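I am using StrongLoop with the MongoDB cartridge on the OpenShift cloud, and I am unable to use the Explorer interface to query and manipulate resources in my collections.

I created a simple model definition and deployed everything on OpenShift. The MongoDB version is 2.4.9. MongoDB is started with the command line: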

mongod --auth -f /var/lib/openshift/<openshift-account>/mongodb//conf/mongodb.conf run

The .conf file referenced above is:

# mongodb.conf

bind_ip = <redacted>
#port = 27017

dbpath=/var/lib/openshift/<redacted>/mongodb/data/

pidfilepath=/var/lib/openshift/<redacted>/mongodb/pid/mongodb.pid

# Enables periodic logging of CPU utilization and I/O wait
#cpu = false

# Turn on/off security.  Off is currently the default
#noauth = true

# Verbose logging output.
#verbose = true

# Inspect all client data for validity on receipt (useful for
# developing drivers)
#objcheck = true

# Enable db quota management
#quota = true

# Set oplogging level where n is
#   0=off (default)
#   1=W
#   2=R
#   3=both
#   7=W+some reads
#oplog = 0

# Diagnostic/debugging option
#nocursors = true

# Ignore query hints
#nohints = true

# Disable the HTTP interface (Defaults to localhost:27018).
nohttpinterface = true

# Turns off server-side scripting.  This will result in greatly limited
# functionality
#noscripting = true

# Turns off table scans.  Any query that would do a table scan fails.
#notablescan = true

# Disable data file preallocation.
noprealloc = true

# Specify .ns file size for new databases.
# nssize = <size>

# Account token for Mongo monitoring server.
#mms-token = <token>

# Server name for Mongo monitoring server.
#mms-name = <server-name>

# Ping interval for Mongo monitoring server.
#mms-interval = <seconds>

# Replication Options

# in replicated mongo databases, specify here whether this is a slave or master
#slave = true
#source = master.example.com
# Slave only: specify a single database to replicate
#only = master.example.com
# or
#master = true
#source = slave.example.com

# Address of a server to pair with.
#pairwith = <server:port>
# Address of arbiter server.
#arbiter = <server:port>
# Automatically resync if slave data is stale
#autoresync
# Custom size for replication operation log.
#oplogSize = 10
# Size limit for in-memory storage of op ids.
#opIdMem = <bytes>

# Specific configuration for openshift cartridge
smallfiles = true
quiet = true

Using the Explorer UI, I am trying to get all objects. I expected to receive an empty result, but I received an access control error.

{
  "error": {
    "name": "MongoError",
    "status": 500,
    "message": "not authorized for query on admin.ACL",
    "stack": "MongoError: not authorized for query on admin.ACL\n    at Object.toError (/var/lib/openshift/544ecf5f4382ec1dcc0002ec/app-root/runtime/repo/node_modules/loopback-connector-mongodb/node_modules/mongodb/lib/mongodb/utils.js:114:11)\n    at /var/lib/openshift/544ecf5f4382ec1dcc0002ec/app-root/runtime/repo/node_modules/loopback-connector-mongodb/node_modules/mongodb/lib/mongodb/cursor.js:700:54\n    at Cursor.close (/var/lib/openshift/544ecf5f4382ec1dcc0002ec/app-root/runtime/repo/node_modules/loopback-connector-mongodb/node_modules/mongodb/lib/mongodb/cursor.js:989:5)\n    at commandHandler (/var/lib/openshift/544ecf5f4382ec1dcc0002ec/app-root/runtime/repo/node_modules/loopback-connector-mongodb/node_modules/mongodb/lib/mongodb/cursor.js:700:21)\n    at /var/lib/openshift/544ecf5f4382ec1dcc0002ec/app-root/runtime/repo/node_modules/loopback-connector-mongodb/node_modules/mongodb/lib/mongodb/db.js:1916:9\n    at Server.Base._callHandler (/var/lib/openshift/544ecf5f4382ec1dcc0002ec/app-root/runtime/repo/node_modules/loopback-connector-mongodb/node_modules/mongodb/lib/mongodb/connection/base.js:448:41)\n    at /var/lib/openshift/544ecf5f4382ec1dcc0002ec/app-root/runtime/repo/node_modules/loopback-connector-mongodb/node_modules/mongodb/lib/mongodb/connection/server.js:481:18\n    at MongoReply.parseBody (/var/lib/openshift/544ecf5f4382ec1dcc0002ec/app-root/runtime/repo/node_modules/loopback-connector-mongodb/node_modules/mongodb/lib/mongodb/responses/mongo_reply.js:68:5)\n    at null.<anonymous> (/var/lib/openshift/544ecf5f4382ec1dcc0002ec/app-root/runtime/repo/node_modules/loopback-connector-mongodb/node_modules/mongodb/lib/mongodb/connection/server.js:439:20)\n    at emit (events.js:95:17)"
  }
}

Here is an excerpt from the mongodb log file for the request:

Thu Oct 30 08:06:56.633 [conn9] assertion 16550 not authorized for query on <redacted>.ACL ns:<redacted>.ACL query:{ $query: { model: "Media", property: { $in: [ "find", "*" ] }, accessType: { $in: [ "READ", "*" ] } }, orderby: { _id: 1 } }
Thu Oct 30 08:07:13.949 [conn13]  authenticate db: admin { authenticate: 1, user: "admin", nonce: "<redacted>", key: "<redacted>" }
Thu Oct 30 08:07:14.717 [conn13] command admin.$cmd command: { listDatabases: 1 } ntoreturn:1 keyUpdates:0 locks(micros) R:458 W:106047 r:48 reslen:285 136ms
Thu Oct 30 08:07:14.826 [conn13] command admin.$cmd command: { $eval: CodeWScope( function (){ return db.getCollectionNames(); }, {}), args: {} } ntoreturn:1 keyUpdates:0 locks(micros) W:106944 reslen:92 106ms
Thu Oct 30 08:07:14.918 [conn14]  authenticate db: admin { authenticate: 1, user: "admin", nonce: "<redacted>", key: "<redacted>" }

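I receive the same error when trying to create a resource in the collection using the Explorer interface. Note that the username it is authenticating as is admin, which is not the username and credentials I included in datasources.json: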

{
  "db": {
    "name": "db",
    "connector": "memory"
  },
  "cloudMongoDB": {
    "host": "<redacted>",
    "port": "27017",
    "url": "mongodb://<redacted:27017/<redacted",
    "username": "<not-user-admin>",
    "password": "<redacted>",
    "name": "cloudMongoDB",
    "connector": "mongodb",
    "database": "<redacted>"
  }
}

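One confusing element is that the username and credentials used in datasources.json are not admin (as listed in the error log), but another user who has the read-write role on the database holding the collection being queried. The admin user is set up according to the OpenShift cartridge defaults. So the admin user does not have access to the target database.

I can browse the database from a Mongo client tool using the same credentials I used in datasources.json, including adding data to the database.

So it seems that the username and password in datasources.json are not being integrated into StrongLoop authentication. Do I need to add the credentials explicitly to the url in order to authenticate with them?

I am interested in understanding what the message means. What user management steps do I need to take to configure StrongLoop to access MongoDB from the Explorer application?

MW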


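Update with solution: When I changed the url in datasources.json to "mongodb://username:password@...", StrongLoop authenticated as my non-admin user and moved forward. I found that I had a typo in the role granted to the user (the correct role is "readWrite", whereas I had originally granted "readwrite"). Once I fixed the role definition, I could use the StrongLoop explorer with MongoDB.

I then removed the url parameter from my datasources.json and found that StrongLoop uses the database, username, and password to build its own URL and connects as expected. It seems that the url field overrides the other fields in the datasource definition. For now, everything works.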

1 Answer

Thanks for the update; we will also clarify that last part in our documentation.

Answered 2014-10-31T21:13:28.797
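
The two pitfalls from the question's update, as an added example that is not part of the original post or of LoopBack's own code: a check that reports which datasources.json fields a url setting overrides, and a check for role names that differ from a MongoDB 2.4 built-in role only by letter case. The function names and the sample datasource are constructed for illustration, and the rule that url takes precedence is assumed from the post.

```javascript
// Added example (not LoopBack or connector code). Assumption taken from the
// post: when "url" is present, the other connection fields are not used.

// Built-in role names in MongoDB 2.4; role names are case-sensitive.
const MONGO_24_ROLES = ['read', 'readWrite', 'dbAdmin', 'userAdmin',
  'clusterAdmin', 'readAnyDatabase', 'readWriteAnyDatabase',
  'userAdminAnyDatabase', 'dbAdminAnyDatabase'];

// List the datasource fields that the url setting silently overrides,
// and the user the connection would actually authenticate as.
function lintDataSource(ds) {
  if (!ds.url) {
    // No url: the separate fields are what the connection is built from.
    return { overridden: [], effectiveUser: ds.username || null };
  }
  const u = new URL(ds.url); // throws TypeError on a malformed url
  const fromUrl = {
    host: u.hostname,
    port: u.port,
    database: u.pathname.replace(/^\//, ''),
    username: decodeURIComponent(u.username),
    password: decodeURIComponent(u.password),
  };
  const overridden = Object.keys(fromUrl).filter((key) =>
    ds[key] !== undefined && String(ds[key]) !== fromUrl[key]);
  return { overridden, effectiveUser: fromUrl.username || null };
}

// Catch a role name that differs from a built-in one only by letter case.
function checkRole(name) {
  if (MONGO_24_ROLES.includes(name)) return { valid: true, suggestion: null };
  const hit = MONGO_24_ROLES.find(
    (r) => r.toLowerCase() === name.toLowerCase());
  return { valid: false, suggestion: hit || null };
}

// Constructed sample mirroring the post: a url without credentials next to
// username/password fields that are therefore never used.
const sample = {
  host: 'db.example.internal', port: '27017', database: 'media',
  url: 'mongodb://db.example.internal:27017/media',
  username: 'appuser', password: 'constructed-secret', connector: 'mongodb',
};
console.log(lintDataSource(sample));
console.log(checkRole('readwrite'));
```
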