I checked the permission on the /etc/mongod.conf
:
vagrant@trusty64:/vagrant/test$ sudo docker exec -it mongodb ls -l /etc/mongod.conf
-rw-r--r-- 1 root root 472 Jun 22 00:09 /etc/mongod.conf
Then, I checked it's corresponding content:
vagrant@trusty64:/vagrant/test$ sudo docker exec -it mongodb cat /etc/mongod.conf
## mongodb.conf, this file is enforced by puppet.
##
## Note: http://docs.mongodb.org/manual/reference/configuration-options/
##
## where and how to store data.
storage:
dbPath: /var/lib/mongodb
journal:
enabled: true
## where to write logging data.
systemLog:
destination: file
logAppend: true
path: /var/log/mongodb/mongod.log
## network interfaces
net:
port: 27017
bindIp: 0.0.0.0
## mongodb process
processManagement:
pidFilePath: /var/run/mongod.pid
## role-based access controls
#security:
# authorization: enabled
Next, I added a mongodb user, adjusted the mongod.conf
, and restarted the mongod process:
vagrant@trusty64:/vagrant/test$ sudo docker exec -it mongodb sudo mongo mongodb://mongodb:27017 --eval "db.getSiblingDB('admin'); db.createUser({\
user: 'authenticated',\
pwd: 'password',\
roles: [\
'readWrite',\
'userAdmin',\
'dbAdmin',\
{ role: 'readWrite', db: 'dataset' },\
{ role: 'userAdmin', db: 'dataset' },\
{ role: 'dbAdmin', db: 'dataset' },\
]\
},\
{ w: 'majority' , wtimeout: 5000 } )" --quiet
sudo docker exec -it mongodb sudo sed -i "/#[[:space:]]*security:/s/^#//g" /etc/mongod.conf
sudo docker exec -it mongodb sudo sed -i "/#[[:space:]]*authorization:[[:space:]]*enabled/s/^#//g" /etc/mongod.conf
sudo docker restart mongodb
Now, I was ready to try to implement the pymongo connector, from a docker container:
vagrant@trusty64:/vagrant/test$ sudo docker exec -it webserver python
Python 2.7.6 (default, Oct 26 2016, 20:30:19)
[GCC 4.8.4] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> from pymongo import MongoClient, errors
>>> cur = MongoClient("mongodb://authenticated:password@mongodb:27017/admin")
>>> db = cur['dataset']
>>> col = db['svm']
>>> posts = col.posts
>>> result = posts.insert_one({'one': 'two'})
Traceback (most recent call last):
File "<stdin>", line 1, in <module>
File "/usr/local/lib/python2.7/dist-packages/pymongo/collection.py", line 654, in insert_one
with self._socket_for_writes() as sock_info:
File "/usr/lib/python2.7/contextlib.py", line 17, in __enter__
return self.gen.next()
File "/usr/local/lib/python2.7/dist-packages/pymongo/mongo_client.py", line 825, in _get_socket
with server.get_socket(self.__all_credentials) as sock_info:
File "/usr/lib/python2.7/contextlib.py", line 17, in __enter__
return self.gen.next()
File "/usr/local/lib/python2.7/dist-packages/pymongo/server.py", line 168, in get_socket
with self.pool.get_socket(all_credentials, checkout) as sock_info:
File "/usr/lib/python2.7/contextlib.py", line 17, in __enter__
return self.gen.next()
File "/usr/local/lib/python2.7/dist-packages/pymongo/pool.py", line 792, in get_socket
sock_info.check_auth(all_credentials)
File "/usr/local/lib/python2.7/dist-packages/pymongo/pool.py", line 512, in check_auth
auth.authenticate(credentials, self)
File "/usr/local/lib/python2.7/dist-packages/pymongo/auth.py", line 470, in authenticate
auth_func(credentials, sock_info)
File "/usr/local/lib/python2.7/dist-packages/pymongo/auth.py", line 450, in _authenticate_default
return _authenticate_scram_sha1(credentials, sock_info)
File "/usr/local/lib/python2.7/dist-packages/pymongo/auth.py", line 201, in _authenticate_scram_sha1
res = sock_info.command(source, cmd)
File "/usr/local/lib/python2.7/dist-packages/pymongo/pool.py", line 419, in command
collation=collation)
File "/usr/local/lib/python2.7/dist-packages/pymongo/network.py", line 116, in command
parse_write_concern_error=parse_write_concern_error)
File "/usr/local/lib/python2.7/dist-packages/pymongo/helpers.py", line 210, in _check_command_response
raise OperationFailure(msg % errmsg, code, response)
pymongo.errors.OperationFailure: Authentication failed.
I got denied with Authentication failed
. I confirmed that our /etc/mongod.conf
configuration file was correctly adjusted, with respect to the authorization
directive:
vagrant@trusty64:/vagrant/test$ sudo docker exec -it mongodb cat /etc/mongod.conf
## mongodb.conf, this file is enforced by puppet.
##
## Note: http://docs.mongodb.org/manual/reference/configuration-options/
##
## where and how to store data.
storage:
dbPath: /var/lib/mongodb
journal:
enabled: true
## where to write logging data.
systemLog:
destination: file
logAppend: true
path: /var/log/mongodb/mongod.log
## network interfaces
net:
port: 27017
bindIp: 0.0.0.0
## mongodb process
processManagement:
pidFilePath: /var/run/mongod.pid
## role-based access controls
security:
authorization: enabled
Along with checking the logs, and status of the corresponding processes:
vagrant@trusty64:/vagrant/test$ sudo docker exec -it webserver sudo telnet mongodb 27017
Trying 172.18.0.2...
Connected to mongodb.
Escape character is '^]'.
telnet> quit
vagrant@trusty64:/vagrant/test$ cat /var/log/mongodb/mongod.log
[LOGS OMITTED...]
vagrant@trusty64:/vagrant/test$ sudo docker exec -it mongodb cat /var/log/mongodb/mongod.log
2017-06-22T15:47:06.359-0400 I CONTROL [initandlisten] MongoDB starting : pid=1 port=27017 dbpath=/var/lib/mongodb 64-bit host=4a5966185063
2017-06-22T15:47:06.360-0400 I CONTROL [initandlisten] db version v3.2.14
2017-06-22T15:47:06.360-0400 I CONTROL [initandlisten] git version: 92f6668a768ebf294bd4f494c50f48459198e6a3
2017-06-22T15:47:06.360-0400 I CONTROL [initandlisten] OpenSSL version: OpenSSL 1.0.1f 6 Jan 2014
2017-06-22T15:47:06.360-0400 I CONTROL [initandlisten] allocator: tcmalloc
2017-06-22T15:47:06.360-0400 I CONTROL [initandlisten] modules: none
2017-06-22T15:47:06.360-0400 I CONTROL [initandlisten] build environment:
2017-06-22T15:47:06.360-0400 I CONTROL [initandlisten] distmod: ubuntu1404
2017-06-22T15:47:06.360-0400 I CONTROL [initandlisten] distarch: x86_64
2017-06-22T15:47:06.360-0400 I CONTROL [initandlisten] target_arch: x86_64
2017-06-22T15:47:06.360-0400 I CONTROL [initandlisten] options: { config: "/etc/mongod.conf", net: { bindIp: "0.0.0.0", port: 27017 }, processManagement: { pidFilePath: "/var/run/mongod.pid" }, storage: { dbPath: "/var/lib/mongodb", journal: { enabled: true } }, systemLog: { destination: "file", logAppend: true, path: "/var/log/mongodb/mongod.log" } }
2017-06-22T15:47:06.393-0400 I STORAGE [initandlisten] wiredtiger_open config: create,cache_size=1G,session_max=20000,eviction=(threads_min=4,threads_max=4),config_base=false,statistics=(fast),log=(enabled=true,archive=true,path=journal,compressor=snappy),file_manager=(close_idle_time=100000),checkpoint=(wait=60,log_size=2GB),statistics_log=(wait=0),
2017-06-22T15:47:07.211-0400 I CONTROL [initandlisten] ** WARNING: You are running this process as the root user, which is not recommended.
2017-06-22T15:47:07.211-0400 I CONTROL [initandlisten]
2017-06-22T15:47:07.211-0400 I CONTROL [initandlisten]
2017-06-22T15:47:07.211-0400 I CONTROL [initandlisten] ** WARNING: /sys/kernel/mm/transparent_hugepage/enabled is 'always'.
2017-06-22T15:47:07.211-0400 I CONTROL [initandlisten] ** We suggest setting it to 'never'
2017-06-22T15:47:07.211-0400 I CONTROL [initandlisten]
2017-06-22T15:47:07.211-0400 I CONTROL [initandlisten] ** WARNING: /sys/kernel/mm/transparent_hugepage/defrag is 'always'.
