MongoDB Cluster – Can’t access member of shard with credentials

authenticationclusteringmongodbshardingusers

I have a Sharded Cluster and I am trying to access a specific member of a replica set within a shard.

When connecting to the mongos it is fine, but when using the same credentials on a member of the replica set I am unable to gain access even though my user has the role of root.

The error is:

SCRAM-SHA-1 authentication failed for root on admin from client
127.0.0.1:39356 ; UserNotFound: Could not find user root@admin

The mongos are started with:

mongos --configdb cfg/mongo-cfg0:27019,mongo-cfg1:27019,mongo-cfg2:27019 --bind_ip_all --keyFile "/etc/mongodb-keyfile"

The members of the replica set are started with:

mongod --auth --bind_ip_all --shardsvr --replSet a --smallfiles --oplogSize 50  --keyFile "/etc/mongodb-keyfile"

When connecting to the mongos I use the following locally:

mongo --port 27017 -u user -p password --authenticationDatabase admin

When connecting to the memnber of the replica set locally i try and use:

mongo --port 27018 -u user -p password --authenticationDatabase admin

I feel like there is something obvious that I am missing but I can not figure out what, any help would be greatly appreciated.

Best Answer

When you are using mongoS authentication is done against config servers admin database. When you connect directly to replica set, you are authenticating against replica set's admin database, where you don't have that root user set.

What can you do? Start replica set's (one by one) without --auth parameter (or equivalent config parameter) to maintenance mode, connect that RS with mongo command, create that root user (and other needed users). After that you can restart RS with authentication and you can do login.

Exporting the users

Assuming you have already upgraded all of your config servers to WiredTiger, here are some steps to add the user information:

Disable the balancer
Stop the last config server listed in your mongos' configDB setting (will call that config3 for the purpose of these steps). This will ensure your sharded cluster metadata remains read-only for the following steps.
Re-start config2 using the mmap data directory

At this stage you should have:
- config1 (running WiredTiger)
- config2 (running mmap with user/role data)
- config3 (stopped)
Export the data from config2:

mongodump --db config --dumpDbUsersAndRoles --username .. --password ..

Add any other parameters needed, eg --authenticationDatabase .. if you need to auth against another database.
If you have users in the admin database on your config server, you will also want to dump that as well.
(optional) Remove files from your dump except for the user/role information. If you are certain nothing has changed since you did the original migration from mmap to WiredTiger you could skip this step, however it would be safer to not overwrite any existing data.

Preview the files to remove:

find ./dump -type f -not -name "\$admin.system*"

WARNING: removing files, make sure you have previewed to confirm:

find ./dump -type f -not -name "\$admin.system*" | xargs rm
Re-start config2 using the wiredTiger storage engine
Run: mongorestore --db config --restoreDbUsersAndRoles dump/config/

You should see messages about restoring users & roles, for example:

2015-03-18T02:41:34.887+1100 restoring users from dump/config/$admin.system.users.bson

2015-03-18T02:41:34.887+1100 restoring roles from dump/config/$admin.system.roles.bson
Login to config2 and confirm the users are correctly setup (i.e. auth with admin account, use db.getUsers() to check).

At this stage you should have:
- config1 (running WiredTiger)
- config2 (running WiredTiger with user/role data)
- config3 (stopped)
Copy the dump directory to config1 and repeat the mongorestore step.
Shutdown config2 (to keep the sharded cluster metadata readonly for the next step).

At this stage you should have:
- config1 (running WiredTiger with user/role data)
- config2 (stopped)
- config3 (stopped)
Start config3. Copy the dump directory to config3, and repeat the mongorestore step.

At this stage you should have:
- config1 (running WiredTiger with user/role data)
- config2 (stopped)
- config3 (running WiredTiger with user/role data)
Start config2. At this point all config servers should be online with the user information.
Re-enable the balancer so normal balancing activity & chunk migration can resume.

Mongodb – How to access mongodb replica set after restart

Check to see what processes you have running:

ps aux | grep mongod

You should see something like that:

mongod --port 27017 --replSet replica --dbpath s1 --logpath s1/monogd.log --fork
mongod --port 27018 --replSet replica --dbpath s2 --logpath s2/monogd.log --fork
mongod --port 27019 --replSet replica --dbpath s3 --logpath s3/monogd.log --fork

You will be able to connect using:

mongo "mongodb://localhost:27017, localhost:27018, localhost:27019/?replicaSet=replica"

Best Answer

Related Solutions

Mongodb – When upgrading config servers to use WireTiger, the running config server with wiredtiger does not authenticate the existing pass and user

Exporting the users

Mongodb – How to access mongodb replica set after restart

Related Question