The MongoDB user authentication incident


As any database user knows, permissions are an integral part of any database. Those who do not use roles and permissions tend to run into difficulties when something goes wrong ("Who deleted the database!?").

Since this is part of our life, it is mandatory to use the role and user infrastructure of MongoDB. As anyone would do, I created the relevant users and permissions, and now all we have to do is use them.

The problem

Several tools only support the old authentication mechanism known as "MONGODB-CR", but MongoDB 3.0 uses the "SCRAM-SHA-1" mechanism by default.

In practice, if the first version of MongoDB you use is 3.0, then all the users you create use the "SCRAM-SHA-1" mechanism.

But most current tools do not yet support "SCRAM-SHA-1" (MongoDB issue).

The undocumented solution

We will create a second user that uses the older mechanism ("MONGODB-CR"):

Side note: each user can use only a single authentication mechanism.

1. First, stop the mongo daemon:

> sudo service mongod stop

2. Remove the authentication option - open your config file (usually "/etc/mongo.conf") and set:

> noauth=true

3. Make the mongo daemon bind only to the local interface, so that other users cannot reach it while authentication is off:

> bind_ip = 127.0.0.1

4. Start the daemon:

> sudo service mongod start

5. Change the authentication schema to version 3 ("MONGODB-CR"): start a mongo console and run the following commands:

> use admin

switched to db admin

> var schema = db.system.version.findOne({"_id" : "authSchema"})

> schema.currentVersion = 3

3

> db.system.version.save(schema)

WriteResult({ "nMatched" : 1, "nUpserted" : 0, "nModified" : 1 })

> exit

bye

6. Create the new user: the same user as before, with the prefix "mytool_":

> use admin

> db.createUser({user: "mytool_user", pwd: "****", roles: [{role: "readWrite", db: "admin"}]})

7. Change the authentication mechanism back to the new one:

> use admin

switched to db admin

> var schema = db.system.version.findOne({"_id" : "authSchema"})

> schema.currentVersion = 5

5

> db.system.version.save(schema)

WriteResult({ "nMatched" : 1, "nUpserted" : 0, "nModified" : 1 })

> exit

bye

8. Turn authentication back on:

> auth=true

9. Remove bind_ip from the config file.

10. Restart the mongo daemon:

> sudo service mongod restart
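The whole procedure above, wrapped in shell functions as an added example (this is not the post's own code). The config editing and the schema-flip snippet can be exercised against a temporary file; run_procedure assumes the post's config path, the "mongod" service name and the legacy mongo shell, and reads the new user's password from a MYTOOL_PWD environment variable so that it is piped to the shell rather than placed on the command line.

```shell
#!/bin/sh
# Added example (not code from the original post). Assumptions: the post's
# config path /etc/mongo.conf, the "mongod" service name, the legacy mongo
# shell, and a MYTOOL_PWD environment variable holding the new user's password.
MONGO_CONF="${MONGO_CONF:-/etc/mongo.conf}"

# conf_set FILE KEY VALUE: write KEY=VALUE, replacing any existing KEY line.
conf_set() {
  grep -v "^$2[[:space:]]*=" "$1" > "$1.tmp" || true
  printf '%s=%s\n' "$2" "$3" >> "$1.tmp"
  mv "$1.tmp" "$1"
}

# conf_unset FILE KEY: drop KEY from the config file.
conf_unset() {
  grep -v "^$2[[:space:]]*=" "$1" > "$1.tmp" || true
  mv "$1.tmp" "$1"
}

# schema_script VERSION: the mongo-shell snippet from steps 5 and 7 that
# rewrites authSchema.currentVersion (3 = MONGODB-CR, 5 = SCRAM-SHA-1).
schema_script() {
  printf 'var s = db.system.version.findOne({"_id":"authSchema"}); s.currentVersion = %s; db.system.version.save(s);' "$1"
}

# run_procedure USERNAME: steps 1-10 of the post, in order. The createUser
# command is piped to the shell on stdin so the password is not in argv.
run_procedure() {
  sudo service mongod stop                                   # 1
  conf_set "$MONGO_CONF" noauth true                         # 2
  conf_unset "$MONGO_CONF" auth
  conf_set "$MONGO_CONF" bind_ip 127.0.0.1                   # 3
  sudo service mongod start                                  # 4
  mongo admin --eval "$(schema_script 3)"                    # 5
  printf 'db.createUser({user: "%s", pwd: "%s", roles: [{role: "readWrite", db: "admin"}]})\n' \
    "$1" "${MYTOOL_PWD:?set MYTOOL_PWD to the new user password}" | mongo admin   # 6
  mongo admin --eval "$(schema_script 5)"                    # 7
  conf_unset "$MONGO_CONF" noauth                            # 8
  conf_set "$MONGO_CONF" auth true
  conf_unset "$MONGO_CONF" bind_ip                           # 9
  sudo service mongod restart                                # 10
}

# Only touch the real service when explicitly asked: sh mongo_cr_user.sh run mytool_user
if [ "${1:-}" = run ]; then
  run_procedure "${2:-mytool_user}"
fi
```

Between steps 4 and 10 the daemon runs without authentication, so the bind_ip change is the only thing keeping other hosts out; keep that window short.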

Hope this helps anyone who, like me, could not find the solution.


©2017 by Dror Asaf. Proudly created with Wix.com