2017-06-22T15:47:07.211-0400 I CONTROL [initandlisten] ** We suggest setting it to 'never'
2017-06-22T15:47:07.211-0400 I CONTROL [initandlisten]
2017-06-22T15:47:07.504-0400 I FTDC [initandlisten] Initializing full-time diagnostic data capture with directory '/var/lib/mongodb/diagnostic.data'
2017-06-22T15:47:07.504-0400 I NETWORK [initandlisten] waiting for connections on port 27017
2017-06-22T15:47:07.505-0400 I NETWORK [HostnameCanonicalizationWorker] Starting hostname canonicalization worker
2017-06-22T15:47:08.713-0400 I NETWORK [initandlisten] connection accepted from 172.18.0.2:39746 #1 (1 connection now open)
2017-06-22T15:47:09.008-0400 I COMMAND [conn1] insert admin.system.users ninserted:1 keyUpdates:0 writeConflicts:0 numYields:0 locks:{ Global: { acquireCount: { r: 4, w: 4 } }, Database: { acquireCount: { W: 4 } }, Collection: { acquireCount: { w: 1 } } } 151ms
2017-06-22T15:47:09.008-0400 I COMMAND [conn1] command test.$cmd command: createUser { createUser: "authenticated", pwd: "xxx", roles: [ "readWrite", "userAdmin", "dbAdmin", { role: "readWrite", db: "dataset" }, { role: "userAdmin", db: "dataset" }, { role: "dbAdmin", db: "dataset" } ], digestPassword: false, writeConcern: { w: "majority", wtimeout: 5000.0 } } keyUpdates:0 writeConflicts:0 numYields:0 reslen:22 locks:{ Global: { acquireCount: { r: 4, w: 4 } }, Database: { acquireCount: { W: 4 } }, Collection: { acquireCount: { w: 1 } } } protocol:op_command 280ms
2017-06-22T15:47:09.198-0400 I NETWORK [conn1] end connection 172.18.0.2:39746 (0 connections now open)
2017-06-22T15:47:09.744-0400 I CONTROL [signalProcessingThread] got signal 15 (Terminated), will terminate after current cmd ends
2017-06-22T15:47:09.749-0400 I FTDC [signalProcessingThread] Shutting down full-time diagnostic data capture
2017-06-22T15:47:09.753-0400 I CONTROL [signalProcessingThread] now exiting
2017-06-22T15:47:09.753-0400 I NETWORK [signalProcessingThread] shutdown: going to close listening sockets...
2017-06-22T15:47:09.753-0400 I NETWORK [signalProcessingThread] closing listening socket: 6
2017-06-22T15:47:09.753-0400 I NETWORK [signalProcessingThread] closing listening socket: 7
2017-06-22T15:47:09.753-0400 I NETWORK [signalProcessingThread] removing socket file: /tmp/mongodb-27017.sock
2017-06-22T15:47:09.754-0400 I NETWORK [signalProcessingThread] shutdown: going to flush diaglog...
2017-06-22T15:47:09.754-0400 I NETWORK [signalProcessingThread] shutdown: going to close sockets...
2017-06-22T15:47:09.754-0400 I STORAGE [signalProcessingThread] WiredTigerKVEngine shutting down
2017-06-22T15:47:10.044-0400 I STORAGE [signalProcessingThread] shutdown: removing fs lock...
2017-06-22T15:47:10.045-0400 I CONTROL [signalProcessingThread] dbexit: rc: 0
2017-06-22T15:47:10.825-0400 I CONTROL [main] ***** SERVER RESTARTED *****
2017-06-22T15:47:10.922-0400 I CONTROL [initandlisten] MongoDB starting : pid=1 port=27017 dbpath=/var/lib/mongodb 64-bit host=4a5966185063
2017-06-22T15:47:10.922-0400 I CONTROL [initandlisten] db version v3.2.14
2017-06-22T15:47:10.922-0400 I CONTROL [initandlisten] git version: 92f6668a768ebf294bd4f494c50f48459198e6a3
2017-06-22T15:47:10.922-0400 I CONTROL [initandlisten] OpenSSL version: OpenSSL 1.0.1f 6 Jan 2014
2017-06-22T15:47:10.922-0400 I CONTROL [initandlisten] allocator: tcmalloc
2017-06-22T15:47:10.922-0400 I CONTROL [initandlisten] modules: none
2017-06-22T15:47:10.922-0400 I CONTROL [initandlisten] build environment:
2017-06-22T15:47:10.922-0400 I CONTROL [initandlisten] distmod: ubuntu1404
2017-06-22T15:47:10.922-0400 I CONTROL [initandlisten] distarch: x86_64
2017-06-22T15:47:10.922-0400 I CONTROL [initandlisten] target_arch: x86_64
2017-06-22T15:47:10.923-0400 I CONTROL [initandlisten] options: { config: "/etc/mongod.conf", net: { bindIp: "0.0.0.0", port: 27017 }, processManagement: { pidFilePath: "/var/run/mongod.pid" }, security: { authorization: "enabled" }, storage: { dbPath: "/var/lib/mongodb", journal: { enabled: true } }, systemLog: { destination: "file", logAppend: true, path: "/var/log/mongodb/mongod.log" } }
2017-06-22T15:47:10.940-0400 I - [initandlisten] Detected data files in /var/lib/mongodb created by the 'wiredTiger' storage engine, so setting the active storage engine to 'wiredTiger'.
