I have a DocDB (MongoDB instance) running on AWS. I'm using PyMongo and the Mongo shell for accessing the DB, and I was able to log in with the master credentials perfectly fine. I tried to create a new user and update the permissions.
docdb_admin.command('updateUser', 'svc_ise', roles=[{'db': 'admin', 'role': 'readWrite'}])
I cannot log in using the "svc_ise" account.
But when I tried this, it worked perfectly fine.
docdb_admin.command('updateUser', 'svc_ise', roles=[{'db': 'admin', 'role': 'root'}])
I could log in if the role is root on both PyMongo and the Mongo shell.
But I cannot log in if the role is "read", "readWrite", "dbAdmin" or "userAdmin"; nothing worked.
I need to create a non-writeable or read-only access account for this database. Can someone point me to any clues for this?
MongoDB server version: 4.0.0. I'm trying to authenticate to the admin db only, every time.
Mongo shell response:
ravi@PC14737S:~$ mongo --ssl --host abc-docdb-provision-XXXXXX.us-east-1.docdb.amazonaws.com:27017 --sslCAFile rds-combined-ca-bundle.pem --username svc_ise --password
MongoDB shell version v3.6.3
Enter password:
connecting to: mongodb://abc-docdb-provision-XXXXXX.us-east-1.docdb.amazonaws.com:27017/
MongoDB server version: 4.0.0
WARNING: shell and server versions do not match
2023-04-05T18:29:31.807-0400 E QUERY [thread1] Error: Authentication failed. :
DB.prototype._authOrThrow@src/mongo/shell/db.js:1608:20
@(auth):6:1
@(auth):1:2
exception: login failed
Tried multiple roles but failed to log in other than by giving it the root role. Seeking the community's help regarding this login issue.
Update:
Recreated another DocDB instance; now it shows I could log in. But then I ran the show users; command.
CLI Logs:
ravi@PC14737S:~$ mongo --ssl --host abc.efgh.ks.us-east-1.docdb.amazonaws.com:27017 --sslCAFile rds-combined-ca-bundle.pem --username svc_ise_read --password
MongoDB shell version v3.6.3
Enter password:
connecting to: mongodb://abc.efgh.ks.us-east-1.docdb.amazonaws.com:27017/
MongoDB server version: 5.0.0
WARNING: shell and server versions do not match
rs0:PRIMARY> use admin;
switched to db admin
rs0:PRIMARY> show users;
2023-04-06T14:13:43.260-0400 E QUERY [thread1] Error: Authorization failure :
_getErrorWithCode@src/mongo/shell/utils.js:25:13
DB.prototype.getUsers@src/mongo/shell/db.js:1686:1
shellHelper.show@src/mongo/shell/utils.js:799:9
shellHelper@src/mongo/shell/utils.js:706:15
@(shellhelp2):1:1
Failure logs from the CloudWatch audit:
{
  "atype": "authenticate",
  "ts": 1680740196642,
  "remote_ip": "10.XX.XX.XX:3784",
  "user": "",
  "param": {
    "user": "svc_ise",
    "mechanism": "",
    "success": false,
    "message": "Authentication failure",
    "error": 18
  }
}
By default, MongoDB's and DocumentDB's read role doesn't have the viewUser privilege action on the built-in role. We need to add that action.
I could resolve this issue using an RBAC policy. I created a custom role policy like:
db.createRole(
  {
    role: "CustomViewUsers",
    privileges: [
      { resource: { db: "admin", collection: "" }, actions: [ "viewRole", "viewUser" ] }
    ],
    roles: [
      { role: "read", db: "admin" }
    ]
  }
)
And attached that role to the user account:
db.grantRolesToUser("svc_ise_read",["CustomViewUsers"])
Then I could run the "usersInfo" command or "show users" without any issue.
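As an added example (not code from the answer above), the same least-privilege setup expressed as PyMongo command documents, plus a small audit that checks a role's effective privileges against a read-only allowlist so that granting viewUser/viewRole does not silently bring in write or user-management actions. The `rolesInfo`-shaped sample documents are constructed for illustration; `apply_to_server`, `READ_ONLY_ACTIONS` and the allowlist contents are this example's own assumptions, not DocumentDB built-ins.

```python
"""Least-privilege role for viewing users on MongoDB/DocumentDB, built as
PyMongo command documents, with an audit of a role's effective actions.
Added example; the command shapes mirror the db.createRole / db.grantRolesToUser
calls from the answer, the audit allowlist is an assumption of this example."""
from typing import Dict, Iterable, List, Set

# Actions a read/inspect-only role is allowed to carry (assumed allowlist).
# Anything else (insert, update, remove, createUser, ...) is flagged.
READ_ONLY_ACTIONS: Set[str] = {
    "find", "listCollections", "listIndexes", "collStats", "dbStats",
    "listDatabases", "viewRole", "viewUser", "changeStream",
}


def custom_view_users_role(db_name: str = "admin") -> Dict:
    """Command document equivalent to the db.createRole(...) in the answer."""
    return {
        "createRole": "CustomViewUsers",
        "privileges": [
            {"resource": {"db": db_name, "collection": ""},
             "actions": ["viewRole", "viewUser"]}
        ],
        "roles": [{"role": "read", "db": db_name}],
    }


def grant_role_command(user: str, roles: Iterable[str]) -> Dict:
    """Command document equivalent to db.grantRolesToUser(user, [...])."""
    return {"grantRolesToUser": user, "roles": list(roles)}


def audit_role(role_doc: Dict, allowed: Set[str] = READ_ONLY_ACTIONS) -> List[str]:
    """Return the actions in a rolesInfo document (fetched with
    showPrivileges=True) that fall outside the read-only allowlist.
    An empty list means the role grants nothing beyond read/inspect."""
    unexpected: List[str] = []
    for key in ("privileges", "inheritedPrivileges"):
        for priv in role_doc.get(key, []):
            for action in priv.get("actions", []):
                if action not in allowed and action not in unexpected:
                    unexpected.append(action)
    return sorted(unexpected)


# Constructed samples shaped like the output of
# admin_db.command("rolesInfo", {"role": "...", "db": "admin"}, showPrivileges=True).
# Values are illustrative, not captured from a DocumentDB cluster.
SAMPLE_VIEW_USERS_ROLE = {
    "role": "CustomViewUsers", "db": "admin",
    "privileges": [{"resource": {"db": "admin", "collection": ""},
                    "actions": ["viewRole", "viewUser"]}],
    "inheritedPrivileges": [
        {"resource": {"db": "admin", "collection": ""},
         "actions": ["find", "listCollections", "listIndexes",
                     "viewRole", "viewUser"]},
    ],
}

SAMPLE_OVERBROAD_ROLE = {
    "role": "ServiceRole", "db": "admin",
    "privileges": [{"resource": {"db": "admin", "collection": ""},
                    "actions": ["find", "insert", "update", "createUser"]}],
}


def apply_to_server(admin_db) -> None:
    """Optional helper (assumed): run both commands against a live server,
    e.g. apply_to_server(MongoClient(uri)["admin"]). Not executed here."""
    admin_db.command(custom_view_users_role())
    admin_db.command(grant_role_command("svc_ise_read", ["CustomViewUsers"]))


if __name__ == "__main__":
    print(audit_role(SAMPLE_VIEW_USERS_ROLE))  # []
    print(audit_role(SAMPLE_OVERBROAD_ROLE))   # ['createUser', 'insert', 'update']
```

Running `audit_role` over the output of `rolesInfo` with `showPrivileges=True` after each change is a cheap way to confirm that a "read-only" service account really stayed read-only, which is the point of building a custom role instead of falling back to root.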