This repository has been archived by the owner on Oct 2, 2023. It is now read-only.

Unable to get services to auth against "admin" DB in Mongo; uses Hygieia's DB, instead #2877

Open
cjchand opened this issue May 6, 2019 · 8 comments

cjchand commented May 6, 2019

Problem: When attempting to rehome to a new MongoDB, it fails to authenticate. Sniffer capture shows it is not using the admin DB in Mongo to authenticate, rather it is trying to auth against the DB where Hygieia will be storing its data.

Relevant log excerpt:

[{address=REDACTED:27021, type=UNKNOWN, state=CONNECTING, exception={com.mongodb.MongoSecurityException: Exception authenticating MongoCredential{mechanism=SCRAM-SHA-1, userName='REDACTED', source='REDACTED_DB_NAME', password=<hidden>, mechanismProperties={}}}, caused by {com.mongodb.MongoCommandException: Command failed with error 18: 'Authentication failed.' on server REDACTED:27021. The full response is { "ok" : 0.0, "errmsg" : "Authentication failed.", "code" : 18, "codeName" : "AuthenticationFailed", 

... where REDACTED_DB_NAME is the name of the DB where Hygieia will store its data, should it be able to auth... which is the same DB I see in the sniffer caps it is trying to perform initial auth to, instead of admin.

I have connected to the same Mongo cluster with the same creds - though using the admin DB to auth, of course - and it works fine.

I did try changing some of the Spring Boot config relevant to this (e.g.: spring.data.mongodb.authentication-database=admin), but no joy.

Is there something I'm missing here, or is the code hardwired to assume that the user lives in Hygieia's DB, instead of admin?

Author

cjchand commented May 6, 2019

I should mention that I can take the same setup and point it to a single-box Mongo where I added the user per the directions (e.g.: user lives in the same DB as Hygieia's data) and that works fine.

Contributor

rvema commented May 6, 2019

@cjchand Can you help me understand what your requirement is?

Author

cjchand commented May 6, 2019

@rvema Sure!

It is very common practice in Mongo to build users in the admin DB, not the DB where the data lives. This means when you go to authenticate to Mongo, you do so against the admin DB and not the DB for Hygieia.

In fact, there is a Spring property for this: spring.data.mongodb.authentication-database.

What I'm asking for is the ability to specify what DB to auth against. I tried setting spring.data.mongodb.authentication-database=admin in my application.properties, but it ignored that setting.

Hope that helps!

Contributor

rvema commented Jun 4, 2019

@cjchand Have you tried using dbname=dashboarddb in your properties?

Author

cjchand commented Jun 4, 2019

@rvema Yes, it works if I add my account to the Hygieia DB itself. However, this is not standard practice for many MongoDB installs.

Instead, all users - regardless of the DB(s) they use - are typically added to the admin DB, then granted rights to the DB(s) they need to access. In fact, MongoDB stores all users in the admin DB regardless of what DB you create the account in.

So, the ask here is that there be a property to tell Hygieia services what DB to auth against. You can default it to the same DB Hygieia uses (dashboarddb, etc), but give users the ability to specify a different DB solely for auth, if needed. Again, there is a Spring property for this in the MongoDB class you are using, just to reinforce that what I'm calling out here is indeed common.

Hope that clarifies.
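
The rule this request turns on, as an added example (not part of the thread and not Hygieia's code): for a standard MongoDB connection string, a driver authenticates against `authSource` if given, otherwise against the database named in the URI path, otherwise `admin`. The hosts, user name, password and the `audit` helper are constructed for illustration, and it assumes the service is configured through a connection URI, which the thread does not show.

```python
from urllib.parse import urlsplit, parse_qs, unquote

# Mechanisms whose users are never stored in a MongoDB database.
EXTERNAL_ONLY = {"GSSAPI", "MONGODB-X509", "MONGODB-AWS"}

def effective_auth_source(uri):
    """Return the database a driver will authenticate against for this URI."""
    parts = urlsplit(uri)
    if parts.scheme not in ("mongodb", "mongodb+srv"):
        raise ValueError("not a MongoDB connection string")
    # Option names are case-insensitive, so normalise the keys.
    opts = {k.lower(): v[-1] for k, v in parse_qs(parts.query).items()}
    if "authsource" in opts:                      # 1. explicit authSource wins
        return opts["authsource"]
    mechanism = opts.get("authmechanism", "").upper()
    if mechanism in EXTERNAL_ONLY:
        return "$external"
    default_db = unquote(parts.path.lstrip("/"))
    if default_db:                                # 2. database in the URI path
        return default_db
    return "$external" if mechanism == "PLAIN" else "admin"   # 3. fallback

def audit(uri, user_defined_in):
    """Compare where the driver will authenticate with where the user exists."""
    source = effective_auth_source(uri)
    if source == user_defined_in:
        return f"OK: authenticates against '{source}'"
    return (f"MISMATCH: authenticates against '{source}' but the user is "
            f"defined in '{user_defined_in}'; expect error 18 AuthenticationFailed")

# Constructed sample URIs (hosts, user and password are placeholders).
HOSTS = "db1.example.net:27021,db2.example.net:27021"
DATA_DB_ONLY = f"mongodb://hygieia:PLACEHOLDER@{HOSTS}/dashboarddb?replicaSet=rs0"
WITH_SOURCE = DATA_DB_ONLY + "&authSource=admin"
NO_DB = f"mongodb://hygieia:PLACEHOLDER@{HOSTS}/?replicaSet=rs0"

if __name__ == "__main__":
    for uri in (DATA_DB_ONLY, WITH_SOURCE, NO_DB):
        print(audit(uri, user_defined_in="admin"))
```

The first URI reproduces the situation in the log excerpt: the credential's source is the data DB, so a user that exists only in `admin` is rejected.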

Contributor

SohamJ commented Aug 14, 2019

@rvema @cjchand is there a workaround for this? Our MongoDB setup follows the same standards and currently, all components are trying to authenticate against the database itself.

Author

cjchand commented Aug 15, 2019

@SohamJ No solution, unfortunately. Just the workaround of adding the user to the Hygieia DB. Based on the interaction thus far, I don't think they are understanding the problem.


ghost commented Jun 3, 2020

Any updates on this?
