[SERVER-66228] Not possible to automate setup of replicaSet with RBAC - MongoDB Jira

XML

Word

Printable

JSON

Details

Type: Bug
Status: Closed
Priority: Major - P3
Resolution: Done
Affects Version/s: None
Fix Version/s: None
Component/s: None
Labels:

Operating System:
ALL
Steps To Reproduce:

Hide

For mongodb to support a replicaset it must have in the mongod.conf file:
replication:
replSetName: <someName>

at the same time for RBAC to be enabled it must contain:
security:
authorization: enabled
as well as the mode (ex: x509 or keyfile)

The issue: With Authorization enabled the only thing you can do, and therefore the first thing you must do is to create the admin user with the ability to create other users via the localhost exception. But that's not possible. This is being blocked by mongodb because the replication specification means mongo will always return:
MongoServerError: not primary

this can only be eliminated by first setting up the replicaset. But you can't because that's in conflict with RBAC where the only thing you can first is create a user... but you can't do that because of the replicaset where the only thing you're allowed to do is configure the replicaset and around and around the problem goes.

The only current workaround for this design flaw is to boot with one configuration that leaves out one of these options. Configure the remaining option. Then shut down mongodb and swap out the configuration file with the complete one that has both replicaSet and RBAC enabled then reboot mongo and complete the setup of the other one. This is a very annoying problem and is counter intuitive. Please Fix.

Show
For mongodb to support a replicaset it must have in the mongod.conf file: replication: replSetName: <someName> at the same time for RBAC to be enabled it must contain: security: authorization: enabled as well as the mode (ex: x509 or keyfile) The issue: With Authorization enabled the only thing you can do, and therefore the first thing you must do is to create the admin user with the ability to create other users via the localhost exception. But that's not possible. This is being blocked by mongodb because the replication specification means mongo will always return: MongoServerError: not primary this can only be eliminated by first setting up the replicaset. But you can't because that's in conflict with RBAC where the only thing you can first is create a user... but you can't do that because of the replicaset where the only thing you're allowed to do is configure the replicaset and around and around the problem goes. The only current workaround for this design flaw is to boot with one configuration that leaves out one of these options. Configure the remaining option. Then shut down mongodb and swap out the configuration file with the complete one that has both replicaSet and RBAC enabled then reboot mongo and complete the setup of the other one. This is a very annoying problem and is counter intuitive. Please Fix.

Description

There are requirements to setting up a RBAC. There are requirements to setting up a replica set. These requirements are opposed to each other making it not possible to automate the setup of a mongo server.

Attachments

Activity

People

Assignee:: Chris Kelly

Reporter:: Currn Hyde

Participants:: Chris Kelly, Currn Hyde, Spencer Brown

Votes:: 0 Vote for this issue

Watchers:: 4 Start watching this issue

Dates

Created:: May 05 2022 01:20:39 AM UTC

Updated:: Sep 08 2022 07:27:40 PM UTC

Resolved:: Sep 08 2022 07:27:40 PM UTC