Work around authentication requirement before user creation

Johan De Wit · stevenpost · commit 453808866e10 · 2024-03-19T18:19:08.000+01:00
On the initial setup, a user doesn't yet exists so we can't
authenticate. However we require authentication. We work around this by
connecting unauthenticated using the loopback address.
diff --git a/lib/puppet/provider/mongodb.rb b/lib/puppet/provider/mongodb.rb
@@ -139,7 +139,13 @@ def self.db_ismaster
     cmd_ismaster = 'db.isMaster().ismaster'
     cmd_ismaster = mongoshrc_file + cmd_ismaster if mongoshrc_file
     db = 'admin'
-    res = mongosh_cmd(db, conn_string, cmd_ismaster).to_s.split(%r{\n}).last.chomp
+
+    begin
+      res = mongosh_cmd(db, conn_string, cmd_ismaster).to_s.split(%r{\n}).last.chomp
+    rescue StandardError
+      res = mongosh_cmd(db, conn_string, 'db.isMaster().ismaster').to_s.chomp if mongoshrc_file && res =~ %r{Authentication failed}
+    end
+
     res.eql?('true')
   end
 
@@ -156,6 +162,7 @@ def self.auth_enabled(config = nil)
   def self.mongo_eval(cmd, db = 'admin', retries = 10, host = nil)
     retry_count = retries
     retry_sleep = 3
+    no_auth_cmd = cmd
     cmd = mongoshrc_file + cmd if mongoshrc_file
 
     out = nil
@@ -166,15 +173,25 @@ def self.mongo_eval(cmd, db = 'admin', retries = 10, host = nil)
               mongosh_cmd(db, conn_string, cmd)
             end
     rescue StandardError => e
-      retry_count -= 1
-      if retry_count.positive?
-        Puppet.debug "Request failed: '#{e.message}' Retry: '#{retries - retry_count}'"
-        sleep retry_sleep
-        retry
+      # When using the rc file, we get this eror because in most cases the admin user is not yet created
+      # Can/must we move this out of the rescue block ?
+      if auth_enabled && e.message =~ %r{Authentication failed}
+        out = if host
+                mongosh_cmd(db, host, no_auth_cmd)
+              else
+                mongosh_cmd(db, conn_string, no_auth_cmd)
+              end
+      else
+        retry_count -= 1
+        if retry_count.positive?
+          sleep retry_sleep
+          retry
+        end
       end
     end
 
-    raise Puppet::ExecutionFailure, "Could not evaluate MongoDB shell command: #{cmd}" unless out
+    # return also the error message, so caller can react on it
+    raise Puppet::ExecutionFailure, "Could not evaluate MongoDB shell command: #{cmd} with #{e.message}" unless out
 
     Puppet::Util::MongodbOutput.sanitize(out)
   end
diff --git a/lib/puppet/provider/mongodb_database/mongodb.rb b/lib/puppet/provider/mongodb_database/mongodb.rb
@@ -27,12 +27,26 @@ def self.prefetch(resources)
     end
   end
 
+  def auth_enabled
+    self.class.auth_enabled
+  end
+
   def create
-    if db_ismaster
-      out = mongo_eval('db.dummyData.insert({"created_by_puppet": 1})', @resource[:name])
-      raise "Failed to create DB '#{@resource[:name]}'\n#{out}" if %r{writeError} =~ out
-    else
+    unless db_ismaster
       Puppet.warning 'Database creation is available only from master host'
+      return
+    end
+
+    begin
+      out = mongo_eval('db.dummyData.insertOne({"created_by_puppet": 1})', @resource[:name])
+    rescue StandardError => e
+      if auth_enabled && e.message =~ %r{not authorized on admin to execute commanda} && @resource[:name] == 'admin'
+        Puppet.warning 'Skipping database creation for admin, need admin user first when security is enabled'
+        @property_hash[:ensure] = :present
+        @property_hash[:name] = @resource[:name]
+      elsif out =~ %r{writeError}
+        raise "Failed to create DB '#{@resource[:name]}'\n#{out}"
+      end
     end
   end
 
