The documentation for Mongo states that when authentication is enabled, and for users added to the admin database, these users should be able to access the other databases in Mongo, with the rights granted at the admin database level.
"The admin database is unique. Users with normal access to the admin database have read and write access to all databases. Users with read only access to the admin database have read only access to all databases." http://docs.mongodb.org/manual/administration/security/
But in testing with the C# library version 1.7.0.4714, this is not the case.
Only accounts created in a specific database have access to that database.
I have tested with credentials on the connection string
and by setting credentials explicitly at the database level in C#
server.GetDatabase(...
new MongoClient(a connectionString ...
Does anyone know if this expected behavior? or can suggest a resolution.
The answer was already posted here on stackoverflow :)
Mongodb C# driver - can't use admin authentication to access other databases
the username used should have (admin) after it to use that account.
This is not a mongodb problem. I am sure that you could authenticate from mongodb shell like this:
use admin
db.auth(user, pass)
This is a mongodb c# driver trick. A long time ago i spent some time to read c# driver code in order to understand this.
So connection string should be like this:
mongodb://admin(admin):1#localhost:27020/myDb
The trick in (admin) in order to tell the driver that you are going to authenticate via admin user.
There is another way to connect with authentication against the admin database.
The downside is that you have to setup the whole connection object instead of packing all info solely on a connection string.
Instead of instantiating the MongoClient with a connection string like
var connectionString = "mongodb://localhost";
var client = new MongoClient(connectionString);
you can create a MongoClientSettings object, set the credentials (along with any other connection settings) and instantiate the client passing that object
string authenticationDB = "admin"
string authenticationUsername = "user"
string authenticationPassword = "pass"
MongoClientSettings settings = new MongoClientSettings();
settings.Credentials = new[] { MongoCredential.CreateMongoCRCredential(authenticationDB, authenticationUsername, authenticationPassword) };
settings.Servers = new[] { new MongoServerAddress("host_1"), new MongoServerAddress("host_2"), new MongoServerAddress("host_3") };
settings.ConnectionMode = ConnectionMode.ReplicaSet;
var client = new MongoClient(settings);
var db = client.GetServer().GetDatabase(database);
http://docs.mongodb.org/ecosystem/tutorial/authenticate-with-csharp-driver/
Related
Currently, our api (deployed on cloudRun) connects to our Postgres database by passing in a pgConfig with a db configuration and a db user and password.
For example:
const configObject = {
host: cloudRunHost,
user: dbUser,
password: dbPassword,
database: dbName
}
async function connect() {
if(!client) {
const pgPool = new pg.Pool(configObject);
await pgPool.connect()
.then((result) => {
logger.info('Connected to DB')
client = result;
}).catch((err) => {
logger.error(err);
});
}
}
We want the app itself to connect to the database by using Cloud SQL IAM database authentication
So far:
The api cloudRun instance has a service account
The database and CloudSQL has been configured for IAM-based access (we can access with our machine service accounts)
The api service account has access to the DB via IAM, and permissions granted to said user on the Postgres db itself
When the above code runs, it logs error: empty password returned by client
We've tried removing the password line entirely from the configObject but it hasn't helped. Any thoughts on why my service account can access the db directly but the api's can't I suspect we need to indicate to pgPool that we're trying to connect via IAM instead of via user/password.
Unfortunately, there isn't a good way to use "automatic" IAM DB AuthN on Cloud Run - while Cloud Run does use the proxy, there is no way for users to flip on the "-enable-iam-login" flag.
Go, Python, and Java users can use the language-specific connectors, but there isn't one for Node.js.
It looks like node-postgres does have support for dynamic passwords, so you might be able to do something like this:
const {GoogleAuth} = require('google-auth-library');
async function main() {
const auth = new GoogleAuth();
const pool = new pg.Pool({
connectionString: 'postgresql://user#db.example:5432/my-db',
password: async () => auth.getAccessToken(),
})
}
From your question I believe you are using NodeJS. But currently IAM database authentication is supported by Python Connector, Java Connector and Cloud SQL proxy which is mentioned here. Also to use Automatic IAM database authentication it is required to use a Cloud SQL connector.
IAM database authentication is currently supported by the Cloud SQL Auth proxy, the Java connector, and the Python connector.
Automatic IAM database authentication requires the use of a Cloud SQL connector.
As you are using NodeJS which is not supported, that seems to be the reason why you are getting an error: empty password returned by client.
I use mongoDB in Atlas cloud but now I want to movie to a local database. I installed MongoDB and created a admin user. Now I connect with mongoose to :
mongodb://login:pass#db.myserver.com:27017/admin
Works well. Now I create a new development database "develop".
I try to connect
mongodb://login:pass#db.myserver.com:27017/develop
This failed to login. OK, I understand that the admin database is the "/admin" one and that user is authenticated to this database but I thought that an admin can access all databases in a mongodb server?
In Atlas I just created the develop database and connected to it without any problem.
How I can well connect with mongoose to the new develop database? Do I need to create a second admin for this database?
Ok, I found out that I have to name the auth database in my connection string.
mongodb://login:pass#db.myserver.com:27017/develop?authSource=admin
Our company recently changed from Basic auth to LDAP authentication and regular apps are now using authSource=$external&authMechanism=PLAIN on the URL.
This works fine on a normal app but I can't figure out how to set these using Spring Data. Surely there is a way to do this, right?
As you can see below you can't set something like authSource/authMechanism so you have to change to use URI. Also note when using URI you cannot use host/port and username/password. Those all need to go in the URI.
