How to shut down when using x.509

I created a user: db.getSiblingDB("$external").runCommand(~~)

I authenticated: db.getSiblingDB("$external").auth(~~)

I checked: db.runCommand({'connectionStatus' : 1})

{
        "authInfo" : {
                "authenticatedUsers" : [ { "user" : "~~", "db" : "$external" } ],
                "authenticatedUserRoles" : [ { "role" : "root", "db" : "admin" } ]
        },
        "ok" : 1
}

Lastly, I want to run "use admin" and then db.shutdownServer(),
but this message appears:

uncaught exception: Error: shutdownServer failed: {
        "ok" : 0,
        "errmsg" : "shutdown must run from localhost when running db without auth",
        "code" : 13,
        "codeName" : "Unauthorized"
} :
_getErrorWithCode@src/mongo/shell/utils.js:25:13
DB.prototype.shutdownServer@src/mongo/shell/db.js:426:19
@(shell):1:1


Hi @Kim_Hakseon,

According to the error, it seems you have not enabled auth at all.

Without auth, we require a shutdown from a local connection only.

Perhaps your configuration does not take effect. Can you share the guide and the configuration you have for your auth mechanism?

Thanks,
Pavel

# mongod.conf

# for documentation of all options, see:
# http://docs.mongodb.org/manual/reference/configuration-options/

# where to write logging data.
systemLog:
  destination: file
  logAppend: true
  path: /mongodb/log/mongodb.log

# Where and how to store data.
storage:
  dbPath: /mongodb/data
  journal:
    enabled: true
#  engine:
#  wiredTiger:

# how the process runs
processManagement:
  fork: true  # fork and run in background
  pidFilePath: /mongodb/mongod.pid  # location of pidfile

# network interfaces
net:
  port: 27017
  bindIp: 0.0.0.0  # Enter 0.0.0.0,:: to bind to all IPv4 and IPv6 addresses or, alternatively, use the net.bindIpAll setting.
  tls:
    mode: requireTLS
    certificateKeyFile: /mongodb/key/server.pem
    CAFile: /mongodb/key/ca.crt

# security


This is my config file.

Do I have to set authorization: "enabled" even though I have set up TLS?

Hi @Kim_Hakseon,

SSL configuration does not imply authorization; it is just an authentication method.

Authorization is who is allowed to do what, according to the specified roles. Our best practice is to set up at least one authorization mechanism (users/LDAP etc.).

Otherwise we allow shutdown only from localhost.

Kind regards,
Pavel
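The distinction Pavel draws above (TLS/x.509 authenticates the client, but only security.authorization makes mongod enforce roles, and without it shutdown is accepted from localhost only) can be checked from the shell before calling db.shutdownServer(). The following is an added example, not code from this thread or from MongoDB: a small diagnostic for the legacy mongo shell that works on the documents returned by db.serverCmdLineOpts() and db.runCommand({connectionStatus: 1}). It assumes that root, clusterAdmin and hostManager are the built-in roles carrying the shutdown action (custom roles are not inspected), that a configured security.keyFile implies authorization, and that the caller supplies the fromLocalhost flag. The sample inputs at the bottom are constructed to mirror the configuration and connectionStatus output posted in this thread.

```javascript
// Added example (not from the thread): explain, before calling
// db.shutdownServer(), whether the call can succeed on this connection.
// Inputs are the documents returned by db.serverCmdLineOpts() and
// db.runCommand({connectionStatus: 1}); it therefore also runs offline
// (in Node) against the constructed documents at the bottom.

// Built-in roles that carry the "shutdown" privilege action.
// Assumption: only these three built-in roles are recognised; custom roles are ignored.
const SHUTDOWN_ROLES = new Set(["root", "clusterAdmin", "hostManager"]);

// Authorization is enforced when security.authorization is "enabled" or when a
// keyFile is configured (assumption: internal auth implies client authorization).
function authorizationEnabled(cmdLineOpts) {
  const parsed = (cmdLineOpts && cmdLineOpts.parsed) || {};
  const security = parsed.security || {};
  return security.authorization === "enabled" || typeof security.keyFile === "string";
}

// TLS with a CA file is what MONGODB-X509 needs; it says nothing about authorization.
function x509Ready(cmdLineOpts) {
  const net = ((cmdLineOpts && cmdLineOpts.parsed) || {}).net || {};
  const tls = net.tls || net.ssl || {};
  return tls.mode === "requireTLS" && typeof tls.CAFile === "string";
}

// Returns {allowed, reason}. fromLocalhost: whether this shell is connected over
// a loopback interface, which the server treats as a local connection.
function shutdownDiagnosis(cmdLineOpts, connStatus, fromLocalhost) {
  const info = (connStatus && connStatus.authInfo) || {};
  const users = info.authenticatedUsers || [];
  const roles = info.authenticatedUserRoles || [];
  const who = users.map((u) => u.user + "@" + u.db).join(", ") || "nobody";

  if (!authorizationEnabled(cmdLineOpts)) {
    // The thread's situation: the connection is authenticated (even as root),
    // but mongod is "running without auth", so only localhost may shut it down.
    const tlsNote = x509Ready(cmdLineOpts)
      ? " TLS/x.509 is configured, but that only authenticates; it does not enable authorization."
      : "";
    return fromLocalhost
      ? { allowed: true, reason: "authorization is off; shutdown is allowed only because this connection is local." + tlsNote }
      : { allowed: false, reason: "authorization is off, so mongod accepts shutdown only from localhost (being authenticated as " + who + " makes no difference). Set security.authorization: enabled and restart." + tlsNote };
  }
  if (users.length === 0) {
    return { allowed: false, reason: "authorization is on but this connection is not authenticated; authenticate first (for x.509: db.getSiblingDB('$external').auth({mechanism: 'MONGODB-X509'}))." };
  }
  const granting = roles.filter((r) => SHUTDOWN_ROLES.has(r.role)).map((r) => r.role + "@" + r.db);
  if (granting.length === 0) {
    return { allowed: false, reason: "authenticated as " + who + ", but none of the granted roles carries the shutdown action." };
  }
  return { allowed: true, reason: "authenticated as " + who + " with " + granting.join(", ") + "; db.shutdownServer() should be accepted." };
}

// Constructed inputs mirroring the thread: TLS configured, no security section,
// connection authenticated via x.509 as a user holding root.
const OPTS_TLS_ONLY = {
  parsed: { net: { port: 27017, tls: { mode: "requireTLS", certificateKeyFile: "/mongodb/key/server.pem", CAFile: "/mongodb/key/ca.crt" } } },
  ok: 1
};
// The same server after adding security.authorization: enabled to mongod.conf.
const OPTS_AUTH_ON = { parsed: { net: OPTS_TLS_ONLY.parsed.net, security: { authorization: "enabled" } }, ok: 1 };
const STATUS_X509_ROOT = {
  authInfo: {
    authenticatedUsers: [{ user: "CN=myName,OU=myOrgUnit,O=myOrg,L=myLocality,ST=myState,C=myCountry", db: "$external" }],
    authenticatedUserRoles: [{ role: "root", db: "admin" }]
  },
  ok: 1
};

// When pasted into the mongo shell, diagnose the live connection; in Node this branch is skipped.
if (typeof db !== "undefined") {
  printjson(shutdownDiagnosis(db.serverCmdLineOpts(), db.runCommand({ connectionStatus: 1 }), false));
}
```

With OPTS_TLS_ONLY and STATUS_X509_ROOT the diagnosis is "not allowed" from a remote shell even though the connection is authenticated as root, which is exactly the "shutdown must run from localhost when running db without auth" error above; with OPTS_AUTH_ON the same connection is allowed.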

Is it different from this authorization?

db.getSiblingDB("$external").runCommand(
  {
    createUser: "CN=myName,OU=myOrgUnit,O=myOrg,L=myLocality,ST=myState,C=myCountry",
    roles: [
      { role: "root", db: "admin" }
    ]
  }
)

db.getSiblingDB("$external").auth(
  {
    mechanism: "MONGODB-X509"
  }
)

So I tried, modified the config file like this,

security:
  keyFile: /key/mongodb-keyfile
  authorization: "enabled"

and typed this.

> db.createUser({user: "admin", pwd: "admin", roles: [{role: "root", db: "admin"}]})

but,

uncaught exception: Error: couldn't add user: command createUser requires authentication :
_getErrorWithCode@src/mongo/shell/utils.js:25:13
DB.prototype.createUser@src/mongo/shell/db.js:1343:11
@(shell):1:1


Then I tried again, modifying the config file like this,

#security:
#  keyFile: /key/mongodb-keyfile
#  authorization: "enabled"

and typed this.

> use admin
> db.createUser({user: "admin", pwd: "admin", roles: [{role: "root", db: "admin"}]})
Successfully added user: {
        "user" : "admin",
        "roles" : [
                {
                        "role" : "root",
                        "db" : "admin"
                }
        ]
}
> db.auth("admin", "admin")
1

But then I tried this command... I'm so sad.

> db.shutdownServer()
Error: shutdownServer failed: {
        "ok" : 0,
        "errmsg" : "shutdown must run from localhost when running db without auth",
        "code" : 13,
        "codeName" : "Unauthorized"
} :
_getErrorWithCode@src/mongo/shell/utils.js:25:13
DB.prototype.shutdownServer@src/mongo/shell/db.js:426:19
@(shell):1:1

Hi @Kim_Hakseon,

First, you can ssh to the box and perform a regular kill, or a Windows service stop, which will result in a graceful shutdown.

If you need user/password auth, you need to create the user before you enable auth. Afterwards you have to authenticate with that user.

Please note that x.509-associated roles are authorization as well; perhaps you are doing the authentication wrong.

Best regards,
Pavel

Please verify you do everything according

I was inspired by your answer and tried it.

  1. Comment out the security section
  2. Run the server
  3. Create the users
  4. Shut down the server
  5. Activate the security section
  6. Run the server
  7. Log in

I finally succeeded.
I knew I had to do it all at once.
Thank you... :frowning:
