MongoDB user authorization - how-to #1168

Closed
mohierf opened this issue Jun 28, 2018 · 10 comments

mohierf commented Jun 28, 2018

Expected Behavior

Configuring MONGO_* settings with user authorization should not raise an error if the database does not exist.

First step, configure mongodb

I set up a recent MongoDB instance locally and created an administrator user:

use admin
db.createUser(
  {
    user: "alignak",
    pwd: "alignak",
    roles: [ { role: "userAdminAnyDatabase", db: "admin" } ]
  }
)

I configure mongo in authorization mode and restart the server:

   sudo vi /etc/mongod.conf
      security:
         authorization: enabled

   # Restart mongo
   sudo systemctl restart mongod.service

As of now, I always need to authenticate for any operation on the databases

$ mongo
   > show dbs
   > # Raises an Unauthorized error!
   > db.auth("alignak", "alignak" )
   1
   > show dbs
   admin   0.000GB
   config  0.000GB
   local   0.000GB

Second step, configure my REST Eve backend:

My configuration file MONGO part

  "MONGO_URI": "mongodb://alignak:alignak@localhost:27017/admin",
  "MONGO_HOST": "localhost",
  "MONGO_PORT": 27017,
  "MONGO_DBNAME": "alignak",
  "MONGO_USERNAME": "alignak",
  "MONGO_PASSWORD": "alignak",

Note: it is a JSON file that is transformed to a Python dict...
Also note that I checked that the same configuration without any authorization is fully functional.

Actual Behavior

Tell us what happens instead.

MongoDB connection string: mongodb://alignak:alignak@localhost:27017/admin
Traceback (most recent call last):
  File "/usr/local/bin/alignak-backend", line 9, in <module>
    load_entry_point('alignak-backend==1.4.11', 'console_scripts', 'alignak-backend')()
  File "/usr/lib/python2.7/dist-packages/pkg_resources/__init__.py", line 542, in load_entry_point
    return get_distribution(dist).load_entry_point(group, name)
  File "/usr/lib/python2.7/dist-packages/pkg_resources/__init__.py", line 2569, in load_entry_point
    return ep.load()
  File "/usr/lib/python2.7/dist-packages/pkg_resources/__init__.py", line 2229, in load
    return self.resolve()
  File "/usr/lib/python2.7/dist-packages/pkg_resources/__init__.py", line 2235, in resolve
    module = __import__(self.module_name, fromlist=['__name__'], level=0)
  File "/usr/local/lib/python2.7/dist-packages/alignak_backend/main.py", line 8, in <module>
    from alignak_backend.app import app, manifest
  File "/usr/local/lib/python2.7/dist-packages/alignak_backend/app.py", line 2158, in <module>
    static_folder=base_path
  File "/usr/local/lib/python2.7/dist-packages/eve/flaskapp.py", line 176, in __init__
    self.register_resource(resource, settings)
  File "/usr/local/lib/python2.7/dist-packages/eve/flaskapp.py", line 922, in register_resource
    create_index(self, resource, name, list_of_keys, index_options)
  File "/usr/local/lib/python2.7/dist-packages/eve/io/mongo/mongo.py", line 969, in create_index
    db = app.data.pymongo(resource, px).db
  File "/usr/local/lib/python2.7/dist-packages/eve/io/mongo/mongo.py", line 893, in pymongo
    self.driver[px] = PyMongo(self.app, px)
  File "/usr/local/lib/python2.7/dist-packages/flask_pymongo/__init__.py", line 97, in __init__
    self.init_app(app, config_prefix)
  File "/usr/local/lib/python2.7/dist-packages/flask_pymongo/__init__.py", line 283, in init_app
    mechanism=auth_mechanism)
  File "/usr/local/lib/python2.7/dist-packages/pymongo/database.py", line 1274, in authenticate
    connect=True)
  File "/usr/local/lib/python2.7/dist-packages/pymongo/mongo_client.py", line 614, in _cache_credentials
    sock_info.authenticate(credentials)
  File "/usr/local/lib/python2.7/dist-packages/pymongo/pool.py", line 688, in authenticate
    auth.authenticate(credentials, self)
  File "/usr/local/lib/python2.7/dist-packages/pymongo/auth.py", line 542, in authenticate
    auth_func(credentials, sock_info)
  File "/usr/local/lib/python2.7/dist-packages/pymongo/auth.py", line 245, in _authenticate_scram
    res = sock_info.command(source, cmd)
  File "/usr/local/lib/python2.7/dist-packages/pymongo/pool.py", line 579, in command
    unacknowledged=unacknowledged)
  File "/usr/local/lib/python2.7/dist-packages/pymongo/network.py", line 150, in command
    parse_write_concern_error=parse_write_concern_error)
  File "/usr/local/lib/python2.7/dist-packages/pymongo/helpers.py", line 155, in _check_command_response
    raise OperationFailure(msg % errmsg, code, response)
pymongo.errors.OperationFailure: Authentication failed.

It looks like Eve does not consider the authorization parameters I provided to create the database!

I tried almost every parameter combination, with or without MONGO_URI. The only solution I found to start correctly is to remove mongo authorization and then restore it once my database is created, with a user that is authorized to use this db ...

Perhaps I did something incorrectly ... but what I expect is that Eve manages the DB creation by itself 😉

Environment

  • Python version: 2.7, 3.5
  • Eve version: 0.7.9
@nicolaiarocci
Member

What happens if you use a db other than admin in your MONGO_URI? Or no db at all?

lemccarthy commented Jul 24, 2018

I'm experiencing the same issue. I have Eve connected to a mongodb replica set, and that was working up until I enabled auth. Now when I altered my URI to include username and password, I get that exact same error. I have tried the exact URI that I give to eve directly on Mongo and it works properly:

mongodb://user:password@host/db?replicaSet=rs&authSource=admin

I have tried just about every workaround, including using APP.config to set the parameters directly.

Just for kicks, I also tried creating a MongoClient object with the same URI, and it was able to successfully connect to Mongo, so I think the problem is with eve.

EDIT:

After much struggle, and making use of several options not mentioned directly in the documents, I managed to get it to work, using the following options:

MONGO_PASSWORD = "pass"
MONGO_HOST = "pod-1.mongo,pod-2.mongo,pod-3.mongo"
MONGO_AUTH_SOURCE = "admin"
MONGO_REPLICA_SET = "rsname"
MONGO_DBNAME = "my-db"

And making absolutely sure that MONGO_URI was never defined anywhere in the application.

Part of the problem was that the application error was always the same "Authentication Failed", but when I would look at the response.json() from the request I had made, it would have a more informative failure message.

joanitad commented Jul 31, 2018

I am having the same issue. Trying to use the mongo_srv protocol with eve. I can manually connect to pymongo in my Eve app but I get the same "Authentication Failed" error.
This is a link to a post I just made in Google Groups: https://groups.google.com/forum/#!topic/python-eve/9eJjCSy7wy0
pyMongo version: 3.6

Does that mean I can't currently use the mongo+srv protocol with Eve?

@nicolaiarocci
Member

v0.7.10 pinned the PyMongo dependency, see #1172. Can you guys please let me know if this is still a problem with Eve 0.7.10+?

xibriz commented Aug 15, 2018

I was experiencing the same problems and added MONGO_AUTH_SOURCE = "admin" and MONGO_REPLICA_SET = "rsname" as @lemccarthy suggested. It works like a charm.

I am running Eve 0.8.

@nicolaiarocci
Member

Thanks, everyone, for looking into it. It would be nice if the docs were updated somehow to account for this scenario. Anyone up for the task?

nicolaiarocci added this to the 0.8.1 milestone Aug 27, 2018

@nicolaiarocci
Member

Actually, the configuration page does list MONGO_AUTH_SOURCE already.

@xibriz was adding MONGO_REPLICA_SET necessary in order for auth to work? Also, are you using MONGO_URI at all?

xibriz commented Aug 29, 2018

@nicolaiarocci Tested now, MONGO_REPLICA_SET is NOT necessary.

I don't use the MONGO_URI. My settings are:

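import os

MONGO_HOST = "sweet-ostrich-mongodb.dev.svc.cluster.local"
MONGO_PORT = 27017
MONGO_DBNAME = "eve"
MONGO_USERNAME = "root"
# The password is read from the environment instead of being stored in the settings file
MONGO_PASSWORD = os.environ["MONGO_PASSWORD"]
MONGO_AUTH_SOURCE = "admin"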

I only read the Quickstart docs so it would be nice if it was reflected there since it has an example with MONGO_USERNAME and MONGO_PASSWORD: http://python-eve.org/quickstart.html#database-interlude

lidanger commented Apr 30, 2019

I think MONGO_AUTH_SOURCE = "admin" is actually not the right config. MONGO_AUTH_SOURCE should be the name of the database on which the user can be authenticated, while the description in the documentation section "Database Interlude" may cause misunderstanding.
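
An added example (not from the thread and not Eve's own code): a standard-library check that applies the MongoDB connection-string rule for the authentication database (authSource if given, else the database in the URI path, else admin) to the settings posted in this thread, and masks the password before a URI is printed, since the traceback in the first post is preceded by the full connection string. The function names and the wording of the findings are assumptions of this example.

```python
from urllib.parse import urlsplit, parse_qs, unquote

def parse_mongo_uri(uri):
    """Split a MongoDB connection string into the parts that matter for auth."""
    parts = urlsplit(uri)
    if parts.scheme not in ("mongodb", "mongodb+srv"):
        raise ValueError("not a MongoDB connection string")
    userinfo, _, hosts = parts.netloc.rpartition("@")
    user, _, password = userinfo.partition(":")
    return {
        "parts": parts, "user": user, "password": password or None, "hosts": hosts,
        "path_db": unquote(parts.path.lstrip("/")) or None,
        "auth_source": parse_qs(parts.query).get("authSource", [None])[0],
    }

def effective_auth_db(uri):
    """Database the credentials are checked against: authSource if given,
    else the database in the URI path, else "admin"."""
    p = parse_mongo_uri(uri)
    return p["auth_source"] or p["path_db"] or "admin"

def redact(uri):
    """Return the URI with the password masked, for log and error output."""
    p = parse_mongo_uri(uri)
    if p["password"] is None:
        return uri
    return p["parts"]._replace(netloc=f'{p["user"]}:***@{p["hosts"]}').geturl()

def audit(settings):
    """Return (auth database, findings) for an Eve-style settings dict."""
    findings = []
    uri, user = settings.get("MONGO_URI"), settings.get("MONGO_USERNAME")
    if uri and user:
        findings.append("credentials are defined twice: MONGO_URI and MONGO_USERNAME")
    auth_db = effective_auth_db(uri) if uri else settings.get("MONGO_AUTH_SOURCE")
    if user and not uri and auth_db is None:
        findings.append("MONGO_AUTH_SOURCE is not set: the auth database is implicit")
    dbname = settings.get("MONGO_DBNAME")
    if auth_db and dbname and auth_db != dbname:
        findings.append(f"user lives in '{auth_db}' and needs a role on '{dbname}'")
    return auth_db, findings

# MONGO_* values copied from the first post of this thread.
ISSUE_SETTINGS = {
    "MONGO_URI": "mongodb://alignak:alignak@localhost:27017/admin",
    "MONGO_DBNAME": "alignak", "MONGO_USERNAME": "alignak", "MONGO_PASSWORD": "alignak",
}

if __name__ == "__main__":
    print(redact(ISSUE_SETTINGS["MONGO_URI"]), audit(ISSUE_SETTINGS))
```
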

@nicolaiarocci
Member

@lidanger Yes, I think you are correct. Feel free to submit a PR; I will be happy to review it.
