[SERVER-9226] Cannot authenticate in 2.4.1 Created: 03/Apr/13  Updated: 10/Dec/14  Resolved: 03/Apr/13

Status: Closed
Project: Core Server
Component/s: Security
Affects Version/s: 2.4.1
Fix Version/s: None

Type: Bug Priority: Major - P3
Reporter: Donald Dumais Assignee: Spencer Brody (Inactive)
Resolution: Done Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified
Environment: UNIX Deb

Operating System: Linux
Steps To Reproduce:

1. Start first set of core mongod nodes using auth and keyFile:
mongod --replSet s1 --logpath /data/logmongo/s1-a.log --dbpath /data/datamongo/s1-a --port 37017 --oplogSize 200 --fork --shardsvr --auth --keyFile /data/keyFile.txt
mongod --replSet s1 --logpath /data/logmongo/s1-b.log --dbpath /data/datamongo/s1-b --port 37018 --oplogSize 200 --fork --shardsvr --auth --keyFile /data/keyFile.txt
mongod --replSet s1 --logpath /data/logmongo/s1-c.log --dbpath /data/datamongo/s1-c --port 37019 --oplogSize 200 --fork --shardsvr --auth --keyFile /data/keyFile.txt

2. Setup replica set s1:
mongo --port 37017
config = {"_id": "s1", "members" : [
  {"_id" : 0, "host" : "localhost:37017"},
  {"_id" : 1, "host" : "localhost:37018"},
  {"_id" : 2, "host" : "localhost:37019"}
]}
rs.initiate(config);

3. Start second set of core mongod nodes using auth and keyFile:
mongod --replSet s2 --logpath /data/logmongo/s2-a.log --dbpath /data/datamongo/s2-a --port 47017 --oplogSize 200 --fork --shardsvr --auth --keyFile /data/keyFile.txt
mongod --replSet s2 --logpath /data/logmongo/s2-b.log --dbpath /data/datamongo/s2-b --port 47018 --oplogSize 200 --fork --shardsvr --auth --keyFile /data/keyFile.txt
mongod --replSet s2 --logpath /data/logmongo/s2-c.log --dbpath /data/datamongo/s2-c --port 47019 --oplogSize 200 --fork --shardsvr --auth --keyFile /data/keyFile.txt

4. Setup replica set s2:
mongo --port 47017
config = {"_id": "s2", "members" : [
  {"_id" : 0, "host" : "localhost:47017"},
  {"_id" : 1, "host" : "localhost:47018"},
  {"_id" : 2, "host" : "localhost:47019"}
]}
rs.initiate(config);

5. Start config servers using --auth and --keyFile:
mongod --logpath /data/logmongo/cfg-1.log --dbpath /data/configmongo/cfg-a --port 57017 --oplogSize 200 --fork --configsvr --auth --keyFile /data/keyFile.txt
mongod --logpath /data/logmongo/cfg-2.log --dbpath /data/configmongo/cfg-b --port 57018 --oplogSize 200 --fork --configsvr --auth --keyFile /data/keyFile.txt
mongod --logpath /data/logmongo/cfg-3.log --dbpath /data/configmongo/cfg-c --port 57019 --oplogSize 200 --fork --configsvr --auth --keyFile /data/keyFile.txt

6. Start mongos process:
mongos --port 27017 --fork --logpath "mongos-1.log" --configdb localhost:57017,localhost:57018,localhost:57019

7. Add shards:
mongos> db.adminCommand({"addshard" : "s1/localhost:37017"});
mongos> db.adminCommand({"addshard" : "s2/localhost:47017"});

8. Switch to use admin database:
mongos> use admin;

9. Add user (I try to add an admin user with full access for testing purposes):
mongos> db.addUser({user: "admin",pwd: "admin",roles: ["read","readWrite","dbAdmin","userAdmin","clusterAdmin","readAnyDatabase","readWriteAnyDatabase","userAdminAnyDatabase","dbAdminAnyDatabase"], otherDBRoles: { config:["read","readWrite","dbAdmin","userAdmin","clusterAdmin","readAnyDatabase","readWriteAnyDatabase","userAdminAnyDatabase","dbAdminAnyDatabase"], admin: ["read","readWrite","dbAdmin","userAdmin","clusterAdmin","readAnyDatabase","readWriteAnyDatabase","userAdminAnyDatabase","dbAdminAnyDatabase"] }});

10. Attempt to log in as the user I just created. This is where the problem seems to be: mongo will not authenticate the user and returns an error:
mongos> db.auth("admin","admin");
Error: 18 { code: 13106, ok: 0.0, errmsg: "exception: nextSafe(): { $err: "not authorized for query on admin.system.users", code: 16550 }" }

 Description   

I cannot log into mongos (authenticate) after creating a user.



 Comments   
Comment by Donald Dumais [ 03/Apr/13 ]

Did not realize mongos had to be started with keyFile. That was the issue; I am now able to authenticate the user. As a side note, an earlier attempt to start the mongos with --keyFile and --auth failed; instead of excluding the --auth parameter, I inadvertently excluded both keyFile and auth parameters. Thank you.

Comment by Spencer Brody (Inactive) [ 03/Apr/13 ]

From the command lines you posted, it doesn't look like you started mongos with --keyFile. All components of the sharded system, including all mongoses, need to be started with identical keyFiles. Can you try adding the keyFile to mongos and see if that fixes things for you?
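
The condition diagnosed in the comments above (one component started without --keyFile) can be checked mechanically. The following is an added example, not part of the original ticket or of MongoDB's tooling; the function names and the trimmed sample command lines are constructed for illustration from the reproduction steps.

```shell
#!/usr/bin/env bash
# Added example (not from the ticket): flag cluster components whose command
# line lacks --keyFile or names a different keyFile than the others.
# Input: one command line per line on stdin, e.g. from `ps -eo args`.
# Output: one finding per line; nothing when all components agree.
audit_keyfile() {
  awk '
    $1 ~ /(^|\/)mongo[ds]$/ {
      port = "default"; key = ""
      for (i = 2; i <= NF; i++) {
        if ($i == "--port" && i < NF)         port = $(i + 1)
        else if ($i == "--keyFile" && i < NF) key = $(i + 1)
        else if ($i ~ /^--keyFile=/)          key = substr($i, 11)
      }
      n = split($1, parts, "/"); name = parts[n]
      if (key == "") { printf "MISSING %s port=%s\n", name, port; next }
      if (ref == "") ref = key            # first keyFile seen is the reference
      else if (key != ref)
        printf "MISMATCH %s port=%s keyFile=%s expected=%s\n", name, port, key, ref
    }'
}

# Constructed sample: command lines from the reproduction steps, trimmed to
# one member per role.
sample_cluster() {
  cat <<'EOF'
mongod --replSet s1 --port 37017 --fork --shardsvr --auth --keyFile /data/keyFile.txt
mongod --replSet s2 --port 47017 --fork --shardsvr --auth --keyFile /data/keyFile.txt
mongod --port 57017 --fork --configsvr --auth --keyFile /data/keyFile.txt
mongos --port 27017 --fork --logpath mongos-1.log --configdb localhost:57017,localhost:57018,localhost:57019
EOF
}

sample_cluster | audit_keyfile   # prints: MISSING mongos port=27017
```

Matching paths on one host is only a first check; when components run on different hosts, the keyFile contents must also be identical.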
