I have a mongodb server installed on my debian linux machine. Now to secure it before allowing remote login I'm trying to add an admin user, with the command:
db.addUser( { user: "admin",pwd: "MY_PASSWORD",roles: [ "userAdminAnyDatabase" ] } )
I must be doing something terribly wrong since my password ends up unencrypted in the database along with a md5 hashed version of it. I tried hashing it manually using md5 before running the command but still no luck...
This is what I get in the DB:
{ "_id" : ObjectId("5260fc9f51f87eba8d937701"), "user" : { "user" : "admin", "pwd" : "MY_PASSOWRD", "roles" : [ "userAdminAnyDatabase" ] }, "readOnly" : false, "pwd" : "HASHED_VERSION_OF_MY_PASSWORD" }
How do I add a user without ending up with cleartext passwords in the database?
You are probably using an older version which expected different syntax. The addUser function in 2.2 expected a string as username, another string as password. It seems you added a user whose entire full username is '{ "user" : "admin", "pwd" : "MY_PASSOWRD", "roles" : [ "userAdminAnyDatabase" ] }' - probably the shell should give an error, but it does not.
Try instead the expected 2.2 syntax:
> db.addUser( "admin", "MY_PASSWORD")
You can confirm the server version by running:
> db.version()
Related
I installed Locally on mac. Created user superuser with root privledges as per MongoDB Docs:https://docs.mongodb.com/guides/server/auth/#procedure
> db.createUser({user:"superuser",pwd:"strongPassword",roles:["root"]})
Successfully added user: { "user" : "superuser", "roles" : [ "root" ] }
> show users
{
"_id" : "admin.superuser",
"userId" : UUID("f873bafd-8d9b-4d2d-95a2-95d9e05db25d"),
"user" : "superuser",
"db" : "admin",
"roles" : [
{
"role" : "root",
"db" : "admin"
}
],
"mechanisms" : [
"SCRAM-SHA-1",
"SCRAM-SHA-256"
]
}
launch it with
resulting in running mongodb instance:
"ctx":"listener","msg":"Waiting for connections","attr":{"port":27017,"ssl":"off"}}
then I mongo --port 27017
use admin
response: switched to db admin
here's the kicker:
I input
db.auth("superuser","strongPassword")
and then
0```
This is the output in the running mongod client:
```{"t":{"$date":"2021-03-15T14:41:11.167-05:00"},"s":"I", "c":"ACCESS", "id":20251, "ctx":"conn1","msg":"Supported SASL mechanisms requested for unknown user","attr":{"user":"superuser#admin"}}
{"t":{"$date":"2021-03-15T14:41:11.168-05:00"},"s":"I", "c":"ACCESS", "id":20249, "ctx":"conn1","msg":"Authentication failed","attr":{"mechanism":"SCRAM-SHA-1","principalName":"superuser","authenticationDatabase":"admin","client":"127.0.0.1:51532","result":"UserNotFound: Could not find user \"superuser\" for db \"admin\""}}
Please help me? Seems pretty straightforward what my problem is here. Followed the mongoDb docs exactly, and then just totally failing to see my user. What's the trick here?
I'm using MongoDB 3.0.7. I have a database called bravegoat and a read-only user called bravegoat-r.
I connect via shell:
mongo localhost:27017/bravegoat -u bravegoat-r -p mypassword
I switch to my database:
use bravegoat;
And I run:
db.runCommand({connectionStatus : 1})
Which outputs:
{
"authInfo" : {
"authenticatedUsers" : [
{
"user" : "bravegoat-r",
"db" : "bravegoat"
}
],
"authenticatedUserRoles" : [
{
"role" : "read",
"db" : "bravegoat"
}
]
},
"ok" : 1
}
Only read role, so it looks fine, but when I invoke .save(), my user can insert data. I've read few pages about creating read-only users and I'm not able to see my problem. I'm starting to think it might be a bug in my version.
You have to enable client access control by doing the following:
Edit the /etc/mongod.conf file
Add the following lines
security:
authorization: enabled
Restart MongoDB:
sudo service mongodb restart
I am running mongd with Auth enabled
mongod --auth
I have a read write user on a DB.
db.system.users.find()
Logs -
{ "_id" : "products_development.user_rw", "user" : "user_rw", "db" : "products_development", "credentials" : { "MONGODB-CR" : "0e857eaebba13dca9b53eb4440ab1657" }, "roles" : [ { "role" : "readWrite", "db" : "products_development" } ] }
I am able to login with the above user credentials using mongo client - Authentication works fine
mongo -uuser_rw -p123456 --authenticationDatabase products_development
Reading the tables inside the collection works as well
use products_development
db.table1.find()
So the user is getting Authorised.
