[SERVER-6936] addUser appears to fail when KeyFile used in a Sharding configuration Created: 05/Sep/12  Updated: 15/Feb/13  Resolved: 05/Sep/12

Status: Closed
Project: Core Server
Component/s: Security, Sharding
Affects Version/s: 2.1.1, 2.2.0
Fix Version/s: None

Type: Bug Priority: Blocker - P1
Reporter: Zoiner Tejada Assignee: Spencer Brody (Inactive)
Resolution: Duplicate Votes: 0
Labels: sharding
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified
Environment:

Windows - 7, 2008 R2. On-premise and on Azure.


Attachments: Zip Archive ReproScripts.zip
Issue Links:
Duplicate
duplicates SERVER-6591 Localhost authentication exception do... Closed
Operating System: ALL
Participants:

Description

The crux of the problem occurs when I try to add the user using a localhost connection to mongos; I get:
mongos> db.addUser('z','z')
{
"user" : "z",
"readOnly" : false,
"pwd" : "899fa315594cebad2592f18d1ef50f79",
"_id" : ObjectId("504670f2705dfdc07c42070a")
}
Tue Sep 04 21:21:54 uncaught exception: couldn't add user: SyncClusterConnection::insert prepare failed: ShardRole0:20000:

{ errmsg: "need to login", ok: 0.0 }

ShardRole1:20000:

{ errmsg: "need to login", ok: 0.0 }

ShardRole2:20000:

{ errmsg: "need to login", ok: 0.0 }

At this point, we are running with security mode enabled (e.g., KeyFile switch), but have not yet added any admin users anywhere.

Here are some key details:

  • This happened with MongoDB for Windows 2008plus versions 2.1.1 and 2.2.0
  • Our topology is three servers, each running a MongoS, a Config and a MongoD replica member.
    • ShardServer0: MongoS, MongoD Config, MongoD replica
    • ShardServer1: MongoS, MongoD Config, MongoD replica
    • ShardServer2: MongoS, MongoD Config, MongoD replica
  • All replica instances belong to a single ReplicaSet, "rs"
  • This error occurs with or without a Shard first being added.
  • The problem ONLY seems to surface when the servers are actually separate physical machines, or separate virtual machine instances. In other words, if all three sets of processes run on one machine then this error is not encountered.

Reproducing the Problem:
We have built a set of command line batch scripts for Windows that replicate the problem (see the attachments).

The scripts just need to be copied next to your Mongo binaries. For example, here's how we run it (follow the prompts at the command line for each):
– ShardServer0: execute "RunA.bat"
– ShardServer1: execute "RunB.bat"
– ShardServer2: execute "RunC.bat"

RunA.bat is identical to RunB and RunC except that it will also create a MongoS process and attempt to add a user.
If you will be trying it out, be sure to update folder paths, IP addresses and ports as appropriate for your environment by modifying all three BAT scripts and the initShardABC.js script.

For comparison purposes, if you just run RunShardInfrastructureWithAuth.bat, it will run everything on a single machine and you will not encounter this error.



Comments
Comment by Spencer Brody (Inactive) [ 26/Sep/12 ]

You could set up and configure the entire cluster without the --keyFile flag so that there is no authentication checks performed, add an admin user, then restart all the nodes in the cluster to run with --keyFile.

I updated the documentation at http://www.mongodb.org/display/DOCS/Security+and+Authentication#SecurityandAuthentication-EnablingSecureMode to make this clearer.

Comment by Hays Barrett [ 26/Sep/12 ]

I am experiencing the exact same issue using 2.2 Linux 64-bit. What do you mean when you say "set up the cluster without authentication enabled"? To set up a cluster don't you need to use the keyFile switch, and if you use that switch isn’t auth implied?

Comment by Spencer Brody (Inactive) [ 05/Sep/12 ]

The easiest workaround here is to set up the cluster without authentication enabled, add the first admin user, then restart the cluster enabling authentication.

Comment by Spencer Brody (Inactive) [ 05/Sep/12 ]

The problem is that in 2.0 all connections between the mongos and the config servers are given full admin access, but in 2.2 commands run on the config servers only have whatever permissions the user has authenticated to against the mongos. Although the mongos recognizes the incoming connection as coming from localhost, and thus having permission to run anything, when the addUser command is sent to the config servers the connection from the mongos to the config servers is not a localhost connection, and since the user has no auth credentials at this point, the command gets denied.

There is a ticket open to fix this behavior: SERVER-6591.
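As an added illustration (not MongoDB source code and not part of this ticket), the following Python model walks through the two-hop authorization path described in the comment above: the localhost exception is decided once for the shell-to-mongos hop and again, separately, for the mongos-to-config-server hop. The Node and Cluster classes, the single shared admin-user set, and the three scenario functions are assumptions of the model; the "need to login" reply, the ShardRole0..2 names and the one-machine versus three-machine topologies come from the ticket.

```python
"""Constructed model (not MongoDB code) of the 2.2 authorization path described
in the ticket: a command travels client -> mongos -> config servers, and the
localhost exception is evaluated independently on each hop."""
from dataclasses import dataclass, field

NEED_LOGIN = {"errmsg": "need to login", "ok": 0.0}   # reply quoted in the ticket


def is_loopback(addr):
    """True if a 'host:port' address names the loopback interface."""
    host = addr.rsplit(":", 1)[0]
    return host in ("localhost", "127.0.0.1")


@dataclass
class Node:
    name: str
    auth_enabled: bool                  # started with --keyFile (auth implied)


@dataclass
class Cluster:
    mongos: Node
    config_servers: dict                # name -> Node
    configdb: dict                      # name -> address the mongos dials, e.g. 'ShardRole0:20000'
    admins: set = field(default_factory=set)   # admin-db users (model assumption: one shared set)

    def authorize(self, node, via_loopback, principal):
        """Per-node access decision for a privileged command."""
        if not node.auth_enabled:
            return True
        if principal in self.admins:
            return True
        # localhost exception: a loopback connection is trusted only while
        # no admin user exists yet
        if via_loopback and not self.admins:
            return True
        return False

    def add_user(self, principal, new_user):
        # hop 1: mongo shell on the same box -> mongos, over loopback
        if not self.authorize(self.mongos, True, principal):
            return NEED_LOGIN
        # hop 2: mongos -> each config server. 2.2 behaviour: the hop carries only
        # the client's principal, and it is a loopback connection only when the
        # configdb string names a loopback address.
        failures = {}
        for name, cfg in self.config_servers.items():
            if not self.authorize(cfg, is_loopback(self.configdb[name]), principal):
                failures[self.configdb[name]] = NEED_LOGIN
        if failures:
            return {"ok": 0.0,
                    "errmsg": "couldn't add user: SyncClusterConnection::insert prepare failed",
                    "failed": failures}
        self.admins.add(new_user)
        return {"ok": 1.0, "user": new_user}


def build(configdb, auth_enabled):
    """Assemble one mongos plus a config server per configdb address."""
    names = [f"ShardRole{i}" for i in range(len(configdb))]
    return Cluster(
        mongos=Node("mongos", auth_enabled),
        config_servers={n: Node(n, auth_enabled) for n in names},
        configdb=dict(zip(names, configdb)),
    )


def three_machines_with_keyfile():
    """Ticket scenario: config servers on separate hosts, --keyFile from the start."""
    c = build(["ShardRole0:20000", "ShardRole1:20000", "ShardRole2:20000"], auth_enabled=True)
    return c.add_user(principal=None, new_user="z")


def one_machine_with_keyfile():
    """Single-machine scenario: every hop is loopback, so addUser succeeds."""
    c = build(["localhost:20000", "localhost:20001", "localhost:20002"], auth_enabled=True)
    return c.add_user(principal=None, new_user="z")


def workaround():
    """Start without --keyFile, add the first admin, then restart with --keyFile."""
    c = build(["ShardRole0:20000", "ShardRole1:20000", "ShardRole2:20000"], auth_enabled=False)
    first = c.add_user(principal=None, new_user="z")
    for node in (c.mongos, *c.config_servers.values()):   # "restart" with --keyFile
        node.auth_enabled = True
    anonymous = c.add_user(principal=None, new_user="app")       # localhost exception now closed
    authenticated = c.add_user(principal="z", new_user="app")    # authenticated as the admin
    return first, anonymous, authenticated
```

Running the three scenario functions reproduces the ticket's observations: with separate hosts every config server answers "need to login", on one machine the same call succeeds, and after the bootstrap-then-restart workaround only an authenticated admin can add further users, which is the state the cluster should be in once the key file is active.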
