MongoDB: Understand createUser and db admin
Asked Answered
B

5

5

My MongoDB is hosted on compose.io and is called ScroungeBA. I try to create a user with some built-in roles which by the documentary only work in the admin database:

MongoDB provides all other built-in roles only on the admin database

So my question: What is that admin db about? Is it the standard db which always exists?

Furthermore I have trouble with (using MongoDB shell version: 3.0.5):

$ use admin
switched to db admin
$ db.auth("user", "secret")
Error: 18 Authentication failed.

I guess my user does exist in the ScroungeBA db but not in the admin db? How can I create a user in the admin db since

db.createUser({user:"hello", pwd:"world", roles:[{role: "userAdmin", db: "admin"}]})

results in the error:

Error: couldn't add user: not authorized on admin to execute command { createUser: "hello", pwd: "xxx", roles: [ { role: "userAdmin", db: "admin" } ], digestPassword: false, writeConcern: { w: "majority", wtimeout: 30000.0 } }
at Error (<anonymous>)
at DB.createUser (src/mongo/shell/db.js:1101:11)
at (shell):1:4 at src/mongo/shell/db.js:1101
Breeching answered 7/8, 2015 at 9:19 Comment(0)
T
18

The admin database is a special database that you automatically have with a MongoDB instance. It contains things like the users of your databases, with roles, custom data, etc.

To create a user in the admin database, you have to temporarily disable auth on your MongoDB instance. I don't know how compose.io works specifically, but I usually modify the mongod.conf file, and comment the line auth=true.

After that, you can connect to your MongoDB shell and create a user in the admin database.

Give the user the role userAdminAnyDatabase instead of just useAdmin.

use admin
db.createUser({ user:"admin", pwd: "pass", roles: [{role: "userAdminAnyDatabase", db: "admin"}] })

An user with the role userAdminAnyDatabase can manage the users of all the databases.

Now enable auth again and restart the service.

As I said, I'm not sure how compose.io actually works and how much control it gives to you. If you don't have an admin account, this should be the way to go.

By the way, I've published an article on Medium about MongoDB 3.0 auth.

Trstram answered 7/8, 2015 at 12:41 Comment(0)
B
3

This solved my problem:

I finally got it to work on compose.io! So here it what my oplog url ended up looking like: "MONGO_OPLOG_URL": "mongodb://username:[email protected]:1111/local?authSource=myDB"
I keep the MONGO_URL exactly the same as the URL compose.io provides with ?replicaSet
But for the OPLOG_URL you can only use a single host, not multiple. So you have to edit the URL compose.io gives you to only have one host. And you can't end the oplog with ?replicaSet. you can only have the ?replicaSet in the MONGO_URL.

source

Breeching answered 9/8, 2015 at 9:31 Comment(1)
I have never used compose.io but the answer provided by Matteo is the correct answer if you are working in the mongodb shell.Wrangle
O
2

Flow to set authentication :

  1. Start MongoDB without access control.

    mongod --port 27017 --dbpath /data/db1

  2. Connect to the instance.

    mongo --port 27017

  3. Create the user administrator.

use admin
    db.createUser(
      {
        user: "myUserAdmin",
        pwd: "abc123",
        roles: [ { role: "userAdminAnyDatabase", db: "admin" } ]
      }
    )
  1. Re-start the MongoDB instance with access control.

    mongod --auth --port 27017 --dbpath /data/db1

  2. Authenticate as the user administrator.

    Start a mongo shell with the -u , -p , and the --authenticationDatabase command line options:

mongo --port 27017 -u "myUserAdmin" -p "abc123" --authenticationDatabase "admin"

An user with the role userAdminAnyDatabase can manage the users of all the databases.

For routine user creation, you must possess the following permissions:

To create a new user in a database, you must have the createUser action on that database resource.
To grant roles to a user, you must have the grantRole action on the role’s database.

MongoDB stores all user information, including name, password, and the user's authentication database, in the system.users collection in the admin database.

More Details : https://docs.mongodb.com/manual/tutorial/enable-authentication/

Opinicus answered 15/8, 2018 at 4:4 Comment(0)
M
1

You can try this:

   use admin
   db.createUser( { user: "user", pwd: "password", roles: [ 
   "readWriteAnyDatabase","dbAdminAnyDatabase","clusterAdmin" ] } )
Maximamaximal answered 10/11, 2019 at 11:4 Comment(0)
S
0

First i had to access mongo cli using following command & following comamnd to create a new user for a new database.

mongosh -u user -p pass  --authenticationDatabase admin //default admin database 

use mydb //create a database mydb is the database name

db.createUser({
user: "newUser",
pwd: "newPassword",
roles: [{ role: "readWrite", db: "mydb" }]
})
Struthious answered 28/6 at 9:12 Comment(0)

© 2022 - 2024 — McMap. All rights reserved.