我在 OpenShift 云上使用 StrongLoop 和 MongoDB 磁带,我无法使用 Explorer 界面来查询和操作我的集合中的资源。
我创建了一个简单的模型定义并将所有内容部署在 OpenShift 上。MongoDB 版本是 2.4.9。MongoDB 使用命令行启动:
mongod --auth -f /var/lib/openshift/<openshift-account>/mongodb//conf/mongodb.conf run
上面引用的 .conf 文件是:
# mongodb.conf
bind_ip = <redacted>
#port = 27017
dbpath=/var/lib/openshift/<redacted>/mongodb/data/
pidfilepath=/var/lib/openshift/<redacted>/mongodb/pid/mongodb.pid
# Enables periodic logging of CPU utilization and I/O wait
#cpu = false
# Turn on/off security. Off is currently the default
#noauth = true
# Verbose logging output.
#verbose = true
# Inspect all client data for validity on receipt (useful for
# developing drivers)
#objcheck = true
# Enable db quota management
#quota = true
# Set oplogging level where n is
# 0=off (default)
# 1=W
# 2=R
# 3=both
# 7=W+some reads
#oplog = 0
# Diagnostic/debugging option
#nocursors = true
# Ignore query hints
#nohints = true
# Disable the HTTP interface (Defaults to localhost:27018).
nohttpinterface = true
# Turns off server-side scripting. This will result in greatly limited
# functionality
#noscripting = true
# Turns off table scans. Any query that would do a table scan fails.
#notablescan = true
# Disable data file preallocation.
noprealloc = true
# Specify .ns file size for new databases.
# nssize = <size>
# Accout token for Mongo monitoring server.
#mms-token = <token>
# Server name for Mongo monitoring server.
#mms-name = <server-name>
# Ping interval for Mongo monitoring server.
#mms-interval = <seconds>
# Replication Options
# in replicated mongo databases, specify here whether this is a slave or master
#slave = true
#source = master.example.com
# Slave only: specify a single database to replicate
#only = master.example.com
# or
#master = true
#source = slave.example.com
# Address of a server to pair with.
#pairwith = <server:port>
# Address of arbiter server.
#arbiter = <server:port>
# Automatically resync if slave data is stale
#autoresync
# Custom size for replication operation log.
#oplogSize = 10
# Size limit for in-memory storage of op ids.
#opIdMem = <bytes>
# Specific configuration for openshift cartridge
smallfiles = true
quiet = true
使用探索 UI,我正在尝试获取所有对象。我希望收到一个空结果,但我收到了访问控制错误。
{
"error": {
"name": "MongoError",
"status": 500,
"message": "not authorized for query on admin.ACL",
"stack": "MongoError: not authorized for query on admin.ACL\n at Object.toError (/var/lib/openshift/544ecf5f4382ec1dcc0002ec/app-root/runtime/repo/node_modules/loopback-connector-mongodb/node_modules/mongodb/lib/mongodb/utils.js:114:11)\n at /var/lib/openshift/544ecf5f4382ec1dcc0002ec/app-root/runtime/repo/node_modules/loopback-connector-mongodb/node_modules/mongodb/lib/mongodb/cursor.js:700:54\n at Cursor.close (/var/lib/openshift/544ecf5f4382ec1dcc0002ec/app-root/runtime/repo/node_modules/loopback-connector-mongodb/node_modules/mongodb/lib/mongodb/cursor.js:989:5)\n at commandHandler (/var/lib/openshift/544ecf5f4382ec1dcc0002ec/app-root/runtime/repo/node_modules/loopback-connector-mongodb/node_modules/mongodb/lib/mongodb/cursor.js:700:21)\n at /var/lib/openshift/544ecf5f4382ec1dcc0002ec/app-root/runtime/repo/node_modules/loopback-connector-mongodb/node_modules/mongodb/lib/mongodb/db.js:1916:9\n at Server.Base._callHandler (/var/lib/openshift/544ecf5f4382ec1dcc0002ec/app-root/runtime/repo/node_modules/loopback-connector-mongodb/node_modules/mongodb/lib/mongodb/connection/base.js:448:41)\n at /var/lib/openshift/544ecf5f4382ec1dcc0002ec/app-root/runtime/repo/node_modules/loopback-connector-mongodb/node_modules/mongodb/lib/mongodb/connection/server.js:481:18\n at MongoReply.parseBody (/var/lib/openshift/544ecf5f4382ec1dcc0002ec/app-root/runtime/repo/node_modules/loopback-connector-mongodb/node_modules/mongodb/lib/mongodb/responses/mongo_reply.js:68:5)\n at null.<anonymous> (/var/lib/openshift/544ecf5f4382ec1dcc0002ec/app-root/runtime/repo/node_modules/loopback-connector-mongodb/node_modules/mongodb/lib/mongodb/connection/server.js:439:20)\n at emit (events.js:95:17)"
}
}
以下是请求提示的 mongodb 日志文件的摘录:
Thu Oct 30 08:06:56.633 [conn9] assertion 16550 not authorized for query on <redacted>.ACL ns:<redacted>.ACL query:{ $query: { model: "Media", property: { $in: [ "find", "*" ] }, accessType: { $in: [ "READ", "*" ] } }, orderby: { _id: 1 } }
Thu Oct 30 08:07:13.949 [conn13] authenticate db: admin { authenticate: 1, user: "admin", nonce: "<redacted>", key: "<redacted>" }
Thu Oct 30 08:07:14.717 [conn13] command admin.$cmd command: { listDatabases: 1 } ntoreturn:1 keyUpdates:0 locks(micros) R:458 W:106047 r:48 reslen:285 136ms
Thu Oct 30 08:07:14.826 [conn13] command admin.$cmd command: { $eval: CodeWScope( function (){ return db.getCollectionNames(); }, {}), args: {} } ntoreturn:1 keyUpdates:0 locks(micros) W:106944 reslen:92 106ms
Thu Oct 30 08:07:14.918 [conn14] authenticate db: admin { authenticate: 1, user: "admin", nonce: "<redacted>", key: "<redacted>" }
尝试使用资源管理器界面在集合中创建资源时收到相同的错误。请注意,它正在验证的用户名是 admin,这不是我在 datasources.json 中包含的用户名和凭据:
{
"db": {
"name": "db",
"connector": "memory"
},
"cloudMongoDB": {
"host": "<redacted>",
"port": "27017",
"url": "mongodb://<redacted:27017/<redacted",
"username": "<not-user-admin>",
"password": "<redacted>",
"name": "cloudMongoDB",
"connector": "mongodb",
"database": "<redacted>"
}
}
一个令人困惑的元素是 datasources.json 中使用的用户名和凭据不是管理员(如错误日志中所列),而是另一个对持有所查询集合的数据库具有读写角色的用户。管理员用户是根据 openshift 盒式默认设置设置的。因此管理员用户无权访问目标数据库。
我可以使用我在 datasources.json 中使用的相同凭据从 Mongo 客户端工具浏览数据库,包括向数据库添加数据。
因此,datasources.json 中的用户名和密码似乎没有集成到 Strongloop 身份验证中。我是否需要将凭据显式添加到 url 中才能使用它们进行身份验证?
我有兴趣了解该消息的含义。我需要采取哪些用户管理步骤来配置 StrongLoop 以从资源管理器应用程序访问 MongoDB?
兆瓦
更新解决方案:当我将 datasources.json 中的 url 更改为“mongodb://username:password@...StrongLoop 身份验证为我的非管理员用户并继续前进时。我发现我的角色有错字授予用户(“正确的角色是 readWrite,而我最初授予了 readwrite”)。一旦我修复了角色定义,我现在可以将 StrongLoop explorer 与 MongoDB 一起使用。
然后我从我的 datasources.json 中删除了 url 参数,发现 StrongLoop 使用数据库、用户名、密码来构建自己的 URL 并按预期连接。似乎 url 字段覆盖了数据源定义中的其他字段。目前,一切正常。