[DOCS-2003] Remove userSource from x.509 docs in 2.6 release notes. Created: 26/Sep/13 Updated: 11/Jan/17 Resolved: 27/Sep/13
| Status: | Closed |
| Project: | Documentation |
| Component/s: | None |
| Affects Version/s: | None |
| Fix Version/s: | 01112017-cleanup |
| Type: | Bug | Priority: | Major - P3 |
| Reporter: | Bernie Hackett | Assignee: | Kay Kim (Inactive) |
| Resolution: | Done | Votes: | 0 |
| Labels: | 26qa |
| Remaining Estimate: | Not Specified |
| Time Spent: | Not Specified |
| Original Estimate: | Not Specified |
| Description |
The release notes currently say:
The userSource field is no longer valid. The server now figures out if you are adding an admin or regular user based on roles. The part before the addUser call should say "use $external".
| Comments |
| Comment by auto [ 15/Oct/13 ] |
Author: kay (kay-kim, kay.kim@10gen.com)
Message: 2.6 relnotes
| Comment by Kay Kim (Inactive) [ 27/Sep/13 ] |
Currently in the next branch: http://docs.10gen.cc/manual-internal/next/release-notes/2.6/
| Comment by Spencer Brody (Inactive) [ 27/Sep/13 ] |
Try this:
If you specify the role just as a string, the source for that role is taken to be the db the command was run on, in this case $external, but the "readWriteAnyDatabase" role is only defined on the "admin" DB, so you need to use the document form for the role and specify the source as "admin".
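The role lookup described in the comment above, modeled as an added example (not part of the original comment and not MongoDB server code). The role table is a constructed subset of the built-in roles, and the `name` key of the document form is a hypothetical field name; `source` is the field named in this thread.

```javascript
// Model of the role-source rule: a string role inherits the database the
// command ran on; the document form names its source database explicitly.

// Constructed subset of built-in roles. These exist only on "admin".
const ADMIN_ONLY_ROLES = new Set([
  "readAnyDatabase", "readWriteAnyDatabase",
  "userAdminAnyDatabase", "dbAdminAnyDatabase", "clusterAdmin",
]);
// These exist on every database.
const PER_DB_ROLES = new Set(["read", "readWrite", "dbAdmin", "userAdmin"]);

function roleExists(name, db) {
  if (PER_DB_ROLES.has(name)) return true;
  return ADMIN_ONLY_ROLES.has(name) && db === "admin";
}

// `name` is a hypothetical key for this model; `source` comes from the thread.
function resolveRole(spec, commandDb) {
  if (typeof spec === "string") return { name: spec, source: commandDb };
  if (spec && typeof spec.name === "string" && typeof spec.source === "string") {
    return { name: spec.name, source: spec.source };
  }
  throw new TypeError("role must be a string or {name, source}");
}

// Resolve every requested role and report which ones name a real role.
function checkRoles(roles, commandDb) {
  return roles.map((spec) => {
    const r = resolveRole(spec, commandDb);
    const id = `${r.name}@${r.source}`;
    return roleExists(r.name, r.source)
      ? { role: id, ok: true }
      : { role: id, ok: false, error: `${id} does not name an existing role` };
  });
}

// Constructed inputs: an x.509 user being added while on $external.
console.log(checkRoles(["readWriteAnyDatabase", "clusterAdmin"], "$external"));
console.log(checkRoles(
  [{ name: "readWriteAnyDatabase", source: "admin" }, "readWrite"],
  "$external"));
```
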
| Comment by Andreas Nilsson [ 27/Sep/13 ] |
It seems I cannot get the command to run either. Was sure Spencer showed me how to do this yesterday. Either I get the pwd field required or "couldn't add user: readAnyDatabase@$external does not name an existing role at src/mongo/shell/db.js:989". Looks like a potential bug to me. Will talk to Spencer as soon as he gets in.
| Comment by Andreas Nilsson [ 27/Sep/13 ] |
The first example was not intended for X509 specifically but as a general comment. Did you try to provide $external as part of the user document like the second example? Will double-check if I made a typo somewhere.
| Comment by Bernie Hackett [ 27/Sep/13 ] |
andreas.nilsson@10gen.com, your first example doesn't make any sense. This is MONGODB-X509 auth, there is no password. Your second example doesn't actually work. Reposting in this comment from my first comment above...:
If you read my comment previous to this you will see that I finally figured out how to add an admin user, but it appears that you can't use a simple list of admin roles (e.g. ['readWriteAnyDatabase', 'clusterAdmin']), you have to use this new list of documents format. spencer, may have to answer this question, but why is that? The list of built-in roles appears to work for all other databases, but not for $external:
Is this a bug or by design?
| Comment by Andreas Nilsson [ 27/Sep/13 ] |
behackett the format of the addUser command has changed as part of spencer's changes to the role management and the release notes are incorrect at the moment. The following works as you found out yesterday:
More generally the new parameters can also be specified on the roles as below. Note that I have omitted the pwd field since the source is $external.
Sorry about any delays to the testing, please let me and Spencer know what we can do to assist.
| Comment by Bernie Hackett [ 27/Sep/13 ] |
Success through much trial and error:
This was just a wild guess. It seems there is a lot of documentation required here. This whole roles format is totally new. It's not clear to me what hasRole and canDelegate really mean, or why I have to say the role I want exists on the admin db. This is really confusing.
| Comment by Bernie Hackett [ 27/Sep/13 ] |
OK, I think I'm starting to understand this. I guess "admin" users can't be defined in $external? So admin users can't authenticate with MONGODB-X509? Normal user roles appear to work:
| Comment by Bernie Hackett [ 27/Sep/13 ] |
That last one is particularly confusing since "source" is "$external".
| Comment by Bernie Hackett [ 26/Sep/13 ] |
Actually, I can't figure out how to add a user with roles to $external in current builds. Here's a few attempts:
spencer, andreas.nilsson@10gen.com, is this a server bug? Is there some totally new, undocumented format for this?