When upgrading config servers to use WireTiger, the running config server with wiredtiger does not authenticate the existing pass and user?

Posted on

Question :

In order to upgrade mongodb to 3.0.0, I am upgrading my config servers to use WireTiger. I followed the subsection of Change Config Server to Use WiredTiger. There are 18 steps. I run mongodump –port 27019 –username user –password pass –authenticationDatabase admin –out /var/data/config1/mongodump-15-03-16/ to bump the data. When I went to step 6, I tried to use “mongorestore –port 27019 –username user –password pass –authenticationDatabase admin –authenticationMechanism MONGODB-CR /var/data/config1/mongodump-15-03-16/” to restore the data.
The error is

2015-03-17T17:37:51.963Z I NETWORK [conn14] end connection (5 connections now open)

2015-03-17T17:38:01.685Z I NETWORK [initandlisten] connection accepted from #15 (6 connections now open)

2015-03-17T17:38:01.687Z I ACCESS [conn15] authenticate db: admin { authenticate: 1, nonce: “xxx”, user: “user”, key: “xxx” }

2015-03-17T17:38:01.687Z I ACCESS [conn15] Failed to authenticate user@admin with mechanism MONGODB-CR: AuthenticationFailed UserNotFound Could not find user user@admin

2015-03-17T17:38:01.687Z I NETWORK [conn15] end connection (5 connections now open)

I have no idea. But when I start the config server with MMAP storage engine, no errors. My config file is

dbPath: "/var/data/config1/db"
engine: "wiredTiger"
directoryPerDB: true
enabled: true
destination: file
path: "/var/data/config1/log/config1.log"
logAppend: true
timeStampFormat: iso8601-utc
fork: true
port : 27019
wireObjectCheck : false
enabled : true
keyFile: "/var/data/config1/keys/mongodb-keyfile"
authorization: "enabled"
clusterRole: "configsvr"

Any idea? Should I upgrade the authentication before upgrade the config servers to user WiredTiger? In addition, I used the same binary /usr/bin/mongod to generate the config server process and the data server process. Does this matter?

Answer :

It looks like the current MongoDB 3.0 upgrade instructions are missing mention of two important parameters for backing up and restoring users and roles:

I can think of several approaches to fix:

  1. If you don’t have many user accounts on the config servers, recreate the administrator & user accounts. This isn’t ideal, but is probably the fastest approach.

  2. Export the users from your mmap database. This is more involved, but saves you recreating the users & roles. I’ve described steps for this below.

  3. Redo the config server migration with the user & role information included. I expect this is the least desirable option.

Exporting the users

Assuming you have already upgraded all of your config servers to WiredTiger, here are some steps to add the user information:

  1. Disable the balancer

  2. Stop the last config server listed in your mongos’ configDB setting (will call that config3 for the purpose of these steps). This will ensure your sharded cluster metadata remains read-only for the following steps.

  3. Re-start config2 using the mmap data directory

    At this stage you should have:

    • config1 (running WiredTiger)
    • config2 (running mmap with user/role data)
    • config3 (stopped)
  4. Export the data from config2:

    mongodump --db config --dumpDbUsersAndRoles --username .. --password ..

    Add any other parameters needed, eg --authenticationDatabase .. if you need to auth against another database.

  5. If you have users in the admin database on your config server, you will also want to dump that as well.

  6. (optional) Remove files from your dump except for the user/role information. If you are certain nothing has changed since you did the original migration from mmap to WiredTiger you could skip this step, however it would be safer to not overwrite any existing data.

    Preview the files to remove:

    find ./dump -type f -not -name “$admin.system*”

    WARNING: removing files, make sure you have previewed to confirm:

    find ./dump -type f -not -name “$admin.system*” | xargs rm

  7. Re-start config2 using the wiredTiger storage engine

  8. Run: mongorestore --db config --restoreDbUsersAndRoles dump/config/

    You should see messages about restoring users & roles, for example:

    2015-03-18T02:41:34.887+1100 restoring users from dump/config/$admin.system.users.bson

    2015-03-18T02:41:34.887+1100 restoring roles from dump/config/$admin.system.roles.bson

  9. Login to config2 and confirm the users are correctly setup (i.e. auth with admin account, use db.getUsers() to check).

    At this stage you should have:

    • config1 (running WiredTiger)
    • config2 (running WiredTiger with user/role data)
    • config3 (stopped)
  10. Copy the dump directory to config1 and repeat the mongorestore step.

  11. Shutdown config2 (to keep the sharded cluster metadata readonly for the next step).

    At this stage you should have:

    • config1 (running WiredTiger with user/role data)
    • config2 (stopped)
    • config3 (stopped)
  12. Start config3. Copy the dump directory to config3, and repeat the mongorestore step.

    At this stage you should have:

    • config1 (running WiredTiger with user/role data)
    • config2 (stopped)
    • config3 (running WiredTiger with user/role data)
  13. Start config2. At this point all config servers should be online with the user information.

  14. Re-enable the balancer so normal balancing activity & chunk migration can resume.

Leave a Reply

Your email address will not be published. Required fields are marked *