[BUG] Access control is not enabled for the database. #102
Comments
Thanks for opening your first issue here! Be sure to follow the relevant issue templates, or risk having this issue marked as invalid.
I should also point out that I discovered this while trying (and failing) to get unifi-network-application to connect to this mongo container. I suspect this issue is at the root of what I'm running into, but I'm not sure. The application container gets these logs, in case that's relevant for seeing what's going on here:
I ran into the same issue. I discovered the behaviour while running a backup of the containers with Duplicati. While in the loop of the Tomcat starting exception, I can run another No idea what's causing this issue.

Environment:

Docker Compose file:

```yaml
services:
  unifi-network-application:
    env_file:
      - path: .env
        required: true
    image: lscr.io/linuxserver/unifi-network-application:latest
    hostname: unifi
    domainname: domain.com
    container_name: unifi-network-application
    depends_on:
      unifi-db:
        condition: service_healthy
    environment:
      - PUID=1000
      - PGID=1000
      - TZ=Europe/Zurich
      - MONGO_USER=unifi
      - MONGO_PASS=${MONGO_PASS}
      - MONGO_HOST=unifi-db
      - MONGO_PORT=27017
      - MONGO_DBNAME=UNIFI-DB
      - MEM_LIMIT=1024
      - MEM_STARTUP=1024
    healthcheck:
      test: curl -k -f https://localhost:8443
      interval: 1m30s
      timeout: 30s
      retries: 5
      start_period: 30s
    volumes:
      - ./data/unifi-network-application:/config
    networks:
      mgmt-100:
        ipv4_address: 192.168.100.50
      internal:
  unifi-db:
    image: docker.io/mongo:7
    container_name: unifi-db
    networks:
      - internal
    volumes:
      - ./data/unifi-db-data:/data/db
      - ./data/unifi-db-config:/data/configdb
      - ./data/unifi-db-init-mongo/init-mongo.js:/docker-entrypoint-initdb.d/init-mongo.js:ro
    healthcheck:
      test: echo 'db.runCommand("ping").ok' | mongosh localhost:27017/test --quiet
      interval: 1m30s
      timeout: 30s
      retries: 5
      start_period: 30s
    restart: always
networks:
  mgmt-100:
    external: true
  internal:
```

Log:
Authentication on the Mongo Docker image is only enabled if the MONGO_INITDB_ROOT_USERNAME and MONGO_INITDB_ROOT_PASSWORD environment variables are provided. Mongo Docker image:
What I do is set the environment variables mentioned and, instead of using the init-mongo.js to initialize the database, I use a mongo-init.sh file:
I'm attempting to use the JS method, and the instructions for that explicitly say not to use those variables:
Guess the docs are incomplete. You don't have to believe me, all you have to do is look at /usr/local/bin/docker-entrypoint.sh in the Mongo Docker image:
Just tell us how you interpret it. I don't follow what you're trying to say. I'm looking at it and I am not having an aha moment.
In order to have authentication you need the --auth arg to be passed to mongod, and that arg is only passed if MONGO_INITDB_ROOT_USERNAME and MONGO_INITDB_ROOT_PASSWORD are set: https://www.mongodb.com/docs/manual/reference/program/mongod/#std-option-mongod.--auth
My dude, the readme explicitly tells you NOT to set the auth vars if you're relying on the js file we provide. If you set them, our js file does not work. Nobody is arguing with you about how to enable auth in mongodb. That's completely out of scope. If you want to enable auth, go ahead and do so. But you'll have to come up with your own js file or you'll have to create the necessary dbs yourself manually via cli. Nobody's stopping you. Please stop claiming our docs are incorrect just because you're refusing to follow them.
I did follow the docs, that's why I'm saying that they are incomplete, not that they are incorrect. It's not the same thing. I know that those vars + init-mongo.js mess with yours, that's why I said to use .sh instead. All I'm trying to do is help @nickurak with the same problem I had a few months ago, it's literally in the title. In order to have "Access control" you need --auth on mongo, and to have that you need MONGO_INITDB_ROOT_USERNAME and MONGO_INITDB_ROOT_PASSWORD set + a mongo-init.sh. If you don't have that, authentication on the database is disabled, you can try it yourself with MongoDB Compass. That's my final answer.
I followed the docs exactly as described, and I get the same error:

docker-compose.yml:

```yaml
services:
  unifi-network-application:
    image: lscr.io/linuxserver/unifi-network-application:latest
    container_name: unifi-network-application
    environment:
      - PUID=1000
      - PGID=1000
      - TZ=CDT/UTC
      - MONGO_USER=unifi
      - MONGO_PASS=password
      - MONGO_HOST=unifi-db
      - MONGO_PORT=27017
      - MONGO_DBNAME=unifi
      - MEM_LIMIT=1024 #optional
      - MEM_STARTUP=1024 #optional
    volumes:
      - /storage/docker/unifi/data:/config
    ports:
      - 8443:8443
      - 3478:3478/udp
      - 10001:10001/udp
      - 8080:8080
      - 1900:1900/udp #optional
      - 8843:8843 #optional
      - 8880:8880 #optional
      - 6789:6789 #optional
      - 5514:5514/udp #optional
    restart: unless-stopped
  unifi-db:
    hostname: unifi-db
    image: docker.io/mongo:7
    container_name: unifi-db
    volumes:
      - /storage/docker/unifi/mongo/data:/data/db
      - /storage/docker/unifi/init-mongo.js:/docker-entrypoint-initdb.d/init-mongo.js:ro
    ports:
      - 27017:27017
    restart: unless-stopped
```

init-mongo.js:

```js
// Creates the same user in both databases the controller uses; the closing brace of
// the first roles array was missing in the pasted snippet and is restored here.
db.getSiblingDB("unifi").createUser({user: "unifi", pwd: "password", roles: [{role: "dbOwner", db: "unifi"}]});
db.getSiblingDB("unifi_stat").createUser({user: "unifi", pwd: "password", roles: [{role: "dbOwner", db: "unifi_stat"}]});
```

and the logs show that the init is getting executed:
but it still fails auth
Can't reproduce: #103
I appreciate you taking the time to try it out. Now check your unifi-db container logs as well, or run mongosh inside the unifi-db container; you will see the following message:
That message means that your init-mongo.js credentials are useless.
Yes. Role Based Access Control (RBAC) is not enabled, which is the default configuration for mongodb.
Do me a favor and change the password in unifi's system.properties to an incorrect one and restart the container. See if it's able to still connect to the database. If so, you can open a new issue and report it as a bug or a security issue. If not, then please refrain from making wild and sensational claims that are simply not true. Without a root user and password for mongodb, and without RBAC, local users (connecting from inside the mongodb container, from 127.0.0.1) can administer the mongodb instance, which is how the js file we provide is able to create the unifi dbs and the user. That behavior has nothing to do with remote connections such as unifi connecting from a different container, and the credentials used. RBAC is beyond the scope of our documentation. I'm not a fan of repeating myself but I will do so one last time:
RBAC is what OP is asking for, it's literally in the title of this issue. Although I do agree that this is out of scope of this project. I said it's useless because you are able to connect to the database without credentials, e.g. with MongoDB Compass. If you are able to login without credentials, what's the point of using them? I'm perfectly happy with my RBAC setup, all I had to do was set those vars and use the .sh file I posted above, no manual setup was required for the database. At the end of the day, the unifi-db container usually isn't exposed to the local network, so who cares. I see no point in arguing any further. Have a nice day 😃
You're right, the initial question was on RBAC, but it quickly turned into I may have been overly sensitive and I apologize. It's just that ever since this image was released, we have been getting swamped with The current behavior (lack of root user/pass, and direct access from inside the container) matches the previous image's behavior where mongodb ran inside unifi and was installed from the Ubuntu repo. Access into the container requires root access. I'm not familiar with Compass at all, can it connect to the mongodb instance remotely (from outside of the container) without credentials? If so, that's a security issue. But if it needs to run inside the container or perhaps needs direct access to the db files, we wouldn't consider that a security issue. Unifi keeps the db credentials in plain text in its system.properties file anyway.
Ugh!!!! Just tried Compass and it is able to connect remotely as admin without any credentials over the port. WTF mongodb?!? Unfortunately our users do often map the ports and may even publish it publicly (accidentally when running it on a VPS). So yeah, we'll have to modify our instructions. Thanks for the heads up.
Yeah, MongoDB does its own thing. 🙃 Thank you and everyone in the team for doing the hard work, I'm glad to help. This may not be the best example but here is my current setup, if it helps:

docker-compose (empty values are set from Portainer environment variables):

```yaml
services:
  unifi-network-application:
    image: linuxserver/unifi-network-application:8.3.32
    container_name: unifi-network-application
    environment:
      PUID: 1000
      PGID: 1000
      TZ: Etc/UTC
      MEM_LIMIT: 1024
      MEM_STARTUP: 1024
      MONGO_USER:
      MONGO_PASS:
      MONGO_HOST:
      MONGO_PORT:
      MONGO_DBNAME:
    volumes:
      - conf:/config
    restart: unless-stopped
    depends_on:
      - unifi-db
    networks:
      default:
      shared-lan:
        ipv4_address: 192.168.88.193
  unifi-db:
    image: mongo:7.0.12
    container_name: unifi-db
    environment:
      MONGO_INITDB_ROOT_USERNAME:
      MONGO_INITDB_ROOT_PASSWORD:
    #env_file:
    #  - stack.env
    volumes:
      - db:/data/db
      - db_conf:/data/configdb
    # - /srv/docker/unifi/mongo-init.sh:/docker-entrypoint-initdb.d/init-mongo.sh:ro
    restart: unless-stopped
volumes:
  conf:
  db:
  db_conf:
networks:
  shared-lan:
    external: true
```

mongo-init.sh:

```bash
#!/bin/bash
# Executed by the mongo image's entrypoint from /docker-entrypoint-initdb.d on the
# first start with an empty data directory. MONGO_DBNAME, MONGO_USER and MONGO_PASS
# must be present in the unifi-db container's environment for the expansions below.
set -e

mongosh << EOF
db.getSiblingDB("${MONGO_DBNAME}").createUser(
  {
    user: "${MONGO_USER}",
    pwd: "${MONGO_PASS}",
    roles: [
      { role: "dbOwner", db: "${MONGO_DBNAME}" },
      { role: "dbOwner", db: "${MONGO_DBNAME}_stat" }
    ]
  }
);
db.getSiblingDB("${MONGO_DBNAME}_stat").createUser(
  {
    user: "${MONGO_USER}",
    pwd: "${MONGO_PASS}",
    roles: [{role: "dbOwner", db: "${MONGO_DBNAME}_stat"}]
  }
);
EOF
```
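A static check for the exposure this thread converges on, added here as an example and not code from the linuxserver project or the mongo image. It encodes the point made in the --auth comment above (the official image passes --auth to mongod only when MONGO_INITDB_ROOT_USERNAME and MONGO_INITDB_ROOT_PASSWORD are both set) and the maintainers' observation that users often map the port: it walks an already-parsed compose file, finds mongo services, decides whether auth will be on, and flags those that also publish 27017. The compose dict is assumed to be what yaml.safe_load returns; the three embedded inputs are constructed to mirror the compose files posted in this thread (the port-mapped one without root vars, the Portainer one whose root vars are inherited and empty in the file, and a hardened variant).

```python
"""Static check for the MongoDB access-control gap in this issue: the official mongo
image adds --auth to mongod only when MONGO_INITDB_ROOT_USERNAME and
MONGO_INITDB_ROOT_PASSWORD are both set, so a mongo service without them that also
publishes 27017 accepts unauthenticated clients. Added example, not code from the
linuxserver project or the mongo image; input is an already-parsed compose dict."""
from __future__ import annotations

ROOT_VARS = ("MONGO_INITDB_ROOT_USERNAME", "MONGO_INITDB_ROOT_PASSWORD")
MONGO_PORT = 27017


def env_map(environment) -> dict:
    """Normalise 'environment' (list of 'KEY=VAL'/'KEY', or a mapping) to {KEY: value};
    a bare key or a null value inherits from the host shell and is kept as None."""
    if environment is None:
        return {}
    if isinstance(environment, dict):
        return {str(k): (None if v is None else str(v)) for k, v in environment.items()}
    result = {}
    for item in environment:
        key, sep, value = str(item).partition("=")
        result[key] = value if sep else None
    return result


def publishes_port(service: dict, container_port: int) -> bool:
    """True if the service exposes container_port beyond the compose network."""
    if service.get("network_mode") == "host":
        return True
    for entry in service.get("ports") or []:
        if isinstance(entry, dict):                 # long syntax
            if str(entry.get("target")) == str(container_port):
                return True
            continue
        spec = str(entry).split("/", 1)[0]          # strip '/tcp' or '/udp'
        target = spec.rsplit(":", 1)[-1]            # '27017' | 'HOST:27017' | 'IP:HOST:27017'
        if target.split("-", 1)[0] == str(container_port):
            return True
    return False


def is_mongo_image(service: dict) -> bool:
    """Match 'mongo', 'mongo:7', 'docker.io/mongo:7.0.12', 'docker.io/library/mongo@sha256:...'."""
    image = str(service.get("image", ""))
    return image.rsplit("/", 1)[-1].split(":", 1)[0].split("@", 1)[0] == "mongo"


def auth_state(service: dict) -> str:
    """'enabled' (--auth given, or both root vars set to literal values),
    'unknown' (root vars null or $VAR-interpolated, an env_file, or a --config
    file that may set security.authorization: not decidable from the compose
    dict alone) or 'disabled' (root vars not both present and no --auth)."""
    command = service.get("command")
    args = command.split() if isinstance(command, str) else [str(a) for a in command or []]
    if "--auth" in args:
        return "enabled"
    if "--config" in args or "-f" in args:
        return "unknown"
    env = env_map(service.get("environment"))
    if all(v in env for v in ROOT_VARS):
        values = [env[v] for v in ROOT_VARS]
        if all(values) and not any("$" in v for v in values):
            return "enabled"
        return "unknown"
    return "unknown" if service.get("env_file") else "disabled"


def audit_compose(compose: dict) -> dict:
    """Per mongo service: auth state, whether 27017 is published, and a severity:
    high (no auth, published), info (no auth, compose network only, the case the
    maintainers describe), review (undecidable), ok (auth enabled)."""
    findings = {}
    for name, service in (compose.get("services") or {}).items():
        if not is_mongo_image(service):
            continue
        auth = auth_state(service)
        published = publishes_port(service, MONGO_PORT)
        if auth == "enabled":
            severity = "ok"
        elif auth == "unknown":
            severity = "review"
        else:
            severity = "high" if published else "info"
        findings[name] = {"auth": auth, "published": published, "severity": severity}
    return findings


# Constructed inputs modelled on the compose files posted in this thread.
EXPOSED = {"services": {"unifi-db": {"image": "docker.io/mongo:7", "ports": ["27017:27017"]}}}
INHERITED = {"services": {"unifi-db": {"image": "mongo:7.0.12", "environment": {
    "MONGO_INITDB_ROOT_USERNAME": None, "MONGO_INITDB_ROOT_PASSWORD": None}}}}
HARDENED = {"services": {
    "unifi-db": {"image": "mongo:7", "environment": [
        "MONGO_INITDB_ROOT_USERNAME=root", "MONGO_INITDB_ROOT_PASSWORD=change-me"]},
    "unifi-network-application": {"image": "lscr.io/linuxserver/unifi-network-application:latest", "ports": ["8443:8443"]}}}

if __name__ == "__main__":
    for label, compose in (("exposed", EXPOSED), ("inherited", INHERITED), ("hardened", HARDENED)):
        print(f"{label:>9}: {audit_compose(compose)}")
```

Run as a script to see the three verdicts. auth_state deliberately answers "unknown" rather than guessing when the root vars come from the host environment, a ${VAR} interpolation, an env_file or a mounted --config, since none of those can be read from the compose file alone; the "info" severity covers the maintainers' case of an unauthenticated mongod that is only reachable from other containers on the compose network.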
First, thanks to everybody involved for pushing through the confusion and ambiguity and unknowns here, and thanks for all the work that's already gone into this packaging. Second, in light of ^, should this issue be re-opened, or would it be better tracked in a different issue?
Is there an existing issue for this?

Current Behavior

After starting the mongo container as documented, with mongo 7.0, and then connecting to the database with mongosh, the following error is displayed:

I have the following init-mongo.js:

Note: In case it's relevant, I'm using podman instead of docker.

Expected Behavior

No such warning should occur.

Steps To Reproduce

mkdir -p ~/unifi/db
~/unifi/init-mongo.js as above.
podman exec -it unifidb mongosh, looking for the "Access control is not enabled for the database. Read and write access to data and configuration is unrestricted" message

Environment

CPU architecture: x86-64
Docker creation: