8

I am using a MongoDB cluster with version 3.4 on Google Cloud Compute Engine. This past week my database got attacked by hackers, which is why I thought about using authorization so that I can avoid these types of attacks. To add authorization I saw this article, how-to-create-mongodb-replication-clusters, and I have added a keyfile with chmod 0600 on each of my cluster nodes, but now when I am trying to add my first admin user I am getting the error below:

    use admin
    switched to db admin
    rs0:PRIMARY> db.createUser({user: "RootAdmin", pwd: "password123", roles: [ { role: "root", db: "admin" } ]});
    2017-01-21T18:19:09.814+0000 E QUERY [main] Error: couldn't add user: not authorized on admin to execute command { createUser: "RootAdmin", pwd: "xxx", roles: [ { role: "root", db: "admin" } ], digestPassword: false, writeConcern: { w: "majority", wtimeout: 300000.0 } } :
    _getErrorWithCode@src/mongo/shell/utils.js:25:13
    DB.prototype.createUser@src/mongo/shell/db.js:1290:15
    @(shell):1:1

I have searched everywhere but haven't found anything on why I am getting this error.

Can anyone please help me solve this error?

UPDATE: My config file for each of the instances is given below.

Secondary Server Config

    #!/bin/bash
    # mongod.conf

    # for documentation of all options, see:
    #   http://docs.mongodb.org/manual/reference/configuration-options/

    # Where and how to store data.
    storage:
      dbPath: /var/lib/mongodb
      journal:
        enabled: false
    #engine:
      mmapv1:
        smallFiles: true
    # wiredTiger:

    # where to write logging data.
    systemLog:
      destination: file
      logAppend: true
      path: /var/log/mongodb/mongod.log

    # network interfaces
    net:
      port: 27017
      bindIp: 0.0.0.0

    replication:
      replSetName: rs0

    #processManagement:

    security:
      authorization: disabled
      keyFile: /opt/mongodb/keyfile

    #operationProfiling:

    #replication:

    #sharding:

    ## Enterprise-Only Options:

    #auditLog:

    #snmp:

Arbiter Server Config

    #!/bin/bash
    # mongod.conf

    # for documentation of all options, see:
    #   http://docs.mongodb.org/manual/reference/configuration-options/

    # Where and how to store data.
    storage:
      dbPath: /mnt/mongodb/db
      journal:
        enabled: true
    #engine:
      #mmapv1:
        #smallFiles: true
    # wiredTiger:

    # where to write logging data.
    systemLog:
      destination: file
      logAppend: true
      path: /mnt/mongodb/log/mongodb.log

    # network interfaces
    net:
      port: 27017
      bindIp: 0.0.0.0

    replication:
      replSetName: rs0

    #processManagement:

    security:
      authorization: disabled
      keyFile: /opt/mongodb/keyfile

    #operationProfiling:

    #replication:

    #sharding:

    ## Enterprise-Only Options:

    #auditLog:

    #snmp:

Primary Server Config

    #!/bin/bash
    # mongod.conf

    # for documentation of all options, see:
    #   http://docs.mongodb.org/manual/reference/configuration-options/

    # Where and how to store data.
    storage:
      dbPath: /mnt/mongodb/db
      journal:
        enabled: true
    #engine:
      #mmapv1:
        #smallFiles: true
    # wiredTiger:

    # where to write logging data.
    systemLog:
      destination: file
      logAppend: true
      path: /mnt/mongodb/log/mongodb.log

    # network interfaces
    net:
      port: 27017
      bindIp: 0.0.0.0

    replication:
      replSetName: rs0

    #processManagement:

    security:
      authorization: disabled
      keyFile: /opt/mongodb/keyfile

    #operationProfiling:

    #replication:

    #sharding:

    ## Enterprise-Only Options:

    #auditLog:

    #snmp:
2
  • 1
    Just a notice, you have a password shown in the question. Commented Jan 22, 2017 at 10:16
  • 1
    Did you get this fixed? If so, please update or answer yourself. Did you inspect the log files - there might be a clue in there. Commented Nov 13, 2017 at 12:53

6 Answers

20

You have to change your mongod.conf file to disable authorization before creating such an admin user:

    security:
      authorization: disabled

After that, restart the mongod service and open the mongodb shell to create the admin user:

    use admin
    db.createUser({user:"RootAdmin",pwd:"blahblah",roles:["root"]})

Remember to turn authorization back on after creating the user.


3 Comments

I have added authorization: disabled but I am still facing the same error. I have updated my config files for all of my instances. Can you please tell me the source URL or the whole procedure for adding authentication in MongoDB replica sets? Also, thanks for helping me out here.
That's strange; when authorization is disabled, you can do anything.
Can you tell me your source (URL) where you have done this whole authentication thing?
4

johnlowvale's answer is correct, but

keyFile implies security.authorization. 

source: https://docs.mongodb.com/manual/reference/configuration-options/#security.keyFile

You have to disable authorization AND the keyFile.

    security:
      authorization: disabled
      # keyFile: /opt/mongodb/keyfile

(insufficient rep or I'd have just commented this on johnlowvale's answer)

2 Comments

Had the same problem as OP, and "keyFile implies security.authorization." -- This is the ticket and the cause of the whole situation. Thanks, that small line of text solved all my issues.
Yes, this is correct; you should be commenting out keyFile as well!!
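The rule quoted in this answer, applied to the security section from the question, as an added example (not code from the posts above or from MongoDB): a small Python check that reads a mongod.conf and reports whether access control is effectively enforced. The parser covers only the nested key: value subset of YAML shown on this page; the function names and the two sample configs are constructed for illustration.

```python
def parse_mongod_conf(text):
    """Flatten the nested 'key: value' YAML subset used by mongod.conf
    into dotted option names, e.g. {'security.keyFile': '/opt/...'}."""
    options, stack = {}, []              # stack: (indent, key) of open sections
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()   # commented-out options are inactive
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip())
        key, _, value = line.strip().partition(":")
        while stack and stack[-1][0] >= indent:
            stack.pop()                  # leave sections we have dedented out of
        dotted = ".".join([k for _, k in stack] + [key.strip()])
        if value.strip():
            options[dotted] = value.strip().strip("\"'")
        else:
            stack.append((indent, key.strip()))
    return options

def access_control(options):
    """Return (enforced, reason). keyFile implies authorization, so an
    explicit 'authorization: disabled' does not win while keyFile is set."""
    if options.get("security.keyFile"):
        return True, "security.keyFile is set, which implies security.authorization"
    if options.get("security.authorization") == "enabled":
        return True, "security.authorization is enabled"
    return False, "neither keyFile nor authorization is active"

# Constructed sample: the relevant sections of the config from the question.
QUESTION_CONF = """\
net:
  port: 27017
  bindIp: 0.0.0.0
replication:
  replSetName: rs0
security:
  authorization: disabled
  keyFile: /opt/mongodb/keyfile
"""
# Constructed sample: the same config with keyFile commented out, as in this answer.
ANSWER_CONF = QUESTION_CONF.replace("  keyFile:", "  # keyFile:")

if __name__ == "__main__":
    for name, conf in (("question", QUESTION_CONF), ("answer", ANSWER_CONF)):
        enforced, reason = access_control(parse_mongod_conf(conf))
        print(f"{name}: access control enforced={enforced} ({reason})")
```
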
3

Once you are connected to this first node, you can initiate the replica set with rs.initiate(). Again, this command must be run from the same host as the mongod to use the localhost exception.

We can create our admin user with the following commands:

    rs.initiate()
    use admin
    db.createUser({
      user: "admin",
      pwd: "pass",
      roles: [
        {role: "root", db: "admin"}
      ]
    })

1 Comment

rs.initiate() saved me.
1

edit: vim /lib/systemd/system/mongod.service

    remove --auth
    restart

    #ExecStart=/usr/bin/mongod --quiet --auth --config /etc/mongod.conf
    ExecStart=/usr/bin/mongod --quiet --config /etc/mongod.conf

    use admin
    db.createUser({user:"RootAdmin",pwd:"blahblah",roles:["root"]})


0

To be able to create a new user, you need to first disable security in /etc/mongod.conf

    # security:
    #   authorization: enabled

Then restart the MongoDB server:

    sudo service mongo restart

After this you can add the user and role that you want from the shell.

    db.createUser({
      user: 'test_user',
      pwd: 'test',
      roles: [
        { role: "userAdmin", db: "test" },
        { role: "dbAdmin", db: "test" },
        { role: "readWrite", db: "test" }
      ]
    })

To enable authenticated connections, uncomment the lines again in /etc/mongod.conf

    security:
      authorization: enabled

and restart the server again.


0

When a new database is set up with authorisation/security enabled but no users set up, you can only connect to it from the localhost. In your config file you should have bind IP set to 127.0.0.1, I think, in order to make sure you connect to it with the correct authorisation to create new users.

This is what it says in Mongo course M103

By default, a mongod that enforces authentication but has no configured users only allows connections through the localhost.
