Mongodump with user-access enabled issues


LynnyK

Feb 10, 2016, 8:19:48 PM
to mongodb-user
I'm finding using mongodump on an instance with user-access enabled cumbersome.
 
I get that you can do an instance backup using mongodump --username <user> --password <password> --authenticationDatabase admin
 
But when I only want to back up a single database, it's not very intuitive.
I have created a user with root permissions as well as readAnyDatabase in admin but still when I run
 
> mongodump --username backupuser --password password123 --db db1
 
I get the following error
   Failed: error connecting to db server: server returned error on SASL authentication step: Authentication failed.
 
I have had to explicitly create the same user in the database db1 to be able to run a backup of a single database.
 
db.createUser(
   {
     user: "backupuser",
     pwd: "password123",
     roles: [ {role:"read", db:"db1"} ]
   }
)
 
But this user was already created in admin...
My confusion is, if we have to create the user in admin and add the user in the backup role, then have to create the same account in db1, this means that we have to supply the password twice.
Does that mean the account can have different passwords depending on the database?
 
Has anyone else had any frustration with mongodump with single database backups ?
 
Thanks
 

Kevin Adistambha

Feb 15, 2016, 6:57:48 PM
to mongodb-user

Hello,

There are two things that could be corrected with what you have tried:

1. The command line you executed:

> mongodump --username backupuser --password password123 --db db1

lacks the --authenticationDatabase admin parameter. Assuming that the backupuser user has the correct privilege, the command should be:

mongodump --username backupuser --password password123 --db db1 --authenticationDatabase admin

This should point mongodump to the admin database where the user information is stored, and the dump should be successful.

2. The user you created:

db.createUser(
   {
     user: "backupuser",
     pwd: "password123",
     roles: [ {role:"read", db:"db1"} ]
   }
)

using the read role is only valid for the specified database (in this case, db1).

Although this will work with your specified use case, for a more generic backup role, you need to create a user with a backup privilege in the admin database as described in the Backup and Restoration Roles documentation. For example:

db.createUser(
   {
     user: "backupuser",
     pwd: "password123",
     roles: [ "backup" ]
   }
)

Afterward, you should be able to back up any database in your server with the same command:

mongodump --username backupuser --password password123 --db db1 --authenticationDatabase admin

If you are still having issues, please let us know your specific versions of MongoDB and mongodump.

Best regards,
Kevin

LynnyK

Feb 17, 2016, 5:58:39 PM
to mongodb-user
Hi Kevin,

Thanks for your reply.

Yes I realised after some playing around that I needed to add the --authenticationDatabase and it did work.

My general issue is with the user creation. Perhaps my headspace is still in SQL Server and how it administers roles + users but this is my issue.

If I create an account called USER1 in admin and give it readwriteAnyDatabase, or give it dbowner role in DB1, it is able to read and write to any database or perform all tasks in DB1 so long as I authenticate with the admin database when I connect.

If I don't authenticate with the admin database, then I get an error saying that I can't authenticate because the user USER1 does not exist in the database.
To me, the user should exist in the database given that it has full access to it already...

Otherwise to be able to connect to DB1 using USER1, I need to create the user explicitly in DB1 again and provide password. But will this password need to be the same as the password of the user USER1 which was created in admin ??

Maybe I am missing something here.

Thanks!

Lyn

Kevin Adistambha

Feb 28, 2016, 7:39:30 PM
to mongodb-user

Hi Lyn,

There are two parts of MongoDB authentication: username and authentication database.

From the Authentication Database documentation:

> The user’s name and authentication database serve as a unique identifier for that user. That is, if two users have the same name but are created in different databases, they are two separate users. If you intend to have a single user with permissions on multiple databases, create a single user with roles in the applicable databases instead of creating the user multiple times in different databases.

Regarding your question:

> Otherwise to be able to connect to DB1 using USER1, I need to create the user explicitly in DB1 again and provide password. But will this password need to be the same as the password of the user USER1 which was created in admin ??

The USER1 you create in the DB1 database (let’s call it DB1.USER1) and the USER1 you create in the admin database (let’s call it admin.USER1) are two different users.

Which one you need to create depends on the role that USER1 plays:

  • If it does not need to access anything server-wide, then you just need to create it in the DB1 database (DB1.USER1)
  • Otherwise, you would need to create it in the admin database (admin.USER1).

In general, there are two categories of roles: database-specific roles, and server-wide roles.

Database-specific roles

For database-specific roles, you need to create the user in the database. The roles are:

For database-specific users, you would need to pass the --authenticationDatabase DatabaseName to either mongodump or mongo executables.

Server-wide roles

For server-wide roles, you need to create the user in the admin database. These roles can only be created in the admin database:

An example of a server-wide role is the backup role; a user with backup role created in the admin database is the only user you need to perform backup of any database in the server. Since this user must be created in the admin database, you would need to pass the --authenticationDatabase admin to mongodump to perform any backup job.

Best regards,
Kevin
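
Added example (not part of Kevin's reply and not MongoDB's own code): a simplified JavaScript model of the lookup that the two replies above describe, showing why the dump fails without --authenticationDatabase and how to spot same-named users defined in several databases. The sample user documents are constructed, the role sets cover only a few built-in roles, and the fallback order for the authentication database is taken from the mongodump documentation.

```javascript
// Simplified model (not MongoDB source code) of how a user is identified by
// the pair (authentication database, username). All documents are constructed
// samples shaped like entries in admin.system.users.
const users = [
  { _id: "admin.backupuser", user: "backupuser", db: "admin",
    roles: [{ role: "backup", db: "admin" }] },
  { _id: "db1.backupuser", user: "backupuser", db: "db1",
    roles: [{ role: "read", db: "db1" }] },
  { _id: "admin.USER1", user: "USER1", db: "admin",
    roles: [{ role: "readWriteAnyDatabase", db: "admin" }] },
];

// Roles that allow reading every database when granted on admin (partial list).
const SERVER_WIDE_READ = new Set(["backup", "root", "readAnyDatabase", "readWriteAnyDatabase"]);
// Database-scoped roles that allow reading the database they are granted on.
const DB_READ = new Set(["read", "readWrite", "dbOwner"]);

// mongodump looks for the user in --authenticationDatabase; when the flag is
// omitted it falls back to the database named by --db, then to admin.
function authDatabase(opts) {
  return opts.authenticationDatabase ?? opts.db ?? "admin";
}

// Returns the user document the server would authenticate against, or null.
function resolveUser(userDocs, opts) {
  const id = `${authDatabase(opts)}.${opts.username}`;
  return userDocs.find((u) => u._id === id) ?? null;
}

// True when the resolved user holds a role that lets it read opts.db.
function canDump(userDocs, opts) {
  const u = resolveUser(userDocs, opts);
  if (!u) return false; // "Authentication failed": no such user in that database
  return u.roles.some((r) =>
    (r.db === "admin" && SERVER_WIDE_READ.has(r.role)) ||
    (r.db === opts.db && DB_READ.has(r.role)));
}

// Audit helper: usernames defined in more than one authentication database,
// i.e. separate accounts, each with its own credentials, that share a name.
function duplicateNames(userDocs) {
  const seen = new Map();
  for (const u of userDocs) seen.set(u.user, [...(seen.get(u.user) ?? []), u.db]);
  return [...seen].filter(([, dbs]) => dbs.length > 1)
                  .map(([name, dbs]) => ({ name, dbs }));
}

console.log(duplicateNames(users));
```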

LynnyK

Feb 29, 2016, 4:49:43 PM
to mongodb-user
Hi Kevin

Thank you so much for your detailed replies!

Lyn