mongo认证机制导致的连接失败

故障场景

  • 2020.12.23.由于代码上使用老版本(1.7.0.4714)的驱动,而 authSchema 的 currentVersion 默认版本为5(认证机制SCRAM-SHA-1),导致 C# 连接 mongodb 报错:Invalid credentials for database 'admin',详细如下:
2020/12/23 10:44:10 Invalid credentials for database 'Device'.
MongoDB.Driver.MongoAuthenticationException: Invalid credentials for database 'Device'. ---> MongoDB.Driver.MongoCommandException: Command 'authenticate' failed: auth failed (response: { "ok" : 0.0, "errmsg" : "auth failed", "code" : 18, "codeName" : "AuthenticationFailed" })
  • 2022.11.24,迁移mongo库到新的实例,java代码连接mongodb报错:{"ok": 0.0, "errmsg": "Authentication failed.", "code": 18, "codeName": "AuthenticationFailed"}
Caused by: com.mongodb.MongoCommandException: Command failed with error 18 (AuthenticationFailed): 'Authentication failed.' on server 127.0.0.1:27017. The full response is {"ok": 0.0, "errmsg": "Authentication failed.", "code": 18, "codeName": "AuthenticationFailed"}
...
Caused by: com.mongodb.MongoSecurityException: Exception authenticating MongoCredential{mechanism=SCRAM-SHA-1, userName='user_xxx', source='xxx', password=<hidden>, mechanismProperties=<hidden>}

确认过程

  • 确认 mongodb 版本为 3.4.20,且 authSchema 的 currentVersion 版本为5
[root@localhost]# cd /usr/local/mongodb/bin/
[root@localhost]# mongo -uroot -p --authenticationDatabase admin --host 127.0.0.1 --port 3717 admin
MongoDB shell version v3.4.20
connecting to: mongodb://127.0.0.1:3717/admin
MongoDB server version: 3.4.20

> use admin
switched to db admin

> db.system.version.find()
{ "_id" : "featureCompatibilityVersion", "version" : "3.4" }
{ "_id" : "authSchema", "currentVersion" : 5 }

> exit
bye

解决方案

  • 第1步,修改mongo配置,关闭auth验证(即注释掉 security: 及 authorization: 或 auth= )
[root@localhost]# cat /data/mongo_3717/mongod_3717.conf | egrep "(security|authorization|auth)"
#auth=true
  • 第2步,重启mongodb进程
ps aux | fgrep 'mongo' | grep -v grep | awk '{print $2}' | xargs kill -s 9

sudo -u mongodb numactl --interleave=all /usr/local/mongodb/bin/mongod -f /data/mongo_3717/mongod_3717.conf
  • 第3步,无密码登录mongodb,执行如下脚本,修改验证版本,删掉老账号并重建
use admin
var schema = db.system.version.findOne({"_id":"authSchema"})
schema.currentVersion = 3
db.system.version.save(schema)

use xxx
db.dropUser("user_xxx")
db.createUser({user:"user_xxx",pwd:"123456",roles:[{"role":"readWrite","db":"xxx"}]});
exit

详细过程,记录如下:

[root@localhost]# /usr/local/mongodb/bin/mongo
MongoDB shell version v3.4.20
connecting to: mongodb://127.0.0.1:3717
MongoDB server version: 3.4.20

> show dbs
admin               0.000GB
xxx                 0.810GB
local               0.000GB

> use admin
switched to db admin

> db.system.version.find()
{ "_id" : "featureCompatibilityVersion", "version" : "3.4" }
{ "_id" : "authSchema", "currentVersion" : 5 }

> var schema = db.system.version.findOne({"_id":"authSchema"})
> schema.currentVersion = 3
3
> db.system.version.save(schema)
WriteResult({ "nMatched" : 1, "nUpserted" : 0, "nModified" : 1 })

> db.system.version.find()
{ "_id" : "featureCompatibilityVersion", "version" : "3.4" }
{ "_id" : "authSchema", "currentVersion" : 3 }

> use xxx
switched to db xxx
> db.dropUser("user_xxx")
true
> db.createUser({user:"user_xxx",pwd:"123456",roles:[{"role":"readWrite","db":"xxx"}]});
Successfully added user: {
        "user" : "user_xxx",
        "roles" : [
                {
                        "role" : "readWrite",
                        "db" : "xxx"
                }
        ]
}
> exit
bye
  • 第4步,修改mongo配置,开启auth验证(即取消注释 security: 及 authorization: 或 auth= )
[root@localhost]# cat /data/mongo_3717/mongod_3717.conf | egrep "(security|authorization|auth)"
auth=true
  • 第5步,重启mongodb进程
ps aux | fgrep 'mongo' | grep -v grep | awk '{print $2}' | xargs kill -s 9

sudo -u mongodb numactl --interleave=all /usr/local/mongodb/bin/mongod -f /data/mongo_3717/mongod_3717.conf

若启动报错 ERROR: child process failed, exited with error number 100,可尝试删掉 journal、mongod.lock、WiredTiger.lock,若仍报错,再修改一下目录属性

[root@localhost]# sudo -u mongodb numactl --interleave=all /usr/local/mongodb/bin/mongod -f /data/mongo_3717/mongod_3717.conf
2022-11-24T08:16:00.447-0500 I CONTROL  [main] note: noprealloc may hurt performance in many applications
about to fork child process, waiting until server is ready for connections.
forked process: 28698
ERROR: child process failed, exited with error number 100

[root@localhost]# rm -rf /data/mongo_3717/data/journal
[root@localhost]# rm -f /data/mongo_3717/data/mongod.lock
[root@localhost]# rm -f /data/mongo_3717/data/WiredTiger.lock

[root@localhost]# sudo -u mongodb numactl --interleave=all /usr/local/mongodb/bin/mongod -f /data/mongo_3717/mongod_3717.conf
2022-11-24T08:18:03.502-0500 I CONTROL  [main] note: noprealloc may hurt performance in many applications
about to fork child process, waiting until server is ready for connections.
forked process: 29445
ERROR: child process failed, exited with error number 100

[root@localhost]# chown -R mongodb.mongodb /data/mongo_3717

[root@localhost]# sudo -u mongodb numactl --interleave=all /usr/local/mongodb/bin/mongod -f /data/mongo_3717/mongod_3717.conf
2022-11-24T08:18:36.685-0500 I CONTROL  [main] note: noprealloc may hurt performance in many applications
about to fork child process, waiting until server is ready for connections.
forked process: 29651
child process started successfully, parent exiting
  • 第6步,登录验证,确认authSchema 的 currentVersion 版本为3
[root@localhost]# /usr/local/mongodb/bin/mongo -uroot -p --authenticationDatabase admin --host 127.0.0.1 --port 3717 admin
MongoDB shell version v3.4.20
connecting to: mongodb://127.0.0.1:3717/admin
MongoDB server version: 3.4.20

> use admin
switched to db admin
> db.system.version.find()
{ "_id" : "featureCompatibilityVersion", "version" : "3.4" }
{ "_id" : "authSchema", "currentVersion" : 3 }

> use xxx
switched to db xxx

> show users;
{
        "_id" : "xxx.user_xxx",
        "user" : "user_xxx",
        "db" : "xxx",
        "roles" : [
                {
                        "role" : "readWrite",
                        "db" : "xxx"
                }
        ]
}
> exit
bye
Copyright © www.sqlfans.cn 2024 All Right Reserved更新时间: 2024-09-11 12:34:41

results matching ""

    No results matching ""