mongo认证机制导致的连接失败

故障场景

• 2020.12.23.由于代码上使用老版本(1.7.0.4714)的驱动，而 authSchema 的 currentVersion 默认版本为5（认证机制SCRAM-SHA-1），导致 C# 连接 mongodb 报错：Invalid credentials for database 'admin'，详细如下：

2020/12/23 10:44:10 Invalid credentials for database 'Device'.
MongoDB.Driver.MongoAuthenticationException: Invalid credentials for database 'Device'. ---> MongoDB.Driver.MongoCommandException: Command 'authenticate' failed: auth failed (response: { "ok" : 0.0, "errmsg" : "auth failed", "code" : 18, "codeName" : "AuthenticationFailed" })

• 2022.11.24，迁移mongo库到新的实例，java代码连接mongodb报错：{"ok": 0.0, "errmsg": "Authentication failed.", "code": 18, "codeName": "AuthenticationFailed"}

Caused by: com.mongodb.MongoCommandException: Command failed with error 18 (AuthenticationFailed): 'Authentication failed.' on server 127.0.0.1:27017. The full response is {"ok": 0.0, "errmsg": "Authentication failed.", "code": 18, "codeName": "AuthenticationFailed"}
...
Caused by: com.mongodb.MongoSecurityException: Exception authenticating MongoCredential{mechanism=SCRAM-SHA-1, userName='user_xxx', source='xxx', password=<hidden>, mechanismProperties=<hidden>}

确认过程

• 确认 mongodb 版本为 3.4.20，且 authSchema 的 currentVersion 版本为5

[root@localhost]# cd /usr/local/mongodb/bin/
[root@localhost]# mongo -uroot -p --authenticationDatabase admin --host 127.0.0.1 --port 3717 admin
MongoDB shell version v3.4.20
connecting to: mongodb://127.0.0.1:3717/admin
MongoDB server version: 3.4.20

> use admin
switched to db admin

> db.system.version.find()
{ "_id" : "featureCompatibilityVersion", "version" : "3.4" }
{ "_id" : "authSchema", "currentVersion" : 5 }

> exit
bye

解决方案

• 第1步，修改mongo配置，关闭auth验证（即注释掉 security: 及 authorization: 或 auth= ）

[root@localhost]# cat /data/mongo_3717/mongod_3717.conf | egrep "(security|authorization|auth)"
#auth=true

• 第2步，重启mongodb进程

ps aux | fgrep 'mongo' | grep -v grep | awk '{print $2}' | xargs kill -s 9

sudo -u mongodb numactl --interleave=all /usr/local/mongodb/bin/mongod -f /data/mongo_3717/mongod_3717.conf

• 第3步，无密码登录mongodb，执行如下脚本，修改验证版本，删掉老账号并重建

use admin
var schema = db.system.version.findOne({"_id":"authSchema"})
schema.currentVersion = 3
db.system.version.save(schema)

use xxx
db.dropUser("user_xxx")
db.createUser({user:"user_xxx",pwd:"123456",roles:[{"role":"readWrite","db":"xxx"}]});
exit

详细过程，记录如下：

[root@localhost]# /usr/local/mongodb/bin/mongo
MongoDB shell version v3.4.20
connecting to: mongodb://127.0.0.1:3717
MongoDB server version: 3.4.20

> show dbs
admin               0.000GB
xxx                 0.810GB
local               0.000GB

> use admin
switched to db admin

> db.system.version.find()
{ "_id" : "featureCompatibilityVersion", "version" : "3.4" }
{ "_id" : "authSchema", "currentVersion" : 5 }

> var schema = db.system.version.findOne({"_id":"authSchema"})
> schema.currentVersion = 3
3
> db.system.version.save(schema)
WriteResult({ "nMatched" : 1, "nUpserted" : 0, "nModified" : 1 })

> db.system.version.find()
{ "_id" : "featureCompatibilityVersion", "version" : "3.4" }
{ "_id" : "authSchema", "currentVersion" : 3 }

> use xxx
switched to db xxx
> db.dropUser("user_xxx")
true
> db.createUser({user:"user_xxx",pwd:"123456",roles:[{"role":"readWrite","db":"xxx"}]});
Successfully added user: {
        "user" : "user_xxx",
        "roles" : [
                {
                        "role" : "readWrite",
                        "db" : "xxx"
                }
        ]
}
> exit
bye

• 第4步，修改mongo配置，开启auth验证（即取消注释 security: 及 authorization: 或 auth= ）

[root@localhost]# cat /data/mongo_3717/mongod_3717.conf | egrep "(security|authorization|auth)"
auth=true

• 第5步，重启mongodb进程

ps aux | fgrep 'mongo' | grep -v grep | awk '{print $2}' | xargs kill -s 9

sudo -u mongodb numactl --interleave=all /usr/local/mongodb/bin/mongod -f /data/mongo_3717/mongod_3717.conf

若启动报错 ERROR: child process failed, exited with error number 100，可尝试删掉 journal、mongod.lock、WiredTiger.lock，若仍报错，再修改一下目录属性

[root@localhost]# sudo -u mongodb numactl --interleave=all /usr/local/mongodb/bin/mongod -f /data/mongo_3717/mongod_3717.conf
2022-11-24T08:16:00.447-0500 I CONTROL  [main] note: noprealloc may hurt performance in many applications
about to fork child process, waiting until server is ready for connections.
forked process: 28698
ERROR: child process failed, exited with error number 100

[root@localhost]# rm -rf /data/mongo_3717/data/journal
[root@localhost]# rm -f /data/mongo_3717/data/mongod.lock
[root@localhost]# rm -f /data/mongo_3717/data/WiredTiger.lock

[root@localhost]# sudo -u mongodb numactl --interleave=all /usr/local/mongodb/bin/mongod -f /data/mongo_3717/mongod_3717.conf
2022-11-24T08:18:03.502-0500 I CONTROL  [main] note: noprealloc may hurt performance in many applications
about to fork child process, waiting until server is ready for connections.
forked process: 29445
ERROR: child process failed, exited with error number 100

[root@localhost]# chown -R mongodb.mongodb /data/mongo_3717

[root@localhost]# sudo -u mongodb numactl --interleave=all /usr/local/mongodb/bin/mongod -f /data/mongo_3717/mongod_3717.conf
2022-11-24T08:18:36.685-0500 I CONTROL  [main] note: noprealloc may hurt performance in many applications
about to fork child process, waiting until server is ready for connections.
forked process: 29651
child process started successfully, parent exiting

• 第6步，登录验证，确认authSchema 的 currentVersion 版本为3

[root@localhost]# /usr/local/mongodb/bin/mongo -uroot -p --authenticationDatabase admin --host 127.0.0.1 --port 3717 admin
MongoDB shell version v3.4.20
connecting to: mongodb://127.0.0.1:3717/admin
MongoDB server version: 3.4.20

> use admin
switched to db admin
> db.system.version.find()
{ "_id" : "featureCompatibilityVersion", "version" : "3.4" }
{ "_id" : "authSchema", "currentVersion" : 3 }

> use xxx
switched to db xxx

> show users;
{
        "_id" : "xxx.user_xxx",
        "user" : "user_xxx",
        "db" : "xxx",
        "roles" : [
                {
                        "role" : "readWrite",
                        "db" : "xxx"
                }
        ]
}
> exit
bye