[SERVER-9516] Upgrade/downgrade support for new schema for user and role data Created: 30/Apr/13 Updated: 21/Sep/18 Resolved: 13/Nov/13 |
|
| Status: | Closed |
| Project: | Core Server |
| Component/s: | None |
| Affects Version/s: | None |
| Fix Version/s: | 2.5.4 |
| Type: | Task | Priority: | Major - P3 |
| Reporter: | Andy Schwerin | Assignee: | Andy Schwerin |
| Resolution: | Done | Votes: | 0 |
| Labels: | None | ||
| Remaining Estimate: | Not Specified | ||
| Time Spent: | Not Specified | ||
| Original Estimate: | Not Specified | ||
| Attachments: |
|
||||||||||||||||||||||||
| Issue Links: |
|
||||||||||||||||||||||||
| Backwards Compatibility: | Major Change | ||||||||||||||||||||||||
| Participants: | |||||||||||||||||||||||||
| Description |
|
Role and user information for all databases will now be stored in system collections in the admin database, and manipulated exclusively via commands per The db.system.users collections will be deprecated, with data migrated from them to the new collection schema as part of the 2.4->2.6 upgrade process. |
| Comments |
| Comment by Andy Schwerin [ 13/Nov/13 ] | |||||
|
When working with a replicaset, it is only necessary to upgrade/downgrade the primary. When upgrading with a sharded cluster, first connect to a single mongos and run the upgrade procedure. This upgrades the config servers and all mongoses. Next, connect to the primary replicaset member of each shard, and run the upgrade, to upgrade that replicaset. When downgrading a sharded cluster, one may downgrade the cluster first or the shards first. Order does not matter. | |||||
| Comment by Andy Schwerin [ 13/Nov/13 ] | |||||
|
Downgrade is best achieved by the following procedure, assuming that one has left the contents of *.system.users for * != admin intact.
| |||||
| Comment by Andy Schwerin [ 13/Nov/13 ] | |||||
|
The attached ugpradeusers.js can be loaded and the upgradeUsers() function can then be called to perform an upgrade.
| |||||
| Comment by Andy Schwerin [ 13/Nov/13 ] | |||||
|
Upgrade achieved via by running the new authSchemaUpgradeStep command, as follows, while connected as a user with userAdminAnyDatabase:
| |||||
| Comment by Githook User [ 13/Nov/13 ] | |||||
|
Author: {u'username': u'andy10gen', u'name': u'Andy Schwerin', u'email': u'schwerin@10gen.com'}Message: | |||||
| Comment by Githook User [ 13/Nov/13 ] | |||||
|
Author: {u'username': u'andy10gen', u'name': u'Andy Schwerin', u'email': u'schwerin@10gen.com'}Message: | |||||
| Comment by Githook User [ 13/Nov/13 ] | |||||
|
Author: {u'username': u'andy10gen', u'name': u'Andy Schwerin', u'email': u'schwerin@10gen.com'}Message: The mechanism for probing schemaVersion24 users was not respecting this requirement Also, with this change the internalSecurity.user is never stored in the cache, and | |||||
| Comment by Githook User [ 13/Nov/13 ] | |||||
|
Author: {u'username': u'andy10gen', u'name': u'Andy Schwerin', u'email': u'schwerin@10gen.com'}Message: | |||||
| Comment by auto [ 12/Nov/13 ] | |||||
|
Author: {u'username': u'andy10gen', u'name': u'Andy Schwerin', u'email': u'schwerin@10gen.com'}Message: | |||||
| Comment by auto [ 12/Nov/13 ] | |||||
|
Author: {u'username': u'andy10gen', u'name': u'Andy Schwerin', u'email': u'schwerin@10gen.com'}Message: | |||||
| Comment by auto [ 12/Nov/13 ] | |||||
