[SERVER-10016] Can't add a shard after first user is added in auth mode Created: 25/Jun/13  Updated: 24/Aug/17  Resolved: 31/Jul/17

Status: Closed
Project: Core Server
Component/s: Security, Sharding
Affects Version/s: 2.4.4, 2.5.0
Fix Version/s: None

Type: Question Priority: Major - P3
Reporter: Michael Grundy Assignee: Spencer Jackson
Resolution: Duplicate Votes: 1
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified
Environment:

Sharded with Kerberos authentication


Issue Links:
Duplicate
duplicates SERVER-11126 addUser does not work on mongos witho... Closed
Related
is related to SERVER-11126 addUser does not work on mongos witho... Closed
Participants:

Description

When configuring a sharded cluster with authentication in localhost bypass mode, you have to add a shard before you add the first user on a database other than admin or config, or else you can't add a shard. While we are working on getting this documented, it still isn't intuitive.

It would be better to be able to add a user, or have a user database pre-populated with a clusterAdmin level user, prior to adding shards.

This is primarily an issue if the first user you plan to add is on the $external database, say because the user is to be authenticated via Kerberos or LDAP proxy.
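The ordering the description calls for, as an added example in mongo shell JavaScript (not code from the ticket or from MongoDB): check config.shards, add a shard if none is registered, and only then store the $external user in the 2.4-style admin.system.users document format shown later in the thread. The shard spec "rs0/shard1.example.com:27018" is a placeholder, and the script assumes a shell connected to mongos over localhost so the localhost exception applies.

```javascript
// Added example (mongo shell JavaScript), not code from the ticket or from MongoDB.
// Bootstrap order for a sharded cluster started with auth, using the 2.4/2.5 user
// model shown in the thread: add a shard first, then store the first $external user.
// Run from a mongo shell connected to mongos on localhost (no --host) so the
// localhost exception applies. Placeholder: "rs0/shard1.example.com:27018".

// Number of shards registered in the config database.
function shardCount(conn) {
  return conn.getSiblingDB("config").shards.count();
}

// Register a shard unless one already exists; returns true if one was added.
function ensureShard(conn, shardSpec) {
  if (shardCount(conn) > 0) {
    return false;
  }
  var res = conn.getSiblingDB("admin").runCommand({ addShard: shardSpec });
  if (res.ok !== 1) {
    throw new Error("addShard failed: " + JSON.stringify(res));
  }
  return true;
}

// Store a Kerberos/LDAP user in the 2.4-style admin.system.users document format
// from the ticket. Refuses to proceed while the cluster has no shard: the first
// authentication of a $external user makes mongos create that database's config
// entry, which fails with "can't find a shard to put new db on" if no shard exists.
function addExternalUser(conn, principal, roles) {
  if (shardCount(conn) === 0) {
    throw new Error("add a shard before creating the first $external user");
  }
  var users = conn.getSiblingDB("admin").getCollection("system.users");
  users.insert({ user: principal, userSource: "$external", roles: roles });
  return users.count({ user: principal, userSource: "$external" });
}

// Full sequence; returns the names of the steps that ran, in order.
function bootstrap(conn, shardSpec, principal) {
  var steps = [];
  if (ensureShard(conn, shardSpec)) {
    steps.push("addShard");
  }
  addExternalUser(conn, principal, ["clusterAdmin", "userAdminAnyDatabase"]);
  steps.push("addExternalUser");
  return steps;
}
```

In the shell, call bootstrap(db, "rs0/shard1.example.com:27018", "grund/admin@REALM99.10GEN.ME"), then reconnect with --host and authenticate that principal against $external to continue cluster setup.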



Comments
Comment by Andy Schwerin [ 19/Dec/13 ]

michael.grundy@10gen.com, would you consider this a duplicate of SERVER-11126?

Comment by Michael Grundy [ 25/Jun/13 ]

I'm thinking this may be more of a kerberos gotcha. You have to add the user in localhost bypass, but you can't authenticate kerberos unless you've connected to the host address. Then when you try to authenticate, it throws a "can't find a shard to put new db on" error.

[ec2-user@mongod1 ~]$ mongo --host mongod1
MongoDB shell version: 2.5.0
connecting to: mongod1:27017/test
> use admin
switched to db admin
> db.system.users.insert({ "_id" : ObjectId("5192e155198a45b8a009ea88"), "roles" : [ "dbAdminAnyDatabase", "userAdminAnyDatabase", "clusterAdmin", "readWriteAnyDatabase" ], "user" : "grund/admin@REALM99.10GEN.ME", "userSource" : "$external" })
not authorized for insert on admin.system.users
> quit()
[ec2-user@mongod1 ~]$ mongo
MongoDB shell version: 2.5.0
connecting to: test
mongos> use admin
switched to db admin
mongos> db.system.users.insert({ "_id" : ObjectId("5192e155198a45b8a009ea88"), "roles" : [ "dbAdminAnyDatabase", "userAdminAnyDatabase", "clusterAdmin", "readWriteAnyDatabase" ], "user" : "grund/admin@REALM99.10GEN.ME", "userSource" : "$external" })
> db.auth({ mechanism: "GSSAPI", user: "grund/admin@REALM99.10GEN.ME"})
Error: 17 SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (Server mongodb/localhost@REALM99.10GEN.ME not found in Kerberos database)
0
> quit()
[ec2-user@mongod1 ~]$ mongo --host mongod1
MongoDB shell version: 2.5.0
connecting to: mongod1:27017/test
> use $external
switched to db $external
> db.auth({ mechanism: "GSSAPI", user: "grund/admin@REALM99.10GEN.ME"})
Error: 13106 nextSafe(): { $err: "error creating initial database config information :: caused by :: can't find a shard to put new db on", code: 10185 }
0
> quit()

Comment by Spencer Brody (Inactive) [ 25/Jun/13 ]

I'm still not sure I understand the problem; after you add the first user, can't you just authenticate to that user and then use it to add the first shard?

Comment by Michael Grundy [ 25/Jun/13 ]

Yes, you can add a user, but then you can't add any shards. I'll clarify.

Comment by Spencer Brody (Inactive) [ 25/Jun/13 ]

I believe you can add a user to a sharded system with no shards, so long as that user is on the admin database, though I haven't tested this recently.

Generated at Thu Feb 08 03:22:02 UTC 2024 using Jira 9.7.1#970001-sha1:2222b88b221c4928ef0de3161136cc90c8356a66.