Uploaded image for project: 'Mongoid'
  1. Mongoid
  2. MONGOID-4404

MongoDB ReplicaSet Authentication Issue with Secondary

    • Type: Icon: Task Task
    • Resolution: Gone away
    • Priority: Icon: Major - P3 Major - P3
    • None
    • Affects Version/s: 5.1.1
    • Component/s: None
    • Environment:
      MongoDB 3.2.8, Ubuntu 14.04, Rails 4.2.5, Ruby 2.2.2

      We have a MongoDB (v 3.2.8) replicaSet with the following configuration:

      replication:
        replSetName: replica
      security:
        keyFile: mongo.key
      

      Our replicaSet status rs.status() currently looks like this:

      {
          "set" : "replica",
          "date" : ISODate("2016-11-11T15:43:29.164Z"),
          "myState" : 1,
          ...
          "members" : [
              {
                  "_id" : 4,
                  "name" : "mongo_1:27017",
                  "health" : 1,
                  "state" : 1,
                  "stateStr" : "PRIMARY",
                  "uptime" : 155,
                  ...
                  "self" : true
              }
              {
                  "_id" : 5,
                  "name" : "mongo_2:27017",
                  "health" : 1,
                  "state" : 1,
                  "stateStr" : "SECONDARY",
                  "uptime" : 145,
                  ...
                  "self" : false
              },
              {
                  "_id" : 6,
                  "name" : "mongo_3:27017",
                  "health" : 1,
                  "state" : 1,
                  "stateStr" : "SECONDARY",
                  "uptime" : 150,
                  ...
                  "self" : false
              }
          ],
          "ok" : 1
      }
      

      For authentication, we have the following user (db.getUsers()) in the admin database:

      [
          {
              "_id" : "admin.user",
              "user" : "user",
              "db" : "admin",
              "roles" : [
                  {
                      "role" : "clusterManager",
                      "db" : "admin"
                  },
                  {
                      "role" : "userAdminAnyDatabase",
                      "db" : "admin"
                  },
                  {
                      "role" : "clusterAdmin",
                      "db" : "admin"
                  },
                  {
                      "role" : "backup",
                      "db" : "admin"
                  },
                  {
                      "role" : "dbOwner",
                      "db" : "db_users"
                  },
                  {
                      "role" : "clusterMonitor",
                      "db" : "admin"
                  },
                  {
                      "role" : "restore",
                      "db" : "admin"
                  }
              ]
          }
      ]
      

      When we try connecting from a Rails application, we get the authentication errors in the log files of the secondary members:

      I ACCESS   [conn221]  authenticate db: admin
      { authenticate: 1, user: "user", nonce: "xxx", key: "xxx" }
      I ACCESS   [conn221] Failed to authenticate user@admin with mechanism
      MONGODB-CR: AuthenticationFailed: MONGODB-CR credentials missing in
      the user document
      I ACCESS   [conn221] Unauthorized: not authorized on db_users
      to execute command { aggregate: "mongo_users", pipeline: [...],
                           cursor: {}, allowDiskUse: true }
      

      On dropping the secondary members from the replica set, every read/write query works fine on the primary mongoDB server. Also note that the command mongo db_users -u user --password password --authenticationDatabase admin works fine locally on all the three members. Our rails application uses 'mongoid' v(5.1.1) gem as the MongoDB client, with the following settings in mongoid.yml.

      production:
        clients:
          default:
            database: db_users
            hosts:
              - mongo_1:27017
              - mongo_2:27017
              - mongo_2:27017
            options:
              user: 'user'
              password: 'password'
              auth_source: admin
              safe: true
              wait_queue_timeout: 300
              read:
                  mode: :secondary_preferred
      

      We are also facing similar authentication issues when trying to connect using mongo_engine on our Flask backend, the difference being that it fails to authenticate at all on having the security option enabled in mongoid.conf. Wondering if we are setting up the user role correctly in the admin database, or if someone has faced similar issues while setting up replicaSet configurations, and possible solutions for our issue.

            Assignee:
            Unassigned Unassigned
            Reporter:
            swapnil.debarshi Swapnil Debarshi
            Votes:
            0 Vote for this issue
            Watchers:
            2 Start watching this issue

              Created:
              Updated:
              Resolved: