The MongoDB user authentication incident

October 14, 2015

 

As any database user knows, permissions are an integral part of any database. Those who do not use roles and permissions tend to run into difficulties when something goes wrong ("Who deleted the database!?").

Since this is part of our life, using MongoDB's roles and users infrastructure is mandatory. As anyone would do, I created the relevant users and permissions, and now all we have to do is use them.

 

The problem

Several tools only support the old authentication mechanism known as "MONGODB-CR", while MongoDB 3.0 uses the "SCRAM-SHA-1" mechanism by default.

In real life, assume that the first version of MongoDB you are using is 3.0; then all the users you created use the "SCRAM-SHA-1" mechanism.

But most current tools do not allow the use of "SCRAM-SHA-1" (MongoDB issue).

 

The undocumented solution

 

We will create a second user that uses the older mechanism ("MONGODB-CR"):


Side note: each user can use only a single authentication method.

1. First, stop the mongo daemon:

> sudo service mongod stop


2. Disable the authentication option: open your config file (usually "/etc/mongo.conf") and set:

> noauth=true

 

3. Make the mongo daemon bind only to the local interface, so that other users cannot connect while authentication is off:

> bind_ip = 127.0.0.1

 

4. Start the daemon:

> sudo service mongod start

 

5. Change the authentication schema to version 3 ("MONGODB-CR"): start a mongo console and run the following commands:

> use admin 

switched to db admin 

> var schema = db.system.version.findOne({"_id" : "authSchema"})

> schema.currentVersion = 3 

> db.system.version.save(schema) 

WriteResult({ "nMatched" : 1, "nUpserted" : 0, "nModified" : 1 }) 

> exit 

bye 

 

6. Create the new user: the old user name with a "mytool_" prefix:

> use admin 

> db.createUser({user: "mytool_user", pwd: "****", roles: [{role: "readWrite", db: "admin"}]})

 

7. Change the authentication schema back to the new one (version 5, "SCRAM-SHA-1"):

> use admin 

switched to db admin 

> var schema = db.system.version.findOne({"_id" : "authSchema"})

> schema.currentVersion = 5 

> db.system.version.save(schema) 

WriteResult({ "nMatched" : 1, "nUpserted" : 0, "nModified" : 1 }) 

> exit 

bye 

 

8. Re-enable authentication in the config file:

> auth=true

 

9. Remove the bind_ip line from the config file.

10. Restart the mongo daemon:

> sudo service mongod start
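An added check for after step 10 (example code, not from the original post): the admin.system.users documents record each user's mechanism under `credentials`, so a short audit confirms that the schema is back at version 5 and that the only user left on the weaker MD5-based MONGODB-CR hash is the tool user you meant to create. The document layout is assumed from MongoDB 3.0's system collections; the functions take plain documents, so they run in Node on the constructed samples below and can also be pasted into the mongo shell and fed `db.system.version.findOne({_id: "authSchema"})` and `db.system.users.find().toArray()`.

```javascript
// Added example, not from the original post. Document shapes follow
// MongoDB 3.0's admin.system.version and admin.system.users collections
// (an assumption; confirm with find() on your own server). ES5 syntax is
// used on purpose so the same functions paste into the legacy mongo shell.

var SCRAM_SCHEMA_VERSION = 5; // value set in step 7; 3 means MONGODB-CR

// Names of the mechanisms stored for one user document.
function userMechanisms(userDoc) {
  return Object.keys(userDoc.credentials || {});
}

// Audit the authSchema document and the user documents.
// allowedLegacy: "db.user" names expected to keep MONGODB-CR (the tool user).
function auditAuth(schemaDoc, userDocs, allowedLegacy) {
  var schemaVersion = schemaDoc ? schemaDoc.currentVersion : null;
  var legacyUsers = [];
  var unexpectedLegacy = [];
  userDocs.forEach(function (u) {
    if (userMechanisms(u).indexOf("MONGODB-CR") === -1) return;
    var name = u.db + "." + u.user;
    legacyUsers.push(name);
    if (allowedLegacy.indexOf(name) === -1) unexpectedLegacy.push(name);
  });
  return {
    schemaVersion: schemaVersion,
    schemaRestored: schemaVersion === SCRAM_SCHEMA_VERSION,
    legacyUsers: legacyUsers,           // still on the MD5-based MONGODB-CR hash
    unexpectedLegacy: unexpectedLegacy, // MONGODB-CR users nobody intended
    ok: schemaVersion === SCRAM_SCHEMA_VERSION && unexpectedLegacy.length === 0
  };
}

// Constructed sample documents mirroring the state after steps 6 and 7:
// one SCRAM-SHA-1 user, one MONGODB-CR tool user, schema set back to 5.
var sampleSchema = { _id: "authSchema", currentVersion: 5 };
var sampleUsers = [
  { _id: "admin.admin_user", user: "admin_user", db: "admin",
    credentials: { "SCRAM-SHA-1": { iterationCount: 10000, salt: "c2FsdA==",
      storedKey: "c3RvcmVkS2V5", serverKey: "c2VydmVyS2V5" } },
    roles: [{ role: "root", db: "admin" }] },
  { _id: "admin.mytool_user", user: "mytool_user", db: "admin",
    credentials: { "MONGODB-CR": "00000000000000000000000000000000" },
    roles: [{ role: "readWrite", db: "admin" }] }
];

var sampleReport = auditAuth(sampleSchema, sampleUsers, ["admin.mytool_user"]);
if (typeof console !== "undefined") console.log(JSON.stringify(sampleReport));
```

In the mongo shell, call `auditAuth(db.system.version.findOne({_id: "authSchema"}), db.system.users.find().toArray(), ["admin.mytool_user"])` and check that `ok` is true before putting the server back on the network.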

 

Hope this helps the ones who, like me, did not find the solution.

©2017 by Dror Asaf. Proudly created with Wix.com