Ticket: Principle of Least Privilege

A new user is created in Atlas with Read/Write only privs. I am able to connect through the mongo shell with the user, but the app cannot pass the test on the status page:

— .ini —

Ticket: Connection

Rename this file to .ini after filling in your MFLIX_DB_URI and your SECRET_KEY

Do not surround the URI with quotes

[PROD]
SECRET_KEY = super_secret_key_you_should_change
#MFLIX_DB_URI = mongodb+srv://m220student:m220password@mflix-kuxkx.mongodb.net
MFLIX_DB_URI = mongo “mongodb+srv://m220ReadWrite:readwrite@mflix-kuxkx.mongodb.net”

[TEST]
SECRET_KEY = super_secret_testing_key
#MFLIX_DB_URI = mongodb+srv://m220student:m220password@mflix-kuxkx.mongodb.net
MFLIX_DB_URI = mongo “mongodb+srv://m220ReadWrite:readwrite@mflix-kuxkx.mongodb.net”

I also got the same problem when running on macOS. I tried to dig into some error messages from pip install -r requirements.txt and recognised one error:
twisted 18.7.0 requires PyHamcrest>=1.9.0, which is not installed.

I decided to add this line to requirements.txt:
twisted==18.7.0

All of these didn’t help.

Frustrating enough, even after reloading the new db.py.

I tried setting up from scratch (based on the README.rst instructions) on a Windows PC, and it works fine.

Have you changed the “Advanced Roles/Privileges” to r…w…@mflix?

Changing the user in your connection URI in the .ini file should be sufficient.

Ensure you are changing it to use the correct, limited user.

What I’ve tried so far (& seems to fail anyway)

Creating a new user with read write over all the DBs

Creating a new custom role & assigning only read & readWrite
Also tried adding dbAdmin, but that didn’t do anything

Edit1: Yes, I updated the URI in the .ini file with the new username & password, in both [PROD] & [TEST]
Edit2: Also tried after removing read; failed as well

2 Likes

Same here, I guess I repeated everything you’ve tried.

Either read or read/write mflixAppUser/mflixAppPass, apparently properly set in the .ini file as well (any further minor change to the credentials breaks the app on startup), then defining the custom read/write role, didn’t seem to do the job (still stuck with “Principle of Least Privilege: It doesn’t appear you have configured the application user”).

Try to connect with:

MFLIX_DB_URI = mongodb+srv://m220ReadWrite:readwrite@mflix-kuxkx.mongodb.net

I’d prefer to know the required settings instead of using the URI simply for getting the ticket; that would be far more helpful.

1 Like

I had such a problem; solved it by specifying Default Privileges.

4 Likes

Try this:
[PROD]
SECRET_KEY = super_secret_key_you_should_change
MFLIX_DB_URI = mongo “mongodb+srv://m220ReadWrite:readwrite@mflix-kuxkx.mongodb.net/mflix”

[TEST]
SECRET_KEY = super_secret_testing_key
MFLIX_DB_URI = mongo “mongodb+srv://m220ReadWrite:readwrite@mflix-kuxkx.mongodb.net/mflix”

You must specify the database that the role is inserted into, like “mflix”, at the end of the URI.

Hi,

I made changes to all the following and still not working when validating the least privilege:

  1. changed the following file, specifying the mflix database:
    [PROD]
    MFLIX_DB_URI = mongo “mongodb+srv://newusername:newpwd@mflix-kuxkx.mongodb.net/mflix”

    [TEST]
    MFLIX_DB_URI = mongo “mongodb+srv://newusername:newpwd@mflix-kuxkx.mongodb.net/mflix”

  2. added a user in Atlas by adding a custom role with readWrite privileges

  3. even made changes to the connection (new username and pwd) in migration.py

  4. connected to Atlas using the mongo shell, passing the new username and pwd, and was successful

  5. deactivated mflix and reactivated mflix

Not sure what it meant by stop and restart the application?

Thanks

I did the following and it seems to be working:

  1. Created the mflixAppUser (via atlas) giving readWrite on mflix
  2. Changed the production URI to login as mflixAppUser

How did I login as mflixAppUser? Instruction said stop and restart the server. How do I do that?

Thanks

To change to the mflix user, you change the .ini file that we set up so that it uses the mflixAppUser account instead of an Admin.

The server is the run.py that we are using to test our application. Stop it (^C works), then restart it. It will read the modified .ini file.

Hey Mr. Gil_11681,

Did you say you changed the [PROD] URI only not including the [TEST] URI?

Hi,

I created the new username and password as instructed in the ticket for “Principle of Least Privilege”. I know my newly created username and password are working correctly because many other tests on the UI turn green. Unfortunately, the last test at the bottom of the UI continues to fail. (The tests for Connection Pooling and Timeouts are also failing, but they are beyond the scope of this topic, so I will post questions for them separately.)

I also created a simple Python script to login and query from a command line. It is also working correctly.

After a few hours spent debugging this issue and reading through this forum, I have exhausted all ideas to get the test at the bottom of the UI working.

Any ideas to debug or hints to resolve this issue are really welcome and appreciated.

Thanks much in advance.

Regards,
McNguyen

Okay I think I created a new user wrongly earlier.

Previously, I created a custom role, then created a new user and assigned it that custom role.

Now instead, when I add a new user, I click “Add Default Privileges” and select the parameter values I want. Then it worked!

2 Likes

I did the same and it worked for me as well. To stop and restart the server means to stop (^c) the run.py instance running on your virtual env and then after changes to the .ini file have been made, run it again in your virtual environment.

Thanks!
Indeed this worked for me as well.

To summarize:
Do not create a role (and allocate this role to the user) - it won’t work.

Instead create the user, and after giving the username and password, click on “Add Default Privileges”.
Then simply select the Role “readWrite”
In the database field, type “mflix”

And that’s it.

2 Likes
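A pre-flight check that applies the rules this thread converged on (no mongo prefix or quotes around the .ini value, a /mflix default database, no admin account in the URI) and inspects the roles the cluster reports for the connecting user via the connectionStatus command. This is an added example, not code from the thread or the mflix project; the .ini text and the connectionStatus reply below are constructed samples, and live_excess_roles() needs pymongo and network access.

```python
"""Least-privilege pre-flight: lint MFLIX_DB_URI as written, then check the user's real roles."""
import configparser
from urllib.parse import urlparse

QUOTES = frozenset("\"'“”")               # straight and smart quotes seen in the thread
ADMIN_USERS = {"m220student"}             # course admin account the ticket retires
ALLOWED_ROLES = {("readWrite", "mflix")}  # the only role the app user should hold

def lint_uri(raw):
    """Return the problems with one MFLIX_DB_URI value exactly as written in the .ini."""
    problems, value = [], raw.strip()
    if value.startswith("mongo "):                # a shell command pasted as the value
        problems.append("value starts with the shell command 'mongo'; keep only the URI")
        value = value[len("mongo "):].strip()
    if value[:1] in QUOTES or value[-1:] in QUOTES:
        problems.append("URI is wrapped in quotes; the template says not to quote it")
        value = value.strip("".join(QUOTES))
    parsed = urlparse(value)
    if parsed.username in ADMIN_USERS:
        problems.append("still connecting as admin user %r" % parsed.username)
    if parsed.path.strip("/") != "mflix":         # the /mflix suffix several replies add
        problems.append("no default database; append /mflix after the host")
    return problems

def lint_ini(text):
    """Lint MFLIX_DB_URI in every section ([PROD] and [TEST]) of the .ini text."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(text)
    return {s: lint_uri(cfg[s]["MFLIX_DB_URI"]) for s in cfg.sections()}

def excess_roles(status):
    """Roles in a connectionStatus reply that go beyond readWrite@mflix."""
    roles = status["authInfo"]["authenticatedUserRoles"]
    return ["%s@%s" % (r["role"], r["db"]) for r in roles if (r["role"], r["db"]) not in ALLOWED_ROLES]

def live_excess_roles(uri):
    """Ask the cluster which roles the URI's user really holds (needs pymongo and network)."""
    from pymongo import MongoClient   # imported here so the offline checks run without pymongo
    return excess_roles(MongoClient(uri).admin.command("connectionStatus"))

# Constructed sample: the thread's failing [PROD] value next to a corrected [TEST] value.
SAMPLE_INI = """
[PROD]
MFLIX_DB_URI = mongo “mongodb+srv://m220ReadWrite:readwrite@mflix-kuxkx.mongodb.net”
[TEST]
MFLIX_DB_URI = mongodb+srv://m220ReadWrite:readwrite@mflix-kuxkx.mongodb.net/mflix
"""
# Constructed reply for a user created with "read and write to any database" (readWriteAnyDatabase).
SAMPLE_STATUS = {"authInfo": {"authenticatedUsers": [{"user": "m220ReadWrite", "db": "admin"}],
                              "authenticatedUserRoles": [{"role": "readWriteAnyDatabase", "db": "admin"}]}}
```

Run lint_ini() on your own .ini before restarting run.py; an empty list for both sections plus an empty live_excess_roles() result is what a correctly scoped app user looks like.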

Thanks, it works for me!