[DOCS-3307] Server admin password reset Created: 30/Apr/14 Updated: 11/Jan/17 Resolved: 27/Jul/16 |
|
| Status: | Closed |
| Project: | Documentation |
| Component/s: | kb |
| Affects Version/s: | None |
| Fix Version/s: | 01112017-cleanup |
| Type: | Improvement | Priority: | Major - P3 |
| Reporter: | Alexander Komyagin | Assignee: | Unassigned |
| Resolution: | Won't Fix | Votes: | 0 |
| Labels: | security-review | ||
| Remaining Estimate: | Not Specified | ||
| Time Spent: | Not Specified | ||
| Original Estimate: | Not Specified | ||
| Issue Links: |
|
||||
| Participants: | |||||
| Days since reply: | 7 years, 29 weeks ago | ||||
| Description |
|
It should be useful to document the steps needed to reset the admin password for the following configurations:
|
| Comments |
| Comment by Emily Hall [ 27/Jul/16 ] |
|
Closed for housekeeping on 7/27/2016 by Emily Hall. |
| Comment by Amalia Hawkins [ 28/Oct/14 ] |
|
A standalone server, for example. |
| Comment by Scott Hernandez (Inactive) [ 28/Oct/14 ] |
|
amalia.hawkins@10gen.com, what is the case when you have auth on but no keyfile/x509 (since it requires some server creds for intra-system auth)? |
| Comment by Amalia Hawkins [ 28/Oct/14 ] |
|
I would not suggest removing the admin db files. For the non-keyfile/x509 scenario, there is no other option but to restart with auth disabled. Alternatively, if there is another user with userAdmin rights, you can of course use that other user to reset the admin user's password. For the keyfile/x509 scenario, you can login as the __system user. This is not recommended for normal operations, but is the only other option to the two outlined above in an 'emergency'. Basically, you pretend to be a server. |
| Comment by Scott Hernandez (Inactive) [ 15/Oct/14 ] |
|
Probably not till after the 2.8RCs, but sure. Might be good to talk to someone working on auth/security or QA do a first pass if they have any time. |
| Comment by Michael Paik [ 15/Oct/14 ] |
|
scotthernandez, can you write something up to this effect, and we'll polish? |
| Comment by Scott Hernandez (Inactive) [ 03/Sep/14 ] |
|
I think this solution falls more into the "how to reset auth" and is not what we want to suggest/doc for this use. Also, for 3, you probably want to remove the admin dbs on shards too, or follow the 2nd steps. Instead we should have them (surgically) reset the admin password(s) using the keyfile/x509 user. We would have to document how to login with the keyfile/x509 user as a prereq. This will also allow these changes live and without downtime. |