
auth failed with mongodb 2.4 version when using user roles 'read','dbAdmin','clusterAdmin'

Open nosqldb opened this issue 10 years ago • 15 comments

Execute failed:unauthorized function (){ return db.getCollectionNames(); }

nosqldb avatar Nov 05 '13 02:11 nosqldb

We have noticed this also. We had to roll back to our previous 2.2 version for rockmongo to work.

malramsay avatar Nov 27 '13 17:11 malramsay

We had the same problem, but I resolved it (in the end) by giving the following roles:

"readWriteAnyDatabase", "clusterAdmin", "userAdminAnyDatabase", "dbAdminAnyDatabase"

And setting the username / password and $MONGO["servers"][$i]["mongo_auth"] = true...

fruitl00p avatar Nov 28 '13 07:11 fruitl00p

But we really need a "read only" role for developers to query data.

nosqldb avatar Nov 28 '13 09:11 nosqldb

This is a serious problem for anyone that cares about their data. Can we get a fix in place?

aaronbbrown avatar Dec 10 '13 23:12 aaronbbrown

Using the roles and config settings, it worked for me... seems OK right? Although requiring the super admin rights does seem like overkill to me, it served my purpose? (for allowing mongo-wide administration...?)

fruitl00p avatar Dec 12 '13 08:12 fruitl00p

The issue is I need to set up users with different roles including some with read-only access (no admin), some with read-write (no admin) and some with full admin rights. At present I can only create users with full admin rights.

malramsay avatar Dec 12 '13 09:12 malramsay

Try my fork - https://github.com/myurasov/rockmongo. This is an effort to provide an up-to-date version of Rockmongo by including the latest patches from a number of forks found on Github.

Correct auth usage is:

  1. Change the Rockmongo configuration like this:
     $MONGO["servers"][$i]["mongo_auth"] = true;
  2. Enter your MongoDB username/password in the login dialog.

myurasov avatar Dec 25 '13 19:12 myurasov

We need a read-only query system on MongoDB 2.4 (but rockmongo needs some admin privileges); does your version meet this need?


Cyrus

nosqldb avatar Dec 26 '13 02:12 nosqldb

@nosqldb, this should be solved since one of the patches replaced $eval usage (which requires admin privileges) with functions like $db->getCollectionNames(). Please report if this works for you.

myurasov avatar Dec 26 '13 03:12 myurasov

@myurasov It seems unresolved. I tested your version as follows: add a user with the read role on one db, then execute the code: function () { var plus = 1 + 2; return plus; }

Response from server: { "ok": 0, "errmsg": "unauthorized" }

nosqldb avatar Jan 09 '14 10:01 nosqldb

http://docs.mongodb.org/manual/reference/method/db.eval/ says you must have full admin access for this starting from v 2.4.


Mikhail Yurasov @mym__

myurasov avatar Jan 10 '14 08:01 myurasov

I want to give limited access to mongodb databases via rockmongo interface to my developer. Is there a way to create a rockmongo interface user with read only access to all databases created under mongoDB running on a server?

As rockmongo official site is not reachable, I'm posting it here.

testrmongo avatar May 11 '15 12:05 testrmongo

After testing some variations on this, the issue can be easily replicated.

In Mongo 2.4, the introduction of roles allows certain roles to only be created in the "admin" database - such as clusterAdmin and the "anyDatabase" roles. These roles are therefore not assumed when the AUTHENTICATION takes place against another database. For example, I can create a user with these roles in "admin" and create a user without the "admin" roles in a different db. If I authenticate against the admin DB and then switch to the other db, I have the required permissions to execute db.eval. However, there is no way to assume these roles when directly authenticating against the other database.

e.g.

$ mongo -u someadmin -p mypass admin
> use otherDb
switched to otherDb
> db.addUser({user: "testuser",pwd:"thepass",roles:["userAdminAnyDatabase","readWrite","userAdmin","readWriteAnyDatabase","dbAdminAnyDatabase", "clusterAdmin"]});
... (confirmation of user being added)
> exit
$ mongo -u testuser -p thepass otherDb
connecting to: otherDb
> db.eval('db.somecollection.count()')
{ "ok" : 0, "errmsg" : "unauthorized" } at src/mongo/shell/db.js:571
> exit
$ mongo -u someadmin -p mypass admin
> db.addUser({user: "testuser",pwd:"thepass",roles:["userAdminAnyDatabase","readWrite","userAdmin","readWriteAnyDatabase","dbAdminAnyDatabase", "clusterAdmin"]});
.... (confirmation of user being added)
> exit
$ mongo -u testuser -p thepass admin
connecting to admin
> use otherDb
switched to otherDb
> db.eval('db.somecollection.count()')
0

When authenticating as testuser against otherDb, mongod logs the following, as expected:

warning: No such role, "userAdminAnyDatabase", in database otherDb. No privileges will be acquired from this role
warning: No such role, "readWriteAnyDatabase", in database otherDb. No privileges will be acquired from this role
warning: No such role, "dbAdminAnyDatabase", in database otherDb. No privileges will be acquired from this role
warning: No such role, "clusterAdmin", in database otherDb. No privileges will be acquired from this role

Using 'userAdmin', 'readWrite' and 'dbAdmin' for a role within the auth db is not sufficient; the clusterAdmin role is needed, and it is only available in the admin db.

brettcave avatar Jun 30 '16 10:06 brettcave
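The two facts brettcave's test establishes (admin-only roles are silently ignored when granted in another database, and db.eval on 2.4 only worked for a user authenticated against admin with clusterAdmin) can be turned into an audit of 2.4-style user documents. This is an added Node.js example, not code from rockmongo or from anyone in this thread; the role names are the MongoDB 2.4 built-in roles, the user documents are constructed, and the evalCapable rule is a simplification taken from the experiment above rather than a full privilege model.

```javascript
// Roles that only exist in the "admin" database under MongoDB 2.4; granting them in any
// other database is a no-op (mongod logs: No such role, "...", in database X).
const ADMIN_ONLY_ROLES = ["readAnyDatabase", "readWriteAnyDatabase",
  "userAdminAnyDatabase", "dbAdminAnyDatabase", "clusterAdmin"];
// Roles that can be granted in any database and take effect there.
const DB_LEVEL_ROLES = ["read", "readWrite", "dbAdmin", "userAdmin"];

// Audit one user document of the 2.4 shape {user, pwd, roles} stored in <dbName>.system.users.
function auditUser(dbName, userDoc) {
  const effective = [], ignored = [], unknown = [];
  for (const role of userDoc.roles) {
    if (DB_LEVEL_ROLES.includes(role)) effective.push(role);
    else if (ADMIN_ONLY_ROLES.includes(role)) (dbName === "admin" ? effective : ignored).push(role);
    else unknown.push(role);
  }
  return {
    user: userDoc.user, db: dbName, effective, ignored, unknown,
    // Assumption from the thread's test: db.eval worked only when authenticated against
    // admin with clusterAdmin. Not a complete 2.4 privilege model.
    evalCapable: dbName === "admin" && effective.includes("clusterAdmin"),
  };
}

// Audit a map { dbName: [userDoc, ...] } and return the findings a reviewer would want:
// no-op grants, users with no effective access, and users holding cluster-wide admin.
function auditAllUsers(usersByDb) {
  const findings = [];
  for (const [dbName, users] of Object.entries(usersByDb)) {
    for (const userDoc of users) {
      const r = auditUser(dbName, userDoc);
      if (r.ignored.length)
        findings.push(`${r.db}.${r.user}: roles ignored outside admin: ${r.ignored.join(", ")}`);
      if (!r.effective.length) findings.push(`${r.db}.${r.user}: no effective roles at all`);
      if (r.evalCapable)
        findings.push(`admin.${r.user}: holds clusterAdmin (cluster-wide admin, can run db.eval)`);
    }
  }
  return findings;
}

// Constructed sample mirroring the thread: "testuser" created in otherDb with admin-only roles
// (all ignored), a developer with a plain "read" role, and a real admin in "admin".
const SAMPLE_USERS = {
  otherDb: [
    { user: "testuser", pwd: "<hash placeholder>", roles: ["userAdminAnyDatabase", "readWrite",
      "userAdmin", "readWriteAnyDatabase", "dbAdminAnyDatabase", "clusterAdmin"] },
    { user: "dev", pwd: "<hash placeholder>", roles: ["read"] },
  ],
  admin: [{ user: "someadmin", pwd: "<hash placeholder>", roles: ["clusterAdmin", "readWriteAnyDatabase"] }],
};

console.log(auditAllUsers(SAMPLE_USERS).join("\n"));
```

Running it against the sample reports the four ignored grants on otherDb.testuser and the cluster-wide admin on admin.someadmin, while the read-only developer produces no finding.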

As a workaround, if you're using a driver or connection that doesn't support database switching, you can switch with getSiblingDB:

mongo -u admin -p adminpass admin --eval "db.getSiblingDB('otherDb').collection.count()"

brettcave avatar Jul 01 '16 10:07 brettcave

Vote on this issue please #133

stefanocudini avatar Aug 22 '17 01:08 stefanocudini