auth-server not connecting to secure mongodb replicated cluster #69

Closed
mihirv0ra opened this issue Mar 2, 2016 · 37 comments

Comments

@mihirv0ra

Configured the auth-server the same as the example, with details modified to connect to my replicated MongoDB cluster; we are seeing the following error:

Failed to create auth server: not authorized for query on dockdb.auth
{"log":"F0302 15:49:50.027015       1 main.go:46] Failed to create auth server: not authorized for query on

The MongoDB cluster has internal authentication, and my other Java app is able to connect to it without issues using the credentials; I am unable to do that through docker-auth.

Does anyone have any experience with Mongo auth?

@carsonoid
Contributor

I wrote the auth portion of the mongo integration. We use it daily with both authentication and a replica set without issues. Care to share your configuration? (with usernames and passwords obscured of course)


@mihirv0ra
Author

This is the config that we have set; the Mongo auth schema version is 3 and uses MONGODB-CR for auth.

server:
  addr: :5001
  certificate: ""
  key: ""
token:
  issuer: Auth Service
  expiration: 900
  certificate: "/config/server.pem"
  key: "/config/server.key"
# Static user map.
users:
  "": {}  # Allow anonymous (no "docker login") access.

ldap_auth:

  addr: xxxxx.yyy.zzz.com:389
  # Setup tls connection method to be
  # "" or "none": the communication won't be encrypted
  # "always": setup LDAP over SSL/TLS
  # "starttls": sets StartTLS as the encryption method
  tls: ""
  bind_dn: <binddn>
  bind_password_file: /config/ldap_password.txt
  base: <bindou>
  filter: (&(objectClass=person)(objectClass=user)(sAMAccountName=${account}))
acl:
  # This will allow Docker Registry V2 catalog API to work for search
  - match:
      account: ""
      type: "registry"
      name: "catalog"
    actions: ["*"]
    comment: "Anonymous can execute search API"

  # This will allow anonymous users to pull
  - match:
      account: ""
    actions: ["pull"]
    comment: "Anonymous can pull all images."
# (optional) Define to query ACL from a MongoDB server.
acl_mongo:
  # Essentially all options are described here: https://godoc.org/gopkg.in/mgo.v2#DialInfo
  dial_info:
    # The MongoDB hostnames or IPs to connect to.
    addrs: ["localhost:11555"]
    # The time to wait for a server to respond when first connecting and on
    # follow up operations in the session. If timeout is zero, the call may
    # block forever waiting for a connection to be established.
    # (See https://golang.org/pkg/time/#ParseDuration for a format description.)
    timeout: "10s"
    # Database name that will be used on the MongoDB server.
    database: "docker_auth"
    # The username with which to connect to the MongoDB server.
    user: "admin"
    # Path to the text file with the password in it.
    password_file: "/config/adminpass.txt"
  # Name of the collection in which ACLs will be stored in MongoDB.
  collection: "auth"
  # Specify how long an ACL remains valid before they will be fetched again from
  # the MongoDB server.
  # (See https://golang.org/pkg/time/#ParseDuration for a format description.)
  cache_ttl: "1m"

@carsonoid
Contributor

It looks like you put your mongo auth information underneath the acl_mongo section. The only auth I see here is ldap_auth so the error you are getting is likely coming from there.

Just to clarify: Are you trying to do auth with ldap and acls with mongo? Or are you trying to do auth with both mongo and ldap?

@mihirv0ra
Author

OK, so we are doing user authentication through LDAP, and then the authorization/ACLs on the repositories/namespaces based on the Mongo data.

@mihirv0ra
Author

@carsonoid can you help?

@carsonoid
Contributor

The fact that the log says "failed to create auth server" makes me think that it's your LDAP configuration that is causing the crash. What happens when you comment out the ldap_auth section and run the server?

@mihirv0ra
Author

I will try that out; however, the LDAP auth + MongoDB connectivity seems to work fine if we clear out the username/password and get rid of the auth from Mongo.

not authorized for query on dockdb.auth
So I feel that the auth server fails to initialize due to Mongo not authenticating. Will confirm in a bit on what happens when I comment the LDAP out.

Failed to create auth server: not authorized for query on dockdb.auth
{"log":"F0302 15:49:50.027015       1 main.go:46] Failed to create auth server: not authorized for query on

@duyanghao
Contributor

I have a similar problem @carsonoid @mv012004
I want to query ACL and Auth from the MongoDB backend.

Here is the auth server configuration:

server:
  addr: ":5001"
  certificate: "/root/docker_auth/domain.crt"
  key: "/root/docker_auth/domain.key"

token:
  issuer: "Acme auth server"  # Must match issuer in the Registry config.
  expiration: 900

mongo_auth:
  dial_info:
    addrs: ["localhost"]
    timeout: "10s"
    database: "admin"
    user: "root"
    password_file: "/root/docker_auth/password"
  collection: "users"

acl_mongo:
  dial_info:
    addrs: ["localhost"]
    timeout: "10s"
    database: "admin"
    user: "root"
    password_file: "/root/docker_auth/password"
  collection: "acl"
  cache_ttl: "1m"

the "root" user has root privilege in the admin database!

> show users
{
  "_id" : "admin.root",
  "user" : "root",
  "db" : "admin",
  "roles" : [
    {
      "role" : "root",
      "db" : "admin"
    }
  ]
}

we are seeing the following error:
[root@TENCENT64_site ~/docker_auth]# ./auth_server auth_config.yml
F0329 17:40:43.586969 13262 main.go:46] Failed to create auth server: not authorized on admin to execute command { createIndexes: "acl", indexes: [ { name: "seq_1", ns: "admin.acl", key: { seq: 1 }, unique: true } ] }

The MongoDB client and server versions are both 3.2.4, as below:
MongoDB shell version: 3.2.4

2016-03-29T18:02:06.971+0800 I CONTROL [initandlisten] db version v3.2.4

@duyanghao
Contributor

If I run MongoDB without auth, the auth server runs successfully! @carsonoid @mv012004
At the same time, here is my auth server configuration:

server:
  addr: ":5001"
  certificate: "/root/docker_auth/domain.crt"
  key: "/root/docker_auth/domain.key"

token:
  issuer: "Acme auth server"  # Must match issuer in the Registry config.
  expiration: 900

mongo_auth:
  dial_info:
    addrs: ["localhost"]
    timeout: "10s"
    database: "admin"
    user: ""
    password_file: ""
  collection: "users"

acl_mongo:
  dial_info:
    addrs: ["localhost"]
    timeout: "10s"
    database: "admin"
    user: ""
    password_file: ""
  collection: "acl"
  cache_ttl: "1m"

@carsonoid
Contributor

You probably shouldn't be using the admin database for actual data. It seems to be reserved for internal Mongo use and may have special protections. Have you tried creating a dedicated db for docker_auth and giving your admin user root access to it?


@duyanghao
Contributor

I have tried what you said above, but the problem is that there is no "root" role in the docker_auth db. I want to create the user "root" with root access to the docker_auth db, but the error happens as below:

> db.createUser(
... {
... user:"root",
... pwd:"fightingdu",
... roles : [ { role: "root", db: "admin" },
... { role: "root", db: "docker_auth" }
... ]
... }
... )
2016-03-30T09:15:47.207+0800 E QUERY    [thread1] Error: couldn't add user: No role named root@docker_auth :
_getErrorWithCode@src/mongo/shell/utils.js:23:13
DB.prototype.createUser@src/mongo/shell/db.js:1230:11
@(shell):1:1

Have you tried using the docker_auth db with user and password_file on the auth server side?
Could you give me a detailed configuration for how to use MongoDB auth? Urgently!!! @carsonoid

@carsonoid
Contributor

I know that the auth_server works for sure with a dedicated db, user, and password file because I use it every day in production. However I used compose.io to set up the mongo server and user so I can't tell you what the commands are. Use the dbAdmin role when granting access to a specific db. root seems way too powerful for this kind of access requirement and is also only allowed for the admin db. This mongo command works for me:

use docker_auth
db.createUser({
  user: "root",
  pwd: "pass",
  roles: [
    { role: "root", db: "admin" },
    "dbAdmin"
  ]
})


@johnrengelman

Also having the exact same auth problem.
I'm running Mongo 3.2 in a Docker container; I created a standalone DB and am using the admin user to connect.
I verified that I can connect with the credentials from a remote host using the mongo client.
So, it's definitely something in the codebase.

@johnrengelman

Also, I am not replicating.

@carsonoid
Contributor

If that is indeed the case you need to post your auth server logs. Run it with -v 7 -logtostderr and then post the results.


@johnrengelman

3/30/2016 6:43:25 PM I0330 23:43:25.485873       1 main.go:43] Config from /config/server/auth.yml (0 users, 0 ACL static entries)
3/30/2016 6:43:25 PM I0330 23:43:25.485963       1 mgo_session.go:64] Creating MongoDB session (operation timeout 10s)
3/30/2016 6:43:25 PM F0330 23:43:25.488525       1 main.go:46] Failed to create auth server: not authorized on auth to execute command { createIndexes: "acl", indexes: [ { name: "seq_1", ns: "auth.acl", key: { seq: 1 }, unique: true } ] }

@carsonoid
Contributor

Are you sure that your mongo user is a dbAdmin on the destination database?


@johnrengelman

Yes.
Though, looking at it, this might be because the network isn't ready by the time the process starts. I'm running in a Docker cluster (Rancher) and linking in the Mongo DB.
I'm testing now whether putting a pause in the container startup has an effect. Will post back shortly.

@carsonoid
Contributor

If that doesn't work can you post the results of db.getUsers() in the auth database?


@johnrengelman

> db.getUsers()
[
        {
                "_id" : "auth.auth",
                "user" : "auth",
                "db" : "auth",
                "roles" : [
                        {
                                "role" : "dbOwner",
                                "db" : "auth"
                        }
                ]
        }
]

@johnrengelman

It's not network related. I launched the container in shell mode, verified the connection, then tried to run the app and got the same error.

I've also tried downgrading to Mongo 3.0, same error.

@carsonoid
Contributor

Can you log in as the auth user to that database and create the index manually?


@johnrengelman

Not sure the exact command to run here, but:

connecting to: auth
> db.acl.createIndex({seq: 1})
{
        "createdCollectionAutomatically" : false,
        "numIndexesBefore" : 1,
        "numIndexesAfter" : 2,
        "ok" : 1
}

@carsonoid
Contributor

Can you share your auth_server.yaml so I can test against it?


@johnrengelman

server:
  addr: ":5001"
token:
  issuer: "Registry Auth Server"
  expiration: 900
  certificate: /config/pem/server.pem
  key: /config/key/server.key
mongo_auth:
  dial_info:
    addrs:
      - mongo
    database: auth
    user: auth
    password: changeme
  collection: users
acl_mongo:
  dial_info:
    addrs:
      - mongo
    database: auth
    user: auth
    password: changeme
  collection: acl
  cache_ttl: "1m"

@johnrengelman

Note, I'm using password instead of password_file, but I tried that too with the same outcome.

@carsonoid
Contributor

I finally got it! Our sample configs have a bad name. You need to use "username" instead of "user" under the mongo sections of the config. So the server isn't actually authenticating at all; it's just using the default user. That's on us. I'll submit a PR with the fix tomorrow.

For future reference, everything under the dial_info section slurps all config options as defined at https://godoc.org/labix.org/v2/mgo#DialInfo; the names are converted to lower case, of course.
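The root cause above is a silent key mismatch: the YAML decoder maps each DialInfo struct field to its lower-cased name, so `username` is accepted while `user` is dropped without any error, and the server connects with no credentials at all. The following check is an added example written for this thread, not code from docker_auth or mgo. It mirrors the exported field names of mgo.v2's DialInfo (copied here as an assumption; only the names matter) plus `password_file`, which is assumed to be docker_auth's own extra key under dial_info, and runs the broken and the corrected dial_info sections from the thread through it. The sample sections are constructed inline.

```go
package main

import (
	"fmt"
	"reflect"
	"sort"
	"strings"
	"time"
)

// mgoDialInfo mirrors the exported fields of mgo.v2's DialInfo
// (https://godoc.org/gopkg.in/mgo.v2#DialInfo). The field names are an
// assumption copied from that struct; the types are illustrative only.
type mgoDialInfo struct {
	Addrs          []string
	Direct         bool
	Timeout        time.Duration
	FailFast       bool
	Database       string
	ReplicaSetName string
	Source         string
	Service        string
	ServiceHost    string
	Mechanism      string
	Username       string
	Password       string
	PoolLimit      int
}

// extraDialInfoKeys are keys docker_auth adds beside the inlined DialInfo
// fields (assumption: password_file, as used in the configs in this thread).
var extraDialInfoKeys = map[string]bool{"password_file": true}

// AllowedDialInfoKeys returns the YAML keys a dial_info section accepts.
// An untagged struct field decodes from its lower-cased name, so the
// field "Username" is reached by "username" and never by "user".
func AllowedDialInfoKeys() map[string]bool {
	allowed := map[string]bool{}
	t := reflect.TypeOf(mgoDialInfo{})
	for i := 0; i < t.NumField(); i++ {
		allowed[strings.ToLower(t.Field(i).Name)] = true
	}
	for k := range extraDialInfoKeys {
		allowed[k] = true
	}
	return allowed
}

// UnknownDialInfoKeys lists the keys of a dial_info map that a non-strict
// decoder would silently discard. The result is sorted for stable output.
func UnknownDialInfoKeys(dialInfo map[string]interface{}) []string {
	allowed := AllowedDialInfoKeys()
	var unknown []string
	for k := range dialInfo {
		if !allowed[k] {
			unknown = append(unknown, k)
		}
	}
	sort.Strings(unknown)
	return unknown
}

// CredentialsEffective reports whether the section carries a username the
// driver will actually send. A section that only sets "user" authenticates
// as nobody, which is the failure mode seen in this thread.
func CredentialsEffective(dialInfo map[string]interface{}) bool {
	u, ok := dialInfo["username"].(string)
	return ok && u != ""
}

// Constructed samples: the broken section from the thread and the fix.
var brokenDialInfo = map[string]interface{}{
	"addrs":         []string{"localhost:11555"},
	"timeout":       "10s",
	"database":      "docker_auth",
	"user":          "admin",
	"password_file": "/config/adminpass.txt",
}

var fixedDialInfo = map[string]interface{}{
	"addrs":         []string{"localhost:11555"},
	"timeout":       "10s",
	"database":      "docker_auth",
	"username":      "admin",
	"password_file": "/config/adminpass.txt",
}

func main() {
	samples := map[string]map[string]interface{}{"broken": brokenDialInfo, "fixed": fixedDialInfo}
	for name, di := range samples {
		fmt.Printf("%s: unknown keys=%v credentials effective=%v\n",
			name, UnknownDialInfoKeys(di), CredentialsEffective(di))
	}
}
```

The check explains both symptoms reported in the thread: against a Mongo with auth disabled the unauthenticated session works, so the server starts; against a Mongo with auth enabled the same session is rejected with "not authorized", so startup fails. A decoder that rejects unknown keys (later yaml.v2 releases provide UnmarshalStrict) turns this silent downgrade into a hard error at startup. On the role question raised earlier in the thread, the index creation that fails here needs only the createIndex action, which the readWrite role on the target database already includes; root on admin, as granted in the createUser command above, is far more than the auth server needs.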

@duyanghao
Contributor

Thank you! @carsonoid, my problem has been solved!

@johnrengelman

@carsonoid fixed mine too! I should have seen that!

@carsonoid
Contributor

@rojer Looks like you can close this.

@rojer
Collaborator

rojer commented Mar 31, 2016

thank you!

@rojer rojer closed this as completed Mar 31, 2016
@duyanghao
Contributor

I have an additional question. I want to use docker auth as the token-based authentication and authorization server in my company, so I want to know the performance and stability of docker auth and how many companies are using it at present. Could you please give me a detailed description of the above questions? Looking forward to your reply! @carsonoid @rojer
And I know there is another implementation of a token-based authentication system, called Portus!
https://github.com/SUSE/Portus
So, how does that implementation compare to docker auth?

@carsonoid
Contributor

@rojer can probably speak more to its DL stats from Docker Hub and about its adoption. But I can say for sure that it's very stable. I use it every day in production with lots of users and ACLs and it's performed beautifully.

I'll admit that Portus boasts a few more features and a GUI. However, the Mongo support in docker_auth has been a big deal for me. I actually run multiple docker_auths and load balance between them, since all our users/ACLs are in Mongo and all the images are on S3.

Portus also seems to want to know a lot about your registry in order to render the gui and has more overhead in regards to configuration and maintenance. docker_auth takes a much more hands off approach; it really just does auth and does it well.

@rojer
Collaborator

rojer commented Apr 1, 2016

I should note that docker_auth is not our company's main product and not something I spend a lot of my time on. Hardly any, really. It's something I wrote almost off-the-cuff, just because the traditional nginx + auth v1 setup seemed weird and awkward and no other solutions were available at the time (Portus either did not exist or I didn't find it). We're not competing with Portus; I haven't even looked at it.

It's been working OK for us, no crashes. We are a small shop though; it doesn't see much load.
My own expectation is that, especially in the static configuration but also for Mongo, it should scale well, because queries will not cause additional requests to any backends. It will scale linearly with the number of rules in the ACL, and you might see some load from the use of bcrypt-ed passwords (it's an intentionally slow hash). The LDAP backend is a bit more expensive per request, as at present it does a bind and issues a query for each auth request and does not use any kind of caching.

Judging by the company names of those who starred the project, it does get some use, and the fetch count of the repo on the Docker Hub is in the hundreds of thousands.

@duyanghao
Contributor

Many thanks for your kind response!
I know that Portus has implemented image search, so I want to know whether there is a way to query the images and tags if I use docker auth.
Have you ever thought about this question? @carsonoid @rojer

@rojer
Collaborator

rojer commented Apr 1, 2016

docker_auth is about auth and auth only; it doesn't provide any indexing or search capabilities.

@duyanghao
Contributor

OK, I will build it myself!
