<!-- 
RSS generated by JIRA (9.7.1#970001-sha1:2222b88b221c4928ef0de3161136cc90c8356a66) at Thu Feb 08 06:04:50 UTC 2024

It is possible to restrict the fields that are returned in this document by specifying the 'field' parameter in your request.
For example, to request only the issue key and summary append 'field=key&field=summary' to the URL of your request.
-->
<rss version="0.92" >
<channel>
    <title>MongoDB Jira</title>
    <link>https://jira.mongodb.org</link>
    <description>This file is an XML representation of an issue</description>
    <language>en-us</language>    <build-info>
        <version>9.7.1</version>
        <build-number>970001</build-number>
        <build-date>13-04-2023</build-date>
    </build-info>


<item>
            <title>[SERVER-66228] Not possible to automate setup of replicaSet with RBAC</title>
                <link>https://jira.mongodb.org/browse/SERVER-66228</link>
                <project id="10000" key="SERVER">Core Server</project>
                    <description>&lt;p&gt;There are requirements for setting up RBAC. There are requirements for setting up a replica set. These requirements are opposed to each other, making it not possible to automate the setup of a mongo server.&lt;/p&gt;</description>
                <environment></environment>
        <key id="2039987">SERVER-66228</key>
            <summary>Not possible to automate setup of replicaSet with RBAC</summary>
                <type id="1" iconUrl="https://jira.mongodb.org/secure/viewavatar?size=xsmall&amp;avatarId=14703&amp;avatarType=issuetype">Bug</type>
                                            <priority id="3" iconUrl="https://jira.mongodb.org/images/icons/priorities/major.svg">Major - P3</priority>
                        <status id="6" iconUrl="https://jira.mongodb.org/images/icons/statuses/closed.png" description="The issue is considered finished, the resolution is correct. Issues which are closed can be reopened.">Closed</status>
                    <statusCategory id="3" key="done" colorName="success"/>
                                    <resolution id="9">Done</resolution>
                                        <assignee username="chris.kelly@mongodb.com">Chris Kelly</assignee>
                                    <reporter username="curranhydespam@gmail.com">Currn Hyde</reporter>
                        <labels>
                            <label>Replication</label>
                            <label>authorization</label>
                            <label>replica-set</label>
                    </labels>
                <created>Thu, 5 May 2022 01:20:39 +0000</created>
                <updated>Thu, 8 Sep 2022 19:27:40 +0000</updated>
                            <resolved>Thu, 8 Sep 2022 19:27:40 +0000</resolved>
                                                                                        <votes>0</votes>
                                    <watches>5</watches>
                                                                                                                <comments>
                            <comment id="4812766" author="JIRAUSER1265262" created="Thu, 8 Sep 2022 19:27:25 +0000"  >&lt;p&gt;Just to add clarification before closing this ticket:&lt;/p&gt;

&lt;p&gt;There is a documented procedure for setting up new replica sets with RBAC.&lt;/p&gt;

&lt;p&gt;In order to do this, follow the steps for &lt;a href=&quot;https://www.mongodb.com/docs/manual/tutorial/deploy-replica-set-with-keyfile-access-control/#deploy-replica-set-with-keyfile-authentication&quot; class=&quot;external-link&quot; target=&quot;_blank&quot; rel=&quot;nofollow noopener&quot;&gt;Deploying a Replica Set With Keyfile Authentication&lt;/a&gt;. The key point you are interested in is step 4, &lt;a href=&quot;https://www.mongodb.com/docs/manual/tutorial/deploy-replica-set-with-keyfile-access-control/#connect-to-a-member-of-the-replica-set-over-the-localhost-interface&quot; class=&quot;external-link&quot; target=&quot;_blank&quot; rel=&quot;nofollow noopener&quot;&gt;connecting over the localhost interface.&lt;/a&gt;&#160;&lt;/p&gt;

&lt;p&gt;From here you can also initiate the replicaset, without rebooting or swapping configs, and then subsequently create your administrator user.&lt;/p&gt;

&lt;p&gt;&lt;b&gt;After you create the first user, the&#160;&lt;a href=&quot;https://www.mongodb.com/docs/manual/core/localhost-exception/#std-label-localhost-exception&quot; class=&quot;external-link&quot; target=&quot;_blank&quot; rel=&quot;nofollow noopener&quot;&gt;localhost exception&lt;/a&gt; is no longer available.&lt;/b&gt;&#160;The first user must have privileges to create other users, such as a user with &lt;a href=&quot;https://www.mongodb.com/docs/manual/reference/built-in-roles/#mongodb-authrole-userAdminAnyDatabase&quot; class=&quot;external-link&quot; target=&quot;_blank&quot; rel=&quot;nofollow noopener&quot;&gt;&lt;tt&gt;userAdminAnyDatabase.&lt;/tt&gt;&lt;/a&gt;&#160;This ensures that you can create additional users after the Localhost Exception closes.&lt;/p&gt;

&lt;p&gt;If there are any further difficulties, the documentation has good examples for accomplishing this in more ways, and in greater detail. If you happen to find inconsistencies there that don&apos;t make sense, we would be interested in fixing that though.&lt;/p&gt;

&lt;p&gt;Regards,&lt;br/&gt;
Christopher&lt;/p&gt;

</comment>
                            <comment id="4671418" author="JIRAUSER1269891" created="Mon, 11 Jul 2022 18:20:19 +0000"  >
&lt;p&gt;I have just been using the workaround I listed in my bug report of partial&lt;br/&gt;
setup, shutdown and swap configs, then boot and continue.&lt;/p&gt;
</comment>
                            <comment id="4671334" author="JIRAUSER1265262" created="Mon, 11 Jul 2022 17:58:13 +0000"  >&lt;p&gt;Just wanted to check in on this, did this solution work for you? If so, we can close this ticket.&lt;/p&gt;

&lt;p&gt;Christopher&lt;/p&gt;</comment>
                            <comment id="4584314" author="spencer.brown" created="Tue, 31 May 2022 19:09:53 +0000"  >&lt;p&gt;As mentioned &lt;a href=&quot;https://www.mongodb.com/docs/manual/tutorial/deploy-replica-set-with-keyfile-access-control/&quot; class=&quot;external-link&quot; target=&quot;_blank&quot; rel=&quot;nofollow noopener&quot;&gt;in our tutorial for manually deploying a replica set with keyfile authentication&lt;/a&gt;, you can:&lt;/p&gt;

&lt;p&gt;1. Start the replica set members with a configuration including both the replica set name and security auth enabled and keyfile internal authentication &lt;br/&gt;
2. Initiate the replica set under the localhost exception&lt;br/&gt;
3. Create the first admin user, also under the localhost exception&lt;/p&gt;

&lt;p&gt;This is how MongoDB&apos;s automation solutions (Atlas, Ops Manager, Cloud Manager) create new replica sets.&lt;/p&gt;

&lt;p&gt;Please try this and let us know if it works for you. &lt;/p&gt;</comment>
                    </comments>
                    <attachments>
                    </attachments>
                <subtasks>
                    </subtasks>
                <customfields>
                                                <customfield id="customfield_10050" key="com.atlassian.jira.toolkit:comments">
                        <customfieldname># Replies</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>4.0</customfieldvalue>
                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                <customfield id="customfield_10055" key="com.atlassian.jira.ext.charting:firstresponsedate">
                        <customfieldname>Date of 1st Reply</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>Tue, 31 May 2022 14:05:07 +0000</customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                                                                <customfield id="customfield_10052" key="com.atlassian.jira.toolkit:dayslastcommented">
                        <customfieldname>Days since reply</customfieldname>
                        <customfieldvalues>
                                        1 year, 21 weeks, 6 days ago
    
                        </customfieldvalues>
                    </customfield>
                                                                <customfield id="customfield_18254" key="com.onresolve.jira.groovy.groovyrunner:scripted-field">
                        <customfieldname>Dependencies</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue><![CDATA[]]></customfieldvalue>


                        </customfieldvalues>
                    </customfield>
                                                                <customfield id="customfield_15850" key="com.atlassian.jira.plugins.jira-development-integration-plugin:devsummary">
                        <customfieldname>Development</customfieldname>
                        <customfieldvalues>
                            
                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    <customfield id="customfield_10057" key="com.atlassian.jira.toolkit:lastusercommented">
                        <customfieldname>Last comment by Customer</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>true</customfieldvalue>
                        </customfieldvalues>
                    </customfield>
                                                                                            <customfield id="customfield_10056" key="com.atlassian.jira.toolkit:lastupdaterorcommenter">
                        <customfieldname>Last commenter</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>chris.kelly@mongodb.com</customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                                                                <customfield id="customfield_11151" key="com.atlassian.jira.toolkit:LastCommentDate">
                        <customfieldname>Last public comment date</customfieldname>
                        <customfieldvalues>
                            1 year, 21 weeks, 6 days ago
                        </customfieldvalues>
                    </customfield>
                                                                                                                                                    <customfield id="customfield_10032" key="com.atlassian.jira.plugin.system.customfieldtypes:select">
                        <customfieldname>Operating System</customfieldname>
                        <customfieldvalues>
                                <customfieldvalue key="10026"><![CDATA[ALL]]></customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                <customfield id="customfield_10051" key="com.atlassian.jira.toolkit:participants">
                        <customfieldname>Participants</customfieldname>
                        <customfieldvalues>
                                        <customfieldvalue>chris.kelly@mongodb.com</customfieldvalue>
            <customfieldvalue>curranhydespam@gmail.com</customfieldvalue>
            <customfieldvalue>spencer.brown@mongodb.com</customfieldvalue>
    
                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                                                                        <customfield id="customfield_14254" key="com.pyxis.greenhopper.jira:gh-lexo-rank">
                        <customfieldname>Product Rank</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>1|i0tqkv:</customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                <customfield id="customfield_12550" key="com.pyxis.greenhopper.jira:gh-lexo-rank">
                        <customfieldname>Rank</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>2|i0o5cm:</customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                                                                <customfield id="customfield_10558" key="com.pyxis.greenhopper.jira:gh-global-rank">
                        <customfieldname>Rank (Obsolete)</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>9223372036854775807</customfieldvalue>
                        </customfieldvalues>
                    </customfield>
                                                                                            <customfield id="customfield_23361" key="com.onresolve.jira.groovy.groovyrunner:scripted-field">
                        <customfieldname>Requested By</customfieldname>
                        <customfieldvalues>
                                

                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                                                                                                                                                            <customfield id="customfield_10750" key="com.atlassian.jira.plugin.system.customfieldtypes:textarea">
                        <customfieldname>Steps To Reproduce</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>&lt;p&gt;For mongodb to support a replicaset it must have in the mongod.conf file:&lt;br/&gt;
replication:&lt;br/&gt;
&#160; &#160;replSetName: &amp;lt;someName&amp;gt;&lt;br/&gt;
&#160;&lt;br/&gt;
at the same time for RBAC to be enabled it must contain:&lt;br/&gt;
security:&lt;br/&gt;
&#160; &#160;authorization: enabled&lt;br/&gt;
as well as the mode (ex: x509 or keyfile)&lt;br/&gt;
&#160;&lt;br/&gt;
The issue: With Authorization enabled the only thing you can do, and therefore the first thing you must do is to create the admin user with the ability to create other users via the localhost exception. But that&apos;s not possible. This is being blocked by mongodb because the replication specification means mongo will always return:&lt;br/&gt;
MongoServerError: not primary&lt;br/&gt;
&#160;&lt;br/&gt;
This can only be eliminated by first setting up the replicaset. But you can&apos;t because that&apos;s in conflict with RBAC where the only thing you can do first is create a user... but you can&apos;t do that because of the replicaset where the only thing you&apos;re allowed to do is configure the replicaset and around and around the problem goes.&lt;br/&gt;
&#160;&lt;br/&gt;
The only current workaround for this design flaw is to boot with one configuration that leaves out one of these options. Configure the remaining option. Then shut down mongodb and swap out the configuration file with the complete one that has both replicaSet and RBAC enabled, then reboot mongo and complete the setup of the other one. This is a very annoying problem and is counterintuitive. Please Fix.&lt;/p&gt;</customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                                                                                                    <customfield id="customfield_10053" key="com.atlassian.jira.ext.charting:timeinstatus">
                        <customfieldname>Time In Status</customfieldname>
                        <customfieldvalues>
                            
                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                                                                                                                                                                                                                                                                                                        <customfield id="customfield_22870" key="com.onresolve.jira.groovy.groovyrunner:scripted-field">
                        <customfieldname>Triagers</customfieldname>
                        <customfieldvalues>
                                    <customfieldvalue><![CDATA[chris.kelly@mongodb.com]]></customfieldvalue>
    

                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                                                                                                                                                                                                                    <customfield id="customfield_14350" key="com.pyxis.greenhopper.jira:gh-lexo-rank">
                        <customfieldname>serverRank</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>1|i0tcq7:</customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                                    </customfields>
    </item>
</channel>
</rss>