|
Author: {u'username': u'andy10gen', u'name': u'Andy Schwerin', u'email': u'schwerin@10gen.com'}Message: | |||||
| Comment by auto [ 12/Nov/13 ] | |||||
|
Author: {u'username': u'andy10gen', u'name': u'Andy Schwerin', u'email': u'schwerin@10gen.com'}Message: | |||||
| Comment by auto [ 12/Nov/13 ] | |||||
|
Author: {u'username': u'andy10gen', u'name': u'Andy Schwerin', u'email': u'schwerin@10gen.com'}Message: | |||||
| Comment by auto [ 11/Nov/13 ] | |||||
|
Author: {u'username': u'andy10gen', u'name': u'Andy Schwerin', u'email': u'schwerin@10gen.com'}Message: | |||||
| Comment by auto [ 08/Nov/13 ] | |||||
|
Author: {u'username': u'andy10gen', u'name': u'Andy Schwerin', u'email': u'schwerin@10gen.com'}Message: Unbreaks the windows compile. | |||||
| Comment by auto [ 08/Nov/13 ] | |||||
|
Author: {u'username': u'andy10gen', u'name': u'Andy Schwerin', u'email': u'schwerin@10gen.com'}Message: | |||||
| Comment by auto [ 08/Nov/13 ] | |||||
|
Author: {u'username': u'andy10gen', u'name': u'Andy Schwerin', u'email': u'schwerin@10gen.com'}Message: | |||||
| Comment by auto [ 08/Nov/13 ] | |||||
|
Author: {u'username': u'andy10gen', u'name': u'Andy Schwerin', u'email': u'schwerin@10gen.com'}Message: | |||||
| Comment by auto [ 08/Nov/13 ] | |||||
|
Author: {u'username': u'andy10gen', u'name': u'Andy Schwerin', u'email': u'schwerin@10gen.com'}Message: Update the unit tests to reflect the new interface, and various other | |||||
| Comment by auto [ 08/Nov/13 ] | |||||
|
Author: {u'username': u'andy10gen', u'name': u'Andy Schwerin', u'email': u'schwerin@10gen.com'}Message: | |||||
| Comment by auto [ 05/Nov/13 ] | |||||
|
Author: {u'username': u'andy10gen', u'name': u'Andy Schwerin', u'email': u'schwerin@10gen.com'}Message: This commit lets userAdminAnyDatabase role run listDatabases, since it was the It also uses constants for auth collections in RoleGraph. Finally, it grants access to new_users and backup_users. | |||||
| Comment by auto [ 05/Nov/13 ] | |||||
|
Author: {u'username': u'andy10gen', u'name': u'Andy Schwerin', u'email': u'schwerin@10gen.com'}Message: | |||||
| Comment by auto [ 31/Oct/13 ] | |||||
|
Author: {u'username': u'andy10gen', u'name': u'Andy Schwerin', u'email': u'schwerin@10gen.com'}Message: | |||||
| Comment by auto [ 31/Oct/13 ] | |||||
|
Author: {u'username': u'andy10gen', u'name': u'Andy Schwerin', u'email': u'schwerin@10gen.com'}Message: . Previously, it reported users as { user: <string>, userSource: <string> }Branch: master | |||||
| Comment by auto [ 31/Oct/13 ] | |||||
|
Author: {u'username': u'andy10gen', u'name': u'Andy Schwerin', u'email': u'schwerin@10gen.com'}Message: | |||||
| Comment by auto [ 31/Oct/13 ] | |||||
|
Author: {u'username': u'andy10gen', u'name': u'Andy Schwerin', u'email': u'schwerin@10gen.com'}Message: The right place to upgrade the admin.system.users indexes is during the explicit Furthermore, since system indexes are only created on system collection creation, now, | |||||
| Comment by auto [ 31/Oct/13 ] | |||||
|
Author: {u'username': u'andy10gen', u'name': u'Andy Schwerin', u'email': u'schwerin@10gen.com'}Message: | |||||
| Comment by auto [ 30/Oct/13 ] | |||||
|
Author: {u'username': u'andy10gen', u'name': u'Andy Schwerin', u'email': u'schwerin@10gen.com'}Message: User and role management commands are only allowed when the schema version | |||||
