MongoDB shell authentication

Hi,

I am attempting to do some housekeeping on our database (see below). With v4+'s database authenticated access control enabled, I am able to get what I assume is an authenticated shell with cryosparcm mongo, but issuing a subsequent compact command returns an error: not authorized on meteor to execute command.

Apologies for the naive question, but is there a way of getting around this short of temporarily disabling CRYOSPARC_DB_ENABLE_AUTH? Perhaps an additional undocumented authentication step?

Cheers,
Yang

Does this happen inside a mongo shell that you just opened with cryosparcm mongo?
If so, what was the full command executed?

Hi @wtempel,

Thanks.

Yes.

I attempted to copy-and-paste the commands listed in the linked post. I am attaching an example stdout stream (identifying info deleted):

$ cryosparcm mongo
MongoDB shell version v3.6.23
connecting to: mongodb://<hostname_deleted>:65501/meteor?authSource=admin&gssapiServiceName=mongodb
Implicit session: session { "id" : UUID("<deleted>") }
MongoDB server version: 3.6.23
meteor:PRIMARY> db.runCommand({compact:'projects', force: true})
{
	"operationTime" : Timestamp(1670200242, 1),
	"ok" : 0,
	"errmsg" : "not authorized on meteor to execute command { compact: \"projects\", force: true, lsid: { id: UUID(\"<deleted>\") }, $clusterTime: { clusterTime: Timestamp(1670199973, 2), signature: { hash: BinData(0, <deleted>), keyId: <deleted> } }, $db: \"meteor\" }",
	"code" : 13,
	"codeName" : "Unauthorized",
	"$clusterTime" : {
		"clusterTime" : Timestamp(1670200242, 1),
		"signature" : {
			"hash" : BinData(0,"<deleted>"),
			"keyId" : NumberLong("<deleted>")
		}
	}
}

For reference, I am logged in as the linux owner of the cryoSPARC installation prior to issuing cryosparcm mongo. Also, db.stats() returns the expected output in the db shell.

Just in case it’s relevant, below are the contents of cryosparcm/config.sh. It seems to have carried over from v3.3.2 rather than being updated to a v4-like form. (The CRYOSPARC_DB_ENABLE_AUTH variable was manually added after updating to v4.)

export CRYOSPARC_LICENSE_ID="<deleted>"
export CRYOSPARC_MASTER_HOSTNAME="<hostname_deleted>"
export CRYOSPARC_DB_ENABLE_AUTH=true
export CRYOSPARC_DB_PATH="/<deleted>/cryosparc2/db"
export CRYOSPARC_BASE_PORT=65500
export CRYOSPARC_DEVELOP=false
export CRYOSPARC_INSECURE=false
export CRYOSPARC_CLICK_WRAP=true
export CRYOSPARC_SUPERVISOR_SOCK_FILE="/tmp/<deleted>.sock"

Cheers,
Yang

Hi @leetleyang,

Thanks for bringing this to our attention. To run admin commands on the database with access control enabled, you can use the following commands:

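# Load the CryoSPARC environment into the current shell
eval $(cryosparcm env)

# Build the connection URI for the admin database
mongo_uri=$(python -c "from cryosparc_compute import database_management; print(database_management.get_mongo_uri('admin'))")

# Quote the URI so the shell passes it to mongo as a single, unmodified argument
mongo "$mongo_uri"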

Hope this helps,

Nicholas Wong

Hi @nwong,

Thanks for the help. It seems to be returning a similar error though. It’s not the compact command that requires a different syntax, is it?

$ eval $(cryosparcm env)
$ mongo_uri=$(python -c "from cryosparc_compute import database_management; print(database_management.get_mongo_uri('admin'))")
$ mongo $mongo_uri
MongoDB shell version v3.6.23
connecting to: mongodb:/<hostname_redacted>:65501/admin?authSource=admin&gssapiServiceName=mongodb
Implicit session: session { "id" : UUID("<redacted>") }
MongoDB server version: 3.6.23
meteor:PRIMARY> db.runCommand({compact:'projects', force: true})
{
	"operationTime" : Timestamp(1670368747, 4),
	"ok" : 0,
	"errmsg" : "not authorized on admin to execute command { compact: \"projects\", force: true, lsid: { id: UUID(\"<redacted>\") }, $clusterTime: { clusterTime: Timestamp(1670368744, 1), signature: { hash: BinData(0, <redacted>), keyId: <redacted> } }, $db: \"admin\" }",
	"code" : 13,
	"codeName" : "Unauthorized",
	"$clusterTime" : {
		"clusterTime" : Timestamp(1670368747, 4),
		"signature" : {
			"hash" : BinData(0,"<redacted>"),
			"keyId" : NumberLong("<redacted>")
		}
	}
}

Interestingly, db.stats() returns an unauthorized error now as well unless first switching to db meteor (use meteor).

Cheers,
Yang

Hi @leetleyang,

Apologies, I forgot to include a parameter in my last reply. Could you please try it again using:

mongo_uri=$(python -c "from cryosparc_compute import database_management; print(database_management.get_mongo_uri('admin', admin=True))")

The argument admin=True is necessary to use admin credentials when connecting to the database.

Alternatively, you can also set CRYOSPARC_DB_ENABLE_AUTH=false in config.sh and restart CryoSPARC to launch the database without access control.

2 Likes
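
An added example, not code from this thread or from CryoSPARC: before running compact, the session's own privileges can be read with MongoDB's connectionStatus command (showPrivileges: true) and checked for the compact action on meteor.projects. The two reply documents and their user names are constructed samples, and the helper names resourceCovers and sessionAllows are hypothetical.

```javascript
// Constructed replies in the shape of
// db.runCommand({connectionStatus: 1, showPrivileges: true}); user names are hypothetical.
var regularSession = { ok: 1, authInfo: {
  authenticatedUsers: [{ user: "app_user", db: "admin" }],
  authenticatedUserPrivileges: [
    { resource: { db: "meteor", collection: "" },
      actions: ["find", "insert", "update", "remove", "dbStats", "collStats"] }
  ] } };
var adminSession = { ok: 1, authInfo: {
  authenticatedUsers: [{ user: "admin_user", db: "admin" }],
  authenticatedUserPrivileges: [
    { resource: { cluster: true }, actions: ["listDatabases"] },
    { resource: { db: "", collection: "" },
      actions: ["find", "dbStats", "collStats", "compact"] }
  ] } };

// True when a privilege's resource document covers <dbName>.<collName>.
// An empty "db" or "collection" is a wildcard; a wildcard collection does not
// cover system.* collections, and { cluster: true } covers no collection.
function resourceCovers(resource, dbName, collName) {
  if (resource.anyResource === true) { return true; }
  if (typeof resource.db !== "string" || typeof resource.collection !== "string") {
    return false;
  }
  var dbOk = resource.db === "" || resource.db === dbName;
  var isSystem = collName.indexOf("system.") === 0;
  var collOk = resource.collection === collName ||
               (resource.collection === "" && !isSystem);
  return dbOk && collOk;
}

// Does the session described by `status` hold `action` on <dbName>.<collName>?
function sessionAllows(status, dbName, collName, action) {
  var info = status.authInfo || {};
  var privs = info.authenticatedUserPrivileges || [];
  return privs.some(function (p) {
    return resourceCovers(p.resource, dbName, collName) &&
           p.actions.indexOf(action) !== -1;
  });
}

// In the mongo shell, pass the live reply instead of a sample:
//   sessionAllows(db.runCommand({connectionStatus: 1, showPrivileges: true}),
//                 "meteor", "projects", "compact")
```

A false result for compact predicts the code 13 "Unauthorized" reply shown earlier in the thread, without having to attempt the command.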

Hi @nwong,

Brilliant! That does the trick.

Cheers,
Yang

2 Likes