MongoDB – Resolving Authentication Failures with mongod.conf

mongodb

Im trying to learn about mongo and how to secure it. I manage to make it work using command line but when I try to use a conf file I get erros on authentication.

I have created an admin user like:

use admin
var admin = {
    user:"admin",
    pwd:"123456",
    roles:[
        {
            role: "userAdminAnyDatabase",
            db:"admin"
        }
    ]
}
db.createUser(admin)

Starting mongod mongod --auth and connecting to it using mongo 127.0.0.1:27017 --authenticationDatabase admin -u admin -p works.

I would like to move from command line to a conf file.
For that purpose, I create the following mongod.conf file:

mongod.conf

systemLog:
  destination: file
  path: /Users/me/Web/blog/setup/logs/mongodb/mongo.log
  logAppend: true
storage:
  dbPath: /usr/local/var/mongodb
net:
  port: 27017
  bindIp: 127.0.0.1
security:
  authorization: enabled

I run the daemon by invoking mongod -f mongod.conf.
I try to authenticate in mongo by invoking the previous command that used to work but this time it does not work:

mongo 127.0.0.1:27017 --authenticationDatabase admin -u admin -p

MongoDB shell version: 3.2.5
Enter password: 
connecting to: 127.0.0.1:27017/test
2018-05-11T08:50:53.908+0300 E QUERY    [thread1] Error: Authentication failed. :
DB.prototype._authOrThrow@src/mongo/shell/db.js:1441:20
@(auth):6:1
@(auth):1:2

exception: login failed

Am I typing something wrong? I dont see what is the issue in here. Something missing in the conf file or wrong params invoking mongo?

Best Answer

As per your log statement it seems like that you are committing mistake in your authentication statement such as in your statement

mongo 127.0.0.1:27017 --authenticationDatabase admin -u admin -p

As per MongoDB BOL documentation here With access control enabled, ensure you have a user with userAdmin or userAdminAnyDatabase role in the admin database. This user can administrate user and roles such as: create users, grant or revoke roles from users, and create or modify customs roles.

Connect and authenticate as the user administrator

Using the mongo shell, you can:

Connect with authentication by passing in user credentials, or
Connect first withouth authentication, and then issue the db.auth()
method to authenticate.

For example, the following creates the user myUserAdmin in the admin database:

use admin
db.createUser(
  {
    user: "myUserAdmin",
    pwd: "abc123",
    roles: [ { role: "userAdminAnyDatabase", db: "admin" } ]
  }
)

To authenticate during connection

Start a mongo shell with the -u , -p , and the --authenticationDatabase command line options:

mongo --port 27017 -u "myUserAdmin" -p "abc123" --authenticationDatabase "admin"

To authenticate after connecting

Connect the mongo shell to the mongod:

mongo --port 27017

Switch to the authentication database (in this case, admin), and use db.auth(<username>, <pwd>) method to authenticate:

use admin
db.auth("myUserAdmin", "abc123" )

As I am able to see that in your below mention mongod.conf file the authorization : enable . It's means your authentication is enable. So, there is no issue in your mongod.conf file.

systemLog:
  destination: file
  path: /Users/me/Web/blog/setup/logs/mongodb/mongo.log
  logAppend: true
storage:
  dbPath: /usr/local/var/mongodb
net:
  port: 27017
  bindIp: 127.0.0.1
security:
  authorization: enabled

For your further ref here and here

Exporting the users

Assuming you have already upgraded all of your config servers to WiredTiger, here are some steps to add the user information:

Disable the balancer
Stop the last config server listed in your mongos' configDB setting (will call that config3 for the purpose of these steps). This will ensure your sharded cluster metadata remains read-only for the following steps.
Re-start config2 using the mmap data directory

At this stage you should have:
- config1 (running WiredTiger)
- config2 (running mmap with user/role data)
- config3 (stopped)
Export the data from config2:

mongodump --db config --dumpDbUsersAndRoles --username .. --password ..

Add any other parameters needed, eg --authenticationDatabase .. if you need to auth against another database.
If you have users in the admin database on your config server, you will also want to dump that as well.
(optional) Remove files from your dump except for the user/role information. If you are certain nothing has changed since you did the original migration from mmap to WiredTiger you could skip this step, however it would be safer to not overwrite any existing data.

Preview the files to remove:

find ./dump -type f -not -name "\$admin.system*"

WARNING: removing files, make sure you have previewed to confirm:

find ./dump -type f -not -name "\$admin.system*" | xargs rm
Re-start config2 using the wiredTiger storage engine
Run: mongorestore --db config --restoreDbUsersAndRoles dump/config/

You should see messages about restoring users & roles, for example:

2015-03-18T02:41:34.887+1100 restoring users from dump/config/$admin.system.users.bson

2015-03-18T02:41:34.887+1100 restoring roles from dump/config/$admin.system.roles.bson
Login to config2 and confirm the users are correctly setup (i.e. auth with admin account, use db.getUsers() to check).

At this stage you should have:
- config1 (running WiredTiger)
- config2 (running WiredTiger with user/role data)
- config3 (stopped)
Copy the dump directory to config1 and repeat the mongorestore step.
Shutdown config2 (to keep the sharded cluster metadata readonly for the next step).

At this stage you should have:
- config1 (running WiredTiger with user/role data)
- config2 (stopped)
- config3 (stopped)
Start config3. Copy the dump directory to config3, and repeat the mongorestore step.

At this stage you should have:
- config1 (running WiredTiger with user/role data)
- config2 (stopped)
- config3 (running WiredTiger with user/role data)
Start config2. At this point all config servers should be online with the user information.
Re-enable the balancer so normal balancing activity & chunk migration can resume.

MongoDB: All commands spit out “not authorized on admin to execute command”

Let's try this:

Connect to your DO droplet.

In your /etc/mongod.conf, comment out 'security' and restore bindIp to value 127.0.0.1

Restart your mongod instance.

Connect to mongo (at this point without security).

Create you admin user in mongo with something like this:

use admin
db.createUser(
  {
    user: "myUserAdmin",
    pwd: "abc123",
    roles: [ { role: "userAdminAnyDatabase", db: "admin" } ]
  }
)

Make sure the user was successfully created.

Go back to your /etc/mongod.conf. Set your bindIp value as: 127.0.0.1,YOUR_DO_DROPLET_IP (no spaces between).

Uncomment 'security', keep 'authentication' commented out, add below it 'authorization: enabled'

Restart your server's mongod instance.

Connect to mongod remotely by using:

mongo YOUR_DO_DROPLET_IP -u myUserAdmin -p --authenticationDatabase admin

References: MongoDB Authentication Enabling MongoDB Authentication

Best Answer

Related Solutions

MongoDB – Config Server with WiredTiger Does Not Authenticate Existing User

Exporting the users

MongoDB: All commands spit out “not authorized on admin to execute command”

Related Question