[SERVER-10016] Can't add a shard after first user is added in auth mode Created: 25/Jun/13 Updated: 24/Aug/17 Resolved: 31/Jul/17 |
|
| Status: | Closed |
| Project: | Core Server |
| Component/s: | Security, Sharding |
| Affects Version/s: | 2.4.4, 2.5.0 |
| Fix Version/s: | None |
| Type: | Question | Priority: | Major - P3 |
| Reporter: | Michael Grundy | Assignee: | Spencer Jackson |
| Resolution: | Duplicate | Votes: | 1 |
| Labels: | None |
| Remaining Estimate: | Not Specified |
| Time Spent: | Not Specified |
| Original Estimate: | Not Specified |
| Environment: | Sharded with Kerberos authentication |
| Description |
|
When configuring a sharded cluster with authentication in localhost bypass mode, you have to add a shard before you add the first user on a database other than admin or config, or else you can't add a shard. While we are working on getting this documented, it still isn't intuitive. It would be better to be able to add a user, or have a user database pre-populated with a clusterAdmin level user, prior to adding shards. This is primarily an issue if the first user you plan to add is on the $external database, say because the user is to be authenticated via Kerberos or LDAP proxy. |
| Comments |
| Comment by Andy Schwerin [ 19/Dec/13 ] |
|
michael.grundy@10gen.com, would you consider this a duplicate of |
| Comment by Michael Grundy [ 25/Jun/13 ] |
|
I'm thinking this may be more of a Kerberos gotcha. You have to add the user in localhost bypass, but you can't authenticate Kerberos unless you've connected to the host address. Then when you try to authenticate, it throws a "can't find a shard to put new db on" error. |
| Comment by Spencer Brody (Inactive) [ 25/Jun/13 ] |
|
I'm still not sure I understand the problem. After you add the first user, can't you just authenticate to that user and then use it to add the first shard? |
| Comment by Michael Grundy [ 25/Jun/13 ] |
|
Yes, you can add a user, but then you can't add any shards. I'll clarify. |
| Comment by Spencer Brody (Inactive) [ 25/Jun/13 ] |
|
I believe you can add a user to a sharded system with no shards, so long as that user is on the admin database, though I haven't tested this recently. |