[SERVER-5368] can not authenticate an admin user Created: 22/Mar/12  Updated: 15/Aug/12  Resolved: 06/Apr/12

Status: Closed
Project: Core Server
Component/s: Admin
Affects Version/s: 2.0.4
Fix Version/s: None

Type: Question Priority: Minor - P4
Reporter: George Nikopoulos Assignee: Adam Comerford
Resolution: Done Votes: 0
Labels: replicaset
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Participants:

 Description   

My question might be stupid, but I am very new to MongoDB. An admin ID was created by our MongoDB administrator. The ID, for example, is ("george","password").

on mongos server:
I log in
use admin
db.auth("george","password");
get 1
no problem

db.system.users.find()

{ "_id" : ObjectId("4f6b4a667f1a1c7f7842bee0"), "user" : "george", "readOnly" : false, "pwd" : "d962c58450d4df2a3eb94b944e292bde" }

can run commands
show dbs
show collections
printShardingStatus etc.

Of course db.printReplicationInfo() cannot be run here. I need to go down to my replica set
servers (6 of them) and run it, but I cannot get authenticated on those.

connecting to: 127.0.0.1:27018/test
> use admin
switched to db admin
> db.auth("george","password")
0
show dbs
Thu Mar 22 16:37:30 uncaught exception: listDatabases failed:

{ "errmsg" : "need to login", "ok" : 0 }

PS: We use a keyFile.

What am I doing wrong here?
Appreciate your help.



 Comments   
Comment by Adam Comerford [ 06/Apr/12 ]

Try this, connect to the mongos and run:

> use admin
> db.printShardingStatus();

Take a look at the output for the admin DB, it will say something like this:

databases:
	{ "name" : "admin", "partitioned" : false,
	  "primary" : "localhost:20001",
	  "_id" : ObjectId("4bd9add2c0302e394c6844b6") }

That is, it is just a regular, unsharded database. If you connect to that host (listed as the primary for the admin DB) you should be able to run the commands there - that host has the same admin database and knows about the user. Whenever you connect to the mongos, any queries are routed to and run against that primary, hence success.

Basically, you've run into one of the quirks with sharding and authentication. Every host in the shard that is the primary for the admin DB will know about the user you added via mongos, because it is replicated inside the shards; however, none of the other hosts in other shards will know about it - it is not replicated between shards. This makes sense if you just think of it as an un-sharded collection.

If you want to run authenticated commands on shards that are not the primary for the admin DB you are going to have to add the user individually to each shard that is not listed as the primary for the admin DB. Any changes to the user (passwords etc.) will also have to be synced out to each shard. I would recommend scripting it rather than doing it manually.
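
The per-shard bookkeeping that the comment above recommends scripting, as an added example (not code from this ticket or from MongoDB): it works out which shards are missing, or hold a stale copy of, each user record found on the admin DB's primary. The shard names, the `usersByShard` input (each shard's `db.system.users.find()` output, collected beforehand) and the placeholder hashes are assumptions constructed for illustration.

```javascript
// Shard that holds the unsharded admin DB, taken from the "databases"
// section of printShardingStatus() output (shape as shown in the ticket).
function adminPrimary(databases) {
  const entry = databases.find((d) => d.name === "admin");
  if (!entry) throw new Error("no admin entry in databases list");
  return entry.primary;
}

// Compare the user records on the admin primary with every other shard and
// return the changes needed so that each shard knows the same users.
function planUserSync(databases, shards, usersByShard) {
  const primary = adminPrimary(databases);
  const source = usersByShard[primary];
  if (!source) throw new Error("no user list for admin primary " + primary);
  const plan = [];
  for (const shard of shards) {
    if (shard === primary) continue; // mongos already routes admin queries here
    const have = new Map((usersByShard[shard] || []).map((u) => [u.user, u]));
    for (const want of source) {
      const got = have.get(want.user);
      if (!got) {
        plan.push({ shard, action: "add", user: want.user });
      } else if (got.pwd !== want.pwd || got.readOnly !== want.readOnly) {
        plan.push({ shard, action: "update", user: want.user });
      }
      have.delete(want.user);
    }
    // Users that exist only on this shard are flagged, never removed silently.
    for (const extra of have.keys()) {
      plan.push({ shard, action: "review", user: extra });
    }
  }
  return plan;
}

// Constructed sample data: three shards, admin DB on localhost:20001.
// The pwd values are placeholders, not real hashes.
const sampleDatabases = [{ name: "admin", partitioned: false, primary: "localhost:20001" }];
const sampleShards = ["localhost:20001", "localhost:20002", "localhost:20003"];
const sampleUsers = {
  "localhost:20001": [{ user: "george", readOnly: false, pwd: "<hash-current>" }],
  "localhost:20002": [{ user: "george", readOnly: false, pwd: "<hash-old>" }],
  "localhost:20003": [],
};

console.log(planUserSync(sampleDatabases, sampleShards, sampleUsers));
```

The plan only lists what differs; applying each "add" or "update" still has to be done on the primary member of the shard's replica set.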
