Discussion:
[mongodb-user] mongoexport with ssl authentication
Iľja Pelech
2018-11-29 08:51:09 UTC
Hey, folks!

Anyone ever tried to use mongoexport with ssl authentication?

I have a strange issue - maybe I missed something:


- I have ssl auth enabled on the instance
- ssl auth using pymongo works fine
- ssl auth using mongo shell works fine too
- the user has appropriate privileges (see below)

Though I can authenticate and work without any issues using shell or
python, mongoexport fails every time with:

Failed: error running `listCollections`. Database: `test` Err: not authorized on test to execute command { listCollections: 1, filter: { name: "tc1" }, cursor: {}, $readPreference: { mode: "secondaryPreferred" }, $db: "test" }

Permissions (using export requires listCollections which is encapsulated in
readWrite on the database which, again, IS set):

SANDBOX:PRIMARY> use $external
switched to db $external
SANDBOX:PRIMARY> show users
{
    "_id" : "$external.CN=sbxuser,OU=d_sbx,O=o_sbx,C=SK",
    "user" : "CN=sbxuser,OU=d_sbx,O=o_sbx,C=SK",
    "db" : "$external",
    "roles" : [
        {
            "role" : "readWrite",
            "db" : "test"
        },
        {
            "role" : "readWrite",
            "db" : "sbx"
        }
    ]
}
SANDBOX:PRIMARY>


Shell works just fine:
***@wneg2220:~/mongo$ mongo wneg2220/test --ssl --sslPEMKeyFile s432013.nopasswd.pem --sslCAFile sandbox.ca.pem --authenticationDatabase '$external' --authenticationMechanism=MONGODB-X509
MongoDB shell version v3.6.9
connecting to: mongodb://wneg2220:27017/test
Implicit session: session { "id" : UUID("6c777c69-d58c-4b85-a3f7-63347b5c839f") }
MongoDB server version: 3.6.9
SANDBOX:PRIMARY> show collections
tc1
SANDBOX:PRIMARY> db.tc1.find();
{ "_id" : ObjectId("5b4c5cda62523fdeeda63b7b") }
{ "_id" : "a", "b" : "c" }
SANDBOX:PRIMARY>
bye

mongoexport fails:
***@wneg2220:~/mongo$ mongoexport -vvvv -h wneg2220 -d test -c tc1 --ssl --sslPEMKeyFile s432013.nopasswd.pem --sslCAFile sandbox.ca.pem --authenticationDatabase '$external' --authenticationMechanism=MONGODB-X509
2018-11-29T09:41:19.864+0100 will listen for SIGTERM, SIGINT, and SIGKILL
2018-11-29T09:41:19.880+0100 Failed: error running `listCollections`. Database: `test` Err: not authorized on test to execute command { listCollections: 1, filter: { name: "tc1" }, cursor: {}, $readPreference: { mode: "secondaryPreferred" }, $db: "test" }


Increasing log verbosity (db.setLogLevel(5,"accessControl")) didn't help. It
showed even less output than mongoexport itself :-)

Any ideas? Am I missing something? :-)

I found an issue submitted to mongodb
(https://jira.mongodb.org/browse/TOOLS-1804), but it turned out that the
guy who submitted it didn't have correct permissions set on the target
database, which apparently (at least I don't see) isn't my case.

Thanks for any help!

ip
--
You received this message because you are subscribed to the Google Groups "mongodb-user"
group.

For other MongoDB technical support options, see: https://docs.mongodb.com/manual/support/
---
You received this message because you are subscribed to the Google Groups "mongodb-user" group.
To unsubscribe from this group and stop receiving emails from it, send an email to mongodb-user+***@googlegroups.com.
To post to this group, send email to mongodb-***@googlegroups.com.
Visit this group at https://groups.google.com/group/mongodb-user.
To view this discussion on the web visit https://groups.google.com/d/msgid/mongodb-user/886dadb5-6bf8-4f6e-94a1-9541cc83f6b3%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
'Kevin Adistambha' via mongodb-user
2018-12-10 03:25:10 UTC
Hi

I find that I can reproduce the issue you’re seeing using MongoDB 4.0.4.
However I see a different error message:

$ mongoexport --host localhost --ssl --sslCAFile ca.crt --sslPEMKeyFile client.pem \
--authenticationDatabase '$external' --authenticationMechanism MONGODB-X509 \
-d test -c test
2018-12-10T14:18:18.173+1100 error connecting to db server: auth failed

Having said that, it seems to export successfully if I specify the user:

$ mongoexport --host localhost --ssl --sslCAFile ca.crt --sslPEMKeyFile client.pem \
--authenticationDatabase '$external' --authenticationMechanism MONGODB-X509 \
-u 'emailAddress=***@mongodb.com,CN=localhost,OU=client,O=MongoDB,L=Sydney,ST=NSW,C=AU' \
-d test -c test
2018-12-10T14:19:21.187+1100 connected to: localhost
{"_id":0.0}
{"_id":1.0}
{"_id":2.0}
2018-12-10T14:19:21.188+1100 exported 3 records

where the user is the subject of the client’s certificate:

$ openssl x509 -in client.pem -inform PEM -subject -nameopt RFC2253 -noout
subject= emailAddress=***@mongodb.com,CN=localhost,OU=client,O=MongoDB,L=Sydney,ST=NSW,C=AU

this is also reflected in the user in the $external database. Here I
attempted to copy the permission that you have:

$external> show users
{
    "_id": "$external.emailAddress=***@mongodb.com,CN=localhost,OU=client,O=MongoDB,L=Sydney,ST=NSW,C=AU",
    "user": "emailAddress=***@mongodb.com,CN=localhost,OU=client,O=MongoDB,L=Sydney,ST=NSW,C=AU",
    "db": "$external",
    "roles": [
        {
            "role": "readWrite",
            "db": "test"
        }
    ]
}

Could you confirm your MongoDB version and whether mongoexport works when
you specify the user parameter?

Best regards
Kevin
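
Added example, not part of the original thread and not MongoDB's own code: a shell helper that derives the -u value from the client certificate with the same openssl call shown in the reply above, then runs mongoexport with the same flags. The function names and argument order are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the thread): derive the MONGODB-X509 user name from
# the client certificate and pass it to mongoexport explicitly with -u.
# Function names and argument order are assumptions of this example.

# Strip the "subject=" label from `openssl x509 -subject` output.
# Older OpenSSL prints "subject= CN=..."; newer prints "subject=CN=...".
x509_subject_from_output() {
    sed -n 's/^subject= *//p' | head -n 1
}

# Print the certificate subject in RFC 2253 form, the same form the user
# name in the $external database has in the thread.
x509_user() {
    openssl x509 -in "$1" -inform PEM -subject -nameopt RFC2253 -noout |
        x509_subject_from_output
}

# usage: export_with_x509 CLIENT_PEM CA_FILE HOST DB COLLECTION
export_with_x509() {
    pem=$1 ca=$2 host=$3 db=$4 coll=$5
    user=$(x509_user "$pem")
    # A failed or empty openssl read must not fall through to an
    # export attempt without a user name.
    if [ -z "$user" ]; then
        echo "could not read a subject from $pem" >&2
        return 1
    fi
    # '$external' is single-quoted so the shell does not expand it.
    mongoexport --host "$host" --ssl --sslCAFile "$ca" --sslPEMKeyFile "$pem" \
        --authenticationDatabase '$external' \
        --authenticationMechanism MONGODB-X509 \
        -u "$user" -d "$db" -c "$coll"
}
```

Comparing the output of `x509_user client.pem` with the `user` field from `show users` in `$external` shows whether the certificate and the database user refer to the same name.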
​