sc-mongodb::user_management - fails to create admin and users
I'm trying to have Chef provision a user account for graylog. I can't seem to get this working. I've looked over the attributes and the README but I am still having trouble. Am I doing something wrong, or is this a bug?
Chef Client output:
* sc_mongodb_user[admin] action add
================================================================================
Error executing action `add` on resource 'sc_mongodb_user[admin]'
================================================================================
NoMethodError
-------------
undefined method `db' for nil:NilClass
Cookbook Trace:
---------------
/var/chef/cache/cookbooks/sc-mongodb/providers/user.rb:16:in `add_user'
/var/chef/cache/cookbooks/sc-mongodb/providers/user.rb:295:in `block in class_from_file'
Resource Declaration:
---------------------
# In /var/chef/cache/cookbooks/sc-mongodb/recipes/user_management.rb
37: mongodb_user user['username'] do
38: password user['password']
39: roles user['roles']
40: database user['database']
41: connection node['mongodb']
42: if node.recipe?('sc-mongodb::mongos') || node.recipe?('sc-mongodb::replicaset')
43: # If it's a replicaset or mongos, don't make any users until the end
44: action :nothing
45: subscribes :add, 'ruby_block[config_replicaset]', :delayed
46: subscribes :add, 'ruby_block[config_sharding]', :delayed
47: else
48: action user['action'] || :add
49: end
50: end
Compiled Resource:
------------------
# Declared in /var/chef/cache/cookbooks/sc-mongodb/recipes/user_management.rb:37:in `block in from_file'
sc_mongodb_user("admin") do
action [:add]
retries 0
retry_delay 2
default_guard_interpreter :default
declared_type :mongodb_user
cookbook_name "sc-mongodb"
recipe_name "user_management"
password "password-here"
roles ["userAdminAnyDatabase", "dbAdminAnyDatabase", "clusterAdmin"]
database "admin"
connection {"client_roles"=>[], "cluster_name"=>"graylog", "shard_name"=>"default", "replica_arbiter_only"=>false, "replica_build_indexes"=>true, "replica_hidden"=>false, "replica_slave_delay"=>0, "replica_priority"=>1, "replica_tags"=>{}, "replica_votes"=>1, "auto_configure"=>{"replicaset"=>true, "sharding"=>true}, "configserver_url"=>nil, "root_group"=>"root", "user"=>"mongodb", "group"=>"mongodb", "init_dir"=>"/etc/init.d", "init_script_template"=>"debian-mongodb.init.erb", "sysconfig_file"=>{"mongod"=>"/etc/default/mongodb", "mongos"=>"/etc/default/mongos", "template"=>"mongodb.sysconfig.erb"}, "dbconfig_file"=>{"template"=>"mongodb.conf.erb", "mongod"=>"/etc/mongod.conf", "mongos"=>"/etc/mongos.conf"}, "package_name"=>"mongodb-org", "package_version"=>"3.2.10", "default_init_name"=>"mongod", "instance_name"=>{"mongod"=>"mongod", "mongos"=>"mongos"}, "packager_options"=>"-o Dpkg::Options::=\"--force-confold\" --force-yes", "install_method"=>"mongodb-org", "is_replicaset"=>nil, "is_shard"=>nil, "is_configserver"=>nil, "reload_action"=>"restart", "repo"=>"http://repo.mongodb.org/apt/ubuntu", "template_cookbook"=>"sc-mongodb", "key_file_content"=>nil, "ruby_gems"=>{"mongo"=>"~> 1.12", "bson_ext"=>nil}, "config"=>{"mongod"=>{"net"=>{"port"=>"27017", "bindIp"=>"0.0.0.0", "bindIpAll"=>true}, "systemLog"=>{"destination"=>"file", "logAppend"=>true, "path"=>"/var/log/mongodb/mongod.log"}, "storage"=>{"journal"=>{"enabled"=>true}, "dbPath"=>"/var/lib/mongodb", "engine"=>"wiredTiger"}, "replication"=>{"oplogSizeMB"=>nil, "replSetName"=>nil, "secondaryIndexPrefetch"=>nil, "enableMajorityReadConcern"=>nil}, "security"=>{"keyFile"=>nil}}, "mongos"=>{"net"=>{"port"=>27017, "bindIp"=>"0.0.0.0"}, "systemLog"=>{"destination"=>"file", "logAppend"=>true, "path"=>"/var/log/mongodb/mongos.log"}, "sharding"=>{"configDB"=>nil}, "security"=>{"keyFile"=>nil}}, "auth"=>true}, "mms_agent"=>{"api_key"=>nil, "mmsGroupId"=>nil, "user"=>"mongodb-mms-agent", "group"=>"mongodb-mms-agent", 
"automation"=>{"config"=>{"mmsGroupId"=>nil, "mmsApiKey"=>nil, "mmsBaseUrl"=>"https://mms.mongodb.com", "logFile"=>"/var/log/mongodb-mms-automation/automation-agent.log", "mmsConfigBackup"=>"/var/lib/mongodb-mms-automation/mms-cluster-config-backup.json", "logLevel"=>"INFO", "maxLogFiles"=>10, "maxLogFileSize"=>268435456}, "user"=>"mongodb", "group"=>"mongodb", "package_url"=>"https://cloud.mongodb.com/download/agent/automation/mongodb-mms-automation-agent-manager_latest_amd64.ubuntu1604.deb"}, "backup"=>{"config"=>{"mmsApiKey"=>nil, "mothership"=>"api-backup.mongodb.com", "https"=>true}, "user"=>"mongodb-mms-agent", "group"=>"mongodb-mms-agent", "package_url"=>"https://cloud.mongodb.com/download/agent/backup/mongodb-mms-backup-agent_latest_amd64.ubuntu1604.deb"}, "monitoring"=>{"config"=>{"mmsApiKey"=>nil, "mmsBaseUrl"=>"https://mms.mongodb.com"}, "user"=>"mongodb-mms-agent", "group"=>"mongodb-mms-agent", "package_url"=>"https://cloud.mongodb.com/download/agent/monitoring/mongodb-mms-monitoring-agent_latest_amd64.ubuntu1604.deb"}}, "sysconfig"=>{"mongod"=>{"DAEMON"=>"/usr/bin/$NAME", "DAEMON_USER"=>"mongodb", "DAEMON_OPTS"=>"--config /etc/mongod.conf", "CONFIGFILE"=>"/etc/mongod.conf", "ENABLE_MONGODB"=>"yes"}, "mongos"=>{"DAEMON"=>"/usr/bin/$NAME", "DAEMON_USER"=>"mongodb", "DAEMON_OPTS"=>"--config /etc/mongos.conf", "CONFIGFILE"=>"/etc/mongos.conf", "ENABLE_MONGODB"=>"yes"}}, "ulimit"=>{"fsize"=>"unlimited", "cpu"=>"unlimited", "as"=>"unlimited", "nofile"=>64000, "rss"=>"unlimited", "nproc"=>32000}, "authentication"=>{"username"=>"admin", "password"=>"password-here"}, "admin"=>{"username"=>"admin", "password"=>"password-here", "roles"=>["userAdminAnyDatabase", "dbAdminAnyDatabase", "clusterAdmin"], "database"=>"admin"}, "users"=>[{"username"=>"graylog", "password"=>"password-here", "roles"=>["dbOwner", "root"], "database"=>"graylog"}], "mongos_create_admin"=>false, "user_management"=>{"connection"=>{"retries"=>2, "delay"=>2}}, 
"mongod_create_user"=>{"retries"=>2, "delay"=>10}}
username "admin"
end
System Info:
------------
chef_version=12.21.1
platform=ubuntu
platform_version=16.04
ruby=ruby 2.3.1p112 (2016-04-26 revision 54768) [x86_64-linux]
program_name=chef-client worker: ppid=20474;start=17:32:03;
executable=/opt/chef/bin/chef-client
Running handlers:
Running handlers complete
Chef Client failed. 8 resources updated in 31 seconds
My Role:
{
"name": "graylog_mongodb",
"description": "The role installs a mongo server.",
"chef_type": "role",
"json_class": "Chef::Role",
"default_attributes": {
"mongodb": {
"cluster_name": "graylog",
"admin": {
"username": "admin",
"password": "password-here"
},
"authentication": {
"username": "admin",
"password": "password-here"
},
"users": [
{
"username": "graylog",
"password": "password-here",
"roles": ["dbOwner", "root"],
"database": "graylog"
}
],
"config": {
"auth": true,
"mongod": {
"net": {
"bindIp": "0.0.0.0",
"bindIpAll": true,
"port": "27017"
}
}
}
}
},
"override_attributes": {
},
"run_list": [
"recipe[sc-mongodb]",
"recipe[sc-mongodb::user_management]"
]
}
Hello Melon, I'm trying to reproduce the error with the role you posted on kitchen, and some of the configuration keys are invalid for my version of mongodb. Namely:
mongodb.config.mongod.net.bindIpAll <- gives an invalid configuration error
mongodb.users[graylog].roles <- the "root" role doesn't exist in my database
Could you help me with that?
In more recent versions of mongo (3.x) the user format has changed so now instead of just username and password you need roles and database resources also. So if you want to make your admin user called 'adminuser' with a password 'adminpassword' you'd need to do something like this.
node.default['mongodb']['admin']['username'] = 'adminuser'
node.default['mongodb']['admin']['password'] = 'adminpassword'
node.default['mongodb']['admin']["roles"] = [ "userAdminAnyDatabase" ]
node.default['mongodb']['admin']["database"] = 'admin'
Documentation needs to be updated to reflect this. Opening a new ticket to address the fact that "auth": true doesn't actually enable authorization in recent versions.
[root@bluesky-db-uat dbsave]# /opt/chef/embedded/bin/gem list --local
*** LOCAL GEMS ***
addressable (2.5.2, 2.4.0) appbundler (0.10.0) ast (2.3.0) bigdecimal (default: 1.3.0) binding_of_caller (0.7.2) blankslate (2.1.2.4) bson (1.12.5) bson_ext (1.12.5) builder (3.2.3) bundler (1.15.4) byebug (9.1.0) chef (13.5.3) chef-config (13.5.3, 13.4.24) chef-vault (3.3.0) chef-zero (13.1.0) cheffish (13.0.0) coderay (1.1.2) crack (0.4.3) debug_inspector (0.0.3) did_you_mean (1.1.0) diff-lcs (1.3) docile (1.1.5) docker-api (1.33.6) erubis (2.7.0) excon (0.59.0) faraday (0.13.1) ffi (1.9.18) ffi-yajl (2.3.1) fuzzyurl (0.9.0) gssapi (1.2.0) gyoku (1.3.1) hashdiff (0.3.6) hashie (3.5.6) highline (1.7.8) htmlentities (4.3.4) httpclient (2.8.3) iniparse (1.4.4) inspec (1.39.1) io-console (default: 0.4.6) ipaddress (0.8.3) iso8601 (0.9.1) json (2.1.0, default: 2.0.4) libyajl2 (1.2.0) little-plugger (1.1.4) logging (2.2.2) method_source (0.9.0) mime-types (2.6.2) mini_portile2 (2.2.0) minitest (5.10.1) mixlib-archive (0.4.1) mixlib-authentication (1.4.2) mixlib-cli (1.7.0) mixlib-config (2.2.4) mixlib-log (1.7.1) mixlib-shellout (2.3.2) mongo (1.12.5) multi_json (1.12.2) multipart-post (2.0.0) mysql2 (0.4.9) net-scp (1.2.1) net-sftp (2.1.2) net-ssh (4.2.0) net-ssh-gateway (2.0.0) net-ssh-multi (1.2.1) net-telnet (0.1.1) netrc (0.11.0) nokogiri (1.8.0) nori (2.6.0) ohai (13.5.0) openssl (default: 2.0.5) parallel (1.12.0) parser (2.4.0.0) parslet (1.5.0) plist (3.3.0) power_assert (0.4.1) powerpack (0.1.1) proxifier (1.0.3) pry (0.11.1) pry-byebug (3.5.0) pry-remote (0.1.8) pry-stack_explorer (0.4.9.2) psych (default: 2.2.2) public_suffix (3.0.0) rack (2.0.3) rainbow (2.2.2) rake (12.1.0, 12.0.0) rb-readline (0.5.5) rdoc (default: 5.0.0) rest-client (1.7.3) rspec (3.6.0) rspec-core (3.6.0) rspec-expectations (3.6.0) rspec-its (1.2.0) rspec-mocks (3.6.0) rspec-support (3.6.0) rspec_junit_formatter (0.2.3) rubocop (0.49.1) ruby-prof (0.16.2) ruby-progressbar (1.9.0) ruby-shadow (2.5.0) rubyntlm (0.6.2) rubyzip (1.2.1) safe_yaml (1.0.4) semverse (2.0.0) serverspec (2.41.0) 
sfl (2.3) simplecov (0.15.1) simplecov-html (0.10.2) slop (3.6.0) specinfra (2.72.0) sslshake (1.2.0) syslog-logger (1.6.8) systemu (2.6.5) test-unit (3.2.3) thor (0.20.0) toml (0.1.2) train (0.28.0) unicode-display_width (1.3.0) uuidtools (2.1.5) webmock (3.0.1) winrm (2.2.3) winrm-fs (1.0.2) wmi-lite (1.0.0) xmlrpc (0.2.1)
I'm seeing the same behaviour when enforcing TLS/SSL using:
normal['mongodb']['config']['mongod']['net']['ssl']['mode'] = 'requireSSL'
normal['mongodb']['config']['mongod']['net']['ssl']['PEMKeyFile'] = "/etc/ssl/#{node['hostname']}.pem"
normal['mongodb']['config']['mongod']['net']['ssl']['CAFile'] = "/etc/ssl/#{node['hostname']}-ca.crt"
normal['mongodb']['config']['mongod']['net']['ssl']['allowConnectionsWithoutCertificates'] = 'true'
normal['mongodb']['config']['mongod']['net']['ssl']['disabledProtocols'] = 'TLS1_0,TLS1_1'
@JJClements Are you including roles in your admin user creation as I suggested?
@miedward no I am not, I do however see the exact same error when enforcing SSL using:
normal['mongodb']['config']['mongod']['net']['ssl']['mode'] = 'requireSSL'
It's probably worth pointing out that I also saw this error when creating a user with an incorrectly named MongoDB role. Are "roles": ["dbOwner", "root"] correct? Maybe try with only 'readWrite' instead?
The OP error was for the user management cookbook (sc-mongodb::user_management) and this error has nothing to do with SSL
If you are including that recipe (or it is a dependency on something you're using), your admin user should have something like
node.default['mongodb']['admin']['username'] = 'mysystemadmin'
node.default['mongodb']['admin']['password'] = db_passwords["mongodb_password"]
node.default['mongodb']['admin']["roles"] = [ "userAdminAnyDatabase", "root" ]
node.default['mongodb']['admin']["database"] = 'admin'
And then for each database you would make a separate user with dbAdmin permission for that database. They can have the same username but I believe the recipe expects at least one entry for ['mongodb']['users']. This is what I am using.
myuser = {
  "username" => "somedatabaseadmin",
  "password" => "#{db_passwords["mongodb_password"]}",
  "roles" => [ "dbAdmin", "readWrite" ],
  "database" => "#{node[:databaseConfig][:mongo_db_dbname]}"
}
node.default['mongodb']['users'] << myuser
The OP error was for the user management cookbook (sc-mongodb::user_management) and this error has nothing to do with SSL
Totally agree. I was simply pointing out that the issue is related to the creation of a user, or not being able to in this case. The error seems pretty generic, but ultimately shows for a few different scenarios in my experience, 2 of which I described above.
Any solution? I have the same issue
@MaximKraev Assuming you're talking about the OP and not the SSL issue, you need to include "roles" and "database" entries for the admin user as I suggested above.
node.default['mongodb']['admin']['username'] = 'adminuser'
node.default['mongodb']['admin']['password'] = 'adminpassword'
node.default['mongodb']['admin']["roles"] = [ "userAdminAnyDatabase" ]
node.default['mongodb']['admin']["database"] = 'admin'
Marking stale due to inactivity. Remove stale label or comment or this will be closed in 7 days. Alternatively drop by the #sous-chefs channel on the Chef Community Slack and we'll be happy to help! Thanks, Sous-Chefs.