-
-
Notifications
You must be signed in to change notification settings - Fork 451
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Auth in mongod 3.6 #437
Comments
Hello, Puppet: 5.3.2 This use-case worked on Puppet 3 with the old module puppetlabs-mongodb: 0.17.0. Unfortunately I can't easily test against a Puppet 3 environment with the current version of the module, but I believe it's something to do with changes in ordering between Puppet 3 and later version. My code:
|
I'm seeing this too. The only way i can get the error to stop is by setting This is affecting the StackStackstorm module ======== It looks like the root of the problem is that It seems like it needs to run on a first pass with Not sure exactly how to implement this exactly. |
I have some super hacky code, but it works: # define class { 'mongodb':} somewhere before this
# check if our "custom fact" has been created and set to true
if $::mongodb_auth_init == undef or $::mongodb_auth_init == false {
# disable auth
exec { 'mongodb - stop service':
command => '/usr/bin/systemctl stop mongod',
unless => '/bin/grep "^security.authorization: disabled" /etc/mongod.conf',
}
exec { 'mongodb - disable auth':
command => '/usr/bin/sed -i \'s/security.authorization: enabled/security.authorization: disabled/g\' /etc/mongod.conf',
refreshonly => true,
}
exec { 'mongodb - auth fact':
command => '/usr/bin/echo "mongodb_auth_init: true" > /etc/facter/facts.d/mongodb.yaml',
refreshonly => true,
}
exec { 'mongodb - start service':
command => '/usr/bin/systemctl start mongod',
refreshonly => true,
}
# create mongodb admin database with auth disabled
# enable auth
exec { 'mongodb - enable auth':
command => '/usr/bin/sed -i \'s/security.authorization: disabled/security.authorization: enabled/g\' /etc/mongod.conf',
unless => '/bin/grep "^security.authorization: enabled" /etc/mongod.conf',
}
exec { 'mongodb - restart service':
command => '/usr/bin/systemctl restart mongod',
refreshonly => true,
}
# ensure MongoDB config is present and service is running
Class['mongodb::server::config']
-> Class['mongodb::server::service']
# disable auth
-> Exec['mongodb - stop service']
~> Exec['mongodb - disable auth']
~> Exec['mongodb - auth fact']
~> Exec['mongodb - start service']
# create mongodb admin database with auth disabled
-> Mongodb::Db['admin']
# enable auth
~> Exec['mongodb - enable auth']
~> Exec['mongodb - restart service']
-> Mongodb::Db <| title != 'admin' |>
} |
So @nmaludy 's hack works .. but ugh, its not nice to have to do this. Are we all mis-using the code, or is this really a scenario thats just not tested? |
No, this is correct. I had a patch for the old pre-Voxpopuli takeover of this module that worked correctly. This is a very long-standing bug in the codebase and should be considered top priority. The number of times that data theft has occurred because people configure mongo without authentication is just mind boggling. The defaults should be to have it on and running. I'll see if I can bring my patch up to date with the latest code and resubmit. Code is here: https://github.com/WetHippie/puppetlabs-mongodb/tree/admin_user_handling |
create_admin uses localhost execeotion to create the first user when "auth" is enabled. Create_admin works with mongo 2.4. However, since 3.0 they changed the localhost exception: "The localhost exception changed so that these connections only have access to create the first user on the admin database. In previous versions, connections that gained access using the localhost exception had unrestricted access to the MongoDB instance." |
I am also facing the same issue. Could you please let me know, when we are planing to fix this. |
Facing similar issues: Puppet: 5.5.2
|
I'll leave another 'me too' here. Also note the issues exists when installing MongoDB 4.x, though you get messages similar to this:
I can run the following from a mongo shell to manually create the admin user, but again this is just another hack
Is this on the radar for a fix? |
I'm working with puppet5 and mongodb 4.0.8 Note that in this fork your admin user has to be named admin in order to use the create_adminuser function. I created a subfork to only do this for the database named admin. |
Another crutch that solves this problem for me, may be useful to someone: class {'mongodb::globals':
manage_package_repo => true,
version => '3.6.12',
}
-> class {'mongodb::client': }
-> class {'mongodb::server':
auth => true,
create_admin => true,
admin_username => 'root',
admin_password => 'password',
store_creds => true,
bind_ip => ['127.0.0.1']
}
exec {'mongodb_auth_fix_disable_auth':
command => "sed -i 's/security.authorization: enabled/security.authorization: disabled/' /etc/mongod.conf; touch /root/.mongodb_auth_fix_disable_auth",
path => ['/bin', '/usr/bin'],
notify => [
Class['mongodb::server::service'],
],
creates => '/root/.mongodb_auth_fix_disable_auth',
require => Class['mongodb::server::config'],
}
mongodb::db { 'db_name':
user => 'db_user',
password => 'db_pass',
} ->
exec {'mongodb_auth_fix_enable_auth':
command => "sed -i 's/security.authorization: disabled/security.authorization: enabled/' /etc/mongod.conf; systemctl restart mongod; touch /root/.mongodb_auth_fix_enable_auth;",
path => ['/bin', '/usr/bin'],
creates => '/root/.mongodb_auth_fix_enable_auth',
} |
Are there any efforts to fix this ? Maybe integrate the fork ? |
Any news on resolution or a good workaround of this bug? |
Bumping this issue as still an open problem in the latest version of the puppet module. |
Affected Puppet, Ruby, OS and module versions/distributions
How to reproduce (e.g Puppet code you use)
What are you seeing
What behaviour did you expect instead
I would have expected the module to configure Mongo 3.6, enable authentication and create the admin account. It appears the account must be created with mongo running without auth enabled, once an admin account is created, it should be then started with auth enabled.
Output log
As per 'What are you seeing'
Any additional information you'd like to impart
N/A
The text was updated successfully, but these errors were encountered: