Getting "not authorized on admin to execute command"

Getting the below error, can anyone suggest what could be the reason.

vagrant@database:~/shared/certs$ mongo -ssl --sslPEMKeyFile client.pem --sslCAFile ca.pem --port 31130 --host database.m310.mongodb.university --authenticationMechanism=MONGODB-X509
MongoDB shell version: 3.2.22
connecting to: database.m310.mongodb.university:31130/test
MongoDB Enterprise myReplSet:PRIMARY> show dbs
2019-08-26T05:27:15.344+0000 E QUERY [thread1] Error: listDatabases failed:{
"ok" : 0,
"errmsg" : "not authorized on admin to execute command { listDatabases: 1.0 }",
"code" : 13
} :
_getErrorWithCode@src/mongo/shell/utils.js:25:13
Mongo.prototype.getDBs@src/mongo/shell/mongo.js:62:1
shellHelper.show@src/mongo/shell/utils.js:781:19
shellHelper@src/mongo/shell/utils.js:671:15
@(shellhelp2):1:1

MongoDB Enterprise myReplSet:PRIMARY> db.runCommand({'connectionStatus':1})
{
"authInfo" : {
"authenticatedUsers" : ,
"authenticatedUserRoles" :
},
"ok" : 1
}
MongoDB Enterprise myReplSet:PRIMARY>

Thanks…

Hey @Dhamodharan_23277

It looks like there is something wrong with your authentication.

Do you have the user setup correctly on the admin database?

Hi,

Thanks for the update. Please find the below.

MongoDB Enterprise myReplSet:PRIMARY> db.getSiblingDB("$external").runCommand({ createUser: "C=US,ST=New York,L=New York City,O=MongoDB,OU=University2,CN=M310 Client, OU=kernelUser,CN=client", roles: [{role: 'root', db: 'admin'} ] })
{ "ok" : 1 }

Thanks…

Hi @Dhamodharan_23277,

Please check your messages.

Kanika

Hi,

Thanks. Rebuilt the vagrant box and having different issue.

net:
  ssl:
    mode: requireSSL
    PEMKeyFile: /home/vagrant/shared/certs/server.pem
    CAFile: /home/vagrant/shared/certs/ca.pem
    allowConnectionsWithoutCertificates: true
systemLog:
  destination: file
  path: "/home/vagrant/M310-HW-1.5/r0/mongod.log"
  logAppend: true
storage:
  dbPath: "/home/vagrant/M310-HW-1.5/r0"
processManagement:
  fork: true
net:
  bindIp: 'localhost,database.M310.mongodb.university'
  port: 31150
replication:
  replSetName: HomeWork5
security:
  keyFile: /home/vagrant/mongodb-keyfile
  clusterAuthMode: x509
  authorization: enabled

vagrant@database:~/shared/certs$ mongo --host "HomeWork5/database.M310.mongodb.university:31150"
MongoDB shell version: 3.2.22
connecting to: HomeWork5/database.M310.mongodb.university:31150/test
2019-08-26T11:56:15.371+0000 I NETWORK [thread1] Starting new replica set monitor for HomeWork5/database.M310.mongodb.university:31150
2019-08-26T11:56:15.373+0000 W NETWORK [thread1] No primary detected for set HomeWork5
2019-08-26T11:56:15.375+0000 I NETWORK [ReplicaSetMonitorWatcher] starting
2019-08-26T11:56:15.876+0000 W NETWORK [thread1] No primary detected for set HomeWork5
2019-08-26T11:56:16.379+0000 W NETWORK [thread1] No primary detected for set HomeWork5
2019-08-26T11:56:16.881+0000 W NETWORK [thread1] No primary detected for set HomeWork5
2019-08-26T11:56:17.382+0000 W NETWORK [thread1] No primary detected for set HomeWork5
2019-08-26T11:56:17.884+0000 W NETWORK [thread1] No primary detected for set HomeWork5

2019-08-26T11:56:16.880+0000 I NETWORK [conn8] AssertionException handling request, closing client connection: 17189 The server is configured to only allow SSL connections
2019-08-26T11:56:17.381+0000 I NETWORK [initandlisten] connection accepted from 127.0.0.1:49674 #9 (1 connection now open)
2019-08-26T11:56:17.382+0000 I NETWORK [conn9] AssertionException handling request, closing client connection: 17189 The server is configured to only allow SSL connections
2019-08-26T11:56:17.884+0000 I NETWORK [initandlisten] connection accepted from 127.0.0.1:49675 #10 (1 connection now open)
2019-08-26T11:56:17.884+0000 I NETWORK [conn10] AssertionException handling request, closing client connection: 17189 The server is configured to only allow SSL connections

Thanks.

So you will have to include the ssl info in the connection command
https://docs.mongodb.com/manual/tutorial/configure-ssl-clients/index.html#mongo-shell-configuration-using-ssl-options


Thank you. It helped to complete part of it.

Updated the parameter “mode” to use “preferSSL” instead of “requireSSL”. Still am unable to auth the X509 user.

vagrant@database:~/shared/certs$ mongo --port 31150 --host database.M310.mongodb.university
MongoDB shell version: 3.2.22
connecting to: database.M310.mongodb.university:31150/test
Welcome to the MongoDB shell.
For interactive help, type "help".
For more comprehensive documentation, see
http://docs.mongodb.org/
Questions? Try the support group
http://groups.google.com/group/mongodb-user
MongoDB Enterprise > rs.initiate()
{
"info2" : "no configuration specified. Using a default configuration for the set",
"me" : "database.M310.mongodb.university:31150",
"ok" : 1
}

MongoDB Enterprise HomeWork5:PRIMARY> db.createUser( {user: 'will', pwd: '$uperAdmin', roles:[ {role: 'root', db: 'admin'} ]})
Successfully added user: {
"user" : "will",
"roles" : [
{
"role" : "root",
"db" : "admin"
}
]
}
MongoDB Enterprise HomeWork5:PRIMARY> db.auth('will', '$uperAdmin')
1
MongoDB Enterprise HomeWork5:PRIMARY> db.system.users.find()
{ "_id" : "admin.will", "user" : "will", "db" : "admin", "credentials" : { "SCRAM-SHA-1" : { "iterationCount" : 10000, "salt" : "5ictLShkputfA81ZvjJ2mg==", "storedKey" : "5pnBzClFZ14dKOC7UcwwUPWcXIs=", "serverKey" : "vsGVCnNeYS3ESpK9NXnYTBSJViM=" } }, "roles" : [ { "role" : "root", "db" : "admin" } ] }
MongoDB Enterprise HomeWork5:PRIMARY> rs.add("database.m310.mongodb.university:31151")
{ "ok" : 1 }
MongoDB Enterprise HomeWork5:PRIMARY> rs.add("database.m310.mongodb.university:31152")
{ "ok" : 1 }
MongoDB Enterprise HomeWork5:PRIMARY> db.getSiblingDB("$external").runCommand({ createUser: "C=US,ST=New York,L=New York City,O=MongoDB,OU=University2,CN=M310 Client, OU=kernelUser,CN=client", roles: [{role: 'userAdminAnyDatabase', db: 'admin'} ] })
{ "ok" : 1 }
MongoDB Enterprise HomeWork5:PRIMARY> db.getSiblingDB("$external").auth({ user: "C=US,ST=New York,L=New York City,O=MongoDB,OU=University2,CN=M310 Client", mechanism: "MONGODB-X509" })
Error: Please enable SSL on the client-side to use the MONGODB-X509 authentication mechanism.

vagrant@database:~/shared/certs$ mongo --ssl --sslPEMKeyFile client.pem --sslCAFile ca.pem --host database.m310.mongodb.university --port 31150
MongoDB shell version: 3.2.22
connecting to: database.m310.mongodb.university:31150/test

MongoDB Enterprise HomeWork5:PRIMARY> db.getSiblingDB("$external").auth({ user: "C=US,ST=New York,L=New York City,O=MongoDB,OU=University2,CN=M310 Client", mechanism: "MONGODB-X509" })
Error: Could not find user C=US,ST=New York,L=New York City,O=MongoDB,OU=University2,CN=M310 Client@$external
0

Please let me know what's wrong still.

Thanks…

Just FYR…

vagrant@database:~/shared/certs$ mongo --ssl --sslPEMKeyFile client.pem --sslCAFile ca.pem --host database.m310.mongodb.university --port 31150
MongoDB shell version: 3.2.22
connecting to: database.m310.mongodb.university:31150/test

MongoDB Enterprise HomeWork5:PRIMARY> db.getSiblingDB("$external").auth({ user: "C=US,ST=New York,L=New York City,O=MongoDB,OU=University2,CN=M310 Client", mechanism: "MONGODB-X509" }


MongoDB Enterprise HomeWork5:PRIMARY> db.getSiblingDB("$external").system.users.findOne()
2019-08-27T06:04:01.785+0000 E QUERY [thread1] Error: error: {
"ok" : 0,
"errmsg" : "not authorized on $external to execute command { find: "system.users", filter: {}, limit: 1.0, singleBatch: true }",
"code" : 13
} :
_getErrorWithCode@src/mongo/shell/utils.js:25:13
DBCommandCursor@src/mongo/shell/query.js:689:1
DBQuery.prototype._exec@src/mongo/shell/query.js:118:28
DBQuery.prototype.hasNext@src/mongo/shell/query.js:276:5
DBCollection.prototype.findOne@src/mongo/shell/collection.js:289:10
@(shell):1:1

Thanks…

Hi @Dhamodharan_23277,

I would request you to please follow the lab instructions carefully here.

The port for Homework 1.3 is 31130, 31131 and 31132.

Also, as I mentioned in my messages, your createUser command was wrong.

Kanika

Hi,

I could add the user successfully, but unable to authenticate. Please give any clue why it is.

MongoDB Enterprise myReplSet:PRIMARY> use admin
switched to db admin
MongoDB Enterprise myReplSet:PRIMARY> db.createUser( {
... user: "C=US,ST=New York,L=New York City,O=MongoDB,OU=University2,CN=M310 Client, OU=kernelUser,CN=client",
... pwd: "Basketball10",
... roles: [ { role: "root", db: "admin" } ]
... });
Successfully added user: {
"user" : "C=US,ST=New York,L=New York City,O=MongoDB,OU=University2,CN=M310 Client, OU=kernelUser,CN=client",
"roles" : [
{
"role" : "root",
"db" : "admin"
}
]
}
MongoDB Enterprise myReplSet:PRIMARY>
MongoDB Enterprise myReplSet:PRIMARY> db.auth({ mechanism:"MONGODB-X509", user:"C=US,ST=New York,L=New York City,O=MongoDB,OU=University2,CN=M310 Client, OU=kernelUser,CN=client", pwd:"Basketball10"})
Error: Username "C=US,ST=New York,L=New York City,O=MongoDB,OU=University2,CN=M310 Client, OU=kernelUser,CN=client" does not match the provided client certificate user "C=US,ST=New York,L=New York City,O=MongoDB,OU=University2,CN=M310 Client"
0
MongoDB Enterprise myReplSet:PRIMARY>

Thanks…

You needed to create user on $external database instead of admin.

Then use auth command like this to authenticate using X509 mechanism.

Kanika
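
An added example, not part of any post in this thread: a small JavaScript check that compares the username created above with the certificate subject reported in the "does not match" error, and builds a `createUser` document for `$external` with no `pwd` field. The helper names `splitDn`, `checkX509User` and `externalUserCommand` are hypothetical, and treating exact string equality as the pass condition is an assumption of this example.

```javascript
// Added example. Both strings are copied from the shell session in this thread.
const createdUser =
  "C=US,ST=New York,L=New York City,O=MongoDB,OU=University2,CN=M310 Client, OU=kernelUser,CN=client";
const certSubject =
  "C=US,ST=New York,L=New York City,O=MongoDB,OU=University2,CN=M310 Client";

// Split a DN string into trimmed "TYPE=value" RDNs, honouring backslash-escaped commas.
function splitDn(dn) {
  const rdns = [];
  let cur = "";
  for (let i = 0; i < dn.length; i++) {
    const ch = dn[i];
    if (ch === "\\" && i + 1 < dn.length) {
      cur += ch + dn[++i]; // keep the escape pair intact
    } else if (ch === ",") {
      rdns.push(cur.trim());
      cur = "";
    } else {
      cur += ch;
    }
  }
  if (cur.trim() !== "") rdns.push(cur.trim());
  return rdns;
}

// Compare a proposed $external username with the certificate subject.
// exactMatch is the pass condition (assumption: the strings must be identical);
// the RDN diff only shows where the two strings differ.
function checkX509User(username, subject) {
  const u = splitDn(username);
  const s = splitDn(subject);
  return {
    exactMatch: username === subject,
    extraInUsername: u.filter((rdn) => !s.includes(rdn)),
    missingFromUsername: s.filter((rdn) => !u.includes(rdn)),
  };
}

// Build the createUser command document to run against the $external database.
// An X.509 user has no pwd field: the client certificate is the credential.
function externalUserCommand(subject, roles) {
  return { createUser: subject, roles: roles };
}

console.log(checkX509User(createdUser, certSubject));
console.log(JSON.stringify(externalUserCommand(certSubject, [{ role: "root", db: "admin" }])));
```

For the strings in this thread the check reports `OU=kernelUser` and `CN=client` as extra components in the username, which is the difference the error message shows.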