[DOCS-2003] Remove userSource from x.509 docs in 2.6 release notes. Created: 26/Sep/13  Updated: 11/Jan/17  Resolved: 27/Sep/13

Status: Closed
Project: Documentation
Component/s: None
Affects Version/s: None
Fix Version/s: 01112017-cleanup

Type: Bug Priority: Major - P3
Reporter: Bernie Hackett Assignee: Kay Kim (Inactive)
Resolution: Done Votes: 0
Labels: 26qa
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


Description

The release notes currently say:

Add the value of the subject, omitting the spaces, from the certificate as a user. For example, in the mongo shell, to add the user to the test database:
use test
db.addUser({
            user: "CN=myName,OU=myOrgUnit,O=myOrg,L=myLocality,ST=myState,C=myCountry",
            userSource: '$external',
            roles: ['readAnyDatabase', 'readWriteAnyDatabase']
          })

The userSource field is no longer valid. The server now figures out if you are adding an admin or regular user based on roles. The part before the addUser call should say "use $external".



Comments
Comment by auto [ 15/Oct/13 ]

Author: kay-kim <kay.kim@10gen.com>

Message: 2.6 relnotes DOCS-2003 update example in x.509
Branch: master
https://github.com/mongodb/docs/commit/00a48b05c4182e0104f97b0458c740fff52ba737

Comment by Kay Kim (Inactive) [ 27/Sep/13 ]

Currently in the next branch:

http://docs.10gen.cc/manual-internal/next/release-notes/2.6/

Comment by Spencer Brody (Inactive) [ 27/Sep/13 ]

Try this:

> use $external
> db.addUser({user: 'CN=client,OU=kerneluser,O=10Gen,L=New York City,ST=New York,C=US', roles: [{name: 'readWriteAnyDatabase', source: 'admin', hasRole: true, canDelegate: false}]})

If you specify the role just as a string, the source for that role is taken to be the db the command was run on, in this case $external, but the "readWriteAnyDatabase" role is only defined on the "admin" DB, so you need to use the document form for the role and specify the source as "admin".
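A model of the role-resolution rules Spencer describes, added here as an illustration and not code from the server or the docs project: a bare string role resolves against the database the command is run on, the *AnyDatabase and cluster roles exist only on admin, and pwd is required unless the user's source is $external. The role sets and error strings are assumptions reconstructed from the messages shown in this thread (2.5.x development builds), not the server's actual tables.

```javascript
// Model of the addUser checks observed in this thread (2.5.x dev builds).
// Assumption: built-in role sets and error strings are taken from the
// messages pasted above, not from server source.
const ADMIN_ONLY_ROLES = new Set([
  'readAnyDatabase', 'readWriteAnyDatabase', 'dbAdminAnyDatabase',
  'userAdminAnyDatabase', 'clusterAdmin',
]);
const PER_DB_ROLES = new Set(['read', 'readWrite', 'dbAdmin', 'userAdmin']);

// Expand string roles to the document form. A bare string is resolved
// against the database the command was run on (currentDb), which is why
// 'readWriteAnyDatabase' given as a string on $external fails.
function normalizeRoles(roles, currentDb) {
  return roles.map((r) =>
    typeof r === 'string'
      ? { name: r, source: currentDb, hasRole: true, canDelegate: false }
      : r);
}

// Returns null when the user document would be accepted, otherwise the
// error string the shell printed for that case in the thread.
function validateUserDoc(doc, currentDb) {
  if ('userSource' in doc) {
    return '"userSource" is not a valid argument to createUser';
  }
  // The user's source is the db the command runs on; only $external
  // (certificate-authenticated) users may omit the password.
  if (currentDb !== '$external' && doc.pwd === undefined) {
    return "Must provide a 'pwd' field for all user documents, " +
      "except those with '$external' as the user's source";
  }
  for (const role of normalizeRoles(doc.roles, currentDb)) {
    const known = role.source === 'admin'
      ? ADMIN_ONLY_ROLES.has(role.name) || PER_DB_ROLES.has(role.name)
      : PER_DB_ROLES.has(role.name);
    if (!known) {
      return `${role.name}@${role.source} does not name an existing role`;
    }
  }
  return null;
}
```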

Comment by Andreas Nilsson [ 27/Sep/13 ]

It seems I cannot get the command to run either. Was sure Spencer showed me how to do this yesterday. Either I get the pwd field required or "couldn't add user: readAnyDatabase@$external does not name an existing role at src/mongo/shell/db.js:989"

Looks like a potential bug to me. Will talk to Spencer as soon as he gets in.

Comment by Andreas Nilsson [ 27/Sep/13 ]

The first example was not intended for X509 specifically but a general comment. Did you try to provide $external as part of the user document like the second example? Will double-check if I made a typo somewhere.

Comment by Bernie Hackett [ 27/Sep/13 ]

andreas.nilsson@10gen.com, your first example doesn't make any sense. This is MONGODB-X509 auth, there is no password.

Your second example doesn't actually work. Reposting here from my first comment above:

> use $external
switched to db $external
>  db.addUser({user: 'CN=client,OU=kerneluser,O=10Gen,L=New York City,ST=New York,C=US', roles: [{name: 'readWriteAnyDatabase', source: '$external', hasRole: true, canDelegate: false}]})
2013-09-26T16:15:35.156-0700 couldn't add user: readWriteAnyDatabase@$external does not name an existing role at src/mongo/shell/db.js:989
>
> use admin
switched to db admin
> db.addUser({user: 'CN=client,OU=kerneluser,O=10Gen,L=New York City,ST=New York,C=US', roles: [{name: 'readWriteAnyDatabase', source: '$external', hasRole: true, canDelegate: false}]})
2013-09-26T16:16:55.141-0700 couldn't add user: Must provide a 'pwd' field for all user documents, except those with '$external' as the user's source at src/mongo/shell/db.js:989
>

If you read my comment previous to this you will see that I finally figured out how to add an admin user, but it appears that you can't use a simple list of admin roles (e.g. ['readWriteAnyDatabase', 'clusterAdmin']), you have to use this new list of documents format. spencer may have to answer this question, but why is that? The list of built-in roles appears to work for all other databases, but not for $external:

> db.addUser({user: 'CN=client,OU=kerneluser,O=10Gen,L=New York City,ST=New York,C=US', roles: ['clusterAdmin']})
2013-09-26T15:50:14.608-0700 couldn't add user: clusterAdmin@$external does not name an existing role at src/mongo/shell/db.js:989

Is this a bug or by design?

Comment by Andreas Nilsson [ 27/Sep/13 ]

behackett, the format of the addUser command has changed as part of spencer's changes to the role management and the release notes are incorrect at the moment. The following works as you found out yesterday:

db.addUser({
    user:"CN=client,OU=kerneluser,O=10Gen,L=New York City,ST=New York,C=US",
    pwd:"anypwd",
    roles:["readWrite","dbAdmin"]
})

More generally the new parameters can also be specified on the roles as below. Note that I have omitted the pwd field since the source is $external.

db.addUser({
    user: "CN=myName,OU=myOrgUnit,O=myOrg,L=myLocality,ST=myState,C=myCountry",
    roles: [
        {name: 'readAnyDatabase', source: '$external', hasRole: true, canDelegate: false},
        {name: 'readWriteAnyDatabase', source: '$external', hasRole: true, canDelegate: false}
    ]
})

Sorry about any delays to the testing, please let me and Spencer know what we can do to assist.

Comment by Bernie Hackett [ 27/Sep/13 ]

Success through much trial and error:

> db
$external
> db.addUser({user: 'CN=client,OU=kerneluser,O=10Gen,L=New York City,ST=New York,C=US', roles: [{name:'readWriteAnyDatabase', source: 'admin', hasRole: true, canDelegate: false}]})
{
        "user" : "CN=client,OU=kerneluser,O=10Gen,L=New York City,ST=New York,C=US",
        "roles" : [
                {
                        "name" : "readWriteAnyDatabase",
                        "source" : "admin",
                        "hasRole" : true,
                        "canDelegate" : false
                }
        ]
}
>

This was just a wild guess. It seems there is a lot of documentation required here. This whole roles format is totally new. It's not clear to me what hasRole and canDelegate really mean, or why I have to say the role I want exists on the admin db. This is really confusing.

Comment by Bernie Hackett [ 27/Sep/13 ]

OK, I think I'm starting to understand this. I guess "admin" users can't be defined in $external? So admin users can't authenticate with MONGODB-X509?

Normal user roles appear to work:

> use $external
switched to db $external
> db.addUser({user: 'CN=client,OU=kerneluser,O=10Gen,L=New York City,ST=New York,C=US', roles: ['readWrite']})
{
        "user" : "CN=client,OU=kerneluser,O=10Gen,L=New York City,ST=New York,C=US",
        "roles" : [
                "readWrite"
        ]
}

Comment by Bernie Hackett [ 27/Sep/13 ]

That last one is particularly confusing since "source" is "$external".

Comment by Bernie Hackett [ 26/Sep/13 ]

Actually, I can't figure out how to add a user with roles to $external in current builds. Here are a few attempts:

> use admin
switched to db admin
> db.addUser({user: 'CN=client,OU=kerneluser,O=10Gen,L=New York City,ST=New York,C=US', roles: ['dbAdminAnyDatabase']})
 
2013-09-26T15:42:34.779-0700 couldn't add user: Must provide a 'pwd' field for all user documents, except those with '$external' as the user's source at src/mongo/shell/db.js:989
 
> db.addUser({user: 'CN=client,OU=kerneluser,O=10Gen,L=New York City,ST=New York,C=US', roles: ['dbAdminAnyDatabase'], userSource: '$external'})
2013-09-26T15:45:40.014-0700 couldn't add user: "userSource" is not a valid argument to createUser at src/mongo/shell/db.js:989
 
> use $external
switched to db $external
> db.addUser({user: 'CN=client,OU=kerneluser,O=10Gen,L=New York City,ST=New York,C=US', roles: ['dbAdminAnyDatabase']})
2013-09-26T15:48:54.201-0700 couldn't add user: dbAdminAnyDatabase@$external does not name an existing role at src/mongo/shell/db.js:989
 
> db.addUser({user: 'CN=client,OU=kerneluser,O=10Gen,L=New York City,ST=New York,C=US', roles: ['readAnyDatabase', 'readWriteAnyDatabase']})
2013-09-26T15:49:32.358-0700 couldn't add user: readAnyDatabase@$external does not name an existing role at src/mongo/shell/db.js:989
 
> db.addUser({user: 'CN=client,OU=kerneluser,O=10Gen,L=New York City,ST=New York,C=US', roles: ['clusterAdmin']})
2013-09-26T15:50:14.608-0700 couldn't add user: clusterAdmin@$external does not name an existing role at src/mongo/shell/db.js:989
 
>  db.addUser({user: 'CN=client,OU=kerneluser,O=10Gen,L=New York City,ST=New York,C=US', roles: [{name: 'readWriteAnyDatabase', source: '$external', hasRole: true, canDelegate: false}]})
2013-09-26T16:15:35.156-0700 couldn't add user: readWriteAnyDatabase@$external does not name an existing role at src/mongo/shell/db.js:989
 
> use admin
switched to db admin
> db.addUser({user: 'CN=client,OU=kerneluser,O=10Gen,L=New York City,ST=New York,C=US', roles: [{name: 'readWriteAnyDatabase', source: '$external', hasRole: true, canDelegate: false}]})
2013-09-26T16:16:55.141-0700 couldn't add user: Must provide a 'pwd' field for all user documents, except those with '$external' as the user's source at src/mongo/shell/db.js:989
>

spencer, andreas.nilsson@10gen.com, is this a server bug? Is there some totally new, undocumented format for this?
