4

I have a MongoDB replica set of 3 members (version 2.4) in which the administrator user for the 'admin' db does not have the 'userAdminAnyDatabase' role.

This role is required for managing the users on all databases.

The roles I currently have are: [ "readWriteAnyDatabase", "dbAdminAnyDatabase", "clusterAdmin" ]

I tried updating roles for myself or creating a new user, however I have no permission to access db.system.users in the admin db.

I tried setting noauth=true but that did not help. When removing the keyFile as well, the db was not able to sync with the other members (obviously) and got stuck in RECOVERY state.

I found a similar question that refers to a standalone db (no replica set), so it doesn't really help in this case.

What would be the best way to add this role while having minimal system downtime?

odedfos
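
A check for the lockout described in the question, as an added example that is not part of the original post: it reads MongoDB 2.4-style privilege documents from `admin.system.users` (a `roles` array plus an optional `otherDBRoles` sub-document) and reports whether any account can still edit users. The function names and the sample user documents are constructed for illustration.

```python
# Added example: audit 2.4-style admin.system.users documents for a
# user-management lockout. Sample documents below are constructed.

def user_admin_scope(doc):
    """Databases whose system.users this admin-db user can manage ('*' = all)."""
    scope = set()
    roles = set(doc.get("roles", []))
    if "userAdminAnyDatabase" in roles:
        scope.add("*")
    if "userAdmin" in roles:
        # userAdmin held in the admin db covers admin.system.users itself
        scope.add("admin")
    # otherDBRoles (admin db only) grants per-database roles elsewhere
    for db, db_roles in doc.get("otherDBRoles", {}).items():
        if "userAdmin" in db_roles:
            scope.add(db)
    return scope


def audit(admin_users):
    """Summarise who can edit admin.system.users; locked_out is True if nobody can."""
    scopes = {d["user"]: user_admin_scope(d) for d in admin_users}
    fixers = sorted(u for u, s in scopes.items() if "*" in s or "admin" in s)
    return {"scopes": scopes, "can_edit_admin_users": fixers, "locked_out": not fixers}


# Constructed sample: the role set listed in the question.
QUESTION_STATE = [
    {"user": "administrator",
     "roles": ["readWriteAnyDatabase", "dbAdminAnyDatabase", "clusterAdmin"]},
]

# Constructed sample: same deployment with a dedicated user administrator
# and an account that only manages users of one application database.
HEALTHY_STATE = QUESTION_STATE + [
    {"user": "useradmin", "roles": ["userAdminAnyDatabase"]},
    {"user": "appowner", "roles": [], "otherDBRoles": {"app": ["userAdmin"]}},
]

if __name__ == "__main__":
    for name, state in (("question", QUESTION_STATE), ("healthy", HEALTHY_STATE)):
        result = audit(state)
        print(name, "locked out:", result["locked_out"],
              "fixers:", result["can_edit_admin_users"])
```

Running a check like this against a dump of `admin.system.users` before enabling authentication shows whether at least one account keeps user-management rights.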

2 Answers

1

I would use mongodump and mongorestore to back up the data, then rebuild the node with the right permissions and restore the data.

However this approach should work:

If you have locked yourself out then you need to do the following:

  1. Stop your MongoDB instance
  2. Remove the --auth and/or --keyFile options from your MongoDB config to disable authentication
  3. Start the instance without authentication
  4. Edit the users as needed
  5. Restart the instance with authentication enabled

Tim

  • Thanks, like I wrote in the question, disabling authentication from my master node in the replica set does not allow it to connect to the cluster. Also, mongodump & restore will cause a very long downtime. – odedfos Jul 06 '16 at 06:53
1

As you are using mongo 2.4, that means you have MMAP as a storage engine.

My proposal would be:

  1. Create a similar replica set on each host but on a different port, and set the database directory on the same media as the current one.
  2. Configure all auth stuff the same as the running ones
  3. Stop the old replica set members
  4. MOVE the database files to the new directory, excluding local
  5. Change the port on the new replica set
  6. Start it

As moving files to another directory is just a pointer change, this will take some seconds.

Please test before implementation.

Any comments welcome!

profesor79

  • How does moving the database files (excluding local) without the op-log affect the new replica set? Will it know how to sync? Also, what if the data is not exact between all members due to replication lag? By the way, my storage engine is tokumx – odedfos Jul 06 '16 at 13:13
  • Had no experience with tokumx... you need to restore the one which was master first – profesor79 Jul 06 '16 at 14:30
  • Just thinking... the oplog needs to be transferred as well - but still thinking about the storage engine and the way we could go over that.... – profesor79 Jul 06 '16 at 14:31