MongoDB sharded cluster backup user issue

mongodb sharding users

We're using a simple Python script to back up our MongoDB cluster. The script connects to each mongod instance via ssh and performs mongodump, all without requiring user/pass.

Ever since we started using the MMS monitoring agent, and thus creating an administrative user on each shard for the MMS agent to connect to, we're not able to use mongodump without credentials.

Our problem is that all our users are configured on the mongos instances and not directly on the shards, so we cannot perform the mongodump.

One last thing: is it possible to disable authentication for a specific shard in order to create/remove users from it?

Do you have any ideas?

Best Answer

Once you add a user to the individual shards, which you indicate you have done for MMS, you must then have valid credentials to connect for any purpose, including mongodump. Up until you added that user for MMS, the shards were running with authentication enabled but with no users populated (this only happens if all your users are in the admin database and using delegated auth for other databases, otherwise with 2.4 and below you would have at least one shard with users for each database - 2.6+ changes this behavior) and so you were able to connect without credentials.

Essentially this is a loophole left open so that you don't accidentally lock yourself out of your instances when you turn on auth with no users (and one that would probably have stopped working at some point as default security is tightened anyway).

The bottom line is that you will need to add a user for use with mongodump, and it's a good idea to do so anyway rather than allowing non-authenticated users free access to your instances. If you are running 2.6 or later, then the built-in backup role exists precisely for this purpose; if you are on 2.4 or earlier, then the description for that role gives you a great outline of what is needed to back up successfully (and in particular if you want to back up the users themselves).
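
As an added illustration (not code from the question or the answer), here is a sketch of a per-shard backup script of the kind the question describes, changed to authenticate as a dedicated user holding the `backup` role. The host names, the `backupUser` name and the `MONGO_BACKUP_PASSWORD` variable are constructed placeholders, and the script assumes that mongodump reads the password from stdin when `--username` is given without `--password`.

```python
import os
import shlex
import subprocess

# Constructed shard list; real host names and ports will differ.
SHARDS = [("shard0.example.internal", 27018), ("shard1.example.internal", 27018)]
BACKUP_USER = "backupUser"  # hypothetical name; create once per shard (2.6+) with:
#   use admin
#   db.createUser({user: "backupUser", pwd: "<password>", roles: ["backup"]})


def mongodump_argv(port, out_dir, user=BACKUP_USER):
    """mongodump command run on the shard host itself; no password in argv."""
    return [
        "mongodump", "--host", "localhost", "--port", str(port),
        "--username", user, "--authenticationDatabase", "admin",
        "--out", out_dir,
    ]


def ssh_argv(host, port, out_dir):
    """Wrap the dump in ssh; shlex.quote protects the remote shell."""
    remote = " ".join(shlex.quote(a) for a in mongodump_argv(port, out_dir))
    return ["ssh", host, remote]


def backup_all(out_root, password, run=subprocess.run):
    """Dump every shard in SHARDS; returns {host: returncode}."""
    results = {}
    for host, port in SHARDS:
        out_dir = os.path.join(out_root, host)
        # Assumption: with --username and no --password, mongodump reads the
        # password from stdin, so it never shows up in the process list.
        proc = run(ssh_argv(host, port, out_dir), input=password + "\n",
                   text=True, capture_output=True)
        results[host] = proc.returncode
    return results


if __name__ == "__main__":
    # The secret comes from the environment, not from the script or argv.
    print(backup_all("/var/backups/mongo", os.environ["MONGO_BACKUP_PASSWORD"]))
```

If the installed mongodump does not accept the password on stdin, the password has to be passed another way, and anything placed on the command line is visible to other local users through the process list.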