But when i try to Read from Reactivemongo i am getting the below error.
assertion 13 not authorized for query on products_development.table1 ns:products_development.table1 query:{ _id: ObjectId('5564ba210b00009900150c72') }
Authentication is working fine connection is getting setup.
I am using 0.10.5.0.akka23 version, mongodb 2.6.8.
Currently I've got a siteUserAdmin authenticated on the admin database:
{
"_id" : "admin.siteUserAdmin",
"user" : "siteUserAdmin",
"db" : "admin",
"credentials" : {
"MONGODB-CR" : "...."
},
"roles" : [
{
"role" : "userAdminAnyDatabase",
"db" : "admin"
}
]
}
When I run:
use admin;
db.auth('siteUserAdmin', 'supersecret');
Everything authenticates just fine.
However when I then do:
use myotherdb
db.addUser({ user: 'chris', pwd: 'anothersecretpassword', roles: ['dbOwner']});
It doesn't add the user, I get the following:
couldn't add user: not authorized for insert on admin.system.users at src/mongo/shell/db.js:128
What am I doing wrong? This all looks nuts.
FYIL I'm using MongoDB version 2.6.10.
Random side note: weirdly createUser isn't a function, even though according to the MongoDB docs it was added in 2.6.
I was seeing this exact error in Robomongo 0.8.5. I copy/pasted the command to the the Mongo cli client and it worked fine.
Authenticated as siteUserAdmin to admin db on both clients.
Hopefully this helps someone else.
This is probably a stupid newbie question. I scoured the Google-scape for answers and found a few things on stackoverflow, but nothing really works yet.
I am trying to create a database, and a user who can insert entries to the db.
So far I managed to create the following users & associated privileges:
$ ./mongo localhost:29525/admin -username admin -password "somesecret"
MongoDB shell version: 2.4.9
connecting to: localhost:29525/admin
> db.system.users.find()
{ "_id" : ObjectId("533dc34753178fa1d0707308"), "user" : "admin", "pwd" : "145efb041abb3f9dd2531b26c90f2a4c", "roles" : [ "userAdminAnyDatabase" ] }
{ "_id" : ObjectId("533dc9c03eb5b535e9691f21"), "user" : "node", "pwd" : "a2cbb645cec16dedd4a4f9ee53a332a7", "roles" : [ "readWrite", "dbAdmin" ] }
{ "_id" : ObjectId("533dd1c52d0f16b6fae61188"), "user" : "node2", "pwd" : "488fba587da677d48825b425ebf7031e", "roles" : [ "userAdminAnyDatabase", "userAdmin", "clusterAdmin", "dbAdminAnyDatabase" ] }
I ideally wanted to give the "admin" user full privileges, but unfortunately admin's 'userAdminAnyDatabase' privilege is not enough to enable this:
> db.users.update({"admin" : "somesecret"}, {$addToSet: {'roles': [ 'dbAdminAnyDatabase', 'clusterAdmin']}}, false, false)
not authorized for update on admin.users
I wondered if maybe I just wasn't actually executing the command as "admin", so I re-authenticated as user admin. Still no joy:
> db.auth("admin", "somesecret")
1
> db.users.update({"admin" : "somesecret"}, {$addToSet: {'roles': [ 'dbAdminAnyDatabase', 'clusterAdmin']}}, false, false)
not authorized for update on admin.users
So I tried the "node2" user - I had created that with more privileges (dbAdminAnyDatabase, clusterAdmin, ..), so maybe that would work? But alas it also fails:
> db.auth("node2", "anothersecret")
1
> db.users.update({"admin" : "somesecret"}, {$addToSet: {'roles': [ 'dbAdminAnyDatabase', 'clusterAdmin']}}, false, false)
not authorized for update on admin.users
That aside, I tried to create a database 'mynewdb', and add a collection 'users'. As the user with most privileges is "node2", I switched to that user first. But that user cannot insert records into the new database's new collection:
> db.auth("node2", "anothersecret")
1
> use mynewdb
switched to db mynewdb
> db.users.save( {username: "philipp"})
not authorized for insert on testapp.users
Nor for that matter can "admin".
Sorry for my ignorance, I have spent some hours Googling here and am still struggling to piece together jigsaw pieces presented by the many disparit bits of info on the MongoDB docs.
Thanks for any help!
This answer ONLY pertains to MongoDB 2.4.X and lower. The methods for doing this are significantly different under MongoDB 2.6
You are correctly querying the "system.users" collection in your examples:
db.system.users.find()
But your updates are to the "users" collection, which the admin user cannot access as it only has "userAdminAnyDatabase". Can you try running your update against "system.users" instead? ie
db.system.users.update({"admin" : "somesecret"}, {$addToSet: {'roles': [ 'dbAdminAnyDatabase', 'clusterAdmin']}})