Something like
export spring_data_mongodb_database=db
export spring_data_mongodb_uri = mongodb://username:password#host:port?authSource=$external&authMechanism=PLAIN
Here all the properties that you can currently configure for mongodb in spring boot.
https://docs.spring.io/spring-boot/docs/current/reference/html/common-application-properties.html
spring.data.mongodb.authentication-database= # Authentication database name.
spring.data.mongodb.database=test # Database name.
spring.data.mongodb.field-naming-strategy= # Fully qualified name of the FieldNamingStrategy to use.
spring.data.mongodb.grid-fs-database= # GridFS database name.
spring.data.mongodb.host=localhost # Mongo server host.
spring.data.mongodb.password= # Login password of the mongo server.
spring.data.mongodb.port=27017 # Mongo server port.
spring.data.mongodb.repositories.enabled=true # Enable Mongo repositories.
spring.data.mongodb.uri=mongodb://localhost/test # Mongo database URI. When set, host and port are ignored.
spring.data.mongodb.username= # Login user of the mongo server.
If you are using Spring-Boot mongodb api with LDAP then the uri has to be the following in application.properties files in the resources folder:
spring.data.mongodb.uri="mongodb://username:password#host:port/?authSource=$external&authMechanism=PLAIN"
spring.data.mongodb.database="databasThatYouWantToConnectTo"
No need for other parameters like spring.data.mongodb.username, spring.data.mongodb.password, etc., because everhything is mentioned in the spring.data.mongodb.uri
the substring authSource=$external&authMechanism=PLAIN in spring.data.mongodb.uri says Mongo that the authentication and authorization is by LDAP.
You can check the image below which is taken from the Connection String URI format document form MongoDB
If you are using the Mongo Java Driver provided by Mongo Db then you have to do the connection like this:
import com.mongodb.MonogoClient;
import com.mongodb.MongoClientURI;
import com.mongodb.client.MongoDatabase;
public class MongoConnect{
public static void main(String args[]){
MongoClientURI connString = new MongoClientURI("mongodb://username:password#host:port/?authSource=$external&authMechanism=PLAIN");
MongoClient mongoClient = new MongoClient(connString);
MongoDatabase database = mongoClient.getDatabase("databasThatYouWantToConnectTo");
System.out.println(database.getName()+" "+ mongoClient.getCredentialList());
}
}
I have database hosted on MLab and I am trying to connect it with Compass. I am using host and port given in connection string but it is showing error, here is my screenshot:
What am I doing wrong?
Had same problem manage to solve it like this:
A. Go to your db in mlab and in the tab choose "users"
B. Create a new user ex: username: admin password: 123456
C: Go to compass and fill it this way
Example of your connection path
ds012345.mlab.com:56789/myDBname
hostname
ds012345.mlab.com
port
56789
authentication: username /password
admin // or the name of the user you created in step A
123456 // or password for the user you created in step A
authentication database
myDBname // the name of your database in mlab
I just had the same problem.
I fixed it by updating my version of MongoDB Compass. No problems encountered with version 1.15.4.
Also, Authentication Database should not have the value "admin" but the name of the DB to connect you.
To make your connection easier, don't hesitate to copy your entire connection string into the clipboard. Compass detects it and proposes to automatically fill in the connection form.
The problem that I had was the Authentication Database Compass filled in automatically wasn't correct for my setup. By default, this was pointing to admin but it needs to point to the database that the user is associated with.
Summed up: The database of admin didn't exist.
Just to rule it out, double check what database you're pointing to. It should be in the name, like ds739176/database_name where database_name is, you guessed it, the name of your database.
Hope this helps.
The required credentials are not your login credentials to MLab,
instead these are database user credentials.
How to get them:
click on your DB on MLab.
go to users tab and create new user.
use the created users credentials to access db.
set authenticationdatabase to be your database.
I had the same problem. MongoDB url was working in code but Authentication failed was showing in MongoDB Compass.
When I checked, my mongodb password was iam%40me1234.
Here I'm using %40 HTML hex code in the password for # character.
So, If we will use the original character in the password like iam#me1234 in MongoDB Compass then it will work great.
Here is a full list of Hex codes
What I did:
Click on "Fill in connection fields individually" option in Compass.
Enter the hostname (Example ds051234.mlab.com)
Enter PORT (Example 12345)
Select Username/password in the Authentication option.
Enter username and password (Create a new user in mlab.com for your database)
Authentication Database (Just enter the "database name" in this field. Example: heroku_8967jgy5)
I hope this will help you.
My Question:
Is there any way to connect to Mongo DB (hosted on MongoLab) without username and password ?
My Case:
I have created a free MongoLab account (https://mongolab.com) and also create new database -> collection -> document in it.
When I connect to Mongo DB (on Mongo Lab) without username and password, I was able to connect, but when I try to retrieve any data it gives me "unauthorized db:testing lock type:-1 client:...." error.
So I have created a DB User in MongLab as well and provide username and password at the time of connection. After that I am able to connect and retrieve data from Mongo DB.
MongoLab's multi-tenant database plans are on shared servers. We cannot give you the choice to forgo authentication. Even if you were ok with others seeing you data, the other tenants on the server you share would still not want you to see their data.
We have dedicated server plans where you have your own server. On those we could turn off authentication for you. Email us at support#mongolab.com.
As for your benchmarks - auth will not slow things down. The drivers do not authentication on each request, just each connection. If you use the driver properly it should all work well.
-will (MongoLab)