-->
These old forums are deprecated now and set to read-only. We are waiting for you on our new forums!
More modern, Discourse-based and with GitHub/Google/Twitter authentication built-in.

All times are UTC - 5 hours [ DST ]



Forum locked This topic is locked, you cannot edit posts or make further replies.  [ 10 posts ] 
Author Message
 Post subject: MongoDB in Secure Mode, which roles are needed
PostPosted: Tue Apr 07, 2015 5:12 am 
Newbie

Joined: Thu Nov 20, 2014 10:05 am
Posts: 15
As we want to deploy our app in a production environment, we want our mongod to run in secure mode (--auth). To enable our application the access to mongo we created this user:
Code:
{
        "_id" : "sma.sma",
        "user" : "sma",
        "db" : "sma",
        "roles" : [
                {
                        "role" : "dbAdmin",
                        "db" : "sma"
                },
                {
                        "role" : "userAdminAnyDatabase",
                        "db" : "admin"
                }
        ]
}


We are unsure about the roles, which are needed for OGM, using the role "userAdminAnyDatabase" would be enough to test the access to our mongo, but we get the following exception:

Code:
Caused by: com.mongodb.CommandFailureException: { "serverUsed" : "localhost:27017" , "ok" : 0.0 , "errmsg" : "not authorized on admin to execute command { listDatabases: 1 }" , "code" : 13}
   at com.mongodb.CommandResult.getException(CommandResult.java:76)
   at com.mongodb.CommandResult.throwOnError(CommandResult.java:131)
   at com.mongodb.Mongo.getDatabaseNames(Mongo.java:397)
   at org.hibernate.ogm.datastore.mongodb.impl.MongoDBDatastoreProvider.extractDatabase(MongoDBDatastoreProvider.java:134)
   ... 29 more


Like in mongo doc described (http://docs.mongodb.org/manual/reference/built-in-roles/) the role has the needed right for the "listDatabases" - operation. Maybe you can help me, thank you in advantage.

Best regards Br3aker


Top
 Profile  
 
 Post subject: Re: MongoDB in Secure Mode, which roles are needed
PostPosted: Tue Apr 07, 2015 8:02 am 
Hibernate Team
Hibernate Team

Joined: Fri Sep 09, 2011 3:18 am
Posts: 295
Hi,
May I ask you which Hibernate OGM version are you using?

It seems a bug that should be solved since version 4.1.2.Final
With the latest versions you should be able to connect or at least have a better error message.


Top
 Profile  
 
 Post subject: Re: MongoDB in Secure Mode, which roles are needed
PostPosted: Wed Apr 08, 2015 4:10 am 
Newbie

Joined: Thu Nov 20, 2014 10:05 am
Posts: 15
Thx for fast answer,

ok, i used the 4.1.0.Beta8 version i updated the now:
Code:
      <dependency>
           <groupId>org.hibernate.ogm</groupId>
           <artifactId>hibernate-ogm-core</artifactId>
           <version>4.1.2.Final</version>
         </dependency>
      <dependency>
          <groupId>org.hibernate.ogm</groupId>
          <artifactId>hibernate-ogm-mongodb</artifactId>
          <version>4.1.2.Final</version>
      </dependency>


Starting my application the exception is now a bit different:

