19

I have a MongoDB replica set of 3 servers (1 primary, 1 secondary, 1 arbiter; this is the default replica set created by Google Cloud 1-click install). The 2 config files (mongod.conf) of primary server and secondary server have been changed with security.authorization: enabled added.

Root user is added with the following MongoDB shell command:

use admin
db.createUser({user:"root",pwd:"root",roles:["root"]})

After restarting MongoDB services on the primary and secondary servers with "sudo service mongod restart", connection to the replica set turns unstable.

rs.status() sometimes gives the result as

  • 1 primary, 1 unreachable, 1 arbiter
  • 1 secondary, 1 secondary, 1 arbiter
  • 1 secondary, 1 unreachable, 1 arbiter

How to set up basic password authentication (not using a keyfile) for a MongoDB replica set the correct way?

Madbreaks
Dee
  • Please provide the full output of rs.status() which you are observing. – helmy Jul 22 '16 at 13:27
  • Also, can you be more specific about what you mean by "unstable"? Is the rs.status() observed constantly like this? Only for a sure period? Intermittent? – helmy Jul 22 '16 at 13:29
  • 1
    Hey man, actually I am facing an error `Error: couldn't add user: not authorized on admin to execute command`. You can also find my question here http://stackoverflow.com/questions/41783700/when-creating-first-admin-user-on-mongdb-cluster-getting-error-couldnt-add-use . It would be a lot easier if you could tell me from which URL (source) you have done this whole password authentication thing. Please help me, I have searched everywhere but didn't find anything. – Sudhanshu Gaur Jan 21 '17 at 22:02
  • 1
    use admin first to authenticate, then db.auth('username','password') – Marvin Glenn Lacuna Apr 19 '17 at 06:55

1 Answer

30

I finally found the answer. A MongoDB replica set needs both a user account and a keyfile. The keyfile seems to be for authentication between servers in the replica set, not for logging in.

Create the MongoDB key file on Linux, then copy it to all db servers with mode 600 intact:

cd
openssl rand -base64 741 > mongodb.key
chmod 600 mongodb.key

mongod.conf file:

replication:
  replSetName: rs0

security:
  authorization: enabled
  keyFile: /home/USERNAME/mongodb.key

Admin user:

(just like in question content)
Dee
  • 2
    I have the same issue right now. I generated the key and provided it in the individual .conf files, 4 in my case. Now when I start `mongod` without authentication it can't do `rs.initiate()` or create users. Do you know why? – Gurkha Dec 22 '16 at 20:35
  • create user before creating replicaset, rs.initiate on first server only. "Use rs.initiate() on one and only one member of the replica set" -- https://docs.mongodb.com/manual/tutorial/deploy-replica-set/ – Dee Dec 23 '16 at 03:36
  • So basically run the first instance without `replication:`, create an admin user and then restart with `replication:` enabled and then run `rs.initiate()`? When do I start the remaining instances? – Gurkha Dec 23 '16 at 03:57
  • 1
    Hey man, actually I am facing an error `Error: couldn't add user: not authorized on admin to execute command`. You can also find my question here http://stackoverflow.com/questions/41783700/when-creating-first-admin-user-on-mongdb-cluster-getting-error-couldnt-add-use . It would be a lot easier if you could tell me from which URL (source) you have done this whole password authentication thing. Please help me, I have searched everywhere but didn't find anything. – Sudhanshu Gaur Jan 21 '17 at 22:03
  • 1
    To enforce authentication for an existing replica set: https://docs.mongodb.com/manual/tutorial/enforce-keyfile-access-control-in-existing-replica-set/ – Ukor Mar 31 '18 at 14:04
  • 2
    This works ... trial and tested on production thanks for sharing – K patel May 11 '20 at 21:13
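
A preflight check for the keyfile step in the answer above, as an added example that is not part of the original answer or of MongoDB's tooling. The function names are assumptions; the rules checked are mongod's keyfile requirements (no group/other permission bits, 6 to 1024 base64 characters, the same key on every member).

```shell
#!/usr/bin/env bash
# Added example: preflight checks for the replica-set keyfile on each member.
# Assumptions: Linux with coreutils; function names are illustrative only.

# Print every problem found with a keyfile; return 0 only if none were found.
check_keyfile() {
  local f=$1 rc=0 perms len bad
  if [ ! -f "$f" ] || [ ! -r "$f" ]; then
    echo "$f: missing or not readable by $(id -un)"; return 1
  fi
  # mongod refuses a keyfile that group or others can access (needs 600 or 400).
  perms=$(ls -ld -- "$f" | cut -c5-10)
  if [ "$perms" != "------" ]; then
    echo "$f: group/other permission bits set ($perms); run chmod 600"; rc=1
  fi
  # Key content must be 6 to 1024 base64 characters; whitespace is ignored.
  len=$(tr -d '[:space:]' < "$f" | wc -c)
  if [ "$len" -lt 6 ] || [ "$len" -gt 1024 ]; then
    echo "$f: key is $len characters, expected 6 to 1024"; rc=1
  fi
  bad=$(tr -d 'A-Za-z0-9+/=[:space:]' < "$f" | wc -c)
  if [ "$bad" -ne 0 ]; then
    echo "$f: $bad characters outside the base64 set"; rc=1
  fi
  return "$rc"
}

# Digest of the key material, for comparing members without printing the key.
keyfile_fingerprint() {
  tr -d '[:space:]' < "$1" | sha256sum | cut -d' ' -f1
}

# Return 0 only if every listed keyfile copy carries the same key.
same_key() {
  local first other
  first=$(keyfile_fingerprint "$1"); shift
  for other in "$@"; do
    [ "$(keyfile_fingerprint "$other")" = "$first" ] || return 1
  done
}
```

Run `check_keyfile` as the account the mongod service runs under, since the keyfile must be readable by that account, and compare `keyfile_fingerprint` output between members after copying.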