3
votes

What are best practices for synching users and roles between Mongo instances?

On the same Windows machine, I am trying to copy MongoDB users and roles in the admin database from one Mongo instance to another. Authentication is 'on' for each instance. No combination of mongodump/mongorestore or mongoexport/mongoimport I have tried works. With mongodump/mongorestore, the restore step displays:

assuming users in the dump directory are from <= 2.4 (auth version 1) Failed: the users and roles collections in the dump have an incompatible auth version with target server: cannot restore users of auth version 1 to a server of auth version 5

I found no command line option to tell it not to do this silly thing. I have Mongo version 4 and that's it installed.

You would think --dumpDbUsersAndRoles and --restoreDbUsersAndRoles would be symmetrical, but they are not.

I was able to run this:

mongoexport -p 27017 -u admin --password please -d admin --collection system.roles --out myRoles.json

However, when trying mongoimport

mongoimport -p 26017 -u admin --password please -d admin --collection "system.roles" --file myRoles.json

the output displays error validating settings: invalid collection name: collection name 'system.roles' is not allowed to begin with 'system.'


1 Answer

2
votes

Primer

Users are attached to databases. Ideally, you have your database specific users stored in the respective database. All “global” users should go into admin. The good part: replica sets take care of syncing those users to each member of the replica set.

Solution

That being said, it seems to be quite obvious how to deal with this. For a worst case scenario, it is much easier to have a .js ready which simply recreates the 3-4 global roles instead of fiddling with system.* collections in the admin database. This has the advantage that you can also do other setup stuff automatically, like sharding setup if TSHTF and you need to rebuild your cluster from scratch.

// run with: mongo daHost:27017/admin myjsfile.js
// "use admin" is a shell helper and is not valid JavaScript inside a .js file;
// select the database explicitly instead
db = db.getSiblingDB("admin");
// createRole takes a role document, not an array
db.createRole({ role: "...", privileges: [...], roles: [...] })
db.createRole({ role: "...", privileges: [...], roles: [...] })
// do other stuff, like sharding setup

Run it against the primary of your replica set or a mongos instance (if you have a sharded cluster) using

mongo daHost:27017/admin myjsfile.js

after you set up your machines but before you enable authentication.

Another option would be to use Ansible for user creation.

As for dump and restore, you might want to leave out the collection name.
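To make the "recreate from a script" approach concrete, here is an added example (not code from the original answer) that reconciles a declarative list of admin roles and users against what a target instance reports and emits only the commands needed, so the same script keeps several instances in sync without touching system.roles or system.users. The role and user names are constructed, and passwords are passed in from outside the script.

```javascript
// Added example (not from the original answer): reconcile a declarative list of
// admin roles/users against what the target reports and emit the missing
// createRole/updateRole/createUser/updateUser commands. Names are constructed.
const desiredRoles = [
  { role: "backupReader", privileges: [{ resource: { db: "", collection: "" }, actions: ["find"] }], roles: [] },
  { role: "appDeployer", privileges: [], roles: [{ role: "readWrite", db: "app" }] },
];
const desiredUsers = [
  { user: "backup", roles: [{ role: "backupReader", db: "admin" }] },
  { user: "deployer", roles: [{ role: "appDeployer", db: "admin" }] },
];

// Order-independent comparison of privilege or role lists (key order inside each entry must match).
const canon = (list) => (list || []).map((e) => JSON.stringify(e)).sort().join("|");

// existingRoles: the "roles" array returned by {rolesInfo: 1, showPrivileges: true};
// existingUsers: the "users" array returned by {usersInfo: 1}; secrets: user -> password.
function planSync(existingRoles, existingUsers, secrets) {
  const roleByName = new Map(existingRoles.map((r) => [r.role, r]));
  const userByName = new Map(existingUsers.map((u) => [u.user, u]));
  const plan = [];
  for (const want of desiredRoles) {
    const have = roleByName.get(want.role);
    if (!have) {
      plan.push({ createRole: want.role, privileges: want.privileges, roles: want.roles });
    } else if (canon(have.privileges) !== canon(want.privileges) || canon(have.roles) !== canon(want.roles)) {
      plan.push({ updateRole: want.role, privileges: want.privileges, roles: want.roles });
    }
  }
  for (const want of desiredUsers) {
    const have = userByName.get(want.user);
    if (!have) {
      if (!secrets[want.user]) throw new Error("no password supplied for user " + want.user);
      plan.push({ createUser: want.user, pwd: secrets[want.user], roles: want.roles });
    } else if (canon(have.roles) !== canon(want.roles)) {
      plan.push({ updateUser: want.user, roles: want.roles });
    }
  }
  return plan;
}

// mongo shell only: run the plan against admin, stopping at the first failure.
function applyPlan(adminDb, plan) {
  for (const cmd of plan) {
    const res = adminDb.runCommand(cmd);
    if (res.ok !== 1) throw new Error(Object.keys(cmd)[0] + " failed: " + res.errmsg);
  }
  return plan.length;
}
```

In the mongo shell, feed planSync the `roles` array from `db.getSiblingDB("admin").runCommand({rolesInfo: 1, showPrivileges: true})` and the `users` array from `runCommand({usersInfo: 1})`, then hand the result to applyPlan against the admin database of each instance.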