PyMongo - UserNotFound: Could not find user authenticated@admin

Time: 2017-06-22 11:55:47

Tags: mongodb docker pymongo-3.x

I checked the permissions of /etc/mongod.conf:

vagrant@trusty64:/vagrant/test$ sudo docker exec -it mongodb ls -l /etc/mongod.conf
-rw-r--r-- 1 root root 472 Jun 22 00:09 /etc/mongod.conf

Then I checked its contents:

vagrant@trusty64:/vagrant/test$ sudo docker exec -it mongodb cat /etc/mongod.conf
## mongodb.conf, this file is enforced by puppet.
##
## Note: http://docs.mongodb.org/manual/reference/configuration-options/
##

## where and how to store data.
storage:
  dbPath: /var/lib/mongodb
  journal:
    enabled: true

## where to write logging data.
systemLog:
  destination: file
  logAppend: true
  path: /var/log/mongodb/mongod.log

## network interfaces
net:
  port: 27017
  bindIp: 0.0.0.0

## mongodb process
processManagement:
  pidFilePath: /var/run/mongod.pid

## role-based access controls
#security:
#   authorization: enabled

Next, I added a mongodb user, adjusted mongod.conf, and restarted the mongod process:

vagrant@trusty64:/vagrant/test$ sudo docker exec -it mongodb sudo mongo mongodb://mongodb:27017 --eval "db.getSiblingDB('admin'); db.createUser({\
    user: 'authenticated',\
    pwd: 'password',\
    roles: [\
        'readWrite',\
        'userAdmin',\
        'dbAdmin',\
        { role: 'readWrite', db: 'dataset' },\
        { role: 'userAdmin', db: 'dataset' },\
        { role: 'dbAdmin', db: 'dataset' },\
    ]\
},\
{ w: 'majority' , wtimeout: 5000 } )" --quiet
sudo docker exec -it mongodb sudo sed -i "/#[[:space:]]*security:/s/^#//g" /etc/mongod.conf
sudo docker exec -it mongodb sudo sed -i "/#[[:space:]]*authorization:[[:space:]]*enabled/s/^#//g" /etc/mongod.conf
sudo docker restart mongodb

Now I am ready to try the pymongo connector from a docker container:

vagrant@trusty64:/vagrant/test$ sudo docker exec -it webserver python
Python 2.7.6 (default, Oct 26 2016, 20:30:19)
[GCC 4.8.4] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> from pymongo import MongoClient, errors
>>> cur = MongoClient("mongodb://authenticated:password@mongodb:27017/admin")
>>> db = cur['dataset']
>>> col = db['svm']
>>> posts = col.posts
>>> result = posts.insert_one({'one': 'two'})
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "/usr/local/lib/python2.7/dist-packages/pymongo/collection.py", line 654, in insert_one
    with self._socket_for_writes() as sock_info:
  File "/usr/lib/python2.7/contextlib.py", line 17, in __enter__
    return self.gen.next()
  File "/usr/local/lib/python2.7/dist-packages/pymongo/mongo_client.py", line 825, in _get_socket
    with server.get_socket(self.__all_credentials) as sock_info:
  File "/usr/lib/python2.7/contextlib.py", line 17, in __enter__
    return self.gen.next()
  File "/usr/local/lib/python2.7/dist-packages/pymongo/server.py", line 168, in get_socket
    with self.pool.get_socket(all_credentials, checkout) as sock_info:
  File "/usr/lib/python2.7/contextlib.py", line 17, in __enter__
    return self.gen.next()
  File "/usr/local/lib/python2.7/dist-packages/pymongo/pool.py", line 792, in get_socket
    sock_info.check_auth(all_credentials)
  File "/usr/local/lib/python2.7/dist-packages/pymongo/pool.py", line 512, in check_auth
    auth.authenticate(credentials, self)
  File "/usr/local/lib/python2.7/dist-packages/pymongo/auth.py", line 470, in authenticate
    auth_func(credentials, sock_info)
  File "/usr/local/lib/python2.7/dist-packages/pymongo/auth.py", line 450, in _authenticate_default
    return _authenticate_scram_sha1(credentials, sock_info)
  File "/usr/local/lib/python2.7/dist-packages/pymongo/auth.py", line 201, in _authenticate_scram_sha1
    res = sock_info.command(source, cmd)
  File "/usr/local/lib/python2.7/dist-packages/pymongo/pool.py", line 419, in command
    collation=collation)
  File "/usr/local/lib/python2.7/dist-packages/pymongo/network.py", line 116, in command
    parse_write_concern_error=parse_write_concern_error)
  File "/usr/local/lib/python2.7/dist-packages/pymongo/helpers.py", line 210, in _check_command_response
    raise OperationFailure(msg % errmsg, code, response)
pymongo.errors.OperationFailure: Authentication failed.

I am rejected with Authentication failed. I confirmed that our /etc/mongod.conf configuration file was correctly adjusted with respect to the authorization directive:

vagrant@trusty64:/vagrant/test$ sudo docker exec -it mongodb cat /etc/mongod.conf
## mongodb.conf, this file is enforced by puppet.
##
## Note: http://docs.mongodb.org/manual/reference/configuration-options/
##

## where and how to store data.
storage:
  dbPath: /var/lib/mongodb
  journal:
    enabled: true

## where to write logging data.
systemLog:
  destination: file
  logAppend: true
  path: /var/log/mongodb/mongod.log

## network interfaces
net:
  port: 27017
  bindIp: 0.0.0.0

## mongodb process
processManagement:
  pidFilePath: /var/run/mongod.pid

## role-based access controls
security:
   authorization: enabled

I also checked the logs and the status of the corresponding process:

vagrant@trusty64:/vagrant/test$ sudo docker exec -it webserver sudo telnet mongodb 27017
Trying 172.18.0.2...
Connected to mongodb.
Escape character is '^]'.
telnet> quit
vagrant@trusty64:/vagrant/test$ cat /var/log/mongodb/mongod.log
[LOGS OMITTED...]
vagrant@trusty64:/vagrant/test$ sudo docker exec -it mongodb cat /var/log/mongodb/mongod.log
2017-06-22T15:47:06.359-0400 I CONTROL  [initandlisten] MongoDB starting : pid=1 port=27017 dbpath=/var/lib/mongodb 64-bit host=4a5966185063
2017-06-22T15:47:06.360-0400 I CONTROL  [initandlisten] db version v3.2.14
2017-06-22T15:47:06.360-0400 I CONTROL  [initandlisten] git version: 92f6668a768ebf294bd4f494c50f48459198e6a3
2017-06-22T15:47:06.360-0400 I CONTROL  [initandlisten] OpenSSL version: OpenSSL 1.0.1f 6 Jan 2014
2017-06-22T15:47:06.360-0400 I CONTROL  [initandlisten] allocator: tcmalloc
2017-06-22T15:47:06.360-0400 I CONTROL  [initandlisten] modules: none
2017-06-22T15:47:06.360-0400 I CONTROL  [initandlisten] build environment:
2017-06-22T15:47:06.360-0400 I CONTROL  [initandlisten]     distmod: ubuntu1404
2017-06-22T15:47:06.360-0400 I CONTROL  [initandlisten]     distarch: x86_64
2017-06-22T15:47:06.360-0400 I CONTROL  [initandlisten]     target_arch: x86_64
2017-06-22T15:47:06.360-0400 I CONTROL  [initandlisten] options: { config: "/etc/mongod.conf", net: { bindIp: "0.0.0.0", port: 27017 }, processManagement: { pidFilePath: "/var/run/mongod.pid" }, storage: { dbPath: "/var/lib/mongodb", journal: { enabled: true } }, systemLog: { destination: "file", logAppend: true, path: "/var/log/mongodb/mongod.log" } }
2017-06-22T15:47:06.393-0400 I STORAGE  [initandlisten] wiredtiger_open config: create,cache_size=1G,session_max=20000,eviction=(threads_min=4,threads_max=4),config_base=false,statistics=(fast),log=(enabled=true,archive=true,path=journal,compressor=snappy),file_manager=(close_idle_time=100000),checkpoint=(wait=60,log_size=2GB),statistics_log=(wait=0),
2017-06-22T15:47:07.211-0400 I CONTROL  [initandlisten] ** WARNING: You are running this process as the root user, which is not recommended.
2017-06-22T15:47:07.211-0400 I CONTROL  [initandlisten]
2017-06-22T15:47:07.211-0400 I CONTROL  [initandlisten]
2017-06-22T15:47:07.211-0400 I CONTROL  [initandlisten] ** WARNING: /sys/kernel/mm/transparent_hugepage/enabled is 'always'.
2017-06-22T15:47:07.211-0400 I CONTROL  [initandlisten] **        We suggest setting it to 'never'
2017-06-22T15:47:07.211-0400 I CONTROL  [initandlisten]
2017-06-22T15:47:07.211-0400 I CONTROL  [initandlisten] ** WARNING: /sys/kernel/mm/transparent_hugepage/defrag is 'always'.
2017-06-22T15:47:07.211-0400 I CONTROL  [initandlisten] **        We suggest setting it to 'never'
2017-06-22T15:47:07.211-0400 I CONTROL  [initandlisten]
2017-06-22T15:47:07.504-0400 I FTDC     [initandlisten] Initializing full-time diagnostic data capture with directory '/var/lib/mongodb/diagnostic.data'
2017-06-22T15:47:07.504-0400 I NETWORK  [initandlisten] waiting for connections on port 27017
2017-06-22T15:47:07.505-0400 I NETWORK  [HostnameCanonicalizationWorker] Starting hostname canonicalization worker
2017-06-22T15:47:08.713-0400 I NETWORK  [initandlisten] connection accepted from 172.18.0.2:39746 #1 (1 connection now open)
2017-06-22T15:47:09.008-0400 I COMMAND  [conn1] insert admin.system.users ninserted:1 keyUpdates:0 writeConflicts:0 numYields:0 locks:{ Global: { acquireCount: { r: 4, w: 4 } }, Database: { acquireCount: { W: 4 } }, Collection: { acquireCount: { w: 1 } } } 151ms
2017-06-22T15:47:09.008-0400 I COMMAND  [conn1] command test.$cmd command: createUser { createUser: "authenticated", pwd: "xxx", roles: [ "readWrite", "userAdmin", "dbAdmin", { role: "readWrite", db: "dataset" }, { role: "userAdmin", db: "dataset" }, { role: "dbAdmin", db: "dataset" } ], digestPassword: false, writeConcern: { w: "majority", wtimeout: 5000.0 } } keyUpdates:0 writeConflicts:0 numYields:0 reslen:22 locks:{ Global: { acquireCount: { r: 4, w: 4 } }, Database: { acquireCount: { W: 4 } }, Collection: { acquireCount: { w: 1 } } } protocol:op_command 280ms
2017-06-22T15:47:09.198-0400 I NETWORK  [conn1] end connection 172.18.0.2:39746 (0 connections now open)
2017-06-22T15:47:09.744-0400 I CONTROL  [signalProcessingThread] got signal 15 (Terminated), will terminate after current cmd ends
2017-06-22T15:47:09.749-0400 I FTDC     [signalProcessingThread] Shutting down full-time diagnostic data capture
2017-06-22T15:47:09.753-0400 I CONTROL  [signalProcessingThread] now exiting
2017-06-22T15:47:09.753-0400 I NETWORK  [signalProcessingThread] shutdown: going to close listening sockets...
2017-06-22T15:47:09.753-0400 I NETWORK  [signalProcessingThread] closing listening socket: 6
2017-06-22T15:47:09.753-0400 I NETWORK  [signalProcessingThread] closing listening socket: 7
2017-06-22T15:47:09.753-0400 I NETWORK  [signalProcessingThread] removing socket file: /tmp/mongodb-27017.sock
2017-06-22T15:47:09.754-0400 I NETWORK  [signalProcessingThread] shutdown: going to flush diaglog...
2017-06-22T15:47:09.754-0400 I NETWORK  [signalProcessingThread] shutdown: going to close sockets...
2017-06-22T15:47:09.754-0400 I STORAGE  [signalProcessingThread] WiredTigerKVEngine shutting down
2017-06-22T15:47:10.044-0400 I STORAGE  [signalProcessingThread] shutdown: removing fs lock...
2017-06-22T15:47:10.045-0400 I CONTROL  [signalProcessingThread] dbexit:  rc: 0
2017-06-22T15:47:10.825-0400 I CONTROL  [main] ***** SERVER RESTARTED *****
2017-06-22T15:47:10.922-0400 I CONTROL  [initandlisten] MongoDB starting : pid=1 port=27017 dbpath=/var/lib/mongodb 64-bit host=4a5966185063
2017-06-22T15:47:10.922-0400 I CONTROL  [initandlisten] db version v3.2.14
2017-06-22T15:47:10.922-0400 I CONTROL  [initandlisten] git version: 92f6668a768ebf294bd4f494c50f48459198e6a3
2017-06-22T15:47:10.922-0400 I CONTROL  [initandlisten] OpenSSL version: OpenSSL 1.0.1f 6 Jan 2014
2017-06-22T15:47:10.922-0400 I CONTROL  [initandlisten] allocator: tcmalloc
2017-06-22T15:47:10.922-0400 I CONTROL  [initandlisten] modules: none
2017-06-22T15:47:10.922-0400 I CONTROL  [initandlisten] build environment:
2017-06-22T15:47:10.922-0400 I CONTROL  [initandlisten]     distmod: ubuntu1404
2017-06-22T15:47:10.922-0400 I CONTROL  [initandlisten]     distarch: x86_64
2017-06-22T15:47:10.922-0400 I CONTROL  [initandlisten]     target_arch: x86_64
2017-06-22T15:47:10.923-0400 I CONTROL  [initandlisten] options: { config: "/etc/mongod.conf", net: { bindIp: "0.0.0.0", port: 27017 }, processManagement: { pidFilePath: "/var/run/mongod.pid" }, security: { authorization: "enabled" }, storage: { dbPath: "/var/lib/mongodb", journal: { enabled: true } }, systemLog: { destination: "file", logAppend: true, path: "/var/log/mongodb/mongod.log" } }
2017-06-22T15:47:10.940-0400 I -        [initandlisten] Detected data files in /var/lib/mongodb created by the 'wiredTiger' storage engine, so setting the active storage engine to 'wiredTiger'.
2017-06-22T15:47:10.940-0400 I STORAGE  [initandlisten] wiredtiger_open config: create,cache_size=1G,session_max=20000,eviction=(threads_min=4,threads_max=4),config_base=false,statistics=(fast),log=(enabled=true,archive=true,path=journal,compressor=snappy),file_manager=(close_idle_time=100000),checkpoint=(wait=60,log_size=2GB),statistics_log=(wait=0),
2017-06-22T15:47:13.466-0400 I CONTROL  [initandlisten] ** WARNING: You are running this process as the root user, which is not recommended.
2017-06-22T15:47:13.467-0400 I CONTROL  [initandlisten]
2017-06-22T15:47:13.468-0400 I CONTROL  [initandlisten]
2017-06-22T15:47:13.468-0400 I CONTROL  [initandlisten] ** WARNING: /sys/kernel/mm/transparent_hugepage/enabled is 'always'.
2017-06-22T15:47:13.468-0400 I CONTROL  [initandlisten] **        We suggest setting it to 'never'
2017-06-22T15:47:13.468-0400 I CONTROL  [initandlisten]
2017-06-22T15:47:13.468-0400 I CONTROL  [initandlisten] ** WARNING: /sys/kernel/mm/transparent_hugepage/defrag is 'always'.
2017-06-22T15:47:13.468-0400 I CONTROL  [initandlisten] **        We suggest setting it to 'never'
2017-06-22T15:47:13.468-0400 I CONTROL  [initandlisten]
2017-06-22T15:47:13.876-0400 I FTDC     [initandlisten] Initializing full-time diagnostic data capture with directory '/var/lib/mongodb/diagnostic.data'
2017-06-22T15:47:13.876-0400 I NETWORK  [initandlisten] waiting for connections on port 27017
2017-06-22T15:47:13.876-0400 I NETWORK  [HostnameCanonicalizationWorker] Starting hostname canonicalization worker
2017-06-22T15:48:13.362-0400 I NETWORK  [initandlisten] connection accepted from 172.18.0.6:39426 #1 (1 connection now open)
2017-06-22T15:48:13.492-0400 I NETWORK  [initandlisten] connection accepted from 172.18.0.6:39428 #2 (2 connections now open)
2017-06-22T15:48:13.528-0400 I ACCESS   [conn2] SCRAM-SHA-1 authentication failed for authenticated on admin from client 172.18.0.6 ; UserNotFound: Could not find user authenticated@admin
2017-06-22T15:48:30.488-0400 I NETWORK  [initandlisten] connection accepted from 172.18.0.6:39454 #3 (3 connections now open)
2017-06-22T15:48:30.493-0400 I NETWORK  [initandlisten] connection accepted from 172.18.0.6:39456 #4 (4 connections now open)
2017-06-22T15:48:30.495-0400 I ACCESS   [conn4] SCRAM-SHA-1 authentication failed for authenticated on admin from client 172.18.0.6 ; UserNotFound: Could not find user authenticated@admin
2017-06-22T15:48:34.065-0400 I NETWORK  [conn2] end connection 172.18.0.6:39428 (3 connections now open)
2017-06-22T15:48:34.065-0400 I NETWORK  [conn1] end connection 172.18.0.6:39426 (2 connections now open)
2017-06-22T15:48:44.930-0400 I NETWORK  [conn4] end connection 172.18.0.6:39456 (1 connection now open)
2017-06-22T15:48:44.930-0400 I NETWORK  [conn3] end connection 172.18.0.6:39454 (0 connections now open)
2017-06-22T15:48:46.287-0400 I NETWORK  [initandlisten] connection accepted from 172.18.0.6:39484 #5 (1 connection now open)
2017-06-22T15:48:46.291-0400 I NETWORK  [initandlisten] connection accepted from 172.18.0.6:39486 #6 (2 connections now open)
2017-06-22T15:48:46.293-0400 I ACCESS   [conn6] SCRAM-SHA-1 authentication failed for authenticated on admin from client 172.18.0.6 ; UserNotFound: Could not find user authenticated@admin
2017-06-22T15:48:58.031-0400 I NETWORK  [conn6] end connection 172.18.0.6:39486 (1 connection now open)
2017-06-22T15:48:58.032-0400 I NETWORK  [conn5] end connection 172.18.0.6:39484 (0 connections now open)
2017-06-22T15:49:02.907-0400 I NETWORK  [initandlisten] connection accepted from 172.18.0.6:39512 #7 (1 connection now open)
2017-06-22T15:49:02.912-0400 I NETWORK  [initandlisten] connection accepted from 172.18.0.6:39514 #8 (2 connections now open)
2017-06-22T15:49:02.915-0400 I ACCESS   [conn8] SCRAM-SHA-1 authentication failed for authenticated on admin from client 172.18.0.6 ; UserNotFound: Could not find user authenticated@admin
2017-06-22T15:49:10.806-0400 I NETWORK  [conn8] end connection 172.18.0.6:39514 (1 connection now open)
2017-06-22T15:49:10.807-0400 I NETWORK  [conn7] end connection 172.18.0.6:39512 (0 connections now open)

vagrant@trusty64:/vagrant/test$ sudo docker exec -it mongodb netstat -ntlup
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:27017           0.0.0.0:*               LISTEN      1/mongod
tcp        0      0 127.0.0.11:44122        0.0.0.0:*               LISTEN      -
udp        0      0 127.0.0.11:49005        0.0.0.0:*           

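I thought I had created a user with the steps above. Did I create the user on the local database? I can log in successfully with the authenticated user (rather than into a specific database):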

vagrant@trusty64:/vagrant/test$ sudo docker exec -it mongodb mongo --port 27017 -u authenticated -p password
MongoDB shell version: 3.2.14
connecting to: 127.0.0.1:27017/test
Welcome to the MongoDB shell.
For interactive help, type "help".
For more comprehensive documentation, see
        http://docs.mongodb.org/
Questions? Try the support group
        http://groups.google.com/group/mongodb-user
>

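Note: I have a corresponding github issue that tracks the progress of this problem.

Perhaps I need to pay particular attention to the following snippet from /var/log/mongodb/mongod.log: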

2017-06-22T17:49:49.663-0400 I NETWORK  [initandlisten] connection accepted from 172.18.0.2:40926 #1 (1 connection now open)
2017-06-22T17:49:50.180-0400 I COMMAND  [conn1] update admin.system.version query: { _id: "authSchema" } update: { $set: { currentVersion: 5 } } keysExamined:0 docsExamined:0 nMatched:1 nModified:1 upsert:1 keyUpdates:0 writeConflicts:0 numYields:0 locks:{ Global: { acquireCount: { r: 2, w: 2 } }, Database: { acquireCount: { W: 2 } } } 428ms
2017-06-22T17:49:50.397-0400 I COMMAND  [conn1] insert admin.system.users ninserted:1 keyUpdates:0 writeConflicts:0 numYields:0 locks:{ Global: { acquireCount: { r: 4, w: 4 } }, Database: { acquireCount: { W: 4 } }, Collection: { acquireCount: { w: 1 } } } 188ms
2017-06-22T17:49:50.397-0400 I COMMAND  [conn1] command test.$cmd command: createUser { createUser: "authenticated", pwd: "xxx", roles: [ "readWrite", "userAdmin", "dbAdmin", { role: "readWrite", db: "dataset" }, { role: "userAdmin", db: "dataset" }, { role: "dbAdmin", db: "dataset" } ], digestPassword: false, writeConcern: { w: "majority", wtimeout: 5000.0 } } keyUpdates:0 writeConflicts:0 numYields:0 reslen:22 locks:{ Global: { acquireCount: { r: 4, w: 4 } }, Database: { acquireCount: { W: 4 } }, Collection: { acquireCount: { w: 1 } } } protocol:op_command 703ms

This may be related to a subsequent snippet from the same log file:

2017-06-22T17:59:38.129-0400 I ACCESS   [conn10] SCRAM-SHA-1 authentication failed for authenticated on admin from client 172.18.0.4 ; UserNotFound: Could not find user authenticated@admin

1 answer:

Answer 0: (score: 0)

I talked with you on IRC earlier.

The problem is that when you create the user with the line

vagrant@trusty64:/vagrant/test$ sudo docker exec -it mongodb sudo mongo mongodb://mongodb:27017 --eval "db.getSiblingDB('admin'); db.createUser(...

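you are not actually setting the db variable to the sibling (admin) database. You are only calling a function that returns the database.

You need to set the current database to the "admin" database with the command db = db.getSiblingDB('admin'); in the shell.

You can also use the shorthand use admin

Or you can include the admin database in your mongod invocation and drop the eval'd db switch entirely. The database name is usually the first argument to the mongod executable. I am not 100% sure how that translates to your docker command.

Maybe vagrant@trusty64:/vagrant/test$ sudo docker exec -it mongodb sudo mongo admin mongodb://mongodb:27017 --eval "db.createUser(...

Cheers!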
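
An added example, not part of the original question or answer: the quoted mongod.log records createUser as `command test.$cmd`, while the failed logins are attempted `on admin`. The Python sketch below correlates those two line types to surface such an authentication-database mismatch; the function names and the abridged sample log are constructed for illustration and assume the MongoDB 3.2 text log format shown above.

```python
import re

# Constructed sample: abridged from the mongod.log lines quoted in the question.
SAMPLE_LOG = """\
2017-06-22T15:47:09.008-0400 I COMMAND  [conn1] command test.$cmd command: createUser { createUser: "authenticated", pwd: "xxx", roles: [ "readWrite" ] } protocol:op_command 280ms
2017-06-22T15:48:13.528-0400 I ACCESS   [conn2] SCRAM-SHA-1 authentication failed for authenticated on admin from client 172.18.0.6 ; UserNotFound: Could not find user authenticated@admin
2017-06-22T15:48:30.495-0400 I ACCESS   [conn4] SCRAM-SHA-1 authentication failed for authenticated on admin from client 172.18.0.6 ; UserNotFound: Could not find user authenticated@admin
"""

# "command <db>.$cmd command: createUser { createUser: "<user>"" names the
# database the command ran against, i.e. where the user document was scoped.
CREATE_RE = re.compile(
    r'command (?P<db>[^\s.]+)\.\$cmd command: createUser \{ createUser: "(?P<user>[^"]+)"'
)
# "authentication failed for <user> on <db> from client <ip> ; UserNotFound"
FAIL_RE = re.compile(
    r"authentication failed for (?P<user>\S+) on (?P<db>\S+) "
    r"from client (?P<client>\S+) ; UserNotFound"
)


def created_users(log_text):
    """Map each user name to the set of databases where createUser was logged."""
    users = {}
    for m in CREATE_RE.finditer(log_text):
        users.setdefault(m.group("user"), set()).add(m.group("db"))
    return users


def auth_source_mismatches(log_text):
    """Report UserNotFound failures for users that were created in another database."""
    created = created_users(log_text)
    findings, seen = [], set()
    for m in FAIL_RE.finditer(log_text):
        key = (m.group("user"), m.group("db"), m.group("client"))
        if key in seen:  # collapse repeated attempts from the same client
            continue
        seen.add(key)
        user, attempted, client = key
        elsewhere = sorted(created.get(user, set()) - {attempted})
        if elsewhere:
            findings.append({"user": user, "attempted_db": attempted,
                             "created_in": elsewhere, "client": client})
    return findings


if __name__ == "__main__":
    for f in auth_source_mismatches(SAMPLE_LOG):
        print("{user}: login tried against '{attempted_db}', "
              "but createUser ran in {created_in} (client {client})".format(**f))
```
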