4
votes

I have a mongodb replica-set of 3 members (version 2.4) in which the administrator user for the 'admin' db does not have the 'userAdminAnyDatabase' role.

This role is required for managing the users on all databases.

The roles I currently have are: [ "readWriteAnyDatabase", "dbAdminAnyDatabase", "clusterAdmin" ]

I tried updating roles for myself or creating a new user, however I have no permission to access db.system.users in the admin db.

I tried setting noauth=true but that did not help. When removing the keyFile as well, the db was not able to sync with the other members (obviously) and got stuck in RECOVERY state.

I found a similar question that refers to a standalone db (no replica set), so it doesn't really help in this case.

What would be the best way to add this role while having minimal system downtime?

2 Answers

1
votes

I would use mongodump and mongorestore to back up the data, then rebuild the node with the right permissions and restore the data.

However this approach should work:

If you have locked yourself out then you need to do the following:

  1. Stop your MongoDB instance
  2. Remove the --auth and/or --keyfile options from your MongoDB config to disable authentication
  3. Start the instance without authentication
  4. Edit the users as needed
  5. Restart the instance with authentication enabled
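
Step 4 above ("Edit the users as needed") worked through for MongoDB 2.4, where users are plain documents in `admin.system.users` with a `roles` array. This is an added example, not part of the original answer. The function name `planRoleGrant`, the user name `admin` and the sample document are assumptions made for illustration.

```javascript
// Added example. The planning function is plain ES5, so it runs in the
// MongoDB 2.4 mongo shell and can be dry-run in Node.
var ROLE = "userAdminAnyDatabase";

// Decide what to change, given the documents read from admin.system.users.
function planRoleGrant(userDocs, userName, role) {
  var holders = [], target = null;
  for (var i = 0; i < userDocs.length; i++) {
    var doc = userDocs[i];
    var roles = doc.roles || [];          // tolerate documents without a roles array
    if (roles.indexOf(role) !== -1) holders.push(doc.user);
    if (doc.user === userName) target = doc;
  }
  if (!target) {
    return { action: "error", reason: "no such user: " + userName, holders: holders };
  }
  if (holders.indexOf(userName) !== -1) {
    return { action: "none", holders: holders };   // role already present
  }
  return {
    action: "update",
    holders: holders,                     // who else can already manage users
    query: { user: userName },
    // $addToSet keeps the existing roles and is safe to run twice.
    update: { $addToSet: { roles: role } }
  };
}

// Constructed sample mirroring the roles listed in the question.
var SAMPLE_USERS = [
  { user: "admin", pwd: "<hash>",
    roles: ["readWriteAnyDatabase", "dbAdminAnyDatabase", "clusterAdmin"] }
];

// `db` exists only inside the mongo shell; in a replica set, writes go to the primary.
if (typeof db !== "undefined") {
  var users = db.getSiblingDB("admin").system.users;
  var plan = planRoleGrant(users.find().toArray(), "admin", ROLE); // "admin" is a placeholder
  if (plan.action === "update") users.update(plan.query, plan.update);
  printjson(users.find({}, { user: 1, roles: 1 }).toArray()); // check before re-enabling auth
}
```

Check the printed roles before moving on to step 5, so that authentication is re-enabled only once at least one user holds `userAdminAnyDatabase`.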

1
votes

As you are using mongo 2.4, that means you have MMAP as a storage engine.

My proposal will be:

  1. Create a similar replica set on each host but on a different port, and set the database directory on the same media as the current one.
  2. Configure all auth stuff the same as the running ones.
  3. Stop the old replica set members.
  4. MOVE the database files to the new directory, excluding local.
  5. Change the port on the new replica set.
  6. Start it.

As moving files to another directory is just a pointer change, this will take some seconds.

Please test before implementation.

Any comments welcome!