How to shutdown when x.509

I made user - db.getSiblingDB("$external").runCommand(~~)

I authenticated - db.getSiblingDB("$external").auth(~~)

I checked - db.runCommand({‘connectionStatus’ : 1})

{
"authInfo" : 
               {"authenticatedUsers" : [{ "user" : "~~", "db" : "$external" }],
                "authenticatedUserRoles" : [{"role" : "root","db" : "admin"}]
        },
        "ok" : 1
}

lastly I want - use admin - db.shutdownServer()
but, this message appears.

uncaught exception: Error: shutdownServer failed: {
        "ok" : 0,**
        "errmsg" : "shutdown must run from localhost when running db without auth",**
        "code" : 13,
        "codeName" : "Unauthorized"
} :
_getErrorWithCode@src/mongo/shell/utils.js:25:13
DB.prototype.shutdownServer@src/mongo/shell/db.js:426:19
@(shell):1:1

how to shutdown when x.509

Hi @Kim_Hakseon,

According to the error it seems you have not enabled auth at all.

Without auth we require a shutdown from a local connection only.

Perhaps your configuration does not take place. Can you share the guide and configuration you have for your auth mechanism.

Thanks,
Pavel

# mongod.conf

# for documentation of all options, see:
# http://docs.mongodb.org/manual/reference/configuration-options/

# where to write logging data.
systemLog:
destination: file
logAppend: true
path: /mongodb/log/mongodb.log

# Where and how to store data.
storage:
dbPath: /mongodb/data
journal:
enabled: true
# engine:
# wiredTiger:

# how the process runs
processManagement:
fork: true # fork and run in background
pidFilePath: /mongodb/mongod.pid #location of pidfile

# network interfaces
net:
port: 27017
bindIp: 0.0.0.0 # Enter 0.0.0.0,:: to bind to all IPv4 and IPv6 addresses or, alternatively, use the net.bindIpAll setting.
tls:
mode: requireTLS
certificateKeyFile: /mongodb/key/server.pem
CAFile: /mongodb/key/ca.crt

# security


This is my config file.

Do I have to do <authorization: “enabled”> even though I set up TLS?

Hi @Kim_Hakseon,

Ssl configuration does not imply authorization and this is just an authentication method.

Autherzation, is who is allowed to do what according to the specified roles. Our best practice is to set at least one Autherzation (users/LDAP etc.).

Otherwise we allow shutdown only from local host.

Kind regards,
Pavel

Is it different from this authorization?

db.getSiblingDB("$external").runCommand(
{
createUser: “CN=myName,OU=myOrgUnit,O=myOrg,L=myLocality,ST=myState,C=myCountry”,
roles: [
{ role: “root”, db: “admin” }
]
}
)

db.getSiblingDB("$external").auth(
{
mechanism: “MONGODB-X509”
}
)

So I tried, modified the config file like this,

security:
keyFile: /key/mongodb-keyfile
authorization: “enabled”

and typed this.

>db.createUser({user:“admin”,pwd:“admin”,roles:[{role:“root”,db:“admin”}]})

but,

uncaught exception: Error: couldn’t add user: command createUser requires authentication :
_getErrorWithCode@src/mongo/shell/utils.js:25:13
DB.prototype.createUser@src/mongo/shell/db.js:1343:11
@(shell):1:1


I tried, modified the config file like this,

#security:
#keyFile: /key/mongodb-keyfile
#authorization: “enabled”

and typed this.

>use admin
>db.createUser({user:“admin”,pwd:“admin”,roles:[{role:“root”,db:“admin”}]})
Successfully added user: {
“user” : “admin”,
“roles” : [
{
“role” : “root”,
“db” : “admin”
}
]
}
> db.auth(“admin”,“admin”)
1

but, I tried this command… I’m so sad

>db.shutdownServer()
Error: shutdownServer failed: {
“ok” : 0,
“errmsg” : “shutdown must run from localhost when running db without auth”,
“code” : 13,
“codeName” : “Unauthorized”
} :
_getErrorWithCode@src/mongo/shell/utils.js:25:13
DB.prototype.shutdownServer@src/mongo/shell/db.js:426:19
@(shell):1:1

Hi @Kim_Hakseon,

First you can ssh to the box and perform a regular kill or windows service stop which will result in a graceful shutdown.

If you need a user/pwd auth you need to create the user before you enable auth. Afterwards you have to authenticate with that user.

Please note that x509 associated roles are autherzation as well, perhaps you do the authentication wrong.

Best regards,
Pavel

Please verify you do everything according

https://docs.mongodb.com/manual/tutorial/configure-x509-client-authentication/#procedures

I was inspired by your answer and tried it.

  1. Annotate Security Section
  2. Run server
  3. Create Users
  4. Shutdown the server
  5. Activate Security Section
  6. Run server
  7. Login

I finally succeeded.
I knew I had to do it all at once.
Thank you… :frowning:

1 Like