2017-06-22T15:47:10.940-0400 I STORAGE [initandlisten] wiredtiger_open config: create,cache_size=1G,session_max=20000,eviction=(threads_min=4,threads_max=4),config_base=false,statistics=(fast),log=(enabled=true,archive=true,path=journal,compressor=snappy),file_manager=(close_idle_time=100000),checkpoint=(wait=60,log_size=2GB),statistics_log=(wait=0),
2017-06-22T15:47:13.466-0400 I CONTROL [initandlisten] ** WARNING: You are running this process as the root user, which is not recommended.
2017-06-22T15:47:13.467-0400 I CONTROL [initandlisten]
2017-06-22T15:47:13.468-0400 I CONTROL [initandlisten]
2017-06-22T15:47:13.468-0400 I CONTROL [initandlisten] ** WARNING: /sys/kernel/mm/transparent_hugepage/enabled is 'always'.
2017-06-22T15:47:13.468-0400 I CONTROL [initandlisten] ** We suggest setting it to 'never'
2017-06-22T15:47:13.468-0400 I CONTROL [initandlisten]
2017-06-22T15:47:13.468-0400 I CONTROL [initandlisten] ** WARNING: /sys/kernel/mm/transparent_hugepage/defrag is 'always'.
2017-06-22T15:47:13.468-0400 I CONTROL [initandlisten] ** We suggest setting it to 'never'
2017-06-22T15:47:13.468-0400 I CONTROL [initandlisten]
2017-06-22T15:47:13.876-0400 I FTDC [initandlisten] Initializing full-time diagnostic data capture with directory '/var/lib/mongodb/diagnostic.data'
2017-06-22T15:47:13.876-0400 I NETWORK [initandlisten] waiting for connections on port 27017
2017-06-22T15:47:13.876-0400 I NETWORK [HostnameCanonicalizationWorker] Starting hostname canonicalization worker
2017-06-22T15:48:13.362-0400 I NETWORK [initandlisten] connection accepted from 172.18.0.6:39426 #1 (1 connection now open)
2017-06-22T15:48:13.492-0400 I NETWORK [initandlisten] connection accepted from 172.18.0.6:39428 #2 (2 connections now open)
2017-06-22T15:48:13.528-0400 I ACCESS [conn2] SCRAM-SHA-1 authentication failed for authenticated on admin from client 172.18.0.6 ; UserNotFound: Could not find user authenticated@admin
2017-06-22T15:48:30.488-0400 I NETWORK [initandlisten] connection accepted from 172.18.0.6:39454 #3 (3 connections now open)
2017-06-22T15:48:30.493-0400 I NETWORK [initandlisten] connection accepted from 172.18.0.6:39456 #4 (4 connections now open)
2017-06-22T15:48:30.495-0400 I ACCESS [conn4] SCRAM-SHA-1 authentication failed for authenticated on admin from client 172.18.0.6 ; UserNotFound: Could not find user authenticated@admin
2017-06-22T15:48:34.065-0400 I NETWORK [conn2] end connection 172.18.0.6:39428 (3 connections now open)
2017-06-22T15:48:34.065-0400 I NETWORK [conn1] end connection 172.18.0.6:39426 (2 connections now open)
2017-06-22T15:48:44.930-0400 I NETWORK [conn4] end connection 172.18.0.6:39456 (1 connection now open)
2017-06-22T15:48:44.930-0400 I NETWORK [conn3] end connection 172.18.0.6:39454 (0 connections now open)
2017-06-22T15:48:46.287-0400 I NETWORK [initandlisten] connection accepted from 172.18.0.6:39484 #5 (1 connection now open)
2017-06-22T15:48:46.291-0400 I NETWORK [initandlisten] connection accepted from 172.18.0.6:39486 #6 (2 connections now open)
2017-06-22T15:48:46.293-0400 I ACCESS [conn6] SCRAM-SHA-1 authentication failed for authenticated on admin from client 172.18.0.6 ; UserNotFound: Could not find user authenticated@admin
2017-06-22T15:48:58.031-0400 I NETWORK [conn6] end connection 172.18.0.6:39486 (1 connection now open)
