0

I am new to Mongod, and have to get up a cluster. The db is started with --replSet=Data and I have created the cluster with rs.Initiate beforehand. But this question is about user administration.

This replica set was set up with this command:

```
rs.initiate({ _id : "Data", members: [
    { _id: 0, host: "srv1:27017" },
    { _id: 1, host: "srv2:27017" },
    { _id: 2, host: "srv3:27017", arbiterOnly: true }
]})
```

And the server was started with `$ /usr/bin/mongod -f /etc/mongod.conf --replSet=rs0`

Note that I have not yet configured the other nodes/added these into the cluster as far as I am aware, but I did distribute the keyFile: /etc/mongod/keyfile to each server.

An rs.status says it's not running.

```
> rs.status();
{
    "ok" : 0,
    "errmsg" : "no replset config has been received",
    "code" : 94,
    "codeName" : "NotYetInitialized"
}
```

I have run into some nib problems.

I created a user before called mgdb with the command :

```
# mongo admin -port 27017
> db.createUser({
    user: 'mgdb', pwd: 'password', roles: [ { role: "root", db: "admin" } ]
})
```

This returned ok.

Next I tried with,

```
$ mongo --authenticationDatabase admin --username "mgdb" --password "password"
```

but got an error

```
E QUERY  [js] Error authentication failed.
```

Next I tried to see the user list,

```
> show users;
not authorized on admin to execute on admin to execute command { UserInfo: 1.0}, lsid: { id: UID"xxxxxxxx") }. $db: "admin" }  DB.prototype.getUsers@.....
```

So, I am a bit lost. I used mysql a few years ago, but have not used it since. My dB experience is very little.

Although I can connect as the admin user, the admin user does not seem to have rights to do basic "show users;"

Where can I look in the dB to find out what went wrong?

Environment: RHEL 7.6 SELinux Enforcing, MongoDB 4.2.9

Sophie
  • On which database did you create the user? i.e. what do you get from `db` command? – Wernfried Domscheit Jan 20 '21 at 10:10
  • I created the user last week and have been battling since. I don't recall which dB I ran this on, but I know I did not type any ```use db``` command beforehand. – Sophie Jan 20 '21 at 12:54
  • You should start from scratch paying more attention to what you type. To start with `usermame` isn't an option in mongo db. But `username`. Still you can try this: `mongo admin --username --password --host srv1:27017` – Minsky Jan 20 '21 at 13:53
  • Thank-you for pointing this out. I have corrected the typos in my original post. – Sophie Jan 20 '21 at 14:07
  • Unlike many other databases you can **connect** to any MongoDB even without password. You will get authentication error only when you run commands. – Wernfried Domscheit Jan 20 '21 at 16:16
  • You should not mix config file (option `-f | --config`) and other options. Better put all options into the config file or provide all options in command line. – Wernfried Domscheit Jan 20 '21 at 16:19
  • I did, but the server did not start. The config file has ```security: authorization: enabled keyFile: /etc/mongo/keyfile replication: replSetName: Data``` – Sophie Jan 21 '21 at 09:55
  • From your question it is even not clear what you try to deploy. A "Replica Set" or a "Sharded Cluster". You state "*started with `--replSet=Data`*" and a few lines later "*started with `--replSet=rs0`*" You don't tell us on which server you started the mongo shell. You claim "*the server did not start*" however you can run commands. - Sorry, you miss far too much information. – Wernfried Domscheit Jan 21 '21 at 10:08
  • My tip: Start with deploying a Stand alone MongoDB (incl. authentication). Once you managed it, deploy a Replica Set. Then try a Sharded Cluster. Don't start with the most difficult one. You can do this all on a single machine, you only have to use different ports and different data and log folders. – Wernfried Domscheit Jan 21 '21 at 10:14
  • I have just a fortnight to deploy into pre-prod and then go live next week with the application. It's very frustrating. – Sophie Jan 21 '21 at 12:42
  • Well - good luck in this case. For me it took longer to learn it. Deploying a sharded cluster requires some know-how. – Wernfried Domscheit Jan 21 '21 at 17:07
  • Maybe provide your configuration files - note there must be at least three different files! – Wernfried Domscheit Jan 27 '21 at 13:46
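
The `rs.initiate` documents quoted in this thread can be checked before they are submitted. This is an added example, not part of the original posts or of MongoDB: `validateReplSetConfig` is a hypothetical helper that applies three rules MongoDB enforces (the config `_id` equals the name mongod was started with, member `_id`s are unique, hosts are unique) to constructed inputs based on the documents in the question and comments.

```javascript
// Added example; validateReplSetConfig is a hypothetical helper, not a MongoDB API.
// It returns a list of problems that would make rs.initiate() reject the document.
function validateReplSetConfig(cfg, startedReplSetName) {
  const problems = [];
  // The config _id must equal the name mongod was started with
  // (--replSet on the command line or replication.replSetName in the config file).
  if (cfg._id !== startedReplSetName) {
    problems.push(`config _id "${cfg._id}" differs from started name "${startedReplSetName}"`);
  }
  const members = Array.isArray(cfg.members) ? cfg.members : [];
  if (members.length === 0) problems.push("members must be a non-empty array");
  const seenIds = new Set();
  const seenHosts = new Set();
  for (const m of members) {
    // Every member needs its own integer _id.
    if (!Number.isInteger(m._id)) problems.push(`member ${m.host}: _id must be an integer`);
    else if (seenIds.has(m._id)) problems.push(`duplicate member _id ${m._id} (${m.host})`);
    seenIds.add(m._id);
    // Every member needs its own host:port.
    if (typeof m.host !== "string" || m.host === "") problems.push(`member _id ${m._id}: host missing`);
    else if (seenHosts.has(m.host)) problems.push(`duplicate host ${m.host}`);
    seenHosts.add(m.host);
  }
  return problems;
}

// Constructed inputs: the document with repeated _id values, and the corrected one.
const asFirstPosted = { _id: "Data", members: [
  { _id: 0, host: "srv1:27017" },
  { _id: 0, host: "srv2:27017" },
  { _id: 0, host: "srv3:27017", arbiterOnly: true },
] };
const corrected = { _id: "Data", members: [
  { _id: 0, host: "srv1:27017" },
  { _id: 1, host: "srv2:27017" },
  { _id: 2, host: "srv3:27017", arbiterOnly: true },
] };

// mongod started with --replSet=rs0 but the config is named "Data": name mismatch
// plus two duplicate-_id findings.
console.log(validateReplSetConfig(asFirstPosted, "rs0"));
// mongod started with --replSet=Data and distinct _ids: no findings.
console.log(validateReplSetConfig(corrected, "Data"));
```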

1 Answer

0

In MongoDB you can create users per database. Usually users are created in database admin (I wouldn't know any reason to create them somewhere else):

```
use admin
db.createUser(...
```

or

```
db.getSiblingDB("admin").createUser(...
```

When you connect to Mongo then you need to specify the authentication database, i.e. the database where user was created:

```
mongo --username=mgdb --password 'password' --authenticationDatabase admin
```

See Authentication failure while trying to save to mongodb

In order to deploy a sharded cluster have a look at Deploy a Sharded Cluster or Deploy a Replica Set tutorial.

Wernfried Domscheit
  • Thanks for the info. Just tried again to create the mgdb user, ```> use admin;``` The reply for ```db.CreateUser``` was : ```Error: couldn't add user: not master``` – Sophie Jan 20 '21 at 10:37
  • Do you deploy a Replica set or a sharded cluster? You must connect to primary member or mongos. Or do you try to create a [Shard Local User](https://docs.mongodb.com/manual/core/security-users/#shard-local-users)? – Wernfried Domscheit Jan 20 '21 at 10:46
  • I don't know. I just copied from a company's install guide: ```rs.initiate({ _id : "Data",members: [``` ```{ _id: 0, host: "srv1:27017" },``` ```{ _id: 0, host: "srv2:27017" },``` ```{ _id: 0, host: "srv3:27017" , arbiterOnly: true }``` ```})``` – Sophie Jan 20 '21 at 12:47
  • I have added the rs.initiate part to my initial question. – Sophie Jan 20 '21 at 12:56
  • 1
    `usermame` isn't an option :-). I'd also keep consistency `--usermame=mgdb --password 'password` should be `--username --password ` – Minsky Jan 20 '21 at 13:59
  • Still got the same error, ```Error: couldn't add user: not master``` – Sophie Jan 20 '21 at 15:03
  • You cannot add three members which all have `_id: 0`, the _id's must be different. – Wernfried Domscheit Jan 20 '21 at 16:04
  • Start from scratch and follow the linked tutorial very carefully. If you like to build sharded cluster authentication have a look at [Deploy Sharded Cluster with Keyfile Authentication](https://docs.mongodb.com/manual/tutorial/deploy-sharded-cluster-with-keyfile-access-control/) – Wernfried Domscheit Jan 20 '21 at 16:07
  • ```_id: 0``` was a typo. The numbers are all 0 1 2. I have corrected the original post. I have started from scratch several times, now. I posted here after my fourth attempt – Sophie Jan 21 '21 at 09:57
  • have you tried after disabling selinux once? – ROHIT KHURANA Jan 21 '21 at 11:06
  • check context for logs and data directory https://docs.mongodb.com/manual/tutorial/install-mongodb-on-red-hat/ – ROHIT KHURANA Jan 21 '21 at 11:10
  • I uninstalled the RPM, rm'ed everything under /var/lib/mongo, /etc/mongo, /etc/mongod.conf. Next I reinstalled the RPMs, and started the service. Logged in with ```mongo admin -port 27017``` but even ```show users``` gave a permission error. – Sophie Jan 21 '21 at 16:29
  • @ROHITKHURANA Good idea. The SELinux prerequisites were met including the compiled modules, and the tags on the datadir, /var/lib/mongo and /var/run/mongo. Otherwise it ought not to start. I'll disable it just to verify there is not something I missed. – Sophie Jan 22 '21 at 08:21
  • First disable **security** part and keep **replica set** enable. Then initialize replica set first with **rs.initiate** then enable **auth and keyfile** and check. It worked for me. – ROHIT KHURANA Jan 25 '21 at 09:07
  • Deleted & reinstalled. Did not add security to the mongod.conf file. All I did was run: ```> use user;``` ```> db.createUser ( { user : 'mgdb', pwd: 'password', roles: [ { role: "root", db: "admin" } ] })``` ```Successfully added user: ...``` I then tried to login with ```mongo --authenticationDatabase admin --username "mgdb" --password "password"``` and got: ```Error: Authentication failed.``` Also tried with SELinux permissive. – Sophie Jan 26 '21 at 14:35
  • Why do you use `--authenticationDatabase admin` when you created the user in database `user`? – Wernfried Domscheit Jan 26 '21 at 16:43
  • No idea. I thought that all users had to be created in user db. Don't all credentials live there? The ```db.Create``` command had the constraint ```{ role:root, db: admin }```; doesn't this mean it creates in admin db instead of user db? – Sophie Jan 26 '21 at 16:47
  • Instead of db user, I did a db.admin, and ran the db.create command. And can now log in. I don't understand mongod. I wish the third party s/w provider we have had to use mandated mysql or oracle instead, because we have DBAs for those. – Sophie Jan 26 '21 at 16:51
  • Should the rs.initiate command be run inside a specific database like the db.create command above? – Sophie Jan 26 '21 at 16:54
  • `rs.initiate` can run from any DB. – Wernfried Domscheit Jan 26 '21 at 17:12
  • Thanks. Tried it but got : ```ok : 0``` ```errmsg: this node was not started with the replSet option``` I used to put replSet in the mongod.conf, but think this is the wrong place. Is the recommended way to use this on the command with --replSet=Data? – Sophie Jan 27 '21 at 09:58
  • The systemd service file for RHEL7 is broken. I commented the Environment and OPTIONS type values and instead set the `ExecStart/usr/bin.mongod -f /etc/mongod.cong --replSet=Data` This started, and rs.status() returned: `operationTime : Timestamp 0,0` `ok : 0`; `errmsg: no replset config has been received,` `code : 94,` `codeName: NotYetInitialized` `...` – Sophie Jan 27 '21 at 10:09
  • I already told you: "**You should not mix config file (option `-f | --config`) and other options.**" Config file `/etc/mongod.cong` is most likely a typo - should it be `/etc/mongod.conf`? – Wernfried Domscheit Jan 27 '21 at 11:10
  • I don't wish to come across as impertinent, but why not? The guide does not mention the mixing problem: https://docs.mongodb.com/v3.2/reference/configuration-options/#use-the-configuration-file – Sophie Jan 27 '21 at 12:03
  • Yep, a typo. `Mongod.conf` – Sophie Jan 27 '21 at 12:04
  • For example you can set replicaSet name by option `--replSet` or in configuration file `replication.replSetName` - honestly I don't know which one takes precedence in case they are different, I did not find out. That's the reason why I **recommend** not mixing them. – Wernfried Domscheit Jan 27 '21 at 13:01
  • I tried using `replication.replSetName` but it ignored it. Only later did I add the command line option, and then it didn't complain. By the way, can we use `replication.replSetName: Data` in the conf file, or is it `replication: replSetName: Data`? – Sophie Jan 27 '21 at 13:15
  • Got the dB started. Not that the cluster is working. Nothing is listening on port 27019/tcp or 27018/tcp. Though it should be. 27017/tcp is listening. – Sophie Jan 27 '21 at 13:35
  • `rs.printReplicationInfo()` returns `this is a slave, printing slave replication info.` and `rs.printSlaveReplicationInfo()` did nothing. Whilst the other nodes return `errmsg: replication not detected` when `rs.printReplicationInfo()` is run. – Sophie Jan 27 '21 at 14:09
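
The answer's point that a user belongs to the database it was created in can be checked against the stored user documents. This is an added example, not part of the original posts or of MongoDB: `diagnoseLogin` is a hypothetical helper, and `sampleUsers` is constructed to match the state described in the comments (user created after `use user`, login attempted with `--authenticationDatabase admin`).

```javascript
// Added example; diagnoseLogin is a hypothetical helper, not a MongoDB API.
// MongoDB keeps every user document in admin.system.users, whatever database the
// user was created in. With sufficient privileges (or before authorization is
// enabled) the documents can be listed in the shell with:
//   db.getSiblingDB("admin").system.users.find({}, { user: 1, db: 1, roles: 1 })
// The "db" field of a user document is that user's authentication database.
// The "db" inside each role only says where the role applies.
function diagnoseLogin(userDocs, username, authDb) {
  const sameName = userDocs.filter((u) => u.user === username);
  if (sameName.length === 0) {
    return { found: false, reason: `no user named "${username}" exists`, tryAuthDb: [] };
  }
  const match = sameName.find((u) => u.db === authDb);
  if (match) {
    // Identity exists; a failure now points at the password, not the database.
    return {
      found: true,
      reason: `"${authDb}.${username}" exists; check the password`,
      roles: match.roles.map((r) => `${r.role}@${r.db}`),
    };
  }
  const dbs = sameName.map((u) => u.db);
  return {
    found: false,
    reason: `"${username}" was created in [${dbs.join(", ")}], not in "${authDb}"`,
    tryAuthDb: dbs,
  };
}

// Constructed sample: user created after `use user` with the root role on admin.
const sampleUsers = [
  { _id: "user.mgdb", user: "mgdb", db: "user", roles: [{ role: "root", db: "admin" }] },
];

// Login with --authenticationDatabase admin: the identity admin.mgdb does not exist.
console.log(diagnoseLogin(sampleUsers, "mgdb", "admin"));
// Login with --authenticationDatabase user: the identity exists and holds root@admin.
console.log(diagnoseLogin(sampleUsers, "mgdb", "user"));
```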