Homework 1.5 Difficulties

Well, I think I am stuck.

I have started 3 nodes in a replica set with SSL allowed. I can connect with user ‘will’. I have permissions as expected. I can db.auth to the x.509 account I created, and I see I have permissions - for example I can call db.getUsers().

Even with these successes, the validation script fails. Upon investigation, if I try to connect to mongo using the x.509 account, it has no permissions. No error is generated, but I cannot do anything. So, it seems that using the ‘auth’ command I get permissions, but when connecting to the mongo shell directly using the x.509 credentials it fails.

Any pointers where to look?

Also, when I run the following…

use admin;
db.getUsers();

I do not see the x.509 user account.

MongoDB Enterprise myReplSet:PRIMARY> db.getUsers()
[
        {
                "_id" : "admin.will",
                "user" : "will",
                "db" : "admin",
                "roles" : [
                        {
                                "role" : "root",
                                "db" : "admin"
                        }
                ]
        }
]

… so I try to create it again but get an error stating it already exists…

MongoDB Enterprise myReplSet:PRIMARY> db.getSiblingDB("$external").runCommand({createUser: "C=US,ST=New York,L=New York City,O=MongoDB,OU=University2,CN=M310 Client", roles: [{role: "userAdminAnyDatabase", db: "admin"}]})
{
        "ok" : 0,
        "errmsg" : "User \"C=US,ST=New York,L=New York City,O=MongoDB,OU=University2,CN=M310 Client@$external\" already exists",
        "code" : 11000
}

Oh, wait, my user is now in $external, not in admin…

MongoDB Enterprise myReplSet:PRIMARY> use $external
switched to db $external
MongoDB Enterprise myReplSet:PRIMARY> db.getUsers()
[
        {
                "_id" : "$external.C=US,ST=New York,L=New York City,O=MongoDB,OU=University2,CN=M310 Client",
                "user" : "C=US,ST=New York,L=New York City,O=MongoDB,OU=University2,CN=M310 Client",
                "db" : "$external",
                "roles" : [
                        {
                                "role" : "userAdminAnyDatabase",
                                "db" : "admin"
                        }
                ]
        }
]

Actually, upon thinking - the x.509 user should be in database $external.

You’re on a roll! :smiley: Doing great!

Sometimes it really helps you get your thoughts sorted out, by simply Rubber Duckying with someone.

Thanks Tess,

I was able to run the validate script and pass the homework, still I have concerns. My command to connect to mongo shell does not have any permissions. I can db.auth() using the cert subject and can gain access, but I was expecting to connect to mongo shell and use my credentials right-away. Is this not possible?

My Mongo Shell command:

mongo $external --host database.m310.mongodb.university:31150 --ssl --sslPEMKeyFile /home/vagrant/shared/certs/client.pem --sslCAFile /home/vagrant/shared/certs/ca.pem --authenticationMechanism MONGODB-X509

Hmm… good question! I’ll have to try that out RSN™. I’ll keep you posted.

For starters though, I would not add “$external” as the database you want to use. Instead, point it at whatever db you do want.

EDIT:
Right, I’m back… I can heartily recommend the MongoDB online reference materials. They’re really good!

According to this article ->

https://docs.mongodb.com/manual/core/security-x.509/#client-x-509-certificates

No, you cannot authenticate in one single step from the commandline. You will need to first start the shell and then use db.auth(). Oh well.
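To make the points of this thread concrete (the x.509 user lives in $external, its username is the certificate's full subject DN, and the shell is authenticated with db.auth() using the MONGODB-X509 mechanism), here is a small added Python helper. It is not code from the thread or from MongoDB; the client DN is the one quoted above, the member DN is a constructed placeholder, and the O/OU/DC comparison encodes the MongoDB documentation's rule that a client certificate subject must differ from the members' subject in at least one of those attributes.

```python
"""Helpers for preparing MongoDB x.509 client users in the $external database.

Added example, not part of the forum thread. The parser handles RFC 2253
style subjects as printed by `openssl x509 -subject -nameopt RFC2253`.
"""
import json

# Client certificate subject quoted in the thread above.
CLIENT_DN = "C=US,ST=New York,L=New York City,O=MongoDB,OU=University2,CN=M310 Client"
# Constructed member (server) certificate subject; a placeholder, not from the thread.
MEMBER_DN = "C=US,ST=New York,L=New York City,O=MongoDB,OU=Servers,CN=replset-member"


def parse_dn(dn):
    """Split a DN into (attribute, value) pairs.

    Commas inside a value are escaped as '\\,', so only unescaped commas
    separate RDNs. Values are kept verbatim: MongoDB matches the username
    against the subject string exactly, so stray spaces matter.
    """
    rdns, current, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):      # escaped character, keep literally
            current.append(dn[i + 1])
            i += 2
            continue
        if ch == ",":                            # unescaped comma ends this RDN
            rdns.append("".join(current))
            current = []
        else:
            current.append(ch)
        i += 1
    rdns.append("".join(current))

    pairs = []
    for rdn in rdns:
        if "=" not in rdn:
            raise ValueError(f"malformed RDN: {rdn!r}")
        attr, value = rdn.split("=", 1)
        pairs.append((attr.strip().upper(), value))
    return pairs


def differs_in_org(client_dn, member_dn):
    """True when the client subject differs from the member subject in at
    least one of O, OU or DC, as MongoDB requires for client certificates."""
    def org_parts(dn):
        return sorted((a, v) for a, v in parse_dn(dn) if a in ("O", "OU", "DC"))
    return org_parts(client_dn) != org_parts(member_dn)


def expected_user_id(dn):
    """The _id MongoDB stores for the user, as seen in db.getUsers() on $external."""
    return "$external." + dn


def create_user_command(dn, roles):
    """Command document to pass to db.getSiblingDB("$external").runCommand(...)."""
    return {"createUser": dn, "roles": roles}


def auth_snippet(dn):
    """Shell JavaScript that authenticates an already-connected shell with the cert."""
    return ('db.getSiblingDB("$external").auth({mechanism: "MONGODB-X509", user: '
            + json.dumps(dn) + "})")


if __name__ == "__main__":
    roles = [{"role": "userAdminAnyDatabase", "db": "admin"}]
    print("client/member subjects distinct:", differs_in_org(CLIENT_DN, MEMBER_DN))
    print(json.dumps(create_user_command(CLIENT_DN, roles)))
    print(auth_snippet(CLIENT_DN))
```

Run it before creating the user: if `differs_in_org` is false, the server will treat the certificate as a member certificate rather than a client, and the $external user will never be used. The printed createUser document is what the thread's `runCommand` call sends, and the auth snippet is the db.auth() step the last reply describes.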