Getting "not authorized on admin to execute command"

MongoDB University M310: MongoDB Security
#1

Getting the below error, can anyone suggest what could be the reason.

vagrant@database:~/shared/certs$ mongo -ssl --sslPEMKeyFile client.pem --sslCAFile ca.pem --port 31130 --host database.m310.mongodb.university --authenticationMechanism=MONGODB-X509
MongoDB shell version: 3.2.22
connecting to: database.m310.mongodb.university:31130/test
MongoDB Enterprise myReplSet:PRIMARY> show dbs
2019-08-26T05:27:15.344+0000 E QUERY [thread1] Error: listDatabases failed:{
“ok” : 0,
“errmsg” : “not authorized on admin to execute command { listDatabases: 1.0 }”,
“code” : 13
} :
_getErrorWithCode@src/mongo/shell/utils.js:25:13
Mongo.prototype.getDBs@src/mongo/shell/mongo.js:62:1
shellHelper.show@src/mongo/shell/utils.js:781:19
shellHelper@src/mongo/shell/utils.js:671:15
@(shellhelp2):1:1

MongoDB Enterprise myReplSet:PRIMARY> db.runCommand({‘connectionStatus’:1})
{
“authInfo” : {
“authenticatedUsers” : ,
“authenticatedUserRoles” :
},
“ok” : 1
}
MongoDB Enterprise myReplSet:PRIMARY>

Thanks…

#2

Hey @Dhamodharan_23277

It looks like there is something wrong with your authenication.

Do you have the user setup correctly on the admin database?

#3

Hi,

Thanks for the update. Please find the below.

MongoDB Enterprise myReplSet:PRIMARY> db.getSiblingDB("$external").runCommand({ createUser: “C=US,ST=New York,L=New York City,O=MongoDB,OU=University2,CN=M310 Client, OU=kernelUser,CN=client”, role db.getSiblingDB("$external").runCommand({ createUser: “C=US,ST=New York,L=New York City,O=MongoDB,OU=University2,CN=M310 Client, OU=kernelUser,CN=client”, roles: [{role: ‘root’, db: ‘admin’} ] })
{ “ok” : 1 }

Thanks…

#4

Hi @Dhamodharan_23277,

Please check your messages.

Kanika

#5

Hi,

Thanks. Rebuilt the vagrant box and having different issue.

net:
ssl:
mode: requireSSL
PEMKeyFile: /home/vagrant/shared/certs/server.pem
CAFile: /home/vagrant/shared/certs/ca.pem
allowConnectionsWithoutCertificates: true
systemLog:
destination: file
path: “/home/vagrant/M310-HW-1.5/r0/mongod.log”
logAppend: true
storage:
dbPath: “/home/vagrant/M310-HW-1.5/r0”
processManagement:
fork: true
net:
bindIp: ‘localhost,database.M310.mongodb.university’
port: 31150
replication:
replSetName: HomeWork5
security:
keyFile: /home/vagrant/mongodb-keyfile
clusterAuthMode: x509
authorization: enabledvagrant@database:~/shared/certs$ mongo --host “HomeWork5/database.M310.mongodb.university:31150”
MongoDB shell version: 3.2.22
connecting to: HomeWork5/database.M310.mongodb.university:31150/test
2019-08-26T11:56:15.371+0000 I NETWORK [thread1] Starting new replica set monitor for HomeWork5/database.M310.mongodb.university:31150
2019-08-26T11:56:15.373+0000 W NETWORK [thread1] No primary detected for set HomeWork5
2019-08-26T11:56:15.375+0000 I NETWORK [ReplicaSetMonitorWatcher] starting
2019-08-26T11:56:15.876+0000 W NETWORK [thread1] No primary detected for set HomeWork5
2019-08-26T11:56:16.379+0000 W NETWORK [thread1] No primary detected for set HomeWork5
2019-08-26T11:56:16.881+0000 W NETWORK [thread1] No primary detected for set HomeWork5
2019-08-26T11:56:17.382+0000 W NETWORK [thread1] No primary detected for set HomeWork5
2019-08-26T11:56:17.884+0000 W NETWORK [thread1] No primary detected for set HomeWork5

