I’m running the service inside a container. I followed the instructions here to create a user and password and update the mongod.conf file. If I try to log in with authentication but I use the wrong password, I’m blocked. If I use the right password, it works. But if I use no authentication at all I can get in and make changes.
If you can login without credentials and make changes then authentication is not enabled.
This is quite a different scenario from topic(The poster explains a “Server Information Disclosure”). Please create a new topic, post your docker config(compose file/docker run), mongo.conf.
The output of mongosh --eval 'db.serverCmdLineOpts()' --quiet
could be useful to see what is going on also.
Welcome to the MongoDB Community @amb83 !
As @chris noted, your question is different than the older topic you replied on so I have moved this to a new topic focused on your question.
It sounds like you have created a user but have perhaps missed a step like restarting the mongod
process after enabling access control in the mongod
configuration file. Another possibility would be that you have started mongod
manually (without using a service
definition), in which case you would also have to explicitly specify a path to a configuration file (eg mongod --config /path/to/mongod.conf
) or include the --auth
option to enable access control.
Running db.serverCmdLineOpts()
in the MongoDB shell will show command line options that were used, including either a configuration file or access control parameter.
For more information on available security measures please see the MongoDB Security Checklist.
Regards,
Stennie