  1. Core Server
  2. SERVER-57277

Arbiter nodes (set to authenticate sessions against them) continue to expect authentication even after a resync.


Details

    • Question
    • Status: Closed
    • Major - P3
    • Resolution: Works as Designed
    • 4.4.5
    • Security 2021-06-28, Security 2021-07-12, Security 2021-07-26, Security 2021-08-09, Security 2021-08-23

    Description

      Some tech team typically deploys PSA Replica Sets manually, with authentication enabled, configuring users on all the nodes, Arbiter included, following these steps:

         1) Start arbiter as a standalone process.
         2) Create the user.
         3) Bring the node up as a replica set member.

      After forcing an Initial Sync of Arbiter nodes installed following the above steps, the Arbiter can no longer authenticate sessions against it, but the Initial Sync does not revert the situation to a totally clean state, because, e.g., commands like db.shutdownServer() or rs.status() return the warning message:

      2021-05-07T11:03:36.269+0000 E QUERY [js] Error: shutdownServer failed: {"ok" : 0,"errmsg" : "command shutdown requires authentication","code" : 13,"codeName" : "Unauthorized"} :
      _getErrorWithCode@src/mongo/shell/utils.js:25:13
      DB.prototype.shutdownServer@src/mongo/shell/db.js:426:19
      @(shell):1:1

      On correctly installed Arbiter nodes, the command db.shutdownServer() shuts down the process, while the command rs.status() returns the expected output.

      The questions are:

      1. Can the unexpected behaviour of these Arbiter nodes lead to other potential health issues for the Replica Set?
          
      2. What's the correct/best way to revert the configuration of Arbiters set to authenticate sessions against them? Is the Initial Sync not enough?

       

            People

              sara.golemon@mongodb.com Sara Golemon
              marco.barbierato@mongodb.com Marco Barbierato