Menu
okay so we we have the mongodump tool, it has --password option. Everything works great except this plain password is visible in ps output to everybody.
our database has plain user/password authentication.
The only thing that I found to work is doing like this
echo secretpwd | mongodump --username backup --oplog
no trace of password in ps and still working.
Is there any better way?
819
mongodump overwrites output files if they exist in the backup data folder. Before running the mongodump command multiple times, either ensure that you no longer need the files in the output folder (the default is the dump/ folder) or rename the folders or files. mongodump is initiated when a resharding operation is in progress.
If the data set is larger than the system memory, the mongodump utility will push the working set out of memory. If access control is configured to access the MongoDB database, users must have enough privileges to each database to make backups.
The mongodump utility allows us to create an archive file. The –archive option can be used to specify the file. If no file is specified the output will be written to standard output (stdout). The –archive option cannot be used in conjunction with the –out option.
See Authentication Database. If you do not specify an authentication database, mongodump assumes that the database specified to export holds the user's credentials. If you do not specify an authentication database or a database to export, mongodump assumes the admin database holds the user's credentials.
Old post, but it looks like recent versions of mongodump do explicitly support reading the password from standard in. I didn't see anything about it in the documentation, but when I use a similar command to the one in the OP, mongodump generates output like:
reading password from standard input
I'm not sure if it's any better than using echo like in the OP, but I store the password in a file and then use it like this: mongodb --username backup < /path/to/password.txt
138
From the docs:
Changed in version 3.0.2: If you wish mongodump to prompt the user for the password, pass the --username option without --password or specify an empty string as the --password value, as in --password "" .
Seems like what you are doing is the recommended way.
Also, this can help further:
If the secret doesn't change between executions, use a special configuration file, ".appsecrets". Set the permissions of the file to be read-only by owner. Inside the file set an environment variable to the secret. The file needs to be in the home directory of the user running the command.
33
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
