How to set authorization for mongo-query-router (mongos)?

Hi all,
I have setup Mongo shard using 5 nodes:
mongo-query-router
mongo-config
mongo-shard-1
mongo-shard-2
mongo-shard-3
Those are all connected together and working properly. Now I want to set authorization on mongo-query-router to secure access to the dbs, but I don't know how?!
I have created a keyfile using openssl and copied it to all nodes, and set: "security: keyFile: "
All nodes can restart and become active except mongos. What should I do?!

What error are you getting when mongos is started?
What command was used to start mongos? Some mongos config file details are also needed.

I will share all nodes configuration:

Shard nodes at /etc/mongod.conf:

net:
  port: 27017
  bindIp: 192.168.11.153

security:
  authorization: enabled
  keyFile: /var/mongo/keyfile

replication:
  replSetName: "shard3"

sharding:
  clusterRole: shardsvr

Config node at /etc/mongod.conf:

net:
  port: 27019
  bindIp: 192.168.11.151

security:
  authorization: enabled
  keyFile: /var/mongo/keyfile

replication:
  replSetName: configReplSet

sharding:
  clusterRole: "configsvr"

And this is the mongos config at /etc/mongos.conf:

net:
  port: 27017
  bindIp: 192.168.11.149

#security:
#  authorization: enabled
#  keyFile: /var/mongo/keyfile

sharding:
  configDB: configReplSet/192.168.11.151:27019

If I comment out the security option on all nodes, I can connect to mongos from every node in my local network using "mongo 192.168.11.149:27017", but when I uncomment the security option and try to connect to the query-router, I get this error:

MongoDB shell version v5.0.6
connecting to: mongodb://192.168.11.149:27017/test?compressors=disabled&gssapiServiceName=mongodb
Error: couldn't connect to server 192.168.11.149:27017, connection attempt failed: SocketException: Error connecting to 192.168.11.149:27017 :: caused by :: Connection refused :
connect@src/mongo/shell/mongo.js:372:17
@(connect):2:6
exception: connect failed
exiting with code 1

When I uncomment the security option in mongos.conf and restart the service using "sudo systemctl restart mongos.service", I get this status:

● mongos.service - Mongo Cluster Router
Loaded: loaded (/lib/systemd/system/mongos.service; enabled; vendor preset: enabled)
Active: failed (Result: exit-code) since Mon 2022-03-14 13:56:28 UTC; 8s ago
Process: 3225231 ExecStart=/usr/bin/mongos --config /etc/mongos.conf (code=exited, status=2)
Main PID: 3225231 (code=exited, status=2)

Mar 14 13:56:28 mongo-query-router systemd[1]: Started Mongo Cluster Router.
Mar 14 13:56:28 mongo-query-router mongos[3225231]: Unrecognized option: security.authorization
Mar 14 13:56:28 mongo-query-router mongos[3225231]: try '/usr/bin/mongos --help' for more information
Mar 14 13:56:28 mongo-query-router systemd[1]: mongos.service: Main process exited, code=exited, status=2/INVALIDARGUMENT
Mar 14 13:56:28 mongo-query-router systemd[1]: mongos.service: Failed with result 'exit-code'.

Don't use the authorization param.
Just use keyFile under security.

I just used
"security: keyFile: /var/mongo/keyfile" on the mongos node (mongo-query-router). The service started, but I can't connect to mongos using "mongo 192.168.11.149:27017"; I get this error:

MongoDB shell version v4.4.13
connecting to: mongodb://192.168.11.149:27017/test?compressors=disabled&gssapiServiceName=mongodb
Error: couldn't connect to server 192.168.11.149:27017, connection attempt failed: SocketException: Error connecting to 192.168.11.149:27017 :: caused by :: Connection refused :
connect@src/mongo/shell/mongo.js:374:17
@(connect):2:6
exception: connect failed
exiting with code 1

Note: I disabled the security line in mongos.conf (and mongod.conf on the other nodes), entered the mongo shell and created user/roles. I want to use these credentials to access the db.

You have already used port 27017 for the shard node. How are you using the same port for mongos?
Also try to use all IPs while connecting instead of just the primary address.

Sorry, I can't get you. I have configured this shard cluster just like DigitalOcean; it seems there is no problem if you use the same port for shards and router.
Please tell me how I should run mongos.
Can I set user/pass like mongod? I also got an error on connecting to mongos when the security keyFile is enabled.

Thanks


How are you connecting to mongos? Like, the command used.
Does mongos.log show more details?

From any node in my network, I can connect to mongos using: $mongo :27017
In this situation there is no authentication and everyone can manipulate data in the cluster.
If I set security.keyFile on any shard node, config node or query-router, the mongo engine starts but I can't connect to mongos! The error is shown 4 messages before. Anything more from the log file?

After setting security you have to log in with an authenticated user.
Did you try with the user/pwd you created, with the authentication database as admin?

Yes I have a user created by:

db.createUser({user: 'admin', pwd: 'adminpass', roles: [{role: 'root', db: 'admin'}]})

Security is enabled on all nodes except the query-router and config node. I try to connect to mongos using:

mongo 192.168.11.149:27017 --username admin --password adminpass

I got an error: Error: command getParameter requires authentication :
connect@src/mongo/shell/mongo.js:372:17
while if I use:

mongo 192.168.11.149:27017

I can connect to mongos, "use admin", then "db.auth('admin', 'adminpass')".
Now if I write "show dbs" it returns: uncaught exception: Error: listDatabases failed: {
"ok" : 0,
"errmsg" : "Could not find host matching read preference { mode: \"primary\" } for set shard1",
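
The two configuration mistakes this thread runs into (security.authorization in mongos.conf, which mongos rejects at startup, and the keyfile being enabled on some members but not others, after which the router cannot reach shard primaries) can be caught before restarting anything. The following is an added example written for this thread, not MongoDB's own tooling: it embeds constructed copies of the three posted config files, parses their simple two-level layout with a minimal parser (not a general YAML parser), and reports findings for the three mongos.conf variants discussed above.

```python
"""Consistency check for the security section of mongod/mongos configs.

Added example for this thread (not MongoDB tooling). Rules applied:
1. mongos has no security.authorization option; only security.keyFile.
2. Keyfile membership auth is all-or-nothing across the cluster.
"""
from typing import Dict, List, Tuple

# Constructed copies of the configs posted in the thread.
SHARD_CONF = """\
net:
  port: 27017
  bindIp: 192.168.11.153

security:
  authorization: enabled
  keyFile: /var/mongo/keyfile

replication:
  replSetName: "shard3"

sharding:
  clusterRole: shardsvr
"""

CONFIG_CONF = """\
net:
  port: 27019
  bindIp: 192.168.11.151

security:
  authorization: enabled
  keyFile: /var/mongo/keyfile

replication:
  replSetName: configReplSet

sharding:
  clusterRole: "configsvr"
"""

# mongos.conf with the security block uncommented, as first tried in the thread.
MONGOS_CONF_AUTHZ = """\
net:
  port: 27017
  bindIp: 192.168.11.149

security:
  authorization: enabled
  keyFile: /var/mongo/keyfile

sharding:
  configDB: configReplSet/192.168.11.151:27019
"""

# Same file with the security block commented out (as originally posted) ...
MONGOS_CONF_NOSEC = (MONGOS_CONF_AUTHZ.replace("security:", "#security:")
                     .replace("  authorization", "#  authorization")
                     .replace("  keyFile", "#  keyFile"))
# ... and with only keyFile under security (the fix suggested in the thread).
MONGOS_CONF_KEYFILE = MONGOS_CONF_AUTHZ.replace("  authorization: enabled\n", "")


def parse_config(text: str) -> Dict[str, Dict[str, str]]:
    """Minimal parser for the 'section:\\n  key: value' layout of the posted
    files. Comment lines are skipped, so a commented-out security block
    yields no 'security' section at all."""
    tree: Dict[str, Dict[str, str]] = {}
    section = None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if not raw.startswith(" "):            # top-level section header
            section = raw.strip().rstrip(":")
            tree.setdefault(section, {})
        elif section is not None:              # indented "key: value" line
            key, _, value = raw.strip().partition(":")
            tree[section][key.strip()] = value.strip().strip('"')
    return tree


def check_cluster(nodes: Dict[str, Tuple[str, str]]) -> List[str]:
    """nodes maps node name -> (role, config text), role 'mongod' or 'mongos'.
    Returns findings; an empty list means the security settings are consistent."""
    parsed = {n: (role, parse_config(t)) for n, (role, t) in nodes.items()}
    with_keyfile = {n for n, (_, c) in parsed.items() if "keyFile" in c.get("security", {})}
    findings: List[str] = []
    for name, (role, cfg) in parsed.items():
        security = cfg.get("security", {})
        # Rule 1: the posted journal shows mongos exiting with "Unrecognized option".
        if role == "mongos" and "authorization" in security:
            findings.append(f"{name}: remove security.authorization (mongos rejects it); "
                            "keep security.keyFile")
        # Rule 2: a member without the keyfile cannot authenticate to members
        # that require it, so a router without it cannot reach shard primaries.
        if with_keyfile and name not in with_keyfile:
            findings.append(f"{name}: security.keyFile missing while "
                            f"{sorted(with_keyfile)} require it")
    if not with_keyfile:
        findings.append("no node sets security.keyFile: cluster runs without authentication")
    return findings


def audit(mongos_conf: str) -> List[str]:
    """Check the posted shard and config-server configs against one mongos.conf variant."""
    return check_cluster({
        "mongo-shard-3": ("mongod", SHARD_CONF),
        "mongo-config": ("mongod", CONFIG_CONF),
        "mongo-query-router": ("mongos", mongos_conf),
    })


if __name__ == "__main__":
    for label, conf in [("security commented out", MONGOS_CONF_NOSEC),
                        ("authorization + keyFile", MONGOS_CONF_AUTHZ),
                        ("keyFile only", MONGOS_CONF_KEYFILE)]:
        print(f"mongos.conf ({label}): {audit(conf) or ['OK']}")
```

Only the "keyFile only" variant comes back clean; the as-posted file (security commented out) is flagged because the shard and config members already require the keyfile, which is the state described a few posts up where mongos starts but data commands fail. The parser deliberately handles nothing beyond the two-level shape shown in the thread; real config files with nested options should be read with a YAML library instead.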

Can you show the rs.status() output?
Can you connect to each node of the shard3 replica set, and to the replica set as a whole using --host replicaset/n1,n2,n3?
Is the keyfile present in all the config files or not?
Also check this link:

Could not find host matching read preference { mode: “primary” } for set