I am connecting to mongo with a user that has the clusterAdmin and backup roles, but I get this error:
2017-02-09 17:51:23,254 [ERROR] mongo_connector.util:96 - Fatal Exception
Traceback (most recent call last):
File "/usr/lib/python2.7/site-packages/mongo_connector/util.py", line 94, in wrapped
func(*args, **kwargs)
File "/usr/lib/python2.7/site-packages/mongo_connector/connector.py", line 370, in run
'listShards')['shards']:
File "/usr/lib/python2.7/site-packages/mongo_connector/util.py", line 78, in retry_until_ok
return func(*args, **kwargs)
File "/usr/lib64/python2.7/site-packages/pymongo/database.py", line 494, in command
codec_options, **kwargs)
File "/usr/lib64/python2.7/site-packages/pymongo/database.py", line 406, in _command
parse_write_concern_error=parse_write_concern_error)
File "/usr/lib64/python2.7/site-packages/pymongo/pool.py", line 419, in command
collation=collation)
File "/usr/lib64/python2.7/site-packages/pymongo/network.py", line 116, in command
parse_write_concern_error=parse_write_concern_error)
File "/usr/lib64/python2.7/site-packages/pymongo/helpers.py", line 210, in _check_command_response
raise OperationFailure(msg % errmsg, code, response)
OperationFailure: not authorized on admin to execute command { listShards: 1 }
Under "Required Permissions", this page says the simplest way to run mongo-connector is to create a user with the backup role:
https://github.com/mongodb-labs/mongo-connector/wiki/Usage-with-Authentication
db.getSiblingDB("admin").createUser({ user:"backup",pwd:"password_here", roles: ["backup"] })
But I can't even connect with such a user (authentication error):
2017-02-10 16:52:01,448 [ERROR] mongo_connector.util:96 - Fatal Exception
Traceback (most recent call last):
File "/usr/lib/python2.7/site-packages/mongo_connector/util.py", line 94, in wrapped
func(*args, **kwargs)
File "/usr/lib/python2.7/site-packages/mongo_connector/connector.py", line 398, in run
hosts, replicaSet=repl_set)
File "/usr/lib/python2.7/site-packages/mongo_connector/connector.py", line 299, in create_authed_client
client['admin'].authenticate(self.auth_username, self.auth_key)
File "/usr/lib64/python2.7/site-packages/pymongo/database.py", line 1048, in authenticate
connect=True)
File "/usr/lib64/python2.7/site-packages/pymongo/mongo_client.py", line 505, in _cache_credentials
sock_info.authenticate(credentials)
File "/usr/lib64/python2.7/site-packages/pymongo/pool.py", line 523, in authenticate
auth.authenticate(credentials, self)
File "/usr/lib64/python2.7/site-packages/pymongo/auth.py", line 470, in authenticate
auth_func(credentials, sock_info)
File "/usr/lib64/python2.7/site-packages/pymongo/auth.py", line 450, in _authenticate_default
return _authenticate_scram_sha1(credentials, sock_info)
File "/usr/lib64/python2.7/site-packages/pymongo/auth.py", line 201, in _authenticate_scram_sha1
res = sock_info.command(source, cmd)
File "/usr/lib64/python2.7/site-packages/pymongo/pool.py", line 419, in command
collation=collation)
File "/usr/lib64/python2.7/site-packages/pymongo/network.py", line 116, in command
parse_write_concern_error=parse_write_concern_error)
File "/usr/lib64/python2.7/site-packages/pymongo/helpers.py", line 210, in _check_command_response
raise OperationFailure(msg % errmsg, code, response)
OperationFailure: Authentication failed.
When I log in to mongos with both of those users and run the command
db.getSiblingDB("admin").runCommand( { listShards: 1 } )
I get a list of the shards, no problems:
{
"shards" : [
{
"_id" : "shard001",
"host" : "shard001/timgrhlmdb01:27020,timgrhlmdb02:27020",
"state" : 1
},
{
"_id" : "shard002",
"host" : "shard002/timgrhlmdb03:27020,timgrhlmdb04:27020",
"state" : 1
}
],
"ok" : 1
}
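So what does this mean:
OperationFailure: not authorized on admin to execute command { listShards: 1 }
Update
I rebuilt the cluster from scratch and still get the same problem: OperationFailure: not authorized on admin to execute command { listShards: 1 }
I also tried the user 'backup' with only the roles 'clusterManager' and 'readAnyDatabase'. This allows the user to list the shards, but now mongo-connector fails with 'Authentication failed':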
{ "_id" : "admin.backup", "user" : "backup", "db" : "admin", "credentials" : { "SCRAM-SHA-1" : { "iterationCount" : 10000, "salt" : "pWcEU7uFqfHPgGe8z+E9Wg==", "storedKey" : "k2tapXQPtM2dHlxYnJiWVxO/rtg=", "serverKey" : "EGG8M4i27OYBy+fLYaL13+Nn4mc=" } }, "roles" : [ { "role" : "readAnyDatabase", "db" : "admin" }, { "role" : "clusterManager", "db" : "admin" } ] }
Answer 0 (score: 0)
Run this command to check the users:
db.system.users.find({})
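If you can log in as the backup user, and have made sure the user you created has the backup role, you can also run these commands, which means the backup user has been created and granted the role and its privileges.
Make sure you have the clusterManager role to do this.
Provides management and monitoring actions on the cluster. A user with this role can access the config and local databases, which are used in sharding and replication, respectively.
Provides the following actions on the cluster as a whole:
- addShard
- appendOplogNote
- applicationMessage
- cleanupOrphaned
- flushRouterConfig
- listShards
- removeShard, etc.
By the way, take a look at this issue. Hope this helps.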
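Answer 1 (score: 0)
The response to the bug filed against mongodb-labs/mongo-connector:
This is indeed a subtle bug introduced in #563. We changed a find on config.shards to call listShards, assuming it would not change behavior. Unfortunately (and annoyingly), the backup role has permission to read the list of shards from the config.shards collection but, as you have seen, does not have permission to run the listShards command. I'll revert this change to fix the issue in the upcoming 2.5.1 bugfix release.
In the meantime, you need to grant the mongo-connector user the backup and clusterMonitor roles.
An important point not yet mentioned in the documentation is that the user must be created on mongos and on all the shards. This enables mongo-connector to authenticate against the cluster as a whole and against each shard individually.
This now works! Yay
That will teach me to follow the manual lol!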
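
The two failures in this thread (a role that can read config.shards but lacks the listShards action, and a user that exists on mongos but not on a shard) can be checked from the privilege list each host reports. This is an added example, not code from the answers or from mongo-connector: the function names are hypothetical, the sample replies are constructed, and the resource matching is a simplified assumption.

```python
# Added example: audit connectionStatus replies for what mongo-connector needs.
# A real reply comes from: client.admin.command("connectionStatus", showPrivileges=True)

def resource_covers(res, db, coll):
    """Simplified namespace match (assumption, not the server's full matcher)."""
    if res.get("anyResource"):
        return True
    if "db" not in res:                      # e.g. {"cluster": True}
        return False
    if res["db"] not in ("", db):
        return False
    want = res.get("collection", "")
    if want == "":                           # whole db: non-system collections only
        return not coll.startswith("system.")
    return want == coll

def has_action(reply, action, db=None, coll=None):
    """True if reply grants action on the cluster (db=None) or on db.coll."""
    for priv in reply["authInfo"]["authenticatedUserPrivileges"]:
        res = priv["resource"]
        if action not in priv["actions"]:
            continue
        if db is None:
            if res.get("cluster") or res.get("anyResource"):
                return True
        elif resource_covers(res, db, coll):
            return True
    return False

def audit(replies, mongos):
    """Return {host: [problems]}; a reply of None means login failed there."""
    report = {}
    for host, reply in replies.items():
        if reply is None:
            report[host] = ["authentication failed (user may not exist on this host)"]
        elif host == mongos and not has_action(reply, "listShards"):
            report[host] = ["missing listShards on the cluster resource"]
    return report

def _reply(*privs):  # build a trimmed reply from (resource, actions) pairs
    return {"authInfo": {"authenticatedUserPrivileges": [
        {"resource": r, "actions": a} for r, a in privs]}}

# Constructed sample data (not captured from a real cluster).
BACKUP_ONLY = _reply(({"db": "", "collection": ""}, ["find"]),
                     ({"cluster": True}, ["listDatabases"]))
WITH_MONITOR = _reply(({"db": "", "collection": ""}, ["find"]),
                      ({"cluster": True}, ["listDatabases", "listShards"]))

if __name__ == "__main__":
    print(has_action(BACKUP_ONLY, "find", "config", "shards"))
    print(audit({"mongos": BACKUP_ONLY, "shard001": None}, "mongos"))
    print(audit({"mongos": WITH_MONITOR, "shard001": WITH_MONITOR}, "mongos"))
```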