Code:
Exception in thread "Thread-3" java.lang.ExceptionInInitializerError
   at hibernate.HibernateUtil.<clinit>(HibernateUtil.java:20)
   at hibernate.HibernateLoad.loadCrawljobs(HibernateLoad.java:70)
   at crawljob.CrawljobStarter.startCrawljobs(CrawljobStarter.java:29)
   at crawljob.CrawljobStarter.run(CrawljobStarter.java:39)
Caused by: org.hibernate.service.spi.ServiceException: OGM000071: Unable to start datatore provider
   at org.hibernate.ogm.datastore.mongodb.impl.MongoDBDatastoreProvider.start(MongoDBDatastoreProvider.java:115)
   at org.hibernate.service.internal.AbstractServiceRegistryImpl.startService(AbstractServiceRegistryImpl.java:329)
   at org.hibernate.service.internal.AbstractServiceRegistryImpl.initializeService(AbstractServiceRegistryImpl.java:237)
   at org.hibernate.service.internal.AbstractServiceRegistryImpl.getService(AbstractServiceRegistryImpl.java:206)
   at org.hibernate.ogm.dialect.impl.GridDialectInitiator.initiateService(GridDialectInitiator.java:48)
   at org.hibernate.ogm.dialect.impl.GridDialectInitiator.initiateService(GridDialectInitiator.java:32)
   at org.hibernate.boot.registry.internal.StandardServiceRegistryImpl.initiateService(StandardServiceRegistryImpl.java:105)
   at org.hibernate.service.internal.AbstractServiceRegistryImpl.createService(AbstractServiceRegistryImpl.java:251)
   at org.hibernate.service.internal.AbstractServiceRegistryImpl.initializeService(AbstractServiceRegistryImpl.java:225)
   at org.hibernate.service.internal.AbstractServiceRegistryImpl.getService(AbstractServiceRegistryImpl.java:206)
   at org.hibernate.ogm.dialect.impl.OgmDialectFactoryInitiator$OgmDialectFactory.<init>(OgmDialectFactoryInitiator.java:51)
   at org.hibernate.ogm.dialect.impl.OgmDialectFactoryInitiator.buildServiceInstance(OgmDialectFactoryInitiator.java:33)
   at org.hibernate.ogm.dialect.impl.OgmDialectFactoryInitiator.buildServiceInstance(OgmDialectFactoryInitiator.java:27)
   at org.hibernate.ogm.service.impl.OptionalServiceInitiator.initiateService(OptionalServiceInitiator.java:23)
   at org.hibernate.boot.registry.internal.StandardServiceRegistryImpl.initiateService(StandardServiceRegistryImpl.java:105)
   at org.hibernate.service.internal.AbstractServiceRegistryImpl.createService(AbstractServiceRegistryImpl.java:251)
   at org.hibernate.service.internal.AbstractServiceRegistryImpl.initializeService(AbstractServiceRegistryImpl.java:225)
   at org.hibernate.service.internal.AbstractServiceRegistryImpl.getService(AbstractServiceRegistryImpl.java:206)
   at org.hibernate.engine.jdbc.internal.JdbcServicesImpl.configure(JdbcServicesImpl.java:95)
   at org.hibernate.ogm.service.impl.OgmJdbcServicesInitiator$OgmJdbcServicesImpl.configure(OgmJdbcServicesInitiator.java:56)
   at org.hibernate.boot.registry.internal.StandardServiceRegistryImpl.configureService(StandardServiceRegistryImpl.java:111)
   at org.hibernate.service.internal.AbstractServiceRegistryImpl.initializeService(AbstractServiceRegistryImpl.java:234)
   at org.hibernate.service.internal.AbstractServiceRegistryImpl.getService(AbstractServiceRegistryImpl.java:206)
   at org.hibernate.cfg.Configuration.buildTypeRegistrations(Configuration.java:1887)
   at org.hibernate.cfg.Configuration.buildSessionFactory(Configuration.java:1845)
   at hibernate.HibernateUtil.<clinit>(HibernateUtil.java:18)
   ... 3 more
Caused by: org.hibernate.HibernateException: OGM001214: Unable to connect to MongoDB instance localhost:27017
   at org.hibernate.ogm.datastore.mongodb.impl.MongoDBDatastoreProvider.extractDatabase(MongoDBDatastoreProvider.java:182)
   at org.hibernate.ogm.datastore.mongodb.impl.MongoDBDatastoreProvider.start(MongoDBDatastoreProvider.java:110)
   ... 28 more
Caused by: com.mongodb.MongoException: not authorized for query on sma.system.namespaces
   at com.mongodb.QueryResultIterator.throwOnQueryFailure(QueryResultIterator.java:214)
   at com.mongodb.QueryResultIterator.init(QueryResultIterator.java:198)
   at com.mongodb.QueryResultIterator.initFromQueryResponse(QueryResultIterator.java:176)
   at com.mongodb.QueryResultIterator.<init>(QueryResultIterator.java:64)
   at com.mongodb.DBCollectionImpl.find(DBCollectionImpl.java:86)
   at com.mongodb.DBCollectionImpl.find(DBCollectionImpl.java:66)
   at com.mongodb.DB.getCollectionNames(DB.java:512)
   at com.mongodb.DB.collectionExists(DB.java:555)
   at org.hibernate.ogm.datastore.mongodb.impl.MongoDBDatastoreProvider.extractDatabase(MongoDBDatastoreProvider.java:173)
   ... 29 more


