Discussion:
[mongodb-user] Implementing Mongo Auth (default) on a multi node mongo setup
Lance Lyons
2018-11-30 22:38:03 UTC
We have 3 machines in a multi-node setup (primary and 2 secondaries).
We set up the mongo config for each instance to include
authorization: "enabled"
We added 2 users to BOTH the admin and DBConfigs collection... one as
admin of the entire set and one as an application connection login.
db.createUser({ user: "admintool", pwd: "sdfsdfs", roles: [{ role: "read", db: "admin" }, { role: "dbOwner", db: "DBConfigs" }] })
db.createUser({ user: "mongoadmin", pwd: "sdfssdf", roles: [{ role: "userAdminAnyDatabase", db: "admin" }, { role: "dbOwner", db: "DBConfigs" }, { role: "userAdmin", db: "DBConfigs" }] })
We also updated the mongo connection string.
I have confirmed this all works in single node systems.
On the multinode system, I did the work on the primary first and recycled
the service, thus enabling it for the primary.
Then I enabled authorization on the 2 secondaries without adding the users
to those and recycled the service.
I was able to connect to the primary with Robomongo and authentication
with no problem.
However, our app had a problem connecting and bringing back data.
A couple of questions:
Do I need to add the users to the secondaries as well? I assumed they
would be replicated.
Could working the primary first and recycling it have caused the primary
to switch? I think our connection string for mongo does not include all
three nodes but just the original primary.
Any help would be appreciated.
I have had to disable the authorization on all three for the time being.
I forgot to ask if our user admintool defined above needs any unique
roles on a multinode system to just connect (read/write) on the DBConfigs
db.
--
You received this message because you are subscribed to the Google Groups "mongodb-user"
group.

For other MongoDB technical support options, see: https://docs.mongodb.com/manual/support/
---
You received this message because you are subscribed to the Google Groups "mongodb-user" group.
To unsubscribe from this group and stop receiving emails from it, send an email to mongodb-user+***@googlegroups.com.
To post to this group, send email to mongodb-***@googlegroups.com.
Visit this group at https://groups.google.com/group/mongodb-user.
To view this discussion on the web visit https://groups.google.com/d/msgid/mongodb-user/881bbcdd-9564-4cf6-827f-706cf00e19d3%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
MH
2018-11-30 23:28:56 UTC
Yes, you will need to add the users with the same user and pass to the others. You will also need to have a key file generated that the servers each have for internal authentication. The key file can be created with openssh.
MH
2018-11-30 23:32:39 UTC
Also, you should edit your connection string when using replica set. You need to specify all servers, the replica set name, and the authentication database.
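As an added example (not code from the thread or from any MongoDB driver), the following Python checks a replica-set connection string for the three things MH lists above: every member, the replica set name, and the authentication database. The host names, the set name rs0 and the admin / DBConfigs databases follow the thread; the sample string and its password are constructed placeholders. The authSource rule it applies is the connection-string default: when the option is absent, the database in the URI path is used, and admin if there is none, so authSource has to name the database the user was actually created in.

```python
"""Added example, not code from the thread or from any MongoDB driver: a checker
for the replica-set connection string discussed above.  Host names, the set
name "rs0" and the "admin" / "DBConfigs" databases follow the thread; the
sample string and its password are constructed placeholders."""
from urllib.parse import parse_qs, unquote

# Constructed sample in the shape of the string from the thread.
SAMPLE_URI = ("mongodb://admintool:s3cr3t@machine1.domain.local:27017,"
              "machine2.domain.local:27017,machine3.domain.local:27017/"
              "DBConfigs?replicaSet=rs0&authSource=admin")
MEMBERS = ["machine1.domain.local:27017",
           "machine2.domain.local:27017",
           "machine3.domain.local:27017"]


def parse_mongo_uri(uri):
    """Split mongodb://[user:pwd@]host1[,host2...][/db][?opt=val&...]."""
    if not uri.startswith("mongodb://"):
        raise ValueError("expected a mongodb:// URI")
    rest = uri[len("mongodb://"):]
    userinfo, rest = rest.rsplit("@", 1) if "@" in rest else ("", rest)
    hosts_part, _, path_q = rest.partition("/")
    db, _, query = path_q.partition("?")
    user = pwd = None
    if userinfo:
        raw_user, _, raw_pwd = userinfo.partition(":")
        # Credentials are percent-encoded in the URI; decode them here.
        user, pwd = unquote(raw_user), unquote(raw_pwd)
    # parse_qs keeps every value in a list; take the last one.
    opts = {k: v[-1] for k, v in parse_qs(query).items()}
    return {"user": user, "password": pwd,
            "hosts": [h for h in hosts_part.split(",") if h],
            "db": db or None, "options": opts}


def check_replica_set_uri(uri, members, rs_name, user_db):
    """Return a list of findings; an empty list means the string names every
    member, the replica set, and the database the user was created in."""
    p = parse_mongo_uri(uri)
    findings = []
    missing = sorted(set(members) - set(p["hosts"]))
    if missing:
        findings.append("members not listed (failover would be blind to them): "
                        + ", ".join(missing))
    if p["options"].get("replicaSet") != rs_name:
        findings.append("replicaSet option missing or not %r" % rs_name)
    # Default when authSource is absent: the path database, then admin.
    auth_src = p["options"].get("authSource") or p["db"] or "admin"
    if auth_src != user_db:
        findings.append("authenticating against %r but the user lives in %r"
                        % (auth_src, user_db))
    if not p["user"]:
        findings.append("no credentials in the URI")
    return findings


if __name__ == "__main__":
    for line in check_replica_set_uri(SAMPLE_URI, MEMBERS, "rs0", "admin") or ["ok"]:
        print(line)
```

Run it against the value from app.config before turning authorization back on; a password containing URI-reserved characters such as @ or / must be percent-encoded in the string, which is why the parser decodes the credentials.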
Robert Cochran
2018-12-01 01:26:00 UTC
Googling helps! The exact methods needed are described in this overview
<https://docs.mongodb.com/manual/tutorial/enable-authentication/>

As Monica says, you need to do a little more for replica sets and sharded
clusters, as detailed here for internal authentication.
<https://docs.mongodb.com/manual/core/security-internal-authentication/>

Thanks so much

Bob
Lance Lyons
2018-12-03 15:03:11 UTC
Thanks for the guidance. I think I understand.
Lance Lyons
2018-12-03 15:58:12 UTC
It looks like while the 2 secondaries are part of the replica set, you
cannot add users.

rs0:SECONDARY> db.createUser({ user: "admintool", pwd: "adm1nt00l", roles: [{ role: "read", db: "admin" }, { role: "dbOwner", db: "OnlifeConfigs" }] })
2018-12-03T09:54:55.604-0600 E QUERY [thread1] Error: couldn't add user: not master :
***@src/mongo/shell/utils.js:25:13
***@src/mongo/shell/db.js:1290:15

Do we have to break the replica set to add those first?
Lance Lyons
2018-12-03 16:00:18 UTC
It seems like we get an error when adding users to the secondaries.

Do we need to break the replica set first and add the users/passwords and
then re-enable the replication?

rs0:SECONDARY> db.createUser({ user: "admintool", pwd: "sdfsdfsdfs", roles: [{ role: "read", db: "admin" }, { role: "dbOwner", db: "DBConfigs" }] })
MH
2018-12-03 16:23:28 UTC
You should be able to restart the secondary instances with the replication
lines in the config file commented out, connect to them and add the user.
Bob Cochran
2018-12-03 17:01:38 UTC
If you Google on ‘MongoDB Enable Auth internal authentication’ the exact procedure is spelled out.

Bob
Lance Lyons
2018-12-03 19:23:56 UTC
Thanks Monica,

That did work. Thanks.

I have setup a temp key file that is the same on all three servers.

The connection string now looks like this.

<add key="MongoDBConnectionString"
     value="mongodb://admintool:***@machine1.domain.local:27017,machine2.domain.local:27017,machine3.domain.local:27017/DBConfigs?replicaSet=rs0&amp;authSource=admin" />

I am not sure if the authSource setting is proper. I only added users to
the admin db and DBConfigs db.

Also, I have used openssl to create a key file and am going to set it up in
the config file as such.

systemLog:
  destination: file
  path: "F:\\MongoDB_Logs\\mongoSt.log"
  logAppend: true
storage:
  dbPath: "E:\\MongoDB_Data\\dataSt"
replication:
  replSetName: "rs0"
net:
  port: 27017
security:
  keyFile: "e:\\MongoDB_Inst\\keyfile.txt"
  authorization: "enabled"


Does this look proper or can you see any issues?

Thanks
Lance
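The keyfile that MH mentions for internal authentication and that Lance generates with openssl and points security.keyFile at, as an added example in Python (not code from the thread or from MongoDB). The file name is an assumption. The rules it enforces are MongoDB's documented keyfile requirements: base64 characters only, 6 to 1024 characters after whitespace is stripped, identical content on every member, and no group or other permissions on Unix. The fingerprint function exists so the three copies can be compared without sending the key itself around.

```python
"""Added example (not code from the thread or from MongoDB): create and
sanity-check the keyfile that security.keyFile points at.  The file name is
an assumption; the content rules (base64 alphabet, 6 to 1024 characters,
identical on every member, not readable by group/other on Unix) are
MongoDB's documented keyfile requirements."""
import base64
import hashlib
import os
import secrets
import stat
import sys

BASE64_ALPHABET = set(
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=")


def make_keyfile_content(nbytes=756):
    """756 random bytes encode to 1008 base64 characters, the same shape
    `openssl rand -base64 756` produces and under the 1024-character cap."""
    return base64.b64encode(secrets.token_bytes(nbytes)).decode("ascii")


def write_keyfile(path, content=None):
    """Create the file owner-read-only from the start so the secret is never
    world-readable; O_EXCL refuses to overwrite an existing key."""
    content = content or make_keyfile_content()
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o400)
    with os.fdopen(fd, "w") as f:
        f.write(content + "\n")
    return path


def check_keyfile_content(raw):
    """Return a list of problems with the key text; empty means usable."""
    problems = []
    # mongod strips whitespace, so judge only the remaining characters.
    body = "".join(raw.split())
    if not 6 <= len(body) <= 1024:
        problems.append("key length %d outside 6..1024" % len(body))
    bad = sorted(set(body) - BASE64_ALPHABET)
    if bad:
        problems.append("non-base64 characters: %r" % bad)
    return problems


def check_keyfile(path):
    """Content checks plus the Unix permission check mongod itself applies."""
    try:
        with open(path, "r") as f:
            raw = f.read()
    except OSError as e:
        return ["cannot read keyfile: %s" % e]
    problems = check_keyfile_content(raw)
    if os.name != "nt":
        mode = stat.S_IMODE(os.stat(path).st_mode)
        if mode & (stat.S_IRWXG | stat.S_IRWXO):
            problems.append("mode %o allows group/other access; use 400" % mode)
    return problems


def keyfile_fingerprint(path):
    """SHA-256 over the whitespace-stripped content, for comparing the copies
    on the three members without mailing the key around."""
    with open(path, "r") as f:
        body = "".join(f.read().split())
    return hashlib.sha256(body.encode("ascii")).hexdigest()


if __name__ == "__main__":
    # Assumed default name; on the machines in the thread this would be the
    # path given under security.keyFile.
    target = sys.argv[1] if len(sys.argv) > 1 else "keyfile.txt"
    write_keyfile(target)
    print("problems:", check_keyfile(target) or "none")
    print("fingerprint:", keyfile_fingerprint(target))
```

Generate the key once, copy it to the other two members over a channel you already trust, and compare the fingerprints on all three before restarting with security.keyFile set; a member whose copy differs will fail to authenticate to the others.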