2017-06-22T15:48:58.032-0400 I NETWORK [conn5] end connection 172.18.0.6:39484 (0 connections now open)
2017-06-22T15:49:02.907-0400 I NETWORK [initandlisten] connection accepted from 172.18.0.6:39512 #7 (1 connection now open)
2017-06-22T15:49:02.912-0400 I NETWORK [initandlisten] connection accepted from 172.18.0.6:39514 #8 (2 connections now open)
2017-06-22T15:49:02.915-0400 I ACCESS [conn8] SCRAM-SHA-1 authentication failed for authenticated on admin from client 172.18.0.6 ; UserNotFound: Could not find user authenticated@admin
2017-06-22T15:49:10.806-0400 I NETWORK [conn8] end connection 172.18.0.6:39514 (1 connection now open)
2017-06-22T15:49:10.807-0400 I NETWORK [conn7] end connection 172.18.0.6:39512 (0 connections now open)
vagrant@trusty64:/vagrant/test$ sudo docker exec -it mongodb netstat -ntlup
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:27017 0.0.0.0:* LISTEN 1/mongod
tcp 0 0 127.0.0.11:44122 0.0.0.0:* LISTEN -
udp 0 0 127.0.0.11:49005 0.0.0.0:*
I thought that I had created a user based on the above steps. Have I instead created a user on a local database? I can successfully login with the authenticated
user (not to a specific database):
vagrant@trusty64:/vagrant/test$ sudo docker exec -it mongodb mongo --port 27017 -u authenticated -p password
MongoDB shell version: 3.2.14
connecting to: 127.0.0.1:27017/test
Welcome to the MongoDB shell.
For interactive help, type "help".
For more comprehensive documentation, see
http://docs.mongodb.org/
Questions? Try the support group
http://groups.google.com/group/mongodb-user
>
Note: I have a corresponding github issue, to track the progress of this question.
Perhaps, I need to pay particular notice to the following sub-snippet taken from the above /var/log/mongodb/mongod.log
:
2017-06-22T17:49:49.663-0400 I NETWORK [initandlisten] connection accepted from 172.18.0.2:40926 #1 (1 connection now open)
2017-06-22T17:49:50.180-0400 I COMMAND [conn1] update admin.system.version query: { _id: "authSchema" } update: { $set: { currentVersion: 5 } } keysExamined:0 docsExamined:0 nMatched:1 nModified:1 upsert:1 keyUpdates:0 writeConflicts:0 numYields:0 locks:{ Global: { acquireCount: { r: 2, w: 2 } }, Database: { acquireCount: { W: 2 } } } 428ms
2017-06-22T17:49:50.397-0400 I COMMAND [conn1] insert admin.system.users ninserted:1 keyUpdates:0 writeConflicts:0 numYields:0 locks:{ Global: { acquireCount: { r: 4, w: 4 } }, Database: { acquireCount: { W: 4 } }, Collection: { acquireCount: { w: 1 } } } 188ms
2017-06-22T17:49:50.397-0400 I COMMAND [conn1] command test.$cmd command: createUser { createUser: "authenticated", pwd: "xxx", roles: [ "readWrite", "userAdmin", "dbAdmin", { role: "readWrite", db: "dataset" }, { role: "userAdmin", db: "dataset" }, { role: "dbAdmin", db: "dataset" } ], digestPassword: false, writeConcern: { w: "majority", wtimeout: 5000.0 } } keyUpdates:0 writeConflicts:0 numYields:0 reslen:22 locks:{ Global: { acquireCount: { r: 4, w: 4 } }, Database: { acquireCount: { W: 4 } }, Collection: { acquireCount: { w: 1 } } } protocol:op_command 703ms
Which may have something related to the successive snippet, from the same log file:
2017-06-22T17:59:38.129-0400 I ACCESS [conn10] SCRAM-SHA-1 authentication failed for authenticated on admin from client 172.18.0.4 ; UserNotFound: Could not find user authenticated@admin