Get authentication to co-exist with replication #97
Conversation
| begin | ||
| connection.add_auth("admin", node['mongodb']['admin']['username'], node['mongodb']['admin']['password']) | ||
| rescue Mongo::AuthenticationError => e | ||
| Chef::Log.warn("Unable to authenticate as admin user. If this is a fresh install, ignore warning: #{e}") |
This comment was marked as outdated.
This comment was marked as outdated.
Sorry, something went wrong.
This comment was marked as outdated.
This comment was marked as outdated.
Sorry, something went wrong.
This comment was marked as outdated.
This comment was marked as outdated.
Sorry, something went wrong.
|
Well. Let me explain how I'm using it. I'm typing on my phone so excuse the straight line without breaks. I'm using a wrapper cookbook that runs replicaset (recipe) [which includes the "install" recipe, otherwise mongo isn't there]. Then after that I include the "user management" recipe which actually also won't raise an error if the admin user is missing the first time (not that this is likely the best method). After the first user is created mongo then requires authentication and future runs of chef need the admin user. I'm guessing the assumption made in user management for instance is that if the authentication fails it's OK to ignore it because adding (or modifying (see comments in user management) fails due to lack of privileges (couldn't login as admin when there's an admin user and it's necessary). The same should apply to the parts that add the replica set. I'm guessing from what you said it's going to be best if we check if authentication is necessary (ask mongo somehow) and when authentication happens based on that decision it's going to be best to fail (raise). It'd seem wise to me then to move the connecting code into libraries and share it from everywhere then? |
|
Ok so that's why I suspected: at this point the recipe doesn't know if authentication is required or not, because it doesn't know if it has already been setup or not. If we assume chef is the only one interacting with mongodb setup, then we could track our own state: was the create_user recipe already executed? If not, then we assume no authentication required. But this doesn't even work if we run chef multiple times... So we want to be more robust as you said: we should auto-detect the state:
It should indeed be moved into libraries, this would help re-use it everywhere we need it! |
|
Hopefully going to get back to this soon... It's somewhat a free time issue for me. |
|
User management and auth fixed under #13 |
|
This thread has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs. |
A bit of a monkey patch.
Also not sure if this works on a single instance (didn't check), but it should.
Works on 4 servers on CentOS perfectly. Much smoother than before.
Forced to use an older version of the 'gem'.