[SERVER-5696] Auth failed on sharding Created: 24/Apr/12  Updated: 15/Aug/12  Resolved: 29/May/12

Status: Closed
Project: Core Server
Component/s: Security
Affects Version/s: 2.0.4
Fix Version/s: None

Type: Bug
Priority: Major - P3
Reporter: Nikolay Molchanov
Assignee: Spencer Brody (Inactive)
Resolution: Cannot Reproduce
Votes: 0
Labels: authenticate, authentication, mongos, sharding
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified
Environment:

2 shard servers, 1 config server, 1 user db, 1 shard coll


Attachments: router.log, router.log, router_20120518.log
Operating System: Linux

 Description   

mongod and the other components are started with the --keyFile option.

1. When I try to find something with the mongo shell I get "unauthorized".
Users with rw grants are in the config db and in the user db on both servers.

>mongo userdb
>db.auth('...','...');
1
>var p = db.usercoll.find();
unauthorized

2. Also, when I try to connect to mongos with JasperReportsServer, I get this "unauthorized" error.
3. When I connect to mongos with JMongoBrowser I also get this error.

In my java client I don't have a problem with auth and did not get an error.

Mongo mongo1 = new Mongo( "127.0.0.1" );
DB db = mongo1.getDB("userdb");
db.authenticate("...");
db.getCollection("...").find()...



 Comments   
Comment by Spencer Brody (Inactive) [ 18/May/12 ]

I am also unclear what the problem is with the 2.0.4 shell. I have not been able to reproduce.

2.2 should be coming out sometime early this summer. In the meantime you can either use the shell from the 2.1.x series or use another driver such as java or python.

Comment by Nikolay Molchanov [ 18/May/12 ]

Yes, it's working! I didn't see the dev release, and I had downloaded the wrong version.

./mongo config
MongoDB shell version: 2.1.2-pre-
connecting to: config
Welcome to the MongoDB shell.
For interactive help, type "help".
For more comprehensive documentation, see
http://docs.mongodb.org/
Questions? Try the support group
http://groups.google.com/group/mongodb-user
> set verbose
set verbose to true
> var p =db.system.users.find();
> p
error: { "$err" : "unauthorized", "code" : 15845 }

> db.auth('dba','');
1
> db.system.users.find();

{ "_id" : ObjectId("4f98330c1d8a80e758c02313"), "user" : "dba", "readOnly" : false, "pwd" : "f92058d2f3f20f1f5473e0c2baa77edb" }

Fetched 1 record(s) in 1ms
> var p = db.system.users.find();
> p

{ "_id" : ObjectId("4f98330c1d8a80e758c02313"), "user" : "dba", "readOnly" : false, "pwd" : "f92058d2f3f20f1f5473e0c2baa77edb" }

Fetched 1 record(s) in 1ms
> db.system.users.find();

{ "_id" : ObjectId("4f98330c1d8a80e758c02313"), "user" : "dba", "readOnly" : false, "pwd" : "f92058d2f3f20f1f5473e0c2baa77edb" }

Fetched 1 record(s) in 1ms

When will this fix be included in a stable release?
And I don't understand where the problem was in the old shell.

Thanks.

Comment by Spencer Brody (Inactive) [ 18/May/12 ]

Looks like you're running the 2.0.6 nightly instead of something from 2.1.x. Can you try it with the shell from 2.1.1 (available for download here: http://www.mongodb.org/downloads)?

Comment by Nikolay Molchanov [ 18/May/12 ]

I am confused.

./mongo config
MongoDB shell version: 2.0.6-rc0-pre-
connecting to: config
> set verbose;
Fri May 18 19:45:03 SyntaxError: missing ; before statement (shell):1
> set verbose
Fri May 18 19:45:07 SyntaxError: missing ; before statement (shell):1
> set verbose 1
Fri May 18 19:45:11 SyntaxError: missing ; before statement (shell):1
> "set verbose";
set verbose
> set verbose
Fri May 18 19:46:16 SyntaxError: missing ; before statement (shell):1

Comment by Spencer Brody (Inactive) [ 18/May/12 ]

Can you attach the shell output as well? Using verbose mode ("set verbose") on the nightly shell should cause it to print some more information on what it's doing after each query.

Comment by Tad Marshall [ 18/May/12 ]

Sorry, I closed the wrong ticket.

Comment by Nikolay Molchanov [ 18/May/12 ]

Are the errors on the server side or in the mongo shell?

Comment by Nikolay Molchanov [ 18/May/12 ]

I downloaded the nightly build on 17 May.
I have the same error.

I have attached the log.

Comment by Spencer Brody (Inactive) [ 09/May/12 ]

Sorry about that, didn't notice the attachment.

There are no errors on the mongos side. This seems like the problem must be on the shell side of things (especially since the java driver is working). Can you try downloading the 2.1 nightly shell from http://www.mongodb.org/downloads and running:

> set verbose
> var p =db.system.users.find();
> db.auth('dba','<password>');
> db.system.users.find();
> var p = db.system.users.find();
> db.system.users.find();

Comment by Nikolay Molchanov [ 09/May/12 ]

There is a router.log from 4 May. Look in the attachments.

Comment by Spencer Brody (Inactive) [ 08/May/12 ]

Can you attach the full mongos log? That excerpt only covers one of the calls to db.system.users.find()

Comment by Nikolay Molchanov [ 04/May/12 ]

My last test (debug level 5)

./mongo config
MongoDB shell version: 2.0.4
connecting to: config
> var p =db.system.users.find();
unauthorized
> db.auth('dba','...');
1
> db.system.users.find();

{ "_id" : ObjectId("4f98330c1d8a80e758c02313"), "user" : "dba", "readOnly" : false, "pwd" : "" }

> var p =db.system.users.find();
unauthorized
> db.getLastError();
unauthorized

Mongos log:

Fri May 4 16:31:48 BackgroundJob starting: ConnectBG
Fri May 4 16:31:48 [conn2] connected connection!
Fri May 4 16:31:48 [conn2] calling onCreate auth for 192.168.2.68:27019
Fri May 4 16:31:48 [conn2] initializing shard connection to 192.168.2.68:27019
Fri May 4 16:31:48 [conn2] initial sharding settings : { setShardVersion: "", init: true, configdb: "192.168.2.68:27019", serverID: ObjectId('4fa3cb288fd46$
Fri May 4 16:31:48 [conn2] initial sharding result : { initialized: true, ok: 1.0 }
Fri May 4 16:31:50 [Balancer] _inBalancingWindow: now: 2012-May-04 16:31:50 startTime: 2012-May-04 00:00:00 stopTime: 2012-May-04 00:00:00
Fri May 4 16:31:50 [Balancer] skipping balancing round because balancing is disabled
Fri May 4 16:32:20 [PeriodicTask::Runner] task: DBConnectionPool-cleaner took: 0ms
Fri May 4 16:32:20 [PeriodicTask::Runner] task: DBConnectionPool-cleaner took: 0ms
Fri May 4 16:32:20 [WriteBackListener-192.168.2.68:27019] 192.168.2.68:27019 is not a shard node
Fri May 4 16:32:20 [Balancer] _inBalancingWindow: now: 2012-May-04 16:32:20 startTime: 2012-May-04 00:00:00 stopTime: 2012-May-04 00:00:00
Fri May 4 16:32:20 [Balancer] skipping balancing round because balancing is disabled
Fri May 4 16:32:27 [conn2] Request::process ns: config.$cmd msg id:2 attempt: 0
Fri May 4 16:32:27 [conn2] single query: config.$cmd { getlasterror: 1.0, w: 1.0 } ntoreturn: -1 options : 0
Fri May 4 16:32:27 [conn2] Request::process ns: admin.$cmd msg id:3 attempt: 0
Fri May 4 16:32:27 [conn2] single query: admin.$cmd { replSetGetStatus: 1, forShell: 1 } ntoreturn: 1 options : 0
Fri May 4 16:32:50 [Balancer] _inBalancingWindow: now: 2012-May-04 16:32:50 startTime: 2012-May-04 00:00:00 stopTime: 2012-May-04 00:00:00
Fri May 4 16:32:50 [Balancer] skipping balancing round because balancing is disabled
Fri May 4 16:33:08 [conn2] Request::process ns: config.$cmd msg id:4 attempt: 0
Fri May 4 16:33:08 [conn2] single query: config.$cmd { getnonce: 1.0 } ntoreturn: -1 options : 0
Fri May 4 16:33:08 [conn2] Request::process ns: config.$cmd msg id:5 attempt: 0
Fri May 4 16:33:08 [conn2] single query: config.$cmd { authenticate: 1.0, user: "dba", nonce: "1171e776d436c958", key: "c899e5c219d98b9c9382be257ac98840" $
Fri May 4 16:33:08 [conn2] authenticate: { authenticate: 1.0, user: "dba", nonce: "1171e776d436c958", key: "c899e5c219d98b9c9382be257ac98840" }
Fri May 4 16:33:08 [conn2] Request::process ns: admin.$cmd msg id:6 attempt: 0
Fri May 4 16:33:08 [conn2] single query: admin.$cmd { replSetGetStatus: 1, forShell: 1 } ntoreturn: 1 options : 0
Fri May 4 16:33:20 [PeriodicTask::Runner] task: DBConnectionPool-cleaner took: 0ms
Fri May 4 16:33:20 [PeriodicTask::Runner] task: DBConnectionPool-cleaner took: 0ms
Fri May 4 16:33:20 [WriteBackListener-192.168.2.68:27019] 192.168.2.68:27019 is not a shard node
Fri May 4 16:33:20 [Balancer] _inBalancingWindow: now: 2012-May-04 16:33:20 startTime: 2012-May-04 00:00:00 stopTime: 2012-May-04 00:00:00
Fri May 4 16:33:20 [Balancer] skipping balancing round because balancing is disabled
Fri May 4 16:33:28 [conn2] Request::process ns: config.system.users msg id:7 attempt: 0
Fri May 4 16:33:28 [conn2] single query: config.system.users {} ntoreturn: 0 options : 0
Fri May 4 16:33:28 [conn2] Request::process ns: admin.$cmd msg id:8 attempt: 0
Fri May 4 16:33:28 [conn2] single query: admin.$cmd { replSetGetStatus: 1, forShell: 1 } ntoreturn: 1 options : 0
Fri May 4 16:33:31 [conn2] Request::process ns: config.$cmd msg id:9 attempt: 0
Fri May 4 16:33:31 [conn2] single query: config.$cmd { getlasterror: 1.0, w: 1.0 } ntoreturn: -1 options : 0
Fri May 4 16:33:31 [conn2] Request::process ns: admin.$cmd msg id:10 attempt: 0
Fri May 4 16:33:31 [conn2] single query: admin.$cmd { replSetGetStatus: 1, forShell: 1 } ntoreturn: 1 options : 0
Fri May 4 16:33:50 [Balancer] _inBalancingWindow: now: 2012-May-04 16:33:50 startTime: 2012-May-04 00:00:00 stopTime: 2012-May-04 00:00:00
Fri May 4 16:33:50 [Balancer] skipping balancing round because balancing is disabled
Fri May 4 16:34:20 [PeriodicTask::Runner] task: DBConnectionPool-cleaner took: 0ms
Fri May 4 16:34:20 [PeriodicTask::Runner] task: DBConnectionPool-cleaner took: 0ms
Fri May 4 16:34:20 [WriteBackListener-192.168.2.68:27019] 192.168.2.68:27019 is not a shard node
Fri May 4 16:34:20 [Balancer] _inBalancingWindow: now: 2012-May-04 16:34:20 startTime: 2012-May-04 00:00:00 stopTime: 2012-May-04 00:00:00
Fri May 4 16:34:20 [Balancer] skipping balancing round because balancing is disabled
Fri May 4 16:34:50 [Balancer] _inBalancingWindow: now: 2012-May-04 16:34:50 startTime: 2012-May-04 00:00:00 stopTime: 2012-May-04 00:00:00
Fri May 4 16:34:50 [Balancer] skipping balancing round because balancing is disabled

Comment by Spencer Brody (Inactive) [ 02/May/12 ]

Hmm, that is weird.
Can you please up the log level on the mongos to 5, then start a new shell and in it run:

> var p =db.system.users.find();
> db.auth('dba','<password>');
> db.system.users.find();
> var p = db.system.users.find();

And attach the full mongos log?

Comment by Nikolay Molchanov [ 02/May/12 ]

OK. Thanks!

What about mongo shell with my message

> db.system.users.find();

{ "_id" : ObjectId("4f98330c1d8a80e758c02313"), "user" : "dba", "readOnly" : false, "pwd" : "" }

> var p = db.system.users.find();
unauthorized

???

Comment by Spencer Brody (Inactive) [ 02/May/12 ]

Based on this thread http://jasperforge.org/plugins/espforum/view.php?group_id=112&forumid=102&topicid=92362, it seems like JasperServer may not currently have support for connecting to a MongoDB cluster that is using authentication. I'd follow up with the JasperServer community to confirm if that is the case.

Comment by Nikolay Molchanov [ 02/May/12 ]

In the last clear test I didn't create a user in the admin db. There is no "admin db".
When I was connecting with "./mongo config" I was using a localhost connection to config and I didn't have errors.

Then:

./mongo admin
MongoDB shell version: 2.0.4
connecting to: admin
mongos> db
admin
mongos> var p =db.system.users.find();
mongos> p
mongos> db.addUser('dba','...');
db.addUser('dba','');

{ "singleShard" : "192.168.2.68:27019", "n" : 0, "connectionId" : 4, "err" : null, "ok" : 1 }
{ "user" : "dba", "readOnly" : false, "pwd" : "...", "_id" : ObjectId("4fa15ede63ddf5ed65fb163e") }
> var p =db.system.users.find();
unauthorized
> db.auth('dba','...');
1
mongos> var p =db.system.users.find();
mongos> p
{ "_id" : ObjectId("4fa15ede63ddf5ed65fb163e"), "user" : "dba", "readOnly" : false, "pwd" : "" }

mongos> exit

OK. No errors!
After I created admin db I got:

./mongo config
MongoDB shell version: 2.0.4
connecting to: config
> var p =db.system.users.find();
unauthorized
> db.auth('dba','');
1
> db.system.users.find();

{ "_id" : ObjectId("4f98330c1d8a80e758c02313"), "user" : "dba", "readOnly" : false, "pwd" : "" }

> var p = db.system.users.find();
unauthorized

There are no errors in the mongos log.
The error in JasperServer is still there.

I am breaking my head! HELP!

Comment by Nikolay Molchanov [ 02/May/12 ]

For a clear test I recreated the sharding cluster without the user db.
There are only the config db, 2 shards, 1 mongos on the primary shard and 1 config server.

When I try to connect to mongos with JasperStudio (mongodb://192.168.2.68:27017/config) I have the same error. LogLevel 5.
Wed May 2 19:59:04 [conn10] User Assertion: 15845:unauthorized
Wed May 2 19:59:04 [conn10] AssertionException while processing op type : 2004 to : config.system.namespaces :: caused by :: 15845 unauthorized

With "./mongo config" I connect successfully.
db.system.namespaces.find(); – runs without errors.
With my java app too, without errors.

Comment by Nikolay Molchanov [ 27/Apr/12 ]

In my first message the name of "userdb" is "test".
In the logs there are errors about test.system.namespace.

Comment by Nikolay Molchanov [ 26/Apr/12 ]

Yes, I have one mongos.

Comment by Eliot Horowitz (Inactive) [ 26/Apr/12 ]

The java driver and shell are connecting to the same mongos?

Comment by Nikolay Molchanov [ 25/Apr/12 ]

In the shard server log there are no errors.
In the config server log there are no errors.
In the mongos server log there are:

Wed Apr 25 21:56:00 [conn2] Request::process ns: test.system.namespaces msg id:7 attempt: 0
Wed Apr 25 21:56:00 [conn2] single query: test.system.namespaces {} ntoreturn: 0 options : 0
Wed Apr 25 21:56:00 [conn2] User Assertion: 15845:unauthorized
Wed Apr 25 21:56:00 [conn2] AssertionException while processing op type : 2004 to : test.system.namespaces :: caused by :: 15845 unauthorized

Log Jasper report server:

net.sf.jasperreports.engine.JRException: unauthorized
at com.jaspersoft.mongodb.connection.MongoDbConnection.setDatabase(MongoDbConnection.java:102)
at com.jaspersoft.mongodb.connection.MongoDbConnection.<init>(MongoDbConnection.java:70)

My java client successfully logged into the test db.
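
An added example (not part of the ticket and not MongoDB code): a Python scan that pairs each `15845 unauthorized` assertion in a mongos log with any `authenticate` command the same connection sent earlier, which is the distinction this thread keeps returning to. The sample lines are constructed in the format of the excerpts quoted above; `unauthorized_ops` and its field names are hypothetical.

```python
import re

# Constructed sample, written in the format of the mongos 2.0.x lines quoted in this ticket.
SAMPLE_LOG = '''\
Wed Apr 25 21:55:58 [conn2] single query: test.$cmd { authenticate: 1.0, user: "app", nonce: "<nonce>", key: "<key>" } ntoreturn: -1 options : 0
Wed Apr 25 21:56:00 [conn2] single query: test.system.namespaces {} ntoreturn: 0 options : 0
Wed Apr 25 21:56:00 [conn2] User Assertion: 15845:unauthorized
Wed Apr 25 21:56:00 [conn2] AssertionException while processing op type : 2004 to : test.system.namespaces :: caused by :: 15845 unauthorized
Wed May 2 19:59:04 [conn10] single query: config.system.namespaces {} ntoreturn: 0 options : 0
Wed May 2 19:59:04 [conn10] AssertionException while processing op type : 2004 to : config.system.namespaces :: caused by :: 15845 unauthorized
Fri May 4 16:33:08 [conn3] single query: config.$cmd { authenticate: 1.0, user: "dba", nonce: "<nonce>", key: "<key>" } ntoreturn: -1 options : 0
Fri May 4 16:33:28 [conn3] single query: config.system.users {} ntoreturn: 0 options : 0
'''

AUTH_RE = re.compile(r'\[(conn\d+)\] single query: ([^.\s]+)\.\$cmd \{ authenticate: .*?user: "([^"]*)"')
DENY_RE = re.compile(r'\[(conn\d+)\] AssertionException while processing op type : (\d+) '
                     r'to : (\S+) :: caused by :: 15845 unauthorized')

def unauthorized_ops(log_text):
    """Return one record per 15845 assertion, noting whether that connection
    had already sent an authenticate command covering the target database."""
    auth_seen = {}   # conn -> {db: user} for authenticate commands seen so far
    findings = []
    for line in log_text.splitlines():
        m = AUTH_RE.search(line)
        if m:
            conn, db, user = m.groups()
            auth_seen.setdefault(conn, {})[db] = user
            continue
        m = DENY_RE.search(line)
        if m:
            conn, op, ns = m.groups()
            db = ns.split(".", 1)[0]
            dbs = auth_seen.get(conn, {})
            # The log records the authenticate request, not its result.
            user = dbs.get(db) or dbs.get("admin")  # assumption: admin users cover every db
            findings.append({"conn": conn, "op": int(op), "ns": ns,
                             "auth_sent": user is not None, "user": user})
    return findings

if __name__ == "__main__":
    for finding in unauthorized_ops(SAMPLE_LOG):
        print(finding)
```

A record with `auth_sent` false points at a client that never authenticated on that connection; an empty result, as with the 4 May log in this ticket, means mongos raised no authorization error at all.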
