All Apps and Add-ons

Why is the Hunk App for MongoDB not returning results and get a "not authorized..." error?

gibu_george
Engager

Hi All,

I am new to Hunk and trying to set up the Hunk App for MongoDB in AWS using the trial version. I have set up a read user for mongo that works when accessing via the mongo client on the same machine as Hunk is set up. When trying with Hunk, I'm getting the following error stack in search.log.

08-23-2016 14:13:46.730 ERROR ERP.local-mongodb -  com.mongodb.MongoException: not authorized for query on flintstones.kids
08-23-2016 14:13:46.730 ERROR ERP.local-mongodb -   at com.mongodb.QueryResultIterator.throwOnQueryFailure(QueryResultIterator.java:214)
08-23-2016 14:13:46.730 ERROR ERP.local-mongodb -   at com.mongodb.QueryResultIterator.init(QueryResultIterator.java:198)
08-23-2016 14:13:46.730 ERROR ERP.local-mongodb -   at com.mongodb.QueryResultIterator.initFromQueryResponse(QueryResultIterator.java:176)
08-23-2016 14:13:46.730 ERROR ERP.local-mongodb -   at com.mongodb.QueryResultIterator.<init>(QueryResultIterator.java:64)
08-23-2016 14:13:46.730 ERROR ERP.local-mongodb -   at com.mongodb.DBCollectionImpl.find(DBCollectionImpl.java:86)
08-23-2016 14:13:46.730 ERROR ERP.local-mongodb -   at com.mongodb.DBCollectionImpl.find(DBCollectionImpl.java:66)
08-23-2016 14:13:46.730 ERROR ERP.local-mongodb -   at com.mongodb.DBCursor._check(DBCursor.java:458)
08-23-2016 14:13:46.730 ERROR ERP.local-mongodb -   at com.mongodb.DBCursor._hasNext(DBCursor.java:546)
08-23-2016 14:13:46.730 ERROR ERP.local-mongodb -   at com.mongodb.DBCursor.hasNext(DBCursor.java:571)
08-23-2016 14:13:46.730 ERROR ERP.local-mongodb -   at com.splunk.erp.mongodb.MongoDBERP.readEventsFromDB(Unknown Source)
08-23-2016 14:13:46.730 ERROR ERP.local-mongodb -   at com.splunk.erp.mongodb.MongoDBERP.getEvents(Unknown Source)
08-23-2016 14:13:46.730 ERROR ERP.local-mongodb -   at com.splunk.erp.mongodb.MongoDBERP.main(Unknown Source)
08-23-2016 14:13:46.745 INFO  ERPSearchResultCollector - ERP peer=local-mongodb is done reading search results.

This is my $SPLUNK_HOME/etc/apps/MongoDBApp/local/index.conf

[provider:local-mongodb]
vix.mongodb.host = 1.3.1.2:1000
vix.output.buckets.max.network.bandwidth = 0
vix.mongodb.auth.mechanism = CR
vix.mongodb.auth.password = barney_read@321
vix.mongodb.auth.username = barney_read
vix.command = /usr/bin/java
vix.command.arg.3 = $SPLUNK_HOME/bin/jars/SplunkMR-h1.jar:$SPLUNK_HOME/etc/apps/MongoDBApp/bin/hunk_mongodb_app.jar:$SPLUNK_HOME/etc/apps/MongoDBApp/bin/lib/*
[mongodb_vix]
vix.input.1.path = /user/cartoons/
vix.mongodb.collection = kids
vix.mongodb.db = flintstones
vix.mongodb.field.time = date
vix.mongodb.field.time.format = ISODate

This is my version of java

java version "1.7.0_111"
OpenJDK Runtime Environment (amzn-2.6.7.2.68.amzn1-x86_64 u111-b01)
OpenJDK 64-Bit Server VM (build 24.111-b01, mixed mode)

Any suggestions?

Thanks in advance
--gibu

0 Karma

rdagan_splunk
Splunk Employee
Splunk Employee

I suspect that the App was written before SCRAM-SHA-1 was introduced to MongoDB (i.e. before MongoDB version 2.8).
Therefore, you most likely have these options:
1) Ask your MongoDB admin to support one of the other options the App provides (Plain, Kerberos, CR, and X509)
2) Use MongoDB with JDBC and Splunk DB Connect
https://docs.mongodb.com/ecosystem/drivers/java/ and http://docs.splunk.com/Documentation/DBX/2.3.0/DeployDBX/Installdatabasedrivers#Install_drivers_for_...
3) Since the Hunk MongoDB App is community supported, feel free to update it and add this new Auth option. The App was built based on these APIs
https://splunkbase.splunk.com/apps/#/page/1/search/hunk/order/relevance (look for Sample ERP source code)

0 Karma

rdagan_splunk
Splunk Employee
Splunk Employee

Looking at this MongoDB page: http://api.mongodb.com/python/current/examples/authentication.html
Have you tried something like: vix.mongodb.auth.mechanism = SCRAM-SHA-1 ?

0 Karma

gibu_george_med
New Member

yup,
when vix.mongodb.auth.mechanism = SCRAM-SHA-1 i getting

 java.lang.IllegalArgumentException: Invalid authentication mechanism for MongoDB

Even tried updating the mongodB java driver to the 3.3.0 at /opt/splunk/etc/apps/MongoDBApp/bin/lib, no luck.

on another note:
Why does splunk answers allow two posts per day?

0 Karma

gibu_george
Engager

I think i have figured out the problem, its to do with the authentication mechanism.

The authentication mechanism for my mongodB is SCRAM-SHA-1. when i set vix.mongodb.auth.mechanism to SCRAM-SHA-1 i get
08-24-2016 12:51:00.177 ERROR ERP.local-mongodb - java.lang.IllegalArgumentException: Invalid authentication mechanism for MongoDB

what is right way to set the authentication mechanism?

--gibu

0 Karma

gibu_george
Engager

I tried with a local standalone mongodB, with authentication turned off, and it works. Only seems to be an issue with authentication turned on for the dB.

Any specifics on the user permissions that have to be given? will a user with only read only permissions do?

0 Karma

gibu_george
Engager

in the mongod.log file all i see is :
2016-08-24T11:36:32.261+0000 I QUERY [conn15] assertion 13 not authorized for query on

0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...