5

I deployed Strimzi Kafka, Strimzi Zookeeper and the Debezium MongoDB connector, and configured the Debezium MongoDB connector:

```
curl 'http://my-connect-cluster-connect-api:8083/connectors' -X POST -i -H "Content-Type:application/json" -d '{
  "name": "mongodb-connector",
  "config": {
    "connector.class": "io.debezium.connector.mongodb.MongoDbConnector",
    "mongodb.hosts": "MainRepSet/mongod-0.mongodb-service.kafka.svc.cluster.local:27017,mongod-1.mongodb-service.kafka.svc.cluster.local:27017,mongod-2.mongodb-service.kafka.svc.cluster.local:27017",
    "mongodb.name": "MainRepSet",
    "collection.whitelist": "springdatabase[.]*",
    "mongodb.user": "springuser",
    "mongodb.password": "password"
  }
}'
```

But I got an authentication exception:

```
2019-01-29 13:13:40,170 ERROR Error while reading the 'shards' collection in the 'config' database: Timed out after 30000 ms while waiting to connect. Client view of cluster state is {type=UNKNOWN, servers=[{address=mongod-2.mongodb-service.kafka.svc.cluster.local:27017, type=UNKNOWN, state=CONNECTING, exception={com.mongodb.MongoSecurityException: Exception authenticating MongoCredential{mechanism=null, userName='springuser', source='admin', password=<hidden>, mechanismProperties={}}}, caused by {com.mongodb.MongoCommandException: Command failed with error 18: 'Authentication failed.' on server mongod-2.mongodb-service.kafka.svc.cluster.local:27017. The full response is { "operationTime" : { "$timestamp" : { "t" : 1548767616, "i" : 1 } }, "ok" : 0.0, "errmsg" : "Authentication failed.", "code" : 18, "codeName" : "AuthenticationFailed", "$clusterTime" : { "clusterTime" : { "$timestamp" : { "t" : 1548767616, "i" : 1 } }, "signature" : { "hash" : { "$binary" : "M7qA9dMzPj1sC8lfT681vT57oPw=", "$type" : "00" }, "keyId" : { "$numberLong" : "6651444731228192769" } } } }}},
```

And I created the MongoDB account with the statement below:

```
db.createUser({user:"springuser",pwd:"password",roles:[{role:"readWrite",db:"springdatabase"}]})
```

After analyzing the exception, I see that the Debezium MongoDB connector uses the authSource "source='admin'" by default, but the authSource of my MongoDB account is 'springdatabase'. I think that is the reason the authentication failed.

One workaround is to create the MongoDB account using the default 'admin'. But our production MongoDB account has already been created, so we cannot change it.

So is there any configuration property to set up 'authSource'?

Robin Moffatt
user3661933

2 Answers

2

Indeed, Debezium hard-codes the admin connection; this was possibly done for convenience, since it needs to read from the oplog.

I see you have created a bug in the project itself, but if you want to have, for now, a secure set of only the necessary permissions, you can:

```
// Run against the admin database (use admin): Debezium authenticates against 'admin'.
// Create a role which allows listing the databases
db.runCommand({createRole:"justListDatabases",privileges:[{resource:{cluster:true},
           actions:["listDatabases"]}],roles:[]})

// Create a user which can list the databases, read the oplog (local db), and read the source database (for initial syncs)
db.createUser({
    "user" : "debezium_read_only",
    "pwd" : "<password>", // placeholder: createUser requires a password
    "roles" : [
        {
            // must match the role name created above
            "role" : "justListDatabases",
            "db" : "admin"
        },
        {
            "role" : "read",
            "db" : "database_where_collections_are"
        },
        {
            "role" : "read",
            "db" : "local"
        }
    ]
})
```

I hope this helps to secure your setup until better login options become available within Debezium.

Renato Mefi
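
The read-only setup from the answer above can be verified from the document that `usersInfo` returns with `showPrivileges: true`. The following is an added example, not part of the original answer or of Debezium: the function names and both sample documents are assumptions constructed for illustration.

```javascript
// Added example: audit a usersInfo document (showPrivileges: true) for the
// connector user. Sample documents are constructed and abbreviated.
const WRITE_ACTIONS = ["insert", "update", "remove"];

// True if an inherited privilege on a matching resource grants the action.
function grants(userDoc, action, matchesResource) {
  return (userDoc.inheritedPrivileges || []).some(
    (p) => matchesResource(p.resource) && p.actions.includes(action)
  );
}

function auditConnectorUser(userDoc, sourceDb) {
  const findings = [];
  // The connector authenticates with source='admin', so the user must live there.
  if (userDoc.db !== "admin") {
    findings.push(`user is defined in '${userDoc.db}', not 'admin'`);
  }
  if (!grants(userDoc, "listDatabases", (r) => r.cluster === true)) {
    findings.push("missing listDatabases on the cluster");
  }
  for (const db of [sourceDb, "local"]) {
    if (!grants(userDoc, "find", (r) => r.db === db)) findings.push(`missing find on '${db}'`);
  }
  for (const p of userDoc.inheritedPrivileges || []) {
    const writes = p.actions.filter((a) => WRITE_ACTIONS.includes(a));
    if (writes.length) findings.push(`write actions on ${JSON.stringify(p.resource)}: ${writes}`);
  }
  return findings;
}

// Constructed: the question's account (readWrite, created in springdatabase).
const questionUser = {
  user: "springuser", db: "springdatabase",
  inheritedPrivileges: [
    { resource: { db: "springdatabase", collection: "" }, actions: ["find", "insert", "update", "remove"] },
  ],
};
// Constructed: the answer's read-only account, created in admin.
const answerUser = {
  user: "debezium_read_only", db: "admin",
  inheritedPrivileges: [
    { resource: { cluster: true }, actions: ["listDatabases"] },
    { resource: { db: "springdatabase", collection: "" }, actions: ["find"] },
    { resource: { db: "local", collection: "" }, actions: ["find"] },
  ],
};
console.log(auditConnectorUser(questionUser, "springdatabase"));
console.log(auditConnectorUser(answerUser, "springdatabase"));
```

An empty findings list means the account is defined in `admin` and carries only the read and list privileges the answer describes.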
0

I am afraid this is hard-coded. Could you please raise a Jira feature request so we can take a look?

Jiri Pechanec