Tags: mongo, security




Overview


Kublr uses MongoDB internally to store cluster metadata.

In some situations it may be necessary to access MongoDB directly to recover from mismanagement and other issues.

This can be done using the Mongo Shell running in the Mongo pod.


Working with Mongo Shell


Get MongoDB username and password


MONGO_USERNAME="$(kubectl get secret -n kublr kcp-mongodb-auth \
  -o jsonpath="{.data.username}" | base64 -d)"
MONGO_PASSWORD="$(kubectl get secret -n kublr kcp-mongodb-auth \
  -o jsonpath="{.data.mongodb-root-password}" | base64 -d)"


Note that for Kublr 1.21 and earlier versions the MongoDB password is stored in a different field, so the following command should be used to access it:


MONGO_PASSWORD="$(kubectl get secret -n kublr kcp-mongodb-auth \
  -o jsonpath="{.data.password}" | base64 -d)"
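
The two secret layouts described above can be handled by one helper that tries the newer field first and falls back to the older one. This is an added example, not part of the original article; the function names `dump_secret`, `pick_field` and `load_mongo_credentials` are hypothetical, and it assumes `awk` and `base64 -d` are available on the workstation.

```shell
# Added example (not from the original article): load the MongoDB credentials
# from the kcp-mongodb-auth secret whichever password field it carries.
# Function names are hypothetical. Source this file, then run
# load_mongo_credentials.

# Print every data field of the secret as "key=base64value" lines, e.g.
# (constructed sample)  username=cm9vdA==
dump_secret() {
  kubectl get secret -n kublr kcp-mongodb-auth \
    -o go-template='{{range $k, $v := .data}}{{$k}}={{$v}}{{"\n"}}{{end}}'
}

# pick_field KEY...: read "key=base64value" lines on stdin and print the
# decoded value of the first KEY (in argument order) that is present and
# non-empty. Returns 1 when none of the keys is found.
pick_field() {
  _input="$(cat)"
  for _want in "$@"; do
    # Match the key only at the start of the line, so "password" does not
    # match "mongodb-root-password"; keep "=" padding inside the value.
    _val="$(printf '%s\n' "$_input" | awk -v k="$_want" \
      'index($0, k "=") == 1 { print substr($0, length(k) + 2); exit }')"
    if [ -n "$_val" ]; then
      printf '%s' "$_val" | base64 -d
      return
    fi
  done
  echo "none of these fields found in secret: $*" >&2
  return 1
}

# Set MONGO_USERNAME and MONGO_PASSWORD in the current shell. The newer field
# is tried first, then the field used by Kublr 1.21 and earlier.
load_mongo_credentials() {
  _fields="$(dump_secret)" || return 1
  MONGO_USERNAME="$(printf '%s\n' "$_fields" | pick_field username)" || return 1
  MONGO_PASSWORD="$(printf '%s\n' "$_fields" |
    pick_field mongodb-root-password password)" || return 1
}
```

After sourcing the file and calling `load_mongo_credentials`, the `kubectl exec` commands in the following sections can use the two variables unchanged.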



Run Mongo Shell in interactive mode


kubectl exec -it -n kublr kcp-mongodb-0 -- \
  sh -c 'HOME=/tmp mongo "$@"' -- \
  --username "${MONGO_USERNAME}" \
  --password "${MONGO_PASSWORD}" \
  "mongodb://127.0.0.1:27017/kublr-db?authSource=admin&replicaSet=rs0"


If MongoDB is running in HA mode with more than one replica, another replica's pod may be specified instead, such as kcp-mongodb-1, kcp-mongodb-2, etc.


Run Mongo Shell command(s)/script non-interactively


kubectl exec -it -n kublr kcp-mongodb-0 -- \
  sh -c 'HOME=/tmp mongo "$@"' -- \
  --username "${MONGO_USERNAME}" \
  --password "${MONGO_PASSWORD}" \
  "mongodb://127.0.0.1:27017/kublr-db?authSource=admin&replicaSet=rs0" \
  --eval 'db.globalRoles.find()'


Useful Mongo Shell commands


Show records


// show all records in a collection (global roles in this example)
db.globalRoles.find()

// show a specific record in a collection
db.globalRoles.find({"metadata.name":"KublrFullAdmin"})


Insert records


db.globalRoles.insertOne({...})

db.globalRoles.insertOne({
  "metadata":{
    "name": "test",
    "createdtimestamp": ISODate(),
    "updatedtimestamp": ISODate(),
    "labels": {},
    "resourceVersion": 1
  },
  "typemeta": {
    "kind": "GlobalRole",
    "apiversion": ""
  },
  "rules": [
    { "resources" : [ "*" ], "verbs" : [ "*" ] },
    { "resources" : [ ], "verbs" : [ "*" ], "nonResourceURLs" : [ "*" ] }
  ]
})


Delete records


db.globalRoles.deleteOne({...});

db.globalRoles.deleteOne({"metadata.name":"test"});


Examples


Recover accidentally removed KublrFullAdmin(s) role and binding


kubectl exec -it -n kublr kcp-mongodb-0 -- \
  sh -c 'HOME=/tmp mongo "$@"' -- \
  --username "${MONGO_USERNAME}" \
  --password "${MONGO_PASSWORD}" \
  "mongodb://127.0.0.1:27017/kublr-db?authSource=admin" \
  --eval '
db.globalRoles.insertOne({
  "metadata":{
    "name": "KublrFullAdmin",
    "createdtimestamp": ISODate(),
    "updatedtimestamp": ISODate(),
    "labels": {},
    "resourceVersion": 1
  },
  "typemeta": {
    "kind": "GlobalRole",
    "apiversion": ""
  },
  "rules": [
    { "resources" : [ "*" ], "verbs" : [ "*" ] },
    { "resources" : [ ], "verbs" : [ "*" ], "nonResourceURLs" : [ "*" ] }
  ]
});

db.globalRoles.insertOne(
{
  "metadata": {
    "name": "KublrFullAdmins",
    "createdtimestamp": ISODate(),
    "updatedtimestamp": ISODate(),
    "labels": {},
    "resourceVersion": 1
  },
  "typemeta": {
    "kind": "GlobalRoleBinding",
    "apiversion": ""
  },
  "roleref": {"kind": "GlobalRole", "name": "KublrFullAdmin"},
  "subjects": [
    {"kind": "Group", "name": "KublrFullAdmins"}
  ]
});'