diff --git a/lib/puppet/provider/mongodb_replset/mongo.rb b/lib/puppet/provider/mongodb_replset/mongo.rb
@@ -133,51 +133,70 @@ def self.replset_properties
     conn_string = conn_string
     begin
       output = mongo_command('rs.conf()', conn_string)
-    rescue Puppet::ExecutionFailure
-      output = {}
-    end
-    if output['members']
-      return {
-        name: output['_id'], # replica set name
-        ensure: :present,
-        members: output['members'],
-        settings: output['settings'],
-        provider: :mongo
-      }
+      if output['members']
+        return {
+          name: output['_id'], # replica set name
+          ensure: :present,
+          members: output['members'],
+          settings: output['settings'],
+          provider: :mongo
+        }
+      end
+      nil
+    rescue Puppet::ExecutionFailure => e
+      if e.message =~ %r{command replSetGetConfig requires authentication} || e.message =~ %r{not authorized on admin to execute command}
+        output = mongo_command('rs.status()', host)
+        if output['members']
+          memb = []
+          output['members'].each do |m|
+            memb << { 'host' => m['name'] }
+          end
+          return {
+            name: output['set'],
+            ensure: :present,
+            members: memb,
+            provider: :mongo
+          }
+        end
+        nil
+      end
     end
-    nil
   end
 
   def get_hosts_status(members)
     alive = []
     members.select do |member|
       host = member['host']
       Puppet.debug "Checking replicaset member #{host} ..."
-      status = rs_status(host)
-      raise Puppet::Error, "Can't configure replicaset #{name}, host #{host} is not supposed to be part of a replicaset." if status.key?('errmsg') && status['errmsg'] == 'not running with --replSet'
-
-      if auth_enabled && status.key?('errmsg') && (status['errmsg'].include?('unauthorized') || status['errmsg'].include?('not authorized') || status['errmsg'].include?('requires authentication'))
-        Puppet.warning "Host #{host} is available, but you are unauthorized because of authentication is enabled: #{auth_enabled}"
-        alive.push(member)
-      end
-
-      if status.key?('errmsg') && status['errmsg'].include?('no replset config has been received')
-        Puppet.debug 'Mongo v4 rs.status() RS not initialized output'
-        alive.push(member)
-      end
-
-      if status.key?('set')
-        raise Puppet::Error, "Can't configure replicaset #{name}, host #{host} is already part of another replicaset." if status['set'] != name
-
-        # This node is alive and supposed to be a member of our set
-        Puppet.debug "Host #{host} is available for replset #{status['set']}"
-        alive.push(member)
-      elsif status.key?('info')
-        Puppet.debug "Host #{host} is alive but unconfigured: #{status['info']}"
-        alive.push(member)
+      begin
+        status = rs_status(host)
+        raise Puppet::Error, "Can't configure replicaset #{name}, host #{host} is not supposed to be part of a replicaset." if status.key?('errmsg') && status['errmsg'] == 'not running with --replSet'
+
+        if status.key?('set')
+          raise Puppet::Error, "Can't configure replicaset #{name}, host #{host} is already part of another replicaset." if status['set'] != name
+
+          # This node is alive and supposed to be a member of our set
+          Puppet.debug "Host #{host} is available for replset #{status['set']}"
+          alive.push(member)
+        elsif status.key?('info')
+          Puppet.debug "Host #{host} is alive but unconfigured: #{status['info']}"
+          alive.push(member)
+        end
+      rescue Puppet::ExecutionFailure => e
+        if auth_enabled
+          case e.message
+          when %r{no replset config has been received}
+            Puppet.warning('No replicaset config received, needs initialisation')
+          when %r{Authentication failed}, %r{not authorized on admin}
+            Puppet.warning "Host #{host} is available, but you are unauthorized because of authentication is enabled: #{auth_enabled}"
+          when %r{command replSetGetStatus requires authentication}
+            Puppet.warning("Node #{host} is reachable but requires authentication: ReplicaSet not initialized")
+          end
+          alive.push(member)
+        else
+          Puppet.warning "Can't connect to replicaset member #{host} (Errormsg: #{e.message})."
+        end
       end
-    rescue Puppet::ExecutionFailure
-      Puppet.warning "Can't connect to replicaset member #{host}."
     end
     alive.uniq!
     dead = members - alive
@@ -233,6 +252,13 @@ def set_members
     end
 
     Puppet.debug 'Checking for dead and alive members'
+    # When no replicaset is initiated yet, and authenticatoin is anabled,
+    # mongo_eval still adds the mongorcsh.js.  This gives an 'MongoServerError: Authentication failed.' error.
+    # In this stage, we only can connect to localhost, and only rs.status() and rs.initiate() is possible.
+    # All other commands generate 'MongoServerError: not authorized on admin to execute command' error
+    # So we need to check first if the replicaset is already available, then the admin user can be created, and after that
+    # authentication should be working.
+    #
     if !@property_flush[:members].nil? && !@property_flush[:members].empty?
       # Find the alive members so we don't try to add dead members to the replset using new config
       alive_hosts, dead_