Hello, I set up a 3 Mongodb instance with Replica set, after i enforce Access control my client still able to associate with the primary instance of mongodb without any credentials.
Currently using Mongodb version 4.4.1
I did a test case with a non replica set mongodb, after i enable the configuration setting me client need to add credentials before it can associate with Mongodb.
Is there any different between a single Percona-Mongodb and a Replica set Percona Mongodb?
Hi Hao Yong.
As you have set the config option below it will require users to authenticate. There are some others options such as the “keyfile” that will turn it on implicitly too. But nothing will turn it off if you have included this.
This applies whether it is a standalone node or a replica set node. And if it is replica set node that is a part of cluster too of course.
I suspect you may be observing one of two things and misinterpreting it.
- You can make a TCP connection without authorizing. If you try to run some commands that the drivers use ‘behind the scenes’ such as db.isMaster() you can get a response because that doesn’t require authorization. But if you try to run a command such as listDatabases (“show dbs”) you will be rejected.
- A new standalone or replica set allows the localhost exception until the first user is created.
Typically on the first node in a replicaset I run:
- rs.initiate() as the first command
- use admin; db.createUser(…)
- Authentication and authorization are now enforced and I would get an error if I most commands, eg. “show dbs”, rs.status(), db.collection.find(). So I log out, log back in again as that user I just created. (You can also stay in the shell and run db.auth(…, …) instead.)
Important tip: when creating the first user make sure they have the “userAdminAnyDatabase” role in their role grants, or one of the higher roles that includes it.
Thanks for the explanation, I manage to apply the configuration after created my first user.
Cool, nice to hear. Have a nice day Hao Yong.