[SERVER-9270] Mongodb 2.4 fails authenticate user in Replicaset Created: 05/Apr/13  Updated: 10/Dec/14  Resolved: 07/Apr/13

Status: Closed
Project: Core Server
Component/s: Security
Affects Version/s: 2.4.0, 2.4.1
Fix Version/s: None

Type: Bug Priority: Major - P3
Reporter: Marco Tusa Assignee: J Rassi
Resolution: Done Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified
Environment:

Linux Centos 32 (test environment)


Operating System: Linux
Steps To Reproduce:

See all the process, and information from log and console:

http://docs.mongodb.org/manual/tutorial/control-access-to-mongodb-with-authentication/#control-access-add-users

Server has startup warnings:
Fri Apr 5 17:58:10.946 [initandlisten]
Fri Apr 5 17:58:10.946 [initandlisten] ** NOTE: This is a 32 bit MongoDB binary.
Fri Apr 5 17:58:10.946 [initandlisten] ** 32 bit builds are limited to less than 2GB of data (or less with --journal).
Fri Apr 5 17:58:10.946 [initandlisten] ** See http://dochub.mongodb.org/core/32bit
Fri Apr 5 17:58:10.947 [initandlisten]
replica2:PRIMARY> db.addUser({ user: "root", "pwd":"mongo", roles: [ "userAdminAnyDatabase" ] })
{
"user" : "root",
"pwd" : "7bc9aa6753e5241290fd85fece372bd8",
"roles" : [
"userAdminAnyDatabase"
],
"_id" : ObjectId("515f4d015827f846df604bd0")
}
replica2:PRIMARY> db.removeUser("root")
replica2:PRIMARY> use admin
switched to db admin
replica2:PRIMARY> db.system.users.find();
replica2:PRIMARY> db.addUser({ user: "root", "pwd":"mongo", roles: [ "userAdminAnyDatabase" ] })
{
"user" : "root",
"pwd" : "7bc9aa6753e5241290fd85fece372bd8",
"roles" : [
"userAdminAnyDatabase"
],
"_id" : ObjectId("515f4db45827f846df604bd1")
}
replica2:PRIMARY>

[root@mongodbN5 ~]# mongo
MongoDB shell version: 2.4.1
connecting to: test
Server has startup warnings:
Fri Apr 5 17:58:21.031 [initandlisten]
Fri Apr 5 17:58:21.031 [initandlisten] ** NOTE: This is a 32 bit MongoDB binary.
Fri Apr 5 17:58:21.031 [initandlisten] ** 32 bit builds are limited to less than 2GB of data (or less with --journal).
Fri Apr 5 17:58:21.031 [initandlisten] ** See http://dochub.mongodb.org/core/32bit
Fri Apr 5 17:58:21.032 [initandlisten]
replica2:SECONDARY> use admin
switched to db admin
replica2:SECONDARY> db.system.users.find();
error: { "$err" : "not master and slaveOk=false", "code" : 13435 }

replica2:SECONDARY> db.getMongo().setSlaveOk()
replica2:SECONDARY> db.system.users.find();
replica2:SECONDARY> db.system.users.find();

{ "_id" : ObjectId("515f4db45827f846df604bd1"), "user" : "root", "pwd" : "7bc9aa6753e5241290fd85fece372bd8", "roles" : [ "userAdminAnyDatabase" ] }

replica2:SECONDARY>

[root@mongodbN6 ~]# mongo
MongoDB shell version: 2.4.1
connecting to: test
Server has startup warnings:
Fri Apr 5 17:58:24.623 [initandlisten]
Fri Apr 5 17:58:24.623 [initandlisten] ** NOTE: This is a 32 bit MongoDB binary.
Fri Apr 5 17:58:24.623 [initandlisten] ** 32 bit builds are limited to less than 2GB of data (or less with --journal).
Fri Apr 5 17:58:24.623 [initandlisten] ** See http://dochub.mongodb.org/core/32bit
Fri Apr 5 17:58:24.623 [initandlisten]
replica2:SECONDARY> use admin
switched to db admin
replica2:SECONDARY> db.getMongo().setSlaveOk()
replica2:SECONDARY> db.runCommand({ shardingState: 1 })

{ "note" : "from execCommand", "ok" : 0, "errmsg" : "not master" }

replica2:SECONDARY> db.system.users.find();
replica2:SECONDARY> db.system.users.find();

{ "_id" : ObjectId("515f4db45827f846df604bd1"), "user" : "root", "pwd" : "7bc9aa6753e5241290fd85fece372bd8", "roles" : [ "userAdminAnyDatabase" ] }

replica2:SECONDARY>

[root@mongodbN4 ~]# vi /etc/mongod.cnf
[root@mongodbN4 ~]# ll /usr/local/mongo/keyfile
rw------. 1 mongo mongo 1020 Apr 5 17:43 /usr/local/mongo/keyfile
[root@mongodbN4 ~]# ll /usr/local/mongo/keyfile
rw------. 1 mongo mongo 1020 Apr 5 17:43 /usr/local/mongo/keyfile
[root@mongodbN4 ~]# cat /usr/local/mongo/keyfile

[root@mongodbN5 ~]# /etc/init.d/mongod stop
Stopping mongod: [ OK ]
[root@mongodbN5 ~]# ll /usr/local/mongo/keyfile
rw------. 1 mongo mongo 1020 Apr 5 17:47 /usr/local/mongo/keyfile
[root@mongodbN5 ~]# cat /usr/local/mongo/keyfile
[root@mongodbN5 ~]#

[root@mongodbN6 ~]# /etc/init.d/mongod stop
Stopping mongod: [ OK ]
[root@mongodbN6 ~]# ll /usr/local/mongo/keyfile
rw------. 1 mongo mongo 1020 Apr 5 17:48 /usr/local/mongo/keyfile
[root@mongodbN6 ~]# cat /usr/local/mongo/keyfile
[root@mongodbN6 ~]#

Fri Apr 5 18:31:21.964 [journal] lsn set 411208
Fri Apr 5 18:31:21.995 [snapshotthread] cpu: elapsed:4000 writelock: 0%
Fri Apr 5 18:31:22.081 [TTLMonitor] query $SERVER.system.indexes query: { expireAfterSeconds: { $exists: true } } ntoreturn:0 ntoskip:0 nscanned:0 keyUpdates:0 locks(micros) r:268 nreturned:0 reslen:20 0ms
Fri Apr 5 18:31:22.082 [TTLMonitor] creating profile collection: $SERVER.system.profile
Fri Apr 5 18:31:22.082 [TTLMonitor] Assertion: 10356:invalid ns: $SERVER.system.profile
0x89f133d 0x89c6e75 0x89acb10 0x89ad066 0x86bc7e1 0x8600a1e 0x860172e 0x860273f 0x85f695b 0x85f77b4 0x83545f3 0x8317abb 0x85ea9c7 0x885302a 0x885515c 0x89afc9e 0x89b087e 0x8a3f33e 0x785a09 0x1ed00e
/usr/local/mongo/bin/mongod(_ZN5mongo15printStackTraceERSo+0x2d) [0x89f133d]
/usr/local/mongo/bin/mongod(_ZN5mongo10logContextEPKc+0xa5) [0x89c6e75]
/usr/local/mongo/bin/mongod(_ZN5mongo11msgassertedEiPKc+0xc0) [0x89acb10]
/usr/local/mongo/bin/mongod() [0x89ad066]
/usr/local/mongo/bin/mongod(_ZN5mongo12userCreateNSEPKcNS_7BSONObjERSsbPb+0x121) [0x86bc7e1]
/usr/local/mongo/bin/mongod(_ZN5mongo28getOrCreateProfileCollectionEPNS_8DatabaseEbPSs+0x4fe) [0x8600a1e]
/usr/local/mongo/bin/mongod() [0x860172e]
/usr/local/mongo/bin/mongod(_ZN5mongo7profileERKNS_6ClientEiRNS_5CurOpE+0x43f) [0x860273f]
/usr/local/mongo/bin/mongod(_ZN5mongo16assembleResponseERNS_7MessageERNS_10DbResponseERKNS_11HostAndPortE+0xafb) [0x85f695b]
/usr/local/mongo/bin/mongod(_ZN5mongo14DBDirectClient4callERNS_7MessageES2_bPSs+0x84) [0x85f77b4]
/usr/local/mongo/bin/mongod(_ZN5mongo14DBClientCursor4initEv+0xc3) [0x83545f3]
/usr/local/mongo/bin/mongod(_ZN5mongo12DBClientBase5queryERKSsNS_5QueryEiiPKNS_7BSONObjEii+0xbb) [0x8317abb]
/usr/local/mongo/bin/mongod(_ZN5mongo14DBDirectClient5queryERKSsNS_5QueryEiiPKNS_7BSONObjEii+0x77) [0x85ea9c7]
/usr/local/mongo/bin/mongod(_ZN5mongo10TTLMonitor10doTTLForDBERKSs+0x24a) [0x885302a]
/usr/local/mongo/bin/mongod(_ZN5mongo10TTLMonitor3runEv+0x40c) [0x885515c]
/usr/local/mongo/bin/mongod(_ZN5mongo13BackgroundJob7jobBodyEN5boost10shared_ptrINS0_9JobStatusEEE+0xbe) [0x89afc9e]
/usr/local/mongo/bin/mongod(_ZN5boost6detail11thread_dataINS_3_bi6bind_tIvNS_4_mfi3mf1IvN5mongo13BackgroundJobENS_10shared_ptrINS7_9JobStatusEEEEENS2_5list2INS2_5valueIPS7_EENSD_ISA_EEEEEEE3runEv+0x7e) [0x89b087e]
/usr/local/mongo/bin/mongod() [0x8a3f33e]
/lib/libpthread.so.0() [0x785a09]
/lib/libc.so.6(clone+0x5e) [0x1ed00e]
Fri Apr 5 18:31:22.097 [TTLMonitor] warning: Caught Assertion while trying to profile query against $SERVER.system.indexes: 10356 invalid ns: $SERVER.system.profile
Fri Apr 5 18:31:22.098 [TTLMonitor] query admin.system.indexes query: { expireAfterSeconds: { $exists: true } } ntoreturn:0 ntoskip:0 nscanned:2 keyUpdates:0 locks(micros) r:232 nreturned:0 reslen:20 0ms
Fri Apr 5 18:31:22.099 [TTLMonitor] query local.system.indexes query: { expireAfterSeconds: { $exists: true } } ntoreturn:0 ntoskip:0 nscanned:4 keyUpdates:0 locks(micros) r:205 nreturned:0 reslen:20 0ms
Fri Apr 5 18:31:22.916 [conn72] run command admin.$cmd { replSetHeartbeat: "replica2", v: 3, pv: 1, checkEmpty: false, from: "10.0.3.236:27017" }
Fri Apr 5 18:31:22.916 [conn72] command admin.$cmd command: { replSetHeartbeat: "replica2", v: 3, pv: 1, checkEmpty: false, from: "10.0.3.236:27017" } ntoreturn:1 keyUpdates:0 reslen:124 0ms
Fri Apr 5 18:31:23.027 [conn73] run command admin.$cmd { replSetHeartbeat: "replica2", v: 3, pv: 1, checkEmpty: false, from: "10.0.3.235:27017" }
Fri Apr 5 18:31:23.027 [conn73] command admin.$cmd command: { replSetHeartbeat: "replica2", v: 3, pv: 1, checkEmpty: false, from: "10.0.3.235:27017" } ntoreturn:1 keyUpdates:0 reslen:124 0ms
Fri Apr 5 18:31:24.918 [conn72] run command admin.$cmd { replSetHeartbeat: "replica2", v: 3, pv: 1, checkEmpty: false, from: "10.0.3.236:27017" }
Fri Apr 5 18:31:24.918 [conn72] command admin.$cmd command: { replSetHeartbeat: "replica2", v: 3, pv: 1, checkEmpty: false, from: "10.0.3.236:27017" } ntoreturn:1 keyUpdates:0 reslen:124 0ms
Fri Apr 5 18:31:25.030 [conn73] run command admin.$cmd { replSetHeartbeat: "replica2", v: 3, pv: 1, checkEmpty: false, from: "10.0.3.235:27017" }
Fri Apr 5 18:31:25.031 [conn73] command admin.$cmd command: { replSetHeartbeat: "replica2", v: 3, pv: 1, checkEmpty: false, from: "10.0.3.235:27017" } ntoreturn:1 keyUpdates:0 reslen:124 0ms
Fri Apr 5 18:31:25.947 [conn12] getmore local.oplog.rs query: { ts: { $gte: Timestamp 1365200308000|1 } } cursorid:115484627315748 ntoreturn:0 keyUpdates:0 locks(micros) r:542 nreturned:0 reslen:20 5013ms
Fri Apr 5 18:31:25.995 [snapshotthread] cpu: elapsed:4000 writelock: 0%
Fri Apr 5 18:31:26.921 [conn74] run command local.$cmd { getnonce: 1 }
Fri Apr 5 18:31:26.921 [conn74] command local.$cmd command: { getnonce: 1 } ntoreturn:1 keyUpdates:0 reslen:65 0ms
Fri Apr 5 18:31:26.923 [conn74] run command local.$cmd { authenticate: 1, nonce: "1ed2d58a7b5f

AFTER cleaning up and establishing the replica set AGAIN
replica2:PRIMARY> rs.status()
{
"set" : "replica2",
"date" : ISODate("2013-04-05T23:05:30Z"),
"myState" : 1,
"members" : [
{
"_id" : 0,
"name" : "10.0.3.234:27017",
"health" : 1,
"state" : 1,
"stateStr" : "PRIMARY",
"uptime" : 76,
"optime" : { "t" : 1365202164, "i" : 1 },
"optimeDate" : ISODate("2013-04-05T22:49:24Z"),
"self" : true
},
{
"_id" : 1,
"name" : "10.0.3.235:27017",
"health" : 1,
"state" : 2,
"stateStr" : "SECONDARY",
"uptime" : 27,
"optime" : { "t" : 1365202164, "i" : 1 },
"optimeDate" : ISODate("2013-04-05T22:49:24Z"),
"lastHeartbeat" : ISODate("2013-04-05T23:05:29Z"),
"lastHeartbeatRecv" : ISODate("1970-01-01T00:00:00Z"),
"pingMs" : 1,
"lastHeartbeatMessage" : "syncing to: 10.0.3.234:27017"
},
{
"_id" : 2,
"name" : "10.0.3.236:27017",
"health" : 1,
"state" : 2,
"stateStr" : "SECONDARY",
"uptime" : 5,
"optime" : { "t" : 1365202164, "i" : 1 },
"optimeDate" : ISODate("2013-04-05T22:49:24Z"),
"lastHeartbeat" : ISODate("2013-04-05T23:05:29Z"),
"lastHeartbeatRecv" : ISODate("2013-04-05T23:05:29Z"),
"pingMs" : 1
}
],
"ok" : 1
}
replica2:PRIMARY> use admin
switched to db admin
replica2:PRIMARY> db.system.users.find();

{ "_id" : ObjectId("515f54f4094db731fa2766ca"), "user" : "root", "pwd" : "7bc9aa6753e5241290fd85fece372bd8", "roles" : [ "userAdminAnyDatabase" ] }

replica2:PRIMARY>

[root@mongodbN5 ~]# mongo
MongoDB shell version: 2.4.1
connecting to: test
Server has startup warnings:
Fri Apr 5 19:05:01.412 [initandlisten]
Fri Apr 5 19:05:01.412 [initandlisten] ** NOTE: This is a 32 bit MongoDB binary.
Fri Apr 5 19:05:01.412 [initandlisten] ** 32 bit builds are limited to less than 2GB of data (or less with --journal).
Fri Apr 5 19:05:01.412 [initandlisten] ** See http://dochub.mongodb.org/core/32bit
Fri Apr 5 19:05:01.413 [initandlisten]
replica2:SECONDARY> db.getMongo().setSlaveOk()
replica2:SECONDARY> use admin
switched to db admin
replica2:SECONDARY> db.system.users.find();

{ "_id" : ObjectId("515f54f4094db731fa2766ca"), "user" : "root", "pwd" : "7bc9aa6753e5241290fd85fece372bd8", "roles" : [ "userAdminAnyDatabase" ] }

replica2:SECONDARY>

[root@mongodbN6 ~]# mongo
MongoDB shell version: 2.4.1
connecting to: test
Server has startup warnings:
Fri Apr 5 19:05:22.868 [initandlisten]
Fri Apr 5 19:05:22.869 [initandlisten] ** NOTE: This is a 32 bit MongoDB binary.
Fri Apr 5 19:05:22.869 [initandlisten] ** 32 bit builds are limited to less than 2GB of data (or less with --journal).
Fri Apr 5 19:05:22.869 [initandlisten] ** See http://dochub.mongodb.org/core/32bit
Fri Apr 5 19:05:22.869 [initandlisten]
replica2:SECONDARY> use admin
switched to db admin
replica2:SECONDARY> db.getMongo().setSlaveOk()
replica2:SECONDARY> db.system.users.find();

{ "_id" : ObjectId("515f54f4094db731fa2766ca"), "user" : "root", "pwd" : "7bc9aa6753e5241290fd85fece372bd8", "roles" : [ "userAdminAnyDatabase" ] }

replica2:SECONDARY>

replica2:PRIMARY> db.system.users.find();

{ "_id" : ObjectId("515f54f4094db731fa2766ca"), "user" : "root", "pwd" : "7bc9aa6753e5241290fd85fece372bd8", "roles" : [ "userAdminAnyDatabase" ] }

replica2:PRIMARY> db.addUser({ user: "marco", pwd: "mongo", roles: [ "userAdmin" ] })
{ "user" : "marco", "pwd" : "d3e62f4c292a090d179e198f8d3ad602", "roles" : [ "userAdmin" ], "_id" : ObjectId("515f5a2620a51d6d7b98e52c") }
replica2:PRIMARY> db.system.users.find();
{ "_id" : ObjectId("515f54f4094db731fa2766ca"), "user" : "root", "pwd" : "7bc9aa6753e5241290fd85fece372bd8", "roles" : [ "userAdminAnyDatabase" ] }
{ "_id" : ObjectId("515f5a2620a51d6d7b98e52c"), "user" : "marco", "pwd" : "d3e62f4c292a090d179e198f8d3ad602", "roles" : [ "userAdmin" ] }

replica2:PRIMARY>

replica2:SECONDARY> db.system.users.find();

{ "_id" : ObjectId("515f54f4094db731fa2766ca"), "user" : "root", "pwd" : "7bc9aa6753e5241290fd85fece372bd8", "roles" : [ "userAdminAnyDatabase" ] }
{ "_id" : ObjectId("515f5a2620a51d6d7b98e52c"), "user" : "marco", "pwd" : "d3e62f4c292a090d179e198f8d3ad602", "roles" : [ "userAdmin" ] }

replica2:SECONDARY>

replica2:SECONDARY> db.system.users.find();

{ "_id" : ObjectId("515f54f4094db731fa2766ca"), "user" : "root", "pwd" : "7bc9aa6753e5241290fd85fece372bd8", "roles" : [ "userAdminAnyDatabase" ] }
{ "_id" : ObjectId("515f5a2620a51d6d7b98e52c"), "user" : "marco", "pwd" : "d3e62f4c292a090d179e198f8d3ad602", "roles" : [ "userAdmin" ] }

replica2:SECONDARY>

RESTART ALL with Authentication and KEYFILE

logs on primary say all ok
Fri Apr 5 19:14:17.270 [snapshotthread] cpu: elapsed:4000 writelock: 0%
Fri Apr 5 19:14:17.372 BackgroundJob starting: ConnectBG
Fri Apr 5 19:14:17.373 BackgroundJob starting: ConnectBG
Fri Apr 5 19:14:17.374 BackgroundJob starting: MultiCommandJob
Fri Apr 5 19:14:17.375 [rsMgr] replSet dev we are freshest of up nodes, nok:1 nTies:1
Fri Apr 5 19:14:17.375 [rsMgr] replSet info electSelf 0
Fri Apr 5 19:14:17.375 BackgroundJob starting: MultiCommandJob
Fri Apr 5 19:14:17.377 [rsMgr] replSet election succeeded, assuming primary role
Fri Apr 5 19:14:17.377 [rsMgr] replSet waiting for replication to finish before becoming primary
Fri Apr 5 19:14:17.385 [rsHealthPoll] replSet member 10.0.3.236:27017 is up
Fri Apr 5 19:14:17.385 [rsHealthPoll] replSet member 10.0.3.236:27017 is now in state SECONDARY
Fri Apr 5 19:14:17.798 [conn2] run command admin.$cmd { replSetHeartbeat: "replica2", v: 1, pv: 1, checkEmpty: false, from: "10.0.3.235:27017" }
Fri Apr 5 19:14:17.798 [conn2] command admin.$cmd command: { replSetHeartbeat: "replica2", v: 1, pv: 1, checkEmpty: false, from: "10.0.3.235:27017" } ntoreturn:1 keyUpdates:0 reslen:124 0ms
Fri Apr 5 19:14:17.800 [conn2] run command admin.$cmd { replSetFresh: 1, set: "replica2", opTime: new Date(5863504359114932225), who: "10.0.3.235:27017", cfgver: 1, id: 1 }
Fri Apr 5 19:14:17.800 [conn2] command admin.$cmd command: { replSetFresh: 1, set: "replica2", opTime: new Date(5863504359114932225), who: "10.0.3.235:27017", cfgver: 1, id: 1 } ntoreturn:1 keyUpdates:0 reslen:140 0ms
Fri Apr 5 19:14:17.815 [conn2] run command admin.$cmd { replSetFresh: 1, set: "replica2", opTime: new Date(5863504359114932225), who: "10.0.3.235:27017", cfgver: 1, id: 1 }
Fri Apr 5 19:14:17.816 [conn2] command admin.$cmd command: { replSetFresh: 1, set: "replica2", opTime: new Date(5863504359114932225), who: "10.0.3.235:27017", cfgver: 1, id: 1 } ntoreturn:1 keyUpdates:0 reslen:140 0ms
Fri Apr 5 19:14:18.205 [conn4] run command admin.$cmd { replSetHeartbeat: "replica2", v: 1, pv: 1, checkEmpty: false, from: "10.0.3.236:27017" }
Fri Apr 5 19:14:18.205 [conn4] command admin.$cmd command: { replSetHeartbeat: "replica2", v: 1, pv: 1, checkEmpty: false, from: "10.0.3.236:27017" } ntoreturn:1 keyUpdates:0 reslen:144 0ms

Authentication fails with any user

[root@mongodbN4 ~]# mongo admin -umarco -pmongo
MongoDB shell version: 2.4.1
connecting to: admin
> db.r
db.removeUser( db.repairDatabase( db.resetError( db.runCommand(
> rs.s
rs.slaveOk( rs.status( rs.stepDown( rs.syncFrom(
> rs.status()

{ "ok" : 0, "errmsg" : "unauthorized" }

> exit
bye
[root@mongodbN4 ~]# mongo admin -uroot -pmongo
MongoDB shell version: 2.4.1
connecting to: admin
>

Here also the config file
#General
fork = true

# bind_ip = 127.0.0.1
port = 27017
quiet = true
dbpath = /usr/local/mongo/data
logpath = /usr/local/mongo/log/mongod.log
logappend = true
journal = true
pidfilepath = /usr/local/mongo/db0.pid

#security
nounixsocket = true
auth = true

#Replica
replSet = replica2
keyFile = /usr/local/mongo/keyfile
oplogSize = 500
replIndexPrefetch = _id_only

#Sharding

#on controller
#configsvr = true
#bind_ip = 10.8.0.12
#port = 27001

#on server
shardsvr = true

#on mongos

# configdb = 10.8.0.12:27001
# chunkSize = 64

#Diagnostics
slowms = 50
profile = 3
verbose = true

REMOVE authentication and all goes ok

[root@mongodbN4 ~]# mongo admin -uroot -pmongo
MongoDB shell version: 2.4.1
connecting to: admin
Server has startup warnings:
Fri Apr 5 19:22:00.746 [initandlisten]
Fri Apr 5 19:22:00.746 [initandlisten] ** NOTE: This is a 32 bit MongoDB binary.
Fri Apr 5 19:22:00.746 [initandlisten] ** 32 bit builds are limited to less than 2GB of data (or less with --journal).
Fri Apr 5 19:22:00.746 [initandlisten] ** See http://dochub.mongodb.org/core/32bit
Fri Apr 5 19:22:00.747 [initandlisten]
replica2:PRIMARY> rs.status()
{
"set" : "replica2",
"date" : ISODate("2013-04-05T23:22:24Z"),
"myState" : 1,
"members" : [
{
"_id" : 0,
"name" : "10.0.3.234:27017",
"health" : 1,
"state" : 1,
"stateStr" : "PRIMARY",
"uptime" : 24,
"optime" : { "t" : 1365203494, "i" : 1 },
"optimeDate" : ISODate("2013-04-05T23:11:34Z"),
"self" : true
},
{
"_id" : 1,
"name" : "10.0.3.235:27017",
"health" : 1,
"state" : 2,
"stateStr" : "SECONDARY",
"uptime" : 18,
"optime" : { "t" : 1365203494, "i" : 1 },
"optimeDate" : ISODate("2013-04-05T23:11:34Z"),
"lastHeartbeat" : ISODate("2013-04-05T23:22:24Z"),
"lastHeartbeatRecv" : ISODate("1970-01-01T00:00:00Z"),
"pingMs" : 1,
"lastHeartbeatMessage" : "syncing to: 10.0.3.234:27017"
},
{
"_id" : 2,
"name" : "10.0.3.236:27017",
"health" : 1,
"state" : 2,
"stateStr" : "SECONDARY",
"uptime" : 12,
"optime" : { "t" : 1365203494, "i" : 1 },
"optimeDate" : ISODate("2013-04-05T23:11:34Z"),
"lastHeartbeat" : ISODate("2013-04-05T23:22:24Z"),
"lastHeartbeatRecv" : ISODate("1970-01-01T00:00:00Z"),
"pingMs" : 1,
"lastHeartbeatMessage" : "syncing to: 10.0.3.234:27017"
}
],
"ok" : 1
}
replica2:PRIMARY>


 Description   

Migrated from 2.2.3, and after the migration, when using authentication, I was having issues logging in as administrator or any other user.
Getting warning Assertion: 10356:invalid ns: $SERVER.system.profile.

So I tested cleaning up and starting a replica set from scratch with no data.

Also in this case, once started and after having created the user as in the manual at:
http://docs.mongodb.org/manual/tutorial/control-access-to-mongodb-with-authentication/#control-access-add-user-to-database

like db.addUser({ user: "root", "pwd":"mongo", roles: [ "userAdminAnyDatabase" ] })

as soon as I restarted the set with authentication active, the super user or any other user was not able to connect.

Removing authentication by commenting out auth and keyfile in the configuration file, everything starts and works fine.



 Comments   
Comment by J Rassi [ 07/Apr/13 ]

Is it possible now, or do you have it in the roadmap, to have customized roles that will refer to db/role/permission?
Such that I can create a profile assigning the role, and then the user for that profile will automatically inherit the relevant grants?

Yes, see SERVER-8580. Feel free to add a vote to the issue. We are currently aiming to incorporate it into the 2.6 release.

Comment by Marco Tusa [ 07/Apr/13 ]

Hi Jason, thanks; as I suspected, it was something I missed.
I was considering that the roles' permissions inherit from one to another, so that using "userAdminAnyDatabase" would have automatically granted the other permissions as well.
I see the point of having the roles completely separate, and in fact granting to the user db.addUser({user:"root",pwd:"mongo",roles:["userAdminAnyDatabase","readWriteAnyDatabase","dbAdminAnyDatabase","clusterAdmin"]}) will indeed create a SUPER user or SA as in Oracle.

Thank you for the clarification.
Anyhow, I was thinking that having this, by db/role/permission grants, can result in a proliferation of assignments by db/users.
Is it possible now, or do you have it in the roadmap, to have customized roles that will refer to db/role/permission?
Such that I can create a profile assigning the role, and then the user for that profile will automatically inherit the relevant grants?

Comment by J Rassi [ 07/Apr/13 ]

In addition, note that the warning "Assertion: 10356:invalid ns: $SERVER.system.profile" is a side effect of SERVER-9111, which is fixed in the development branch and will be incorporated into the 2.4.2 release.

Comment by J Rassi [ 07/Apr/13 ]

The excerpt you pasted showed the users "marco" and "admin" authenticating successfully. If the mongo shell fails to authenticate when passed -u and -p, it will quit before displaying the shell prompt.

You are misunderstanding what privileges users created with the "userAdmin" role have. They are only authorized to add/remove users; they are not authorized to perform other database operations. See here for full documentation on the role-based access control system introduced in 2.4. To explain the "unauthorized" message in your example: "marco" needs the "clusterAdmin" role in order to run "rs.status()".

Does this explanation for your issue make sense?
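
The distinction drawn in the comment above (the login succeeded, and "unauthorized" is an authorization result because 2.4 roles do not imply one another), as an added example that is not part of the ticket or of MongoDB's code: a simplified JavaScript model of the 2.4 built-in roles applied to the user documents shown in this ticket. The capability labels and the `check`, `roleCovers` and `rolesGranting` helpers are assumptions made for this illustration.

```javascript
// Simplified model of MongoDB 2.4 built-in roles (added example, not server code).
// Capability names are coarse labels invented for this illustration.
const ROLES = {
  read:                 { scope: "db",      caps: ["read"] },
  readWrite:            { scope: "db",      caps: ["read", "write"] },
  dbAdmin:              { scope: "db",      caps: ["dbAdmin"] },
  userAdmin:            { scope: "db",      caps: ["manageUsers"] },
  readAnyDatabase:      { scope: "any",     caps: ["read"] },
  readWriteAnyDatabase: { scope: "any",     caps: ["read", "write"] },
  dbAdminAnyDatabase:   { scope: "any",     caps: ["dbAdmin"] },
  userAdminAnyDatabase: { scope: "any",     caps: ["manageUsers"] },
  clusterAdmin:         { scope: "cluster", caps: ["cluster"] },
};

// Shell helpers seen in the ticket, mapped to the capability each one needs.
const OPERATIONS = {
  "rs.status()":      "cluster",      // runs replSetGetStatus against admin
  "db.addUser()":     "manageUsers",
  "db.removeUser()":  "manageUsers",
  "db.coll.find()":   "read",
  "db.coll.insert()": "write",
};

// Does `role`, stored in <definedIn>.system.users, cover `cap` on `targetDb`?
function roleCovers(role, definedIn, targetDb, cap) {
  const grant = ROLES[role];
  if (!grant || !grant.caps.includes(cap)) return false;
  // AnyDatabase roles and clusterAdmin only take effect on users of the admin database.
  if (grant.scope !== "db") return definedIn === "admin";
  return definedIn === targetDb;
}

// Authorization decision for an already authenticated user. Each role is
// evaluated on its own: no role implies another.
function check(userDoc, definedIn, targetDb, operation) {
  const cap = OPERATIONS[operation];
  if (!cap) throw new Error("unknown operation: " + operation);
  const via = userDoc.roles.find((r) => roleCovers(r, definedIn, targetDb, cap));
  return via ? { ok: 1, via } : { ok: 0, errmsg: "unauthorized" };
}

// Roles that would allow `operation` on `targetDb` for a user of the admin database.
function rolesGranting(operation, targetDb) {
  const cap = OPERATIONS[operation];
  return Object.keys(ROLES).filter((r) => roleCovers(r, "admin", targetDb, cap));
}

// User documents as they appear in the ticket (password hashes omitted).
const MARCO = { user: "marco", roles: ["userAdmin"] };
const ROOT_REPORTED = { user: "root", roles: ["userAdminAnyDatabase"] };
const ROOT_FULL = { user: "root", roles: ["userAdminAnyDatabase",
  "readWriteAnyDatabase", "dbAdminAnyDatabase", "clusterAdmin"] };

function demo() {
  return [MARCO, ROOT_REPORTED, ROOT_FULL].map((u) => ({
    user: u.user,
    roles: u.roles.join(","),
    rsStatus: check(u, "admin", "admin", "rs.status()"),
    addUser: check(u, "admin", "admin", "db.addUser()"),
    findInTest: check(u, "admin", "test", "db.coll.find()"),
  }));
}

console.log(JSON.stringify(demo(), null, 2));
```

Run with Node.js; the first two users are denied `rs.status()` and data reads while still being allowed to manage users, which is the behaviour reported in the ticket.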