To give you some additional information here content from my hibernate.cfg.xml:
Code:
<property name="hibernate.transaction.factory_class">org.hibernate.transaction.JTATransactionFactory</property>
       <property name="hibernate.transaction.jta.platform">org.hibernate.service.jta.platform.internal.JBossStandAloneJtaPlatform</property>
       <property name="hibernate.ogm.datastore.provider">mongodb</property>
       <property name="hibernate.ogm.datastore.database">sma</property>
       <property name="hibernate.ogm.mongodb.username">sma</property>
        <property name="hibernate.ogm.mongodb.password">3dn2g4ni9sd8</property>
        <property name="current_session_context_class">thread</property>


Top
 Profile  
 
 Post subject: Re: MongoDB in Secure Mode, which roles are needed
PostPosted: Wed Apr 08, 2015 5:20 am 
Hibernate Team
Hibernate Team

Joined: Fri Sep 09, 2011 3:18 am
Posts: 295
Username and password should be set using the following properties:

Code:
hibernate.ogm.datastore.username
hibernate.ogm.datastore.password


Hope this help,
Davide


Top
 Profile  
 
 Post subject: Re: MongoDB in Secure Mode, which roles are needed
PostPosted: Wed Apr 08, 2015 6:56 am 
Newbie

Joined: Thu Nov 20, 2014 10:05 am
Posts: 15
That was it :), nice!

I can now turn on secure mode, and access the database with my user. It works well now thy!


Top
 Profile  
 
 Post subject: Re: MongoDB in Secure Mode, which roles are needed
PostPosted: Wed Apr 08, 2015 7:38 am 
Hibernate Team
Hibernate Team

Joined: Fri Sep 09, 2011 3:18 am
Posts: 295
Cool :)


Top
 Profile  
 
 Post subject: Re: MongoDB in Secure Mode, which roles are needed
PostPosted: Thu Apr 30, 2015 8:01 am 
Newbie

Joined: Thu Nov 20, 2014 10:05 am
Posts: 15
Hello guys, i am back again with a new issue.

Our project partners try to deploy our application, which works fine with mongodb version 2.6. But they use the newest version 3.0 and here the issue comes.
Since MongoDB Version 3.X they changed their Credentials from MONGODB-CR to SCRAM-SHA-1, as our database user trys to connect to the mongo service, the following lines appear at the mongo console:

2015-04-30T09:55:20.471+0100 I ACCESS [conn33] authenticate db: sma { authenticate: 1, user: "sma", nonce: "xxx", key: "xxx" }
2015-04-30T09:55:20.471+0100 I ACCESS [conn33] Failed to authenticate sma@sma with mechanism MONGODB-CR: AuthenticationFailed MONGODB-CR credentials missing in the user document

Is there any workaround? Their documentation says nothing about credentials when creating a user:
http://docs.mongodb.org/manual/reference/method/db.createUser/

Best Regards!


Top
 Profile  
 
 Post subject: Re: MongoDB in Secure Mode, which roles are needed
PostPosted: Mon May 04, 2015 7:32 am 
Hibernate Team
Hibernate Team

Joined: Sun Sep 14, 2003 3:54 am
Posts: 7256
Location: Paris, France
We have identified this problem and plan on fixing it for OGM 4.2
https://hibernate.atlassian.net/browse/OGM-791

There is a workaround on the mongodb side in the mean time as described in https://hibernate.atlassian.net/browse/OGM-740?focusedCommentId=66876&page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-66876

_________________
Emmanuel


Top
 Profile  
 
 Post subject: Re: MongoDB in Secure Mode, which roles are needed
PostPosted: Wed May 06, 2015 3:24 am 
Newbie

Joined: Thu Nov 20, 2014 10:05 am
Posts: 15
Thank you i will look forward to teh next release then, as long it takes we did downgrade on a lower version of mongo and now it seems to work ;).


Top
 Profile  
 
 Post subject: Re: MongoDB in Secure Mode, which roles are needed
PostPosted: Thu May 07, 2015 2:18 am 
Hibernate Team
Hibernate Team

Joined: Sun Sep 14, 2003 3:54 am
Posts: 7256
Location: Paris, France
If you are adventurous, can you try this pull request and tell us if that fixes the problem on your side https://github.com/hibernate/hibernate-ogm/pull/526

_________________
Emmanuel


Top
 Profile  
 
Display posts from previous:  Sort by  
Forum locked This topic is locked, you cannot edit posts or make further replies.  [ 10 posts ] 

All times are UTC - 5 hours [ DST ]


You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum

Search for:
cron
© Copyright 2014, Red Hat Inc. All rights reserved. JBoss and Hibernate are registered trademarks and servicemarks of Red Hat, Inc.