PHP - MongoDB::execute - not authorized in 2.6

[Rene Hanika]

Hi all,

after upgrading to version 2.6 I have the following problem:

Any mongoDB::execute request I make to 2.6 end in an error "not authorized". I already searched in Google and read the documentation for 2.6 but I don't find any reason for that. The same requests to 2.4 are all successfull...

Here are is an example:

$m = new MongoClient("mongodb://admin:pass@localhost");

$testdb = $m->test;

 

$response = $testdb->execute("function() { return 'Hello, world!'; }");

print_r($response);

The response is:

Array ( [ok] => 0 [errmsg] => not authorized on local to execute command { $eval: CodeWScope( function() { return 'Hello, world!'; }, {}), args: [] } [code] => 13 )

I already checked the roles of the user, which is the superuser role "root" - so what I'm doing wrong? Do I need to add some new roles for 2.6 to use the execute request from the php driver?

Thanks for any help and regards

Rene

[s.molinari]

Not sure it has anything to do with is, but did you update the driver? 1.5.0 is the current version.

Scott

[Rene Hanika]

yes, PHP driver is the newest one from PECL, the problem must be in the authorization changes in 2.6 - when I change the server to noauth everything works fine... 

I thought that a user with superuser role 'root' can do anything on the server, or is this wrong?

Rene

[s.molinari]

Root should be able to do everything. 

However, if you read this, it says to be able to run eval (which I think is needed to run Javascript on the server), then your user would have to be assigned the "__system" role, but then that same section says you shouldn't do that either. It says...

If you need access to all actions on all resources, for example to run the eval or applyOpscommands, do not assign this role. Instead,:ref:create a user-defined role <define-roles> that grantsanyAction on anyResource and ensure that only the users who needs access to these operations has this access.

Why do you want to run Javascript on the server anyway. That is considered something only to be done on exception by Mongo. 

http://docs.mongodb.org/manual/tutorial/store-javascript-function-on-server/

NOTE
We do not recommend using server-side stored (javascript) functions if possible.

Scott 

[s.molinari]

Check this out too.

http://docs.mongodb.org/manual/release-notes/2.6-upgrade-authorization/#upgrade-authorization-model

Scott

[Hannes Magnusson]

MongoDB::execute() in the PHP driver calls the MongoDB command eval() under-the-hood.

This command is highly discouraged, and requires very special and separate authorization roles.

See http://docs.mongodb.org/manual/reference/command/eval/

-Hannes

[Rene Hanika]

Thanks for your information - the reason for that is Rockmongo, which uses this command in a lot of functions and gives now the unauthorized errors. I read already that its not recommended...

I  evaluate now some other GUI tools, but I'm not happy with them which I already found - Rockmongo was perfect for us, you just open a browser on any device. 

Thanks for helping and regards

Rene

[Hannes Magnusson]

Try http://genghisapp.com/

-Hannes

> --
> You received this message because you are subscribed to the Google Groups
> "mongodb-user"
> group.
>
> For other MongoDB technical support options, see:
> http://www.mongodb.org/about/support/.
> ---
> You received this message because you are subscribed to a topic in the
> Google Groups "mongodb-user" group.
> To unsubscribe from this topic, visit
> https://groups.google.com/d/topic/mongodb-user/Z67GTPjkBpE/unsubscribe.
> To unsubscribe from this group and all its topics, send an email to
> mongodb-user...@googlegroups.com.
> To post to this group, send email to mongod...@googlegroups.com.
> Visit this group at http://groups.google.com/group/mongodb-user.
> To view this discussion on the web visit
> https://groups.google.com/d/msgid/mongodb-user/8d2e523f-5bd8-42d2-bfd4-266dbf501908%40googlegroups.com.
>
> For more options, visit https://groups.google.com/d/optout.

[s.molinari]

Gehngis is Ruby. Rockmongo is PHP.;) Asking a PHP person to use Ruby is almost like asking a democrat to become a republican. LOL! :-D

The way it looks, the Rockmongo devs aren't keeping Rockmongo up to date really. Last changes were made 8 months ago and the last release was over a year ago.  I looked through the code and they use execute to allow you to add "code" datatypes to your database (well that is one use of it. I didn't catch the other reasons, looking quickly at the code). They made the eval call "safer" too, so you can push code safely to the DB and eval it, and it is an admin tool, thus only trusted people should use it. So, maybe you could look into adding the proper privileges to your db users to run Rockmongo. 

You could also add an issue to their github and see what happens. https://github.com/iwind/rockmongo/issues

Scott

[Hannes Magnusson]

Genghis is a PHP application too.

Download the zip clicking the "Download" button on http://genghisapp.com/
Extract the .zip file.
Open a terminal when you extracted the zip file
Run php -S localhost:8080 genghis.php

Or stick genghis.php or any webserver and hit it.

-Hannes

> --
> You received this message because you are subscribed to the Google Groups
> "mongodb-user"
> group.
>
> For other MongoDB technical support options, see:
> http://www.mongodb.org/about/support/.
> ---
> You received this message because you are subscribed to a topic in the
> Google Groups "mongodb-user" group.
> To unsubscribe from this topic, visit
> https://groups.google.com/d/topic/mongodb-user/Z67GTPjkBpE/unsubscribe.
> To unsubscribe from this group and all its topics, send an email to
> mongodb-user...@googlegroups.com.
> To post to this group, send email to mongod...@googlegroups.com.
> Visit this group at http://groups.google.com/group/mongodb-user.
> To view this discussion on the web visit

> https://groups.google.com/d/msgid/mongodb-user/e50daaa9-c247-46be-b7ae-7725ccac1766%40googlegroups.com.

[s.molinari]

Oops! I stand corrected. I saw the "gem install" on the front page and assumed it was Ruby only.:)

Scott