How to reset root password in Mongodb?

Question

I have a mongodb sharded cluster, with mongos machines, mongo nodes in replicate sets and config servers. MongoDB version is 3.02

The guy that set this up left the company a while ago and now I cant do simple things like show dbs or show collections

I have OS root in all these Debian machines, so I want to know how to reset mongo's root password so I can admin the database.

The apps that access this db seem to be working fine, using a user that has low privileges. I know the password for this particular user.

This is a production setup, so I can't afford to keep it down for more than a few seconds, tops minutes.

Answer 1

Steps

1. Connect to the machine hosting your MongoDB instance
2. Open the MongoDB configuration file found in /etc/ folder using: sudo nano mongod.conf
3. Comment out the following code like so:

   # security:
   #   authorization: enabled
   

4. Stop the MongoDB service: sudo service mongod stop
5. Start the MongoDB service: sudo service mongod start
6. Connect to the database using Robo3T or equivalent. With a connection to the admin collection, create a new admin superuser:

   db.createUser({ user:"admin", pwd:"password", roles:[{role:"root", db:"admin"}] });
   

7. Go back and uncomment the lines from step 3. Then repeat steps 4 and 5.
8. You should now be able to authenticate with the new user you created in step 6 and have full access to the database.

Troubleshooting

• If for whatever reason, after trying to restart your mongo service, you cannot connect to it, you can make sure the service properly started with: systemctl --type=service --state=active. If it has started, it will be in the list as mongod.service.
• Mongo logs can also be found at /var/log/mongodb/mongodb.log but this is less likely to be helpful in this situation.

Answer 2

It depends on the types of users. For example, if you are using SCRAM, the basic steps to reset password would be:

• Stop the mongod nodes
• Disable authorization in mongod.conf
• Restart the Replica set nodes
• Connect to the replica set primary node using the mongo shell
• Reset the your password by db.changePassword

Answer 3

There are two options here

If you plan to upgrade to 3.4 this can be done without downtime:

• MongoDB 3.4 allows Enforce Keyfile Access Control in a Replica Set without Downtime
• You need to start all your members with --transitionToAuth(This will allow both authenticated and non-authenticated traffic for some duration)
• Login to mongo shell on primary and create a userAdmin
• Logout and login again using userAdmin
• Create rootAdmin
• Store the password in password manager
• Disable transitionToAuth (Allow only authenticated traffic to replica set)

If you need to do this with existing MongoDB without upgrade:

• Stop a secondaries in the replica set in a rolling manner. Disable authentication using keyFile options
• Stepdown a primary and update its configuration to disable authentication.
• Update you're the application to remove username and password from application config
• Restart application
• Create useradmin and rootAdmin in admin DB
• Save passwords in the password manager
• Enable authentication in the replica set
• Start your application with the old config that includes username and password

Answer 4

I think this may work:

1. Stop your MongoDB instance
2. Remove the --auth and/or --keyfile options from your MongoDB config to disable authentication
3. Start the instance without authentication
4. Edit the users as needed
5. Restart the instance with authentication enabled

https://dba.stackexchange.com/questions/62976/how-can-i-enter-mongo-as-a-superuser-or-reset-users

Answer 5

This may not be the perfect answer, because I cannot test it. The base problem is of course that, that you cannot put your system into maintenance mode, where you can change admin password... But there is config file parameter security.transitionToAuth what you can add with rolling matter to your config file(s).

A mongod or mongos running with security.transitionToAuth does not enforce user access controls. Users may connect to your deployment without any access control checks and perform read, write, and administrative operations.