2019-08-26T11:56:16.880+0000 I NETWORK [conn8] AssertionException handling request, closing client connection: 17189 The server is configured to only allow SSL connections
2019-08-26T11:56:17.381+0000 I NETWORK [initandlisten] connection accepted from 127.0.0.1:49674 #9 (1 connection now open)
2019-08-26T11:56:17.382+0000 I NETWORK [conn9] AssertionException handling request, closing client connection: 17189 The server is configured to only allow SSL connections
2019-08-26T11:56:17.884+0000 I NETWORK [initandlisten] connection accepted from 127.0.0.1:49675 #10 (1 connection now open)
2019-08-26T11:56:17.884+0000 I NETWORK [conn10] AssertionException handling request, closing client connection: 17189 The server is configured to only allow SSL connections

Thanks.

#6

So you will have to include the ssl info in the connection command
https://docs.mongodb.com/manual/tutorial/configure-ssl-clients/index.html#mongo-shell-configuration-using-ssl-options

1 Like
#7

Thank you. It helped to complete part of it.

Updated the parameter “mode” to use “preferSSL” instead of “requireSSL”. Still am unable to auth the X509 user.

vagrant@database:~/shared/certs$ mongo --port 31150 --host database.M310.mongodb.university
MongoDB shell version: 3.2.22
connecting to: database.M310.mongodb.university:31150/test
Welcome to the MongoDB shell.
For interactive help, type “help”.
For more comprehensive documentation, see
http://docs.mongodb.org/
Questions? Try the support group
http://groups.google.com/group/mongodb-user
MongoDB Enterprise > rs.initiate()
{
“info2” : “no configuration specified. Using a default configuration for the set”,
“me” : “database.M310.mongodb.university:31150”,
“ok” : 1
}

MongoDB Enterprise HomeWork5:PRIMARY> db.createUser( {user: ‘will’, pwd: ‘$uperAdmin’, roles:[ {role: ‘root’, db: ‘admin’} ]})
Successfully added user: {
“user” : “will”,
“roles” : [
{
“role” : “root”,
“db” : “admin”
}
]
}
MongoDB Enterprise HomeWork5:PRIMARY> db.auth(‘will’, ‘$uperAdmin’)
1
MongoDB Enterprise HomeWork5:PRIMARY> db.system.users.find()
{ “_id” : “admin.will”, “user” : “will”, “db” : “admin”, “credentials” : { “SCRAM-SHA-1” : { “iterationCount” : 10000, “salt” : “5ictLShkputfA81ZvjJ2mg==”, “storedKey” : “5pnBzClFZ14dKOC7UcwwUPWcXIs=”, “serverKey” : “vsGVCnNeYS3ESpK9NXnYTBSJViM=” } }, “roles” : [ { “role” : “root”, “db” : “admin” } ] }
MongoDB Enterprise HomeWork5:PRIMARY> rs.add(“database.m310.mongodb.university:31151”)
{ “ok” : 1 }
MongoDB Enterprise HomeWork5:PRIMARY> rs.add(“database.m310.mongodb.university:31152”)
{ “ok” : 1 }
MongoDB Enterprise HomeWork5:PRIMARY> db.getSiblingDB("$external").runCommand({ createUser: “C=US,ST=New York,L=New York City,O=MongoDB,OU=University2,CN=M310 Client, OU=kernelUser,CN=client”, rol db.getSiblingDB("$external").runCommand({ createUser: “C=US,ST=New York,L=New York City,O=MongoDB,OU=University2,CN=M310 Client, OU=kernelUser,CN=client”, roles: [{role: ‘userAdminAnyDatabase’, db: ‘admin’} ] })
{ “ok” : 1 }
MongoDB Enterprise HomeWork5:PRIMARY> db.getSiblingDB("$external").auth({ user: “C=US,ST=New York,L=New York City,O=MongoDB,OU=University2,CN=M310 Client”, mechanism: “MONGODB-X509” })
Error: Please enable SSL on the client-side to use the MONGODB-X509 authentication mechanism.

vagrant@database:~/shared/certs$ mongo --ssl --sslPEMKeyFile client.pem --sslCAFile ca.pem --host database.m310.mongodb.university --port 31150
MongoDB shell version: 3.2.22
connecting to: database.m310.mongodb.university:31150/test

MongoDB Enterprise HomeWork5:PRIMARY> db.getSiblingDB("$external").auth({ user: “C=US,ST=New York,L=New York City,O=MongoDB,OU=University2,CN=M310 Client”, mechanism: “MONGODB-X509” })
Error: Could not find user C=US,ST=New York,L=New York City,O=MongoDB,OU=University2,CN=M310 Client@$external
0

Please let me know whats wrong still.

Thanks…

#8

Just FYR…

vagrant@database:~/shared/certs$ mongo --ssl --sslPEMKeyFile client.pem --sslCAFile ca.pem --host database.m310.mongodb.university --port 31150
MongoDB shell version: 3.2.22
connecting to: database.m310.mongodb.university:31150/test

MongoDB Enterprise HomeWork5:PRIMARY> db.getSiblingDB("$external").auth({ user: “C=US,ST=New York,L=New York City,O=MongoDB,OU=University2,CN=M310 Client”, mechanism: “MONGODB-X509” }


MongoDB Enterprise HomeWork5:PRIMARY> db.getSiblingDB("$external").system.users.findOne()
2019-08-27T06:04:01.785+0000 E QUERY [thread1] Error: error: {
“ok” : 0,
“errmsg” : “not authorized on $external to execute command { find: “system.users”, filter: {}, limit: 1.0, singleBatch: true }”,
“code” : 13
} :
_getErrorWithCode@src/mongo/shell/utils.js:25:13
DBCommandCursor@src/mongo/shell/query.js:689:1
DBQuery.prototype._exec@src/mongo/shell/query.js:118:28
DBQuery.prototype.hasNext@src/mongo/shell/query.js:276:5
DBCollection.prototype.findOne@src/mongo/shell/collection.js:289:10
@(shell):1:1

Thanks…

#9

Hi @Dhamodharan_23277,

I would request you to please follow the lab instructions carefully here.

The port for Homework 1.3 is 31130, 31131 and 31132.

Also, as I mentioned in my messages that your createUser command was wrong.

Kanika

#10

Hi,

I could add the user successfully, but unable to authenticate. Please give any clue why it is.

MongoDB Enterprise myReplSet:PRIMARY> use admin
switched to db admin
MongoDB Enterprise myReplSet:PRIMARY> db.createUser( {
… user: “C=US,ST=New York,L=New York City,O=MongoDB,OU=University2,CN=M310 Client, OU=kernelUser,CN=client”,
… pwd: “Basketball10”,
… roles: [ { role: “root”, db: “admin” } ]
… });
Successfully added user: {
“user” : “C=US,ST=New York,L=New York City,O=MongoDB,OU=University2,CN=M310 Client, OU=kernelUser,CN=client”,
“roles” : [
{
“role” : “root”,
“db” : “admin”
}
]
}
MongoDB Enterprise myReplSet:PRIMARY>
MongoDB Enterprise myReplSet:PRIMARY> db.auth({ mechanism:“MONGODB-X509”, user:“C=US,ST=New York,L=New York City,O=MongoDB,OU=University2,CN=M310 Client, OU=kernelUser,CN=client”, pwd:"Basketball10 db.auth({ mechanism:“MONGODB-X509”, user:“C=US,ST=New York,L=New York City,O=MongoDB,OU=University2,CN=M310 Client, OU=kernelUser,CN=client”, pwd:“Basketball10”})
Error: Username “C=US,ST=New York,L=New York City,O=MongoDB,OU=University2,CN=M310 Client, OU=kernelUser,CN=client” does not match the provided client certificate user “C=US,ST=New York,L=New York City,O=MongoDB,OU=University2,CN=M310 Client”
0
MongoDB Enterprise myReplSet:PRIMARY>

Thanks…

#11

You needed to create user on $external database instead of admin.

Then use auth command like this to authenticate using X509 mechanism.

Kanika

#12