Mongodump with auth doesn't work


Djonatan Buss

Aug 2, 2013, 8:05:48 PM8/2/13
to mongod...@googlegroups.com
Hi guys, I'm testing a mongodump backup and it just doesn't work.

I'm using this URL: mongodump --host localhost --port 27017 --username admin --password admin --db testcustom --out mongodump
That's the return

connected to: localhost:27017
Fri Aug  2 20:01:43.389 DATABASE: testcustom     to     mongodump/testcustom
Fri Aug  2 20:01:43.390     testcustom.system.indexes to mongodump/testcustom/system.indexes.bson
Fri Aug  2 20:01:43.391          3 objects
Fri Aug  2 20:01:43.391     testcustom.system.users to mongodump/testcustom/system.users.bson
assertion: 11010 count fails:{ ok: 0.0, errmsg: "unauthorized" }

It creates the files for the system.users and system.indexes but doesn't for the other collection.

I have the authentication turned on and I have tried a lot of roles.
This is the user inside the testcustom db:

{
    "_id" : ObjectId("51fc3701d3baa867a1d6c536"),
    "pwd" : "7c67ef13bbd4cae106d959320af3f704",
    "roles" : [
        "userAdminAnyDatabase",
        "readAnyDatabase",
        "clusterAdmin",
        "readWrite"
    ],
    "user" : "admin"
}

Can someone help me?

Djonatan Buss

Aug 5, 2013, 2:10:07 PM8/5/13
to mongod...@googlegroups.com
I could make it work using roles:['readWrite','userAdmin'], for the record.

Daniel Hodgin

Aug 7, 2013, 11:03:21 AM8/7/13
to mongod...@googlegroups.com
The role userAdminAnyDatabase is only if your user is in the admin database. The admin database is a special system database where any users in it have permissions to all databases with whatever roles you give them.

If your user is in your 'testcustom' db, then only the readWrite would have applied here and the rest would be ignored, as they are roles for the admin database users only and get ignored, I believe.

So adding 'userAdmin' would take the place of userAdminAnyDatabase since it appears your user is in your testcustom db.

My mongodump script uses the following command > mongodump --port 27017 --out c:\backups\ --username admin --password password --authenticationDatabase admin --oplog

I add the --authenticationDatabase param to specify that this user is in the admin database, so it knows which system.users collection in which db to find the user, and then the --oplog param to tell it to also dump the oplog since I'm using a replica set (very important!).

Asya Kamsky

Aug 8, 2013, 5:38:17 AM8/8/13
to mongodb-user
On Wed, Aug 7, 2013 at 8:03 AM, Daniel Hodgin <hodgin...@gmail.com> wrote:
> My mongodump script uses the following command > mongodump --port 27017
> --out c:\backups\ --username admin --password password
> --authenticationDatabase admin --oplog
> the --oplog param to tell it to also dump the oplog since
> I'm using a replica set (very important!)

Just to clarify something - the --oplog flag makes point-in-time recovery possible by dumping the last portion of the --oplog at the end of the mongodump - from the time mongodump started till it's finished. It does not dump out the entire oplog. If you wanted to dump out the oplog you would have to do that with a separate mongodump command (with -d local -c oplog.rs).

Asya

Djonatan Buss

Aug 11, 2013, 11:51:43 PM8/11/13
to mongod...@googlegroups.com
Hi Daniel, Thank you for clarifying the use of the userAdminAnyDatabase and thank you for your answer.
What I'm trying to understand are the roles I need to have if I want to make the dump authenticating in different dbs.

For instance: if I want to dump table A and authenticate in table A (that's where mongo will look if you don't specify the authenticationDatabase) I need to have ['readWrite', 'userAdmin'].
1 - Why?
2 - Is there anything in the documentation that I overlooked saying something like this?
3 - Am I doing something wrong?
4 - Is it a bad practice to authenticate in a different database than the admin database when you are dumping?

Those are my main concerns so far.

Daniel Hodgin

Aug 12, 2013, 9:50:37 PM8/12/13
to mongod...@googlegroups.com
Hi Djonatan,

First you should mention which version of mongodb you are using. I am assuming 2.4+ for the purposes of this response, as 2.2 didn't have roles like 2.4 has.


> For instance: if I want to dump table A and authenticate in table A (that's where mongo will look if you don't specify the authenticationDatabase) I need to have ['readWrite', 'userAdmin'].
> 1 - Why?
The examples for users here http://docs.mongodb.org/manual/tutorial/add-user-administrator/ I found confusing. Then I read the stuff about security roles here http://docs.mongodb.org/manual/reference/user-privileges/ and things became clearer.

To sum it up: users are stored in individual DBs in the system.users collection, which is a special reserved collection name for every database. You create users in a database directly if you want them to only have access to that database and no others. You create users in the mongodb reserved special database 'admin' if you want those users to be able to have access to all databases on the server. There are user roles in v2.4 that you attach to a user.

There are 4 roles for users in individual databases and there are 5 roles that apply to users you create in the 'admin' database. If you try to use any of the 5 roles that are special for users in the admin database in a different database they are ignored.

This is why if you are creating a user in your own custom database you can only assign roles of: read, readWrite, dbAdmin, or userAdmin.

The other 5 roles only apply to users in the admin database because they are designed to give similar permissions as the other 4, except for all DBs on the server.

clusterAdmin, readAnyDatabase, readWriteAnyDatabase, userAdminAnyDatabase, dbAdminAnyDatabase are only applicable to users in the admin database.

And this link tells you what each role allows the user to do specifically in the database: http://docs.mongodb.org/manual/reference/user-privileges/

> 2 - Is there anything in the documentation that I overlooked saying something like this?
> 3 - Am I doing something wrong?
I don't think so, in my opinion. This is working as intended; you just need to know how the roles apply to which users for which database.

> 4 - Is it a bad practice to authenticate in a different database than the admin database when you are dumping?
I'm not the authority on 'best practices' for mongodb, but from what I learned taking the mongodb for DBAs course with 10Gen I think it's perfectly fine, because you would be using a user that only has just enough access to do the task required of it. I think if your backup user had full system access it would be a potential security risk if the credentials were compromised. If your backup task had to back up multiple DBs then it would make sense to elevate the user's credentials, and I believe there is a way to create a user that can have access to more than 1 db but not access to ALL DBs on the server, to say back up database A and B but not C and D.

Hope that clears it up,
Daniel
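Daniel's description of how 2.4 roles are scoped (four per-database roles, five admin-only roles that are silently ignored elsewhere) and his point about giving a backup user only the access it needs can be checked as a dry run before touching a server. This is an added example, not code from the thread; it assumes the 2.4 role names from the linked docs and infers from the failing dump (readWrite alone got "unauthorized" on system.users, adding userAdmin fixed it) that reading system.users requires userAdmin.

```python
"""Model of how MongoDB 2.4 scopes user roles, as the thread describes.

Added example, not code from the thread. Assumptions: role names follow the 2.4
user-privileges docs linked above; that reading system.users needs userAdmin
(readWrite was not enough) is inferred from the failing dump and the fix that
added 'userAdmin'. Nothing here talks to a server; it is a dry-run checker.
"""

DB_ROLES = {"read", "readWrite", "dbAdmin", "userAdmin"}
ADMIN_ONLY_ROLES = {"clusterAdmin", "readAnyDatabase", "readWriteAnyDatabase",
                    "userAdminAnyDatabase", "dbAdminAnyDatabase"}
DATA_ROLES = {"read", "readWrite"}                        # read ordinary collections
ANY_DATA_ROLES = {"readAnyDatabase", "readWriteAnyDatabase"}


def effective_roles(auth_db, roles):
    """Split a user's roles into (applied, ignored) for the db the user is stored in."""
    roles = set(roles)
    unknown = roles - DB_ROLES - ADMIN_ONLY_ROLES
    if unknown:
        raise ValueError(f"not a 2.4 role: {sorted(unknown)}")
    if auth_db == "admin":                   # admin-db users keep every role
        return roles, set()
    return roles & DB_ROLES, roles & ADMIN_ONLY_ROLES   # *AnyDatabase/clusterAdmin dropped


def dump_access(auth_db, roles, target_db, collections):
    """Map each collection of target_db to whether a dump by this user may read it."""
    applied, _ = effective_roles(auth_db, roles)
    if auth_db == "admin":
        local = target_db == "admin"         # admin users also hold plain roles on admin itself
        data_ok = bool(applied & ANY_DATA_ROLES or (local and applied & DATA_ROLES))
        users_ok = "userAdminAnyDatabase" in applied or (local and "userAdmin" in applied)
    elif auth_db == target_db:
        data_ok = bool(applied & DATA_ROLES)
        users_ok = "userAdmin" in applied
    else:                                    # a user stored in db A has no access to db B
        data_ok = users_ok = False
    return {c: (users_ok if c == "system.users" else data_ok) for c in collections}


def least_privilege_roles(auth_db, target_db):
    """Smallest role set, under this model, that lets a user in auth_db dump target_db."""
    if auth_db == target_db:
        return {"read", "userAdmin"}
    if auth_db == "admin":
        return {"readAnyDatabase", "userAdminAnyDatabase"}
    raise ValueError("a user stored in one custom db cannot dump another; use admin")
```

Running it on the user document from the first post reports `readWrite` as the only applied role and system.users as the one collection the dump cannot read, which is exactly where the real dump aborted.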