kaan_atakan

Reputation: 4067

Can't authenticate to dockerized mongodb instance with user created in script

I have a mongo instance configured inside my docker-compose.yml as such (the variables come from my .env file, and I have no problem using the admin account so I don't think they are the cause of the issue):

services:
    mongo:
        build: ./docker/mongo
        container_name: pname_mongo
        environment:
            - MONGO_INITDB_DATABASE=${MONGO_DATABASE}
            - MONGO_INITDB_ROOT_USERNAME=${MONGO_USERNAME}
            - MONGO_INITDB_ROOT_PASSWORD=${MONGO_PASSWORD}
        ports:
            - 27017:27017
        restart: unless-stopped
        volumes:
            - ./data/mongo:/data/db

Then inside docker/mongo is the following Dockerfile:

FROM mongo
WORKDIR /docker-entrypoint-initdb.d/
COPY graylog-user.js ./

The contents of graylog-user.js are thus:

db.createUser({
    pwd: "redacted-password",
    roles: [{
        db: "graylog",
        role: "readWrite"
    }],
    user: "graylog"
});

After deleting the contents of data/mongo the database appears to be initialized correctly when I run docker-compose up:

mongo_1          | Successfully added user: {
mongo_1          |  "user" : "pname",
mongo_1          |  "roles" : [
mongo_1          |      {
mongo_1          |          "role" : "root",
mongo_1          |          "db" : "admin"
mongo_1          |      }
mongo_1          |  ]
mongo_1          | }
mongo_1          | Error saving history file: FileOpenFailed Unable to open() file /home/mongodb/.dbshell: No such file or directory
mongo_1          | {"t":{"$date":"2020-10-02T21:43:01.568+00:00"},"s":"I",  "c":"NETWORK",  "id":22944,   "ctx":"conn2","msg":"Connection ended","attr":{"remote":"127.0.0.1:55612","connectionId":2,"connectionCount":0}}
mongo_1          | 
mongo_1          | /usr/local/bin/docker-entrypoint.sh: running /docker-entrypoint-initdb.d/graylog-user.js
mongo_1          | {"t":{"$date":"2020-10-02T21:43:01.627+00:00"},"s":"I",  "c":"NETWORK",  "id":22943,   "ctx":"listener","msg":"Connection accepted","attr":{"remote":"127.0.0.1:55616","connectionId":3,"connectionCount":1}}
mongo_1          | {"t":{"$date":"2020-10-02T21:43:01.628+00:00"},"s":"I",  "c":"NETWORK",  "id":51800,   "ctx":"conn3","msg":"client metadata","attr":{"remote":"127.0.0.1:55616","client":"conn3","doc":{"application":{"name":"MongoDB Shell"},"driver":{"name":"MongoDB Internal Client","version":"4.4.1"},"os":{"type":"Linux","name":"Ubuntu","architecture":"x86_64","version":"18.04"}}}}
mongo_1          | Successfully added user: {
mongo_1          |  "roles" : [
mongo_1          |      {
mongo_1          |          "db" : "graylog",
mongo_1          |          "role" : "readWrite"
mongo_1          |      }
mongo_1          |  ],
mongo_1          |  "user" : "graylog"
mongo_1          | }
mongo_1          | {"t":{"$date":"2020-10-02T21:43:01.679+00:00"},"s":"I",  "c":"NETWORK",  "id":22944,   "ctx":"conn3","msg":"Connection ended","attr":{"remote":"127.0.0.1:55616","connectionId":3,"connectionCount":0}}

However, I haven't managed to log on with this user no matter what I do. Here you can see me trying to log on using the CLI inside the mongo container:

> use graylog
switched to db graylog
> db.auth({
...     user: "graylog",
...     pwd: "redacted-password",
...     digestPassword: false
... })
Error: Authentication failed.
0
> db.auth({
...     user: "graylog",
...     pwd: "redacted-password",
...     digestPassword: true
... })
Error: Authentication failed.
0

When I log in, however, with the admin account I can see that the user is actually created (I've redacted all the hashes, salts, etc. I suppose they would change when deploying to production but better safe than sorry, right?):

> use admin
switched to db admin
> db.auth('pname', 'redacted-admin-password')
1
> show collections
system.users
system.version
> db.system.users.find()
{ "_id" : "admin.pname", "userId" : UUID("a8f150a6-83f6-4fef-8457-a6afae5e6b72"), "user" : "pname", "db" : "admin", "credentials" : { "SCRAM-SHA-1" : { "iterationCount" : 10000, "salt" : "redacted", "storedKey" : "redacted", "serverKey" : "redacted" }, "SCRAM-SHA-256" : { "iterationCount" : 15000, "salt" : "redacted", "storedKey" : "redacted", "serverKey" : " to production" } }, "roles" : [ { "role" : "root", "db" : "admin" } ] }
{ "_id" : "pname.graylog", "userId" : UUID("4d13d6d6-1f19-4f7c-97ba-6aef11f88587"), "user" : "graylog", "db" : "pname", "credentials" : { "SCRAM-SHA-1" : { "iterationCount" : 10000, "salt" : "redacted", "storedKey" : "redacted", "serverKey" : "redacted" }, "SCRAM-SHA-256" : { "iterationCount" : 15000, "salt" : "redacted", "storedKey" : "redacted", "serverKey" : "redacted" } }, "roles" : [ { "role" : "readWrite", "db" : "graylog" } ] }

What am I missing? Have I skipped a step?

Upvotes: 0

Views: 262

Answers (1)

Joe

Reputation: 28366

The user graylog was created in database pname, and given readWrite permission to only db graylog.

That user will need to set the authentication database to pname when connecting, but I don't think a user created in one database is permitted to be granted permission on a different database.

You might try changing graylog-user.js to create the user in the graylog database:

db.getSiblingDB("graylog").createUser({
    pwd: "redacted-password",
    roles: [{
        db: "graylog",
        role: "readWrite"
    }],
    user: "graylog"
});

Upvotes: 1
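As an added illustration of the point above (example code, not part of the question or answer): the `db` field of a `system.users` document is the database a client must authenticate against, and it is independent of the databases named in the user's roles. The small audit below takes documents shaped like the `db.system.users.find()` output in the question (sample data constructed here, with the SCRAM credential material left out since only non-secret fields are needed) and reports whether an authentication attempt in a given database could succeed, where the user actually lives, and the connection URI with the correct `authSource`. It is generic over any set of users, not just the two on this page.

```python
"""Audit MongoDB system.users documents: which database must a client
authenticate against, and which databases do the user's roles cover?"""
from urllib.parse import quote_plus

# Constructed sample documents, shaped like the `db.system.users.find()`
# output in the question. Hash/salt material is omitted on purpose; the
# checks below only look at _id, user, db and roles.
SAMPLE_USERS = [
    {"_id": "admin.pname", "user": "pname", "db": "admin",
     "roles": [{"role": "root", "db": "admin"}]},
    {"_id": "pname.graylog", "user": "graylog", "db": "pname",
     "roles": [{"role": "readWrite", "db": "graylog"}]},
]


def auth_database(user_doc):
    """Return the database the client must authenticate against.

    This is the user's `db` field; MongoDB also uses it as the prefix of
    `_id` ("<authdb>.<user>"), so the two are cross-checked here.
    """
    auth_db = user_doc["db"]
    expected_id = f"{auth_db}.{user_doc['user']}"
    if user_doc.get("_id") != expected_id:
        raise ValueError(
            f"inconsistent user document: _id={user_doc.get('_id')!r}, "
            f"expected {expected_id!r}")
    return auth_db


def role_databases(user_doc):
    """Sorted list of databases the user's roles grant access to."""
    return sorted({r["db"] for r in user_doc.get("roles", [])})


def diagnose_auth(users, name, attempted_db):
    """Explain the outcome of `use <attempted_db>; db.auth(name, ...)`.

    Returns a dict with a `status` of "ok", "wrong-auth-db" (the user
    exists but in another database) or "no-such-user".
    """
    candidates = [u for u in users if u["user"] == name]
    if not candidates:
        return {"status": "no-such-user", "user": name}
    exact = [u for u in candidates if auth_database(u) == attempted_db]
    if exact:
        return {"status": "ok", "user": name, "auth_db": attempted_db,
                "role_dbs": role_databases(exact[0])}
    other = candidates[0]
    return {"status": "wrong-auth-db", "user": name,
            "attempted": attempted_db, "auth_db": auth_database(other),
            "role_dbs": role_databases(other)}


def connection_uri(user_doc, password, host="localhost", port=27017):
    """Build a URI whose authSource is the user's own database.

    The target database of the roles is deliberately not used here: it is
    the resource being accessed, not the place the credentials live.
    """
    return (f"mongodb://{quote_plus(user_doc['user'])}:{quote_plus(password)}"
            f"@{host}:{port}/?authSource={auth_database(user_doc)}")


if __name__ == "__main__":
    for attempted in ("graylog", "pname"):
        print(attempted, "->", diagnose_auth(SAMPLE_USERS, "graylog", attempted))
    print(connection_uri(SAMPLE_USERS[1], "redacted-password"))
```

Run against the sample data, the first diagnosis reports `wrong-auth-db` with `auth_db` = `pname`, which is exactly the failure in the question: `db.auth()` was issued after `use graylog`, but the user document lives in `pname`. The equivalent on the mongo shell command line is `--authenticationDatabase pname`; the init script rewrite in the answer avoids the mismatch by creating the user in `graylog` in the first place.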
