sc-mongodb::user_management - fails to create admin and users #180

MelonSmasher opened this issue Dec 9, 2017 · 11 comments

@MelonSmasher

I'm trying to have Chef provision a user account for graylog. I can't seem to get this working. I've looked over the attributes and the README but I am still having trouble. Am I doing something wrong, or is this a bug?

Chef Client output:

  * sc_mongodb_user[admin] action add

    ================================================================================
    Error executing action `add` on resource 'sc_mongodb_user[admin]'
    ================================================================================

    NoMethodError
    -------------
    undefined method `db' for nil:NilClass

    Cookbook Trace:
    ---------------
    /var/chef/cache/cookbooks/sc-mongodb/providers/user.rb:16:in `add_user'
    /var/chef/cache/cookbooks/sc-mongodb/providers/user.rb:295:in `block in class_from_file'

    Resource Declaration:
    ---------------------
    # In /var/chef/cache/cookbooks/sc-mongodb/recipes/user_management.rb

     37:   mongodb_user user['username'] do
     38:     password user['password']
     39:     roles user['roles']
     40:     database user['database']
     41:     connection node['mongodb']
     42:     if node.recipe?('sc-mongodb::mongos') || node.recipe?('sc-mongodb::replicaset')
     43:       # If it's a replicaset or mongos, don't make any users until the end
     44:       action :nothing
     45:       subscribes :add, 'ruby_block[config_replicaset]', :delayed
     46:       subscribes :add, 'ruby_block[config_sharding]', :delayed
     47:     else
     48:       action user['action'] || :add
     49:     end
     50:   end

    Compiled Resource:
    ------------------
    # Declared in /var/chef/cache/cookbooks/sc-mongodb/recipes/user_management.rb:37:in `block in from_file'

    sc_mongodb_user("admin") do
      action [:add]
      retries 0
      retry_delay 2
      default_guard_interpreter :default
      declared_type :mongodb_user
      cookbook_name "sc-mongodb"
      recipe_name "user_management"
      password "password-here"
      roles ["userAdminAnyDatabase", "dbAdminAnyDatabase", "clusterAdmin"]
      database "admin"
      connection {"client_roles"=>[], "cluster_name"=>"graylog", "shard_name"=>"default", "replica_arbiter_only"=>false, "replica_build_indexes"=>true, "replica_hidden"=>false, "replica_slave_delay"=>0, "replica_priority"=>1, "replica_tags"=>{}, "replica_votes"=>1, "auto_configure"=>{"replicaset"=>true, "sharding"=>true}, "configserver_url"=>nil, "root_group"=>"root", "user"=>"mongodb", "group"=>"mongodb", "init_dir"=>"/etc/init.d", "init_script_template"=>"debian-mongodb.init.erb", "sysconfig_file"=>{"mongod"=>"/etc/default/mongodb", "mongos"=>"/etc/default/mongos", "template"=>"mongodb.sysconfig.erb"}, "dbconfig_file"=>{"template"=>"mongodb.conf.erb", "mongod"=>"/etc/mongod.conf", "mongos"=>"/etc/mongos.conf"}, "package_name"=>"mongodb-org", "package_version"=>"3.2.10", "default_init_name"=>"mongod", "instance_name"=>{"mongod"=>"mongod", "mongos"=>"mongos"}, "packager_options"=>"-o Dpkg::Options::=\"--force-confold\" --force-yes", "install_method"=>"mongodb-org", "is_replicaset"=>nil, "is_shard"=>nil, "is_configserver"=>nil, "reload_action"=>"restart", "repo"=>"http://repo.mongodb.org/apt/ubuntu", "template_cookbook"=>"sc-mongodb", "key_file_content"=>nil, "ruby_gems"=>{"mongo"=>"~> 1.12", "bson_ext"=>nil}, "config"=>{"mongod"=>{"net"=>{"port"=>"27017", "bindIp"=>"0.0.0.0", "bindIpAll"=>true}, "systemLog"=>{"destination"=>"file", "logAppend"=>true, "path"=>"/var/log/mongodb/mongod.log"}, "storage"=>{"journal"=>{"enabled"=>true}, "dbPath"=>"/var/lib/mongodb", "engine"=>"wiredTiger"}, "replication"=>{"oplogSizeMB"=>nil, "replSetName"=>nil, "secondaryIndexPrefetch"=>nil, "enableMajorityReadConcern"=>nil}, "security"=>{"keyFile"=>nil}}, "mongos"=>{"net"=>{"port"=>27017, "bindIp"=>"0.0.0.0"}, "systemLog"=>{"destination"=>"file", "logAppend"=>true, "path"=>"/var/log/mongodb/mongos.log"}, "sharding"=>{"configDB"=>nil}, "security"=>{"keyFile"=>nil}}, "auth"=>true}, "mms_agent"=>{"api_key"=>nil, "mmsGroupId"=>nil, "user"=>"mongodb-mms-agent", "group"=>"mongodb-mms-agent", 
"automation"=>{"config"=>{"mmsGroupId"=>nil, "mmsApiKey"=>nil, "mmsBaseUrl"=>"https://mms.mongodb.com", "logFile"=>"/var/log/mongodb-mms-automation/automation-agent.log", "mmsConfigBackup"=>"/var/lib/mongodb-mms-automation/mms-cluster-config-backup.json", "logLevel"=>"INFO", "maxLogFiles"=>10, "maxLogFileSize"=>268435456}, "user"=>"mongodb", "group"=>"mongodb", "package_url"=>"https://cloud.mongodb.com/download/agent/automation/mongodb-mms-automation-agent-manager_latest_amd64.ubuntu1604.deb"}, "backup"=>{"config"=>{"mmsApiKey"=>nil, "mothership"=>"api-backup.mongodb.com", "https"=>true}, "user"=>"mongodb-mms-agent", "group"=>"mongodb-mms-agent", "package_url"=>"https://cloud.mongodb.com/download/agent/backup/mongodb-mms-backup-agent_latest_amd64.ubuntu1604.deb"}, "monitoring"=>{"config"=>{"mmsApiKey"=>nil, "mmsBaseUrl"=>"https://mms.mongodb.com"}, "user"=>"mongodb-mms-agent", "group"=>"mongodb-mms-agent", "package_url"=>"https://cloud.mongodb.com/download/agent/monitoring/mongodb-mms-monitoring-agent_latest_amd64.ubuntu1604.deb"}}, "sysconfig"=>{"mongod"=>{"DAEMON"=>"/usr/bin/$NAME", "DAEMON_USER"=>"mongodb", "DAEMON_OPTS"=>"--config /etc/mongod.conf", "CONFIGFILE"=>"/etc/mongod.conf", "ENABLE_MONGODB"=>"yes"}, "mongos"=>{"DAEMON"=>"/usr/bin/$NAME", "DAEMON_USER"=>"mongodb", "DAEMON_OPTS"=>"--config /etc/mongos.conf", "CONFIGFILE"=>"/etc/mongos.conf", "ENABLE_MONGODB"=>"yes"}}, "ulimit"=>{"fsize"=>"unlimited", "cpu"=>"unlimited", "as"=>"unlimited", "nofile"=>64000, "rss"=>"unlimited", "nproc"=>32000}, "authentication"=>{"username"=>"admin", "password"=>"password-here"}, "admin"=>{"username"=>"admin", "password"=>"password-here", "roles"=>["userAdminAnyDatabase", "dbAdminAnyDatabase", "clusterAdmin"], "database"=>"admin"}, "users"=>[{"username"=>"graylog", "password"=>"password-here", "roles"=>["dbOwner", "root"], "database"=>"graylog"}], "mongos_create_admin"=>false, "user_management"=>{"connection"=>{"retries"=>2, "delay"=>2}}, 
"mongod_create_user"=>{"retries"=>2, "delay"=>10}}
      username "admin"
    end

    System Info:
    ------------
    chef_version=12.21.1
    platform=ubuntu
    platform_version=16.04
    ruby=ruby 2.3.1p112 (2016-04-26 revision 54768) [x86_64-linux]
    program_name=chef-client worker: ppid=20474;start=17:32:03;
    executable=/opt/chef/bin/chef-client


Running handlers:
Running handlers complete
Chef Client failed. 8 resources updated in 31 seconds

My Role:

{
  "name": "graylog_mongodb",
  "description": "The role installs a mongo server.",
  "chef_type": "role",
  "json_class": "Chef::Role",
  "default_attributes": {
    "mongodb": {
      "cluster_name": "graylog",
      "admin": {
        "username": "admin",
        "password": "password-here"
      },
      "authentication": {
        "username": "admin",
        "password": "password-here"
      },
      "users": [
        {
          "username": "graylog",
          "password": "password-here",
          "roles": ["dbOwner", "root"],
          "database": "graylog"
        }
      ],
      "config": {
        "auth": true,
        "mongod": {
          "net": {
            "bindIp": "0.0.0.0",
            "bindIpAll": true,
            "port": "27017"
          }
        }
      }
    }
  },
  "override_attributes": {
  },
  "run_list": [
    "recipe[sc-mongodb]",
    "recipe[sc-mongodb::user_management]"
  ]
}
@mateusduboli
Contributor

Hello Melon, I'm trying to reproduce the error with the role you posted on kitchen, and some of the configuration keys are invalid for my version of mongodb. Namely:

mongodb.config.mongod.net.bindIpAll <- gives an invalid configuration error
mongodb.users[graylog].roles <- the "root" role doesn't exist in my database

Could you help me with that?

@miedward

miedward commented Feb 9, 2018

In more recent versions of mongo (3.x) the user format has changed so now instead of just username and password you need roles and database resources also. So if you want to make your admin user called 'adminuser' with a password 'adminpassword' you'd need to do something like this.

node.default['mongodb']['admin']['username'] = 'adminuser'
node.default['mongodb']['admin']['password'] = 'adminpassword'
node.default['mongodb']['admin']["roles"] = [ "userAdminAnyDatabase" ]
node.default['mongodb']['admin']["database"] = 'admin'

Documentation needs to be updated to reflect this. Opening a new ticket to address the fact that "auth": true doesn't actually enable authorization in recent versions.

@miedward

[root@bluesky-db-uat dbsave]# /opt/chef/embedded/bin/gem list --local

*** LOCAL GEMS ***

addressable (2.5.2, 2.4.0)
appbundler (0.10.0)
ast (2.3.0)
bigdecimal (default: 1.3.0)
binding_of_caller (0.7.2)
blankslate (2.1.2.4)
bson (1.12.5)
bson_ext (1.12.5)
builder (3.2.3)
bundler (1.15.4)
byebug (9.1.0)
chef (13.5.3)
chef-config (13.5.3, 13.4.24)
chef-vault (3.3.0)
chef-zero (13.1.0)
cheffish (13.0.0)
coderay (1.1.2)
crack (0.4.3)
debug_inspector (0.0.3)
did_you_mean (1.1.0)
diff-lcs (1.3)
docile (1.1.5)
docker-api (1.33.6)
erubis (2.7.0)
excon (0.59.0)
faraday (0.13.1)
ffi (1.9.18)
ffi-yajl (2.3.1)
fuzzyurl (0.9.0)
gssapi (1.2.0)
gyoku (1.3.1)
hashdiff (0.3.6)
hashie (3.5.6)
highline (1.7.8)
htmlentities (4.3.4)
httpclient (2.8.3)
iniparse (1.4.4)
inspec (1.39.1)
io-console (default: 0.4.6)
ipaddress (0.8.3)
iso8601 (0.9.1)
json (2.1.0, default: 2.0.4)
libyajl2 (1.2.0)
little-plugger (1.1.4)
logging (2.2.2)
method_source (0.9.0)
mime-types (2.6.2)
mini_portile2 (2.2.0)
minitest (5.10.1)
mixlib-archive (0.4.1)
mixlib-authentication (1.4.2)
mixlib-cli (1.7.0)
mixlib-config (2.2.4)
mixlib-log (1.7.1)
mixlib-shellout (2.3.2)
mongo (1.12.5)
multi_json (1.12.2)
multipart-post (2.0.0)
mysql2 (0.4.9)
net-scp (1.2.1)
net-sftp (2.1.2)
net-ssh (4.2.0)
net-ssh-gateway (2.0.0)
net-ssh-multi (1.2.1)
net-telnet (0.1.1)
netrc (0.11.0)
nokogiri (1.8.0)
nori (2.6.0)
ohai (13.5.0)
openssl (default: 2.0.5)
parallel (1.12.0)
parser (2.4.0.0)
parslet (1.5.0)
plist (3.3.0)
power_assert (0.4.1)
powerpack (0.1.1)
proxifier (1.0.3)
pry (0.11.1)
pry-byebug (3.5.0)
pry-remote (0.1.8)
pry-stack_explorer (0.4.9.2)
psych (default: 2.2.2)
public_suffix (3.0.0)
rack (2.0.3)
rainbow (2.2.2)
rake (12.1.0, 12.0.0)
rb-readline (0.5.5)
rdoc (default: 5.0.0)
rest-client (1.7.3)
rspec (3.6.0)
rspec-core (3.6.0)
rspec-expectations (3.6.0)
rspec-its (1.2.0)
rspec-mocks (3.6.0)
rspec-support (3.6.0)
rspec_junit_formatter (0.2.3)
rubocop (0.49.1)
ruby-prof (0.16.2)
ruby-progressbar (1.9.0)
ruby-shadow (2.5.0)
rubyntlm (0.6.2)
rubyzip (1.2.1)
safe_yaml (1.0.4)
semverse (2.0.0)
serverspec (2.41.0)
sfl (2.3)
simplecov (0.15.1)
simplecov-html (0.10.2)
slop (3.6.0)
specinfra (2.72.0)
sslshake (1.2.0)
syslog-logger (1.6.8)
systemu (2.6.5)
test-unit (3.2.3)
thor (0.20.0)
toml (0.1.2)
train (0.28.0)
unicode-display_width (1.3.0)
uuidtools (2.1.5)
webmock (3.0.1)
winrm (2.2.3)
winrm-fs (1.0.2)
wmi-lite (1.0.0)
xmlrpc (0.2.1)

@JJClements

I'm seeing the same behaviour when enforcing TLS/SSL using:

normal['mongodb']['config']['mongod']['net']['ssl']['mode'] = 'requireSSL'
normal['mongodb']['config']['mongod']['net']['ssl']['PEMKeyFile'] = "/etc/ssl/#{node['hostname']}.pem"
normal['mongodb']['config']['mongod']['net']['ssl']['CAFile'] = "/etc/ssl/#{node['hostname']}-ca.crt"
normal['mongodb']['config']['mongod']['net']['ssl']['allowConnectionsWithoutCertificates'] = 'true'
normal['mongodb']['config']['mongod']['net']['ssl']['disabledProtocols'] = 'TLS1_0,TLS1_1'

@miedward

miedward commented Jul 3, 2018

@JJClements Are you including roles in your admin user creation as I suggested?

@JJClements

@miedward no I am not, I do however see the exact same error when enforcing SSL using:

normal['mongodb']['config']['mongod']['net']['ssl']['mode'] = 'requireSSL'

It's probably worth pointing out that I also saw this error when creating a user with an incorrectly named MongoDB role. Are "roles": ["dbOwner", "root"] correct? Maybe try with only 'readWrite' instead?

@miedward

miedward commented Jul 3, 2018

The OP error was for the user management cookbook (sc-mongodb::user_management) and this error has nothing to do with SSL.

If you are including that recipe (or it is a dependency on something you're using), your admin user should have something like

node.default['mongodb']['admin']['username'] = 'mysystemadmin'
node.default['mongodb']['admin']['password'] = db_passwords["mongodb_password"]
node.default['mongodb']['admin']["roles"] = [ "userAdminAnyDatabase", "root" ]
node.default['mongodb']['admin']["database"] = 'admin'

And then for each database you would make a separate user with dbAdmin permission for that database. They can have the same username but I believe the recipe expects at least one entry for ['mongodb']['users']. This is what I am using.

myuser = {
  "username" => "somedatabaseadmin",
  "password" => "#{db_passwords["mongodb_password"]}",
  "roles" => [ "dbAdmin", "readWrite" ],
  "database" => "#{node[:databaseConfig][:mongo_db_dbname]}"
}
node.default['mongodb']['users'] << myuser

@JJClements

> The OP error was for the user management cookbook (sc-mongodb::user_management) and this error has nothing to do with SSL

Totally agree. I was simply pointing out that the issue is related to the creation of a user, or not being able to in this case. The error seems pretty generic, but ultimately shows for a few different scenarios in my experience, 2 of which I described above.

@ksimuk

ksimuk commented Oct 26, 2018

Any solution? I have the same issue

@miedward

@MaximKraev Assuming you're talking about the OP and not the SSL issue, you need to include "roles" and "database" entries for the admin user as I suggested above.

node.default['mongodb']['admin']['username'] = 'adminuser'
node.default['mongodb']['admin']['password'] = 'adminpassword'
node.default['mongodb']['admin']["roles"] = [ "userAdminAnyDatabase" ]
node.default['mongodb']['admin']["database"] = 'admin'
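
As an added example (not part of any comment above and not the cookbook's own code): a check that can be run over the `admin` and `users` attribute hashes discussed in this thread before converging. It reports entries that lack `roles` or `database`, and roles such as `root` that MongoDB defines only in the `admin` database. The helper name and the sample hashes are constructed for illustration.

```ruby
# Added example: validate sc-mongodb style user hashes before a Chef run.
# mongodb_user_problems is a hypothetical helper, not a cookbook API.
REQUIRED_KEYS = %w[username password roles database].freeze

# MongoDB built-in roles that every database defines.
DB_ROLES = %w[read readWrite dbAdmin dbOwner userAdmin].freeze

# MongoDB built-in roles that exist only in the admin database.
ADMIN_ONLY_ROLES = %w[
  readAnyDatabase readWriteAnyDatabase userAdminAnyDatabase dbAdminAnyDatabase
  clusterAdmin clusterManager clusterMonitor hostManager backup restore root
].freeze

# Returns an array of problem strings; an empty array means the entry passes.
def mongodb_user_problems(user)
  user = user.map { |k, v| [k.to_s, v] }.to_h
  problems = REQUIRED_KEYS.select do |key|
    value = user[key]
    value.nil? || (value.respond_to?(:empty?) && value.empty?)
  end.map { |key| "missing #{key}" }

  db = user['database']
  Array(user['roles']).each do |role|
    if ADMIN_ONLY_ROLES.include?(role)
      # Granting root or *AnyDatabase roles on an application database fails,
      # and is broader than an application account normally needs.
      problems << "role #{role} exists only in the admin database, not #{db.inspect}" unless db == 'admin'
    elsif !DB_ROLES.include?(role)
      problems << "#{role} is not a built-in role"
    end
  end
  problems
end

# Constructed samples modelled on the attribute shapes shown in this thread.
OLD_STYLE_ADMIN = { 'username' => 'adminuser', 'password' => 'adminpassword' }.freeze
GRAYLOG_USER = { 'username' => 'graylog', 'password' => 'password-here',
                 'roles' => %w[dbOwner root], 'database' => 'graylog' }.freeze
FULL_ADMIN = { 'username' => 'adminuser', 'password' => 'adminpassword',
               'roles' => ['userAdminAnyDatabase'], 'database' => 'admin' }.freeze

if __FILE__ == $PROGRAM_NAME
  [OLD_STYLE_ADMIN, GRAYLOG_USER, FULL_ADMIN].each do |u|
    issues = mongodb_user_problems(u)
    puts "#{u['username']}: #{issues.empty? ? 'ok' : issues.join('; ')}"
  end
end
```

User-defined roles are reported as "not a built-in role", so extend `DB_ROLES` with any custom roles your deployment creates.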

@github-actions

Marking stale due to inactivity. Remove stale label or comment or this will be closed in 7 days. Alternatively drop by the #sous-chefs channel on the Chef Community Slack and we'll be happy to help! Thanks, Sous-Chefs.

@github-actions github-actions bot added the Stale label Sep 30, 2020
@xorimabot xorimabot removed the Stale label Sep 30, 2020