relaxed for the initial login.
The database is local to the webserver and the web server is remote for the user.
TL:DR This logon is not a peer logon as the postgres *nix user.
It's a gap in the install. A manual step will always be required to add a password for postgres for anyone wanting to use the interface for initial USER/ROLE creation. It would be nice to have had this opportunity in the setup script.
I suppose it is expected that most administrators would also add other users/roles at this time and these would be supplied to the users. Changes to config files would still be managed. They are not getting shell access.
I have created a user and added my IP to whitelist.
when trying to connect to a cluster through mongo shell, i am required to enter the following line: mongo "mongodb+srv://cluster0.****.mongodb.net/" --username --password
I have filled in credentials for username and password and replaced dbname with my database name(tried using non-existing one as well in case that was the problem). it connects to the shell, but then crashes with the following error:
Error while trying to show server startup warnings: user is not allowed to do action [getLog] on [admin.]
MongoDB Enterprise atlas-7cwf8s-shard-0:PRIMARY>
tried googling and youtubing the issue, but cannot find the match on how to fix it.
Many thanks
That message says that the shell is unable to show you server startup warnings. It's expected in Atlas environment.
Supposing that's your own cluster, then:
Check the user in Atlas > Database Access
Check the MongoDB Roles header in the table.
If it's not atlas Admin, you can't issue this command:
db.adminCommand({getLog:"startupWarnings"})
Or any admin command, which is issued or tested automatically in the connection, hence the error.
Edit MongoDB Roles to the highest privileges (atlas Admin)
But you can still work anyways.
If you're accessing someone else's cluster, then there isn't much to do.
I used mongodb on my local without authentication by running mongod as server and connecting it by just mongo as a user.
Now after creating users and running the server as mongod --auth i can connect using user id and pwd assigned by me.
The problem is while connecting back mongo with mongod it again gets connected to the database and whole database is visible again,this should not happen as I have enabled the authentication.
Using mongod as a server should block the users from getting access. Same is the problem for my personal server.
Is there any solution to enable the security permanently that is enable mongod --auth and not just mongod.
If I understand correctly, your concern is that restarting a mongod process without access control enabled allows you to access data without authentication. This is the expected outcome: a user with direct access to restart services or copy MongoDB data files has greater permissions than the mongod process.
Authentication only verifies remote client access to the mongod service: it does not encrypt or protect data files if a user has direct local read access. If you have an environment allowing remote and/or multi-user access, you should take steps to appropropriately limit access to your data files and service management.
If you want to secure data files from direct access, it sounds like you may be looking for Encryption at Rest or Disk Encryption. These security measures prevent direct read access to your data files or filesystem without appropriate credentials, but you still have to limit access appropriately and protect those credentials.
For general measures see the MongoDB Security Checklist.
I have a mongodb sharded cluster, with mongos machines, mongo nodes in replicate sets and config servers. MongoDB version is 3.02
The guy that set this up left the company a while ago and now I cant do simple things like show dbs or show collections
I have OS root in all these Debian machines, so I want to know how to reset mongo's root password so I can admin the database.
The apps that access this db seem to be working fine, using a user that has low privileges. I know the password for this particular user.
This is a production setup, so I can't afford to keep it down for more than a few seconds, tops minutes.
It depends on the types of users. For example, if you are using SCRAM, the basic steps to reset password would be:
Stop the mongod nodes
Disable authorization in mongod.conf
Restart the Replica set nodes
Connect to the replica set primary node using the mongo shell
Reset the your password by db.changePassword
I think this may work:
Stop your MongoDB instance
Remove the --auth and/or --keyfile options from your MongoDB config to disable authentication
Start the instance without authentication
Edit the users as needed
Restart the instance with authentication enabled
https://dba.stackexchange.com/questions/62976/how-can-i-enter-mongo-as-a-superuser-or-reset-users
This may not be the perfect answer, because I cannot test it. The base problem is of course that, that you cannot put your system into maintenance mode, where you can change admin password... But there is config file parameter security.transitionToAuth what you can add with rolling matter to your config file(s).
A mongod or mongos running with security.transitionToAuth does not enforce user access controls. Users may connect to your deployment without any access control checks and perform read, write, and administrative operations.
There are two options here
If you plan to upgrade to 3.4 this can be done without downtime:
MongoDB 3.4 allows Enforce Keyfile Access Control in a Replica Set without Downtime
You need to start all your members with --transitionToAuth(This will allow both authenticated and non-authenticated traffic for some duration)
Login to mongo shell on primary and create a userAdmin
Logout and login again using userAdmin
Create rootAdmin
Store the password in password manager
Disable transitionToAuth (Allow only authenticated traffic to replica set)
If you need to do this with existing MongoDB without upgrade:
Stop a secondaries in the replica set in a rolling manner. Disable authentication using keyFile options
Stepdown a primary and update its configuration to disable authentication.
Update you're the application to remove username and password from application config
Restart application
Create useradmin and rootAdmin in admin DB
Save passwords in the password manager
Enable authentication in the replica set
Start your application with the old config that includes username and password
Steps
Connect to the machine hosting your MongoDB instance
Open the MongoDB configuration file found in /etc/ folder using: sudo nano mongod.conf
Comment out the following code like so:
# security:
# authorization: enabled
Stop the MongoDB service: sudo service mongod stop
Start the MongoDB service: sudo service mongod start
Connect to the database using Robo3T or equivalent. With a connection to the admin collection, create a new admin superuser:
db.createUser({ user:"admin", pwd:"password", roles:[{role:"root", db:"admin"}] });
Go back and uncomment the lines from step 3. Then repeat steps 4 and 5.
You should now be able to authenticate with the new user you created in step 6 and have full access to the database.
Troubleshooting
If for whatever reason, after trying to restart your mongo service, you cannot connect to it, you can make sure the service properly started with: systemctl --type=service --state=active. If it has started, it will be in the list as mongod.service.
Mongo logs can also be found at /var/log/mongodb/mongodb.log but this is less likely to be helpful in this situation.