puppetlabs-mongodb module: How to enable user authentication for a database.

asked 2014-08-14 17:59:23 -0600

ns408

updated 2014-08-28 21:42:12 -0600

I am using the following to create a database and add a user to it.

  class { '::mongodb::globals': manage_package_repo => true, } ->
  class { '::mongodb::server':
    bind_ip => '0.0.0.0',
    auth    => 'true',
  } ->
  class { '::mongodb::client': }

  $databasename = 'itztest'
  $databaseuser = 'itztest'
  $databasepass = 'password'

  mongodb_database { $databasename:
    ensure  => present,
    tries   => 10,
    require => Class['mongodb::server'],
  }

  mongodb_user { $databaseuser:
    ensure        => present,
    password_hash => mongodb_password($databaseuser, $databasepass),
    database      => $databasename,
    roles         => ['readWrite', 'dbAdmin'],
    tries         => 10,
    require       => Class['mongodb::server'],
  }

Problem: Both the database and the user get created, but the user doesn't seem to be added to the authentication database (admin).

Code output:

Notice: /Stage[main]/Mongodb::Server::Install/Package[mongodb_server]/ensure: created
Notice: /Stage[main]/Mongodb::Server::Config/File[/etc/mongod.conf]/content: content changed '{md5}0aa1300d8c64318b1a7683cb3fee646e' to '{md5}69b42689ee7cf83f8428fca843fdf8d1'
Notice: /Stage[main]/Mongodb::Server::Config/File[/var/lib/mongodb]/ensure: created
Notice: /Stage[main]/Mongodb::Server::Service/Service[mongodb]/ensure: ensure changed 'stopped' to 'running'
Notice: /Stage[main]/Main/Mongodb_database[itztest]/ensure: created
Notice: /Stage[main]/Main/Mongodb_user[itztest]/ensure: created
Notice: Finished catalog run in 122.93 seconds

Cannot access itztest database using user/pass:

[root@ip-10-0-1-99 ~]# mongo itztest -u itztest -p 'password'
MongoDB shell version: 2.6.4
connecting to: itztest
2014-08-16T03:52:22.211+0000 Error: 18 { ok: 0.0, errmsg: "auth failed", code: 18 } at src/mongo/shell/db.js:1210
exception: login failed

Can access without user/pass:

[root@ip-10-0-1-99 ~]# mongo itztest 
MongoDB shell version: 2.6.4
connecting to: itztest
> show dbs
admin    (empty)
itztest  0.078GB
local    0.078GB

I've also tried using the following, which bears the same result:

  class { '::mongodb::globals': manage_package_repo => true, } ->
  class { '::mongodb::server':
    bind_ip => '0.0.0.0',
    auth    => 'true',
  } ->
  class { '::mongodb::client': }

  $databasename = 'itztest'
  $databaseuser = 'itztest'
  $databasepass = 'password'

  mongodb::db { $databasename:
    user     => $databaseuser,
    password => $databasepass,
    require  => Class['mongodb::server'],
    roles    => ['readWrite', 'dbAdmin'],
    tries    => 10,
  }

Roles and users in the database

[ec2-user@ip-10-0-1-99 ~]$ mongo admin
MongoDB shell version: 2.6.4
connecting to: admin
> show users
> show roles
{
    "role" : "__system",
    "db" : "admin",
    "isBuiltin" : true,
    "roles" : [ ],
    "inheritedRoles" : [ ]
}
{
    "role" : "backup",
    "db" : "admin",
    "isBuiltin" : true,
    "roles" : [ ],
    "inheritedRoles" : [ ]
}
{
    "role" : "clusterAdmin",
    "db" : "admin",
    "isBuiltin" : true,
    "roles" : [ ],
    "inheritedRoles" : [ ]
}
{
    "role" : "clusterManager",
    "db" : "admin",
    "isBuiltin" : true,
    "roles" : [ ],
    "inheritedRoles" : [ ]
}
{
    "role" : "clusterMonitor",
    "db" : "admin",
    "isBuiltin" : true,
    "roles" : [ ],
    "inheritedRoles" : [ ]
}
{
    "role" : "dbAdmin",
    "db" : "admin",
    "isBuiltin" : true,
    "roles" : [ ],
    "inheritedRoles" : [ ]
}
{
    "role" : "dbAdminAnyDatabase",
    "db" : "admin",
    "isBuiltin" : true,
    "roles" : [ ],
    "inheritedRoles" : [ ]
}
{
    "role" : "dbOwner",
    "db" : "admin",
    "isBuiltin" : true,
    "roles" : [ ],
    "inheritedRoles" : [ ]
}
{
    "role" : "hostManager",
    "db" : "admin",
    "isBuiltin" : true,
    "roles" : [ ],
    "inheritedRoles" : [ ]
}
{
    "role" : "read",
    "db" : "admin",
    "isBuiltin" : true,
    "roles" : [ ],
    "inheritedRoles" : [ ]
}
{
    "role" : "readAnyDatabase",
    "db" : "admin",
    "isBuiltin" : true,
    "roles" : [ ],
    "inheritedRoles" : [ ]
}
{
    "role" : "readWrite",
    "db" : "admin",
    "isBuiltin" : true,
    "roles" : [ ],
    "inheritedRoles" : [ ]
}
{
    "role" : "readWriteAnyDatabase",
    "db" : "admin",
    "isBuiltin" : true,
    "roles" : [ ],
    "inheritedRoles" : [ ]
}
{
    "role" : "restore",
    "db" : "admin",
    "isBuiltin" : true,
    "roles" : [ ],
    "inheritedRoles" : [ ]
}
{
    "role" : "root",
    "db" : "admin",
    "isBuiltin" : true,
    "roles" : [ ],
    "inheritedRoles" : [ ]
}
{
    "role" : "userAdmin",
    "db" : "admin",
    "isBuiltin" : true,
    "roles" : [ ],
    "inheritedRoles" : [ ]
}
{
    "role" : "userAdminAnyDatabase",
    "db" : "admin",
    "isBuiltin" : true,
    "roles" : [ ],
    "inheritedRoles" : [ ]
}

Comments

Any error messages? You're giving class declarations containing variables and not telling how or what those variables contain.

ptierno ( 2014-08-15 04:26:03 -0600 )

What's the output from $databasename etc.? I fear that they're empty / wrong... Could you please post your .yaml?

khaefeli ( 2014-08-15 07:37:51 -0600 )

Thank you for the additional information. Looks right to me. What do "show users" and "show roles" output? I think the Puppet run didn't set the database privileges to your user. BTW: tries 10 and require => Class['mongodb::server'] are the defaults, you don't need to set them ;)

khaefeli ( 2014-08-18 04:28:08 -0600 )

Thanks Khaefeli for your response. I didn't receive an alert on your response so I didn't bother to take a look at this page - sorry. I've added the output of 'show roles' and 'show users' now. Could you kindly check and let me know your opinion on it.

ns408 ( 2014-08-28 21:43:39 -0600 )