MongoDB user authorization - how-to

[mohierf]

Expected Behavior

Configuring MONGO_* settings with user authorization should not raise an error if the database does not exist.

First step, configure mongodb

I set-up a recent mongodb instance locally and I create an administrator user:

use admin
db.createUser(
  {
    user: "alignak",
    pwd: "alignak",
    roles: [ { role: "userAdminAnyDatabase", db: "admin" } ]
  }
)

I configure mongo in authorization mode and restart the server:

   sudo vi /etc/mongod.conf
      security:
         authorization: enabled

   # Restart mongo
   sudo systemctl restart mongod.service

As of now, I always need to authenticate for any operation on the databases

$ mongo
   > show dbs
   > # Raises an Unauthorized error!
   > db.auth("alignak", "alignak" )
   1
   > show dbs
   admin   0.000GB
   config  0.000GB
   local   0.000GB

Second step, configure my REST Eve backend:

My configuration file MONGO part

  "MONGO_URI": "mongodb://alignak:alignak@localhost:27017/admin",
  "MONGO_HOST": "localhost",
  "MONGO_PORT": 27017,
  "MONGO_DBNAME": "alignak",
  "MONGO_USERNAME": "alignak",
  "MONGO_PASSWORD": "alignak",

Note: it is a JSON file that is transformed to a python dict...
Also note: that I checked that the same configuration without any authorization is fully functional.

Actual Behavior

Tell us what happens instead.

MongoDB connection string: mongodb://alignak:alignak@localhost:27017/admin
Traceback (most recent call last):
  File "/usr/local/bin/alignak-backend", line 9, in <module>
    load_entry_point('alignak-backend==1.4.11', 'console_scripts', 'alignak-backend')()
  File "/usr/lib/python2.7/dist-packages/pkg_resources/__init__.py", line 542, in load_entry_point
    return get_distribution(dist).load_entry_point(group, name)
  File "/usr/lib/python2.7/dist-packages/pkg_resources/__init__.py", line 2569, in load_entry_point
    return ep.load()
  File "/usr/lib/python2.7/dist-packages/pkg_resources/__init__.py", line 2229, in load
    return self.resolve()
  File "/usr/lib/python2.7/dist-packages/pkg_resources/__init__.py", line 2235, in resolve
    module = __import__(self.module_name, fromlist=['__name__'], level=0)
  File "/usr/local/lib/python2.7/dist-packages/alignak_backend/main.py", line 8, in <module>
    from alignak_backend.app import app, manifest
  File "/usr/local/lib/python2.7/dist-packages/alignak_backend/app.py", line 2158, in <module>
    static_folder=base_path
  File "/usr/local/lib/python2.7/dist-packages/eve/flaskapp.py", line 176, in __init__
    self.register_resource(resource, settings)
  File "/usr/local/lib/python2.7/dist-packages/eve/flaskapp.py", line 922, in register_resource
    create_index(self, resource, name, list_of_keys, index_options)
  File "/usr/local/lib/python2.7/dist-packages/eve/io/mongo/mongo.py", line 969, in create_index
    db = app.data.pymongo(resource, px).db
  File "/usr/local/lib/python2.7/dist-packages/eve/io/mongo/mongo.py", line 893, in pymongo
    self.driver[px] = PyMongo(self.app, px)
  File "/usr/local/lib/python2.7/dist-packages/flask_pymongo/__init__.py", line 97, in __init__
    self.init_app(app, config_prefix)
  File "/usr/local/lib/python2.7/dist-packages/flask_pymongo/__init__.py", line 283, in init_app
    mechanism=auth_mechanism)
  File "/usr/local/lib/python2.7/dist-packages/pymongo/database.py", line 1274, in authenticate
    connect=True)
  File "/usr/local/lib/python2.7/dist-packages/pymongo/mongo_client.py", line 614, in _cache_credentials
    sock_info.authenticate(credentials)
  File "/usr/local/lib/python2.7/dist-packages/pymongo/pool.py", line 688, in authenticate
    auth.authenticate(credentials, self)
  File "/usr/local/lib/python2.7/dist-packages/pymongo/auth.py", line 542, in authenticate
    auth_func(credentials, sock_info)
  File "/usr/local/lib/python2.7/dist-packages/pymongo/auth.py", line 245, in _authenticate_scram
    res = sock_info.command(source, cmd)
  File "/usr/local/lib/python2.7/dist-packages/pymongo/pool.py", line 579, in command
    unacknowledged=unacknowledged)
  File "/usr/local/lib/python2.7/dist-packages/pymongo/network.py", line 150, in command
    parse_write_concern_error=parse_write_concern_error)
  File "/usr/local/lib/python2.7/dist-packages/pymongo/helpers.py", line 155, in _check_command_response
    raise OperationFailure(msg % errmsg, code, response)
pymongo.errors.OperationFailure: Authentication failed.

It looks like Eve do not consider the authorization parameters I provided to create the database!

I tried almost every parameters combination, with or whitout MONGO_URI. The only solution I found to start correctly is to remove mongo authorization and then restore once my database is created .with a user that is authorized to use this db ...

Perharps I did something not correctly ... but what I expect is that Eve manages the DB creation by itself 😉

Environment

• Python version: 2.7, 3.5
• Eve version: 0.7.9

[nicolaiarocci]

What happens if you use a db other than admin in your MONGO_URI? Or no db at all?

[lemccarthy]

I'm experiencing the same issue. I have Eve connected to a mongodb replica set, and that was working up until I enabled auth. Now when I altered my URI to include username and password, I get that exact same error. I have tried the exact URI that I give to eve directly on Mongo and it works properly:

mongodb://user:password@host/db?replicaSet=rs&authSource=admin
I have tried just about every workaround, including using APP.config to set the parameters directly.

Just for kicks, I also tried creating a MongoClient object with the same URI, and it was able to succesfully connect to Mongo, so I think the problem is with eve.

EDIT:

After much struggle, and making use of several options not mentioned directly in the documents, I managed to get it to work, using the following options:

MONGO_PASSWORD = "pass"
MONGO_HOST = "pod-1.mongo,pod-2.mongo,pod-3.mongo"
MONGO_AUTH_SOURCE = "admin"
MONGO_REPLICA_SET = "rsname"
MONGO_DBNAME = "my-db"

And making absolutely sure that MONGO_URI was never defined anywhere in the application.

Part of the problem was that the application error was always the same "Authentication Failed", but when I would look at the response.json() from the request I had made, it would have a more informative failure message.

[joanitad]

I am having the same issue. Trying to use the mongo_srv protocol with eve. I can manually connect to pymongo in my Eve app but I get the same "Authentication Failed' error.
This is a link to a post I just made in google groups:https://groups.google.com/forum/#!topic/python-eve/9eJjCSy7wy0
pyMongo version: 3.6

Does that mean I can't currently use the mongo+srv protocol with Eve?

[nicolaiarocci]

v0.7.10 pinned the PyMongo dependency, see #1172. Can you guys please let me know if this is still a problem with Eve 0.7.10+?

[xibriz]

I was experiencing the same problems and added MONGO_AUTH_SOURCE = "admin" and MONGO_REPLICA_SET = "rsname" as @lemccarthy suggested. It works like a charm.

I am running Eve 0.8.

[nicolaiarocci]

Thanks, everyone, for looking into it. It would be nice if the docs were updated somehow to account for this scenario. Anyone up for the task?

[nicolaiarocci]

Actually, the configuration page does list MONGO_AUTH_SOURCE already.

@xibriz was adding MONGO_REPLICA_SET necessary in order for auth to work? Also, are you using MONGO_URI at all?

[xibriz]

@nicolaiarocci Testet now, MONGO_REPLICA_SET is NOT necessary.

I don't use the MONGO_URI. My settings are:

MONGO_HOST="sweet-ostrich-mongodb.dev.svc.cluster.local"
MONGO_PORT=27017
MONGO_DBNAME="eve"
MONGO_USERNAME="root"
MONGO_PASSWORD=os.environ["MONGO_PASSWORD"]
MONGO_AUTH_SOURCE = "admin"

I only read the Quickstart docs so it would be nice if it was reflected there since it has an example with MONGO_USERNAME and MONGO_PASSWORD: http://python-eve.org/quickstart.html#database-interlude

[lidanger]

I think MONGO_AUTH_SOURCE = "admin" is actually not the right config. MONGO_AUTH_SOURCE should be the name of the database on which the user can be authenticated.While the description in the document section "Database Interlude" may cause misunderstanding.

@nicolaiarocci

[nicolaiarocci]

@lidanger Yes, I think you are correct. Feel free to submit a PR I will be happy to review it.