| Comment by auto [ 29/Oct/13 ] | |||||
|
Author: {u'username': u'andy10gen', u'name': u'Andy Schwerin', u'email': u'schwerin@10gen.com'}Message: | |||||
| Comment by auto [ 29/Oct/13 ] | |||||
|
Author: {u'username': u'andy10gen', u'name': u'Andy Schwerin', u'email': u'schwerin@10gen.com'}Message: That method should not clear the _isThisGuardInFetchPhase field. Rather, the | |||||
| Comment by auto [ 29/Oct/13 ] | |||||
|
Author: {u'username': u'andy10gen', u'name': u'Andy Schwerin', u'email': u'schwerin@10gen.com'}Message: That method should not clear the _isThisGuardInFetchPhase field. Rather, the | |||||
| Comment by auto [ 25/Oct/13 ] | |||||
|
Author: {u'username': u'andy10gen', u'name': u'Andy Schwerin', u'email': u'schwerin@10gen.com'}Message: Revert " This reverts commit 3d61067308f7f526ec00d79bcbb158d31fd413fa, which breaks multi-version | |||||
| Comment by auto [ 25/Oct/13 ] | |||||
|
Author: {u'username': u'andy10gen', u'name': u'Andy Schwerin', u'email': u'schwerin@10gen.com'}Message: | |||||
| Comment by auto [ 25/Oct/13 ] | |||||
|
Author: {u'username': u'andy10gen', u'name': u'Andy Schwerin', u'email': u'schwerin@10gen.com'}Message: At startup, for standalone mongod and master. Upon election to primary for replicaset members. | |||||
| Comment by auto [ 25/Oct/13 ] | |||||
|
Author: {u'username': u'andy10gen', u'name': u'Andy Schwerin', u'email': u'schwerin@10gen.com'}Message: Older schema versions may have incompatible documents in admin.system.users. | |||||
| Comment by auto [ 25/Oct/13 ] | |||||
|
Author: {u'username': u'andy10gen', u'name': u'Andy Schwerin', u'email': u'schwerin@10gen.com'}Message: | |||||
| Comment by auto [ 25/Oct/13 ] | |||||
|
Author: {u'username': u'andy10gen', u'name': u'Andy Schwerin', u'email': u'schwerin@10gen.com'}Message: To enable this support, one must change the _version field when constructing the | |||||
| Comment by auto [ 18/Oct/13 ] | |||||
|
Author: {u'username': u'andy10gen', u'name': u'Andy Schwerin', u'email': u'schwerin@10gen.com'}Message: | |||||
| Comment by auto [ 18/Oct/13 ] | |||||
|
Author: {u'username': u'andy10gen', u'name': u'Andy Schwerin', u'email': u'schwerin@10gen.com'}Message: | |||||
| Comment by auto [ 18/Oct/13 ] | |||||
|
Author: {u'username': u'andy10gen', u'name': u'Andy Schwerin', u'email': u'schwerin@10gen.com'}Message: | |||||
| Comment by auto [ 18/Oct/13 ] | |||||
|
Author: {u'username': u'andy10gen', u'name': u'Andy Schwerin', u'email': u'schwerin@10gen.com'}Message: | |||||
| Comment by auto [ 04/Sep/13 ] | |||||
|
Author: {u'username': u'andy10gen', u'name': u'Andy Schwerin', u'email': u'schwerin@10gen.com'}Message: | |||||
| Comment by auto [ 04/Sep/13 ] | |||||
|
Author: {u'username': u'andy10gen', u'name': u'Andy Schwerin', u'email': u'schwerin@10gen.com'}Message: | |||||
| Comment by auto [ 03/Sep/13 ] | |||||
|
Author: {u'username': u'andy10gen', u'name': u'Andy Schwerin', u'email': u'schwerin@10gen.com'}Message: Newer compilers correctly identify that durableVersion in this patch is always | |||||
| Comment by auto [ 03/Sep/13 ] | |||||
|
Author: {u'username': u'andy10gen', u'name': u'Andy Schwerin', u'email': u'schwerin@10gen.com'}Message: Includes AuthorizationManagerExternalState interface changes and implementation |