mongostat on a sharded cluster with authentication


sine...@gmail.com

Mar 31, 2014, 9:00:22 AM
to mongod...@googlegroups.com

Hi all,

I have a sharded cluster with authentication (keyfile + users to access mongos). I've seen that mongostat can get information from all the nodes of the cluster with the --discover option.

The user I am working with has readAnyDatabase and clusterAdmin permissions (maybe they could be reduced) and I am running mongostat in the mongos client like this:

mongostat --port mongos_port -u user -p --authenticationDatabase admin --discover

I can retrieve information from the client, but auth fails when trying to connect to the members of the replicasets (shards):

serverThread (node.:27017) fatal error : { code: 18, ok: 0.0, errmsg: "auth fails" }

Do I need to add the same user to the admin database of all the replica sets? If this is the case, which permissions should it have? Because, as far as I know, clusterAdmin is not directly related to shards (replica sets in my case).

I've tried creating a userAdminAnyDatabase user in just one RS with:
use admin
db.addUser( {user:"username", pwd: "password", roles: ["userAdminAnyDatabase"] } )

and after accessing mongod with

 mongo --port 27017 -u username -p --authenticationDatabase admin

I could not read data from the system.users collection of the user’s database! I restored the admin database information (in fact, I removed the db files: .ns .0 and .1) and it is working again but I still have no access to the nodes with mongostat.

Thank you,
  Antònia


David Hows

Apr 14, 2014, 2:40:50 AM
to mongod...@googlegroups.com
Hi Antònia,

I'm working under the assumption that this relates to MongoDB 2.4.


> Do I need to add the same user to the admin database of all the replica sets? If this is the case, which permissions should it have? Because, as far as I know, clusterAdmin is not directly related to shards (replica sets in my case).

Yes. When you create a user on the admin database via the MongoS, that user will be defined on the config servers for use as a cluster-level admin. If you wish to perform admin tasks (such as using mongostat) you will need to create valid users with the same credentials on each shard that match those provided to the MongoS. The clusterAdmin permission is needed on the shard servers themselves as it allows access to some of the server management and information functions.

> I could not read data from the system.users collection of the users database! I restored the admin database information (in fact, I removed the db files: .ns .0 and .1) and it is working again but I still have no access to the nodes with mongostat.

I tested locally with a 2.4.9 instance, and this was not my experience. Can you please list the exact steps you took, as this should have functioned correctly?

Thanks,
David
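
Added example, not part of the original thread and not MongoDB's own code: a helper for the MongoDB 2.4 mongo shell that performs the step described in the reply above, run against the primary of each shard's replica set directly rather than through mongos. The function name ensureShardUser, the placeholder password, and the choice to report missing roles on an existing user instead of modifying it are assumptions of this example.

```javascript
// Added example for the MongoDB 2.4 mongo shell (ES5 only, so it also loads under Node).
// Connect to the PRIMARY of each shard's replica set and load this file there.
// Users created through mongos live on the config servers, so each shard needs its own copy.

// Roles the original poster's mongos user holds.
var WANTED_ROLES = ["clusterAdmin", "readAnyDatabase"];

// adminDb: the shard's admin database, e.g. db.getSiblingDB("admin")
// name/pwd: must match the credentials passed to mongostat, because
//           --discover reuses them for every node it connects to.
function ensureShardUser(adminDb, name, pwd, roles) {
    var existing = adminDb.system.users.findOne({ user: name });

    if (!existing) {
        // 2.4 syntax, as used in the thread; privileges are role names in an array.
        adminDb.addUser({ user: name, pwd: pwd, roles: roles });
        return { user: name, action: "created", missingRoles: [] };
    }

    // The user is already present: do not overwrite it, only report which
    // of the wanted roles it lacks (for example a user that was created
    // with userAdminAnyDatabase alone).
    var have = existing.roles || [];
    var missing = roles.filter(function (r) {
        return have.indexOf(r) === -1;
    });
    return {
        user: name,
        action: missing.length ? "exists-missing-roles" : "exists-ok",
        missingRoles: missing
    };
}

// Only runs inside the mongo shell, where the global `db` exists.
if (typeof db !== "undefined") {
    // "CHANGE_ME" is a placeholder; use the same password as the mongos user.
    printjson(ensureShardUser(db.getSiblingDB("admin"), "user", "CHANGE_ME", WANTED_ROLES));
}
```

A result of "exists-missing-roles" on a shard means mongostat will authenticate there but may still be refused the server status information it needs.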