3
votes

I've set up a brand new, sharded MongoDB (3 config servers, 3 node replica set). Followed the documentation online, really didn't have any problems. Sharded a database and a collection; mongos connects to the system; it's all working fine.

The one thing that I don't have a grasp of is how authentication works when in a sharded system. I have keyfile set for all 6 nodes. When I want to add a user, do I do it from mongos? Do I have to log in to each node in the replica set and add the user as well? Do I have to add the user to the config servers?

In particular I've created an MMS user via mongos, and that allowed the mms-monitoring-agent to connect enough to know about the various servers. But it can't actually read data from any of them; I get errors like:

ask failure `serverStatus`. Err: `Failed command to mongoshard1:27017 running 
[{serverStatus 1} {recordStats 0} {locks 0}] against DB admin. 
Err: `not authorized on admin to execute command { serverStatus: 1, recordStats: 0, locks: 0 }`

When I connect via mongos and use admin; show users I see:

{
"_id" : "admin.mms",
"user" : "mms",
"db" : "admin",
"roles" : [
    {
        "role" : "readAnyDatabase",
        "db" : "admin"
    },
    {
        "role" : "clusterMonitor",
        "db" : "admin"
    }
]
}

I think I just lack understanding of which of the instances the user needs to be added to.

1
Did you connect to the replica set directly? - Markus W Mahlberg
I believe the issue is that you're attempting to authenticate against the admin db, which is not sharded. Typically, for any non-sharded databases, I've had to create the user on each individual replica set (use the primary) as well as one of the mongos instances. On any sharded databases, I've been able to just create the user from mongos after running the sh.enableSharding command for that database. - Verran
@Verran Okay. For MMS I think (mms.mongodb.com/help/reference/authentication/#mms-monitoring) I am supposed to add the mms user to the admin db. Which as you say probably isn't sharded. So does that mean I should add it to the replica set too? (I did; I still get the same error even though I can connect to the Replica Set with the mms user fine from the command line.) - rycel
I thought that would be the problem, but apparently not. I'd say the next step would be to try running that command directly from the mongo shell as the user you expect mms to be using. It looks like the serverStatus command is what is failing, which can be run with db.serverStatus(). docs.mongodb.org/manual/reference/server-status If that works, then it is possible that MMS isn't authenticating properly. - Verran
Erm. There is a good reason why the admin database isn't sharded. It is supposed to only live on the config servers. However, users need to be added via mongos. - Markus W Mahlberg

1 Answer

0
votes

I hope the steps below solve the problem:

  1. Set up the shard cluster without enabling authentication (do not even use a keyfile).
  2. Use the admin db and add super users like "siteUserAdmin" and "siteRootAdmin" using mongoose.
  3. Then restart each machine (or mongo process) with auth enabled and using the keyfile.
  4. Connect with mongoose, authenticate as "siteRootAdmin", and create all other required users and grant roles.
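A per-node check for the situation in this thread, added here as an example (not the asker's or MongoDB's code): it authenticates as the agent's user directly against each host, the way the monitoring agent does, runs the serverStatus command that fails above, and reports which of the roles from the user document in the question are missing on that node. Assumptions: pymongo is installed, and every hostname except mongoshard1:27017 and the password are placeholders.

```python
"""Find out which cluster members actually know the monitoring user.

A user created through mongos lives on the config servers; a node the agent
connects to directly (e.g. mongoshard1:27017) only sees users created on
that replica set. This script makes that visible host by host.
"""
from typing import Dict, List

# Roles the agent needs: clusterMonitor for serverStatus, readAnyDatabase
# for reading data. Taken from the user document shown in the question.
REQUIRED_ROLES = {("clusterMonitor", "admin"), ("readAnyDatabase", "admin")}


def missing_roles(connection_status: Dict) -> List[str]:
    """Compare the roles in a `connectionStatus` reply against REQUIRED_ROLES.

    `connectionStatus` reports the roles of the currently authenticated
    user; an unauthenticated connection yields an empty role list.
    """
    roles = connection_status.get("authInfo", {}).get("authenticatedUserRoles", [])
    granted = {(r["role"], r["db"]) for r in roles}
    return sorted(f"{role}@{db}" for role, db in REQUIRED_ROLES - granted)


def check_host(host: str, user: str, pwd: str) -> Dict:
    """Authenticate against one node directly and run serverStatus as that user."""
    from pymongo import MongoClient          # imported here so the pure helper
    from pymongo.errors import OperationFailure  # above works without a server
    client = MongoClient(host, username=user, password=pwd, authSource="admin",
                         serverSelectionTimeoutMS=3000)
    try:
        status = client.admin.command("connectionStatus")
        client.admin.command({"serverStatus": 1})  # the call the agent fails on
        return {"host": host, "ok": True, "missing": missing_roles(status)}
    except OperationFailure as exc:  # auth failed or "not authorized on admin"
        return {"host": host, "ok": False, "error": str(exc)}
    finally:
        client.close()


if __name__ == "__main__":
    # Placeholders (assumption): the mongos plus each shard member the agent
    # reaches directly. Only mongoshard1:27017 appears in the question.
    hosts = ["mongos1:27017", "mongoshard1:27017",
             "mongoshard2:27017", "mongoshard3:27017"]
    for h in hosts:
        print(check_host(h, "mms", "<mms-password>"))
```

A host that reports `ok: False` with an authentication error has no `mms` user in its own admin db, which is the case Verran's comment describes for non-sharded databases.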