Description of problem: Currently mongodb authentication is switched off. If I change it to on, skyring service cannot connect to db and it fails to start. However in the configuration of skyring there's correct user and password for the db. Version-Release number of selected component (if applicable): rhscon-ui-0.0.49-1.el7scon.noarch rhscon-ceph-0.0.34-1.el7scon.x86_64 rhscon-core-selinux-0.0.35-1.el7scon.noarch rhscon-core-0.0.35-1.el7scon.x86_64 How reproducible: 100% Steps to Reproduce: 1. Stop skyring and mongod service if needed 2. Modify /etc/mongodb.conf, add or un-comment 'auth=yes' line 3. Start mongod service 4. Check that /etc/skyring/skyring.conf has correct credentials for the db 5. Try to start skyring service Actual results: Skyring fails to start # journalctl -xe ... -- Unit skyring.service has begun starting up. čec 21 16:30:36 dhcp46-15.lab.eng.blr.redhat.com skyring-pre.sh[10655]: MongoDB shell version: 2.6.5 čec 21 16:30:36 dhcp46-15.lab.eng.blr.redhat.com skyring-pre.sh[10655]: connecting to: skyring čec 21 16:30:36 dhcp46-15.lab.eng.blr.redhat.com skyring-pre.sh[10655]: 2016-07-21T16:30:36.403+0200 Error: couldn't add user: not authorized on skyring to execute command { createUser: "admin", pwd: "xxx", roles: [ "readWrite", "dbAdmin" ... Expected results: skyring should be able to connect to the db if it has correct credentials set Additional info: Could be a security issue that mongodb authentication is disabled.
Looking at this, I can make out that we should enable authentication once skyring-pre.sh is executed. Tim, can you check and add this as part of skyring-pre.sh only? So that just after installation of skyring, once admin user is created, the authentication would be set as Yes for mongodb.
Security flag will be added after creating db-admin user first time. Patch sent to upstream for review: https://review.gerrithub.io/#/c/286696/2 https://review.gerrithub.io/#/c/296095/1
Tested with ceph-ansible-1.0.5-34.el7scon.noarch ceph-installer-1.0.15-2.el7scon.noarch rhscon-ceph-0.0.43-1.el7scon.x86_64 rhscon-core-0.0.45-1.el7scon.x86_64 rhscon-core-selinux-0.0.45-1.el7scon.noarch rhscon-ui-0.0.59-1.el7scon.noarch and it works as excepted. --> VERIFIED
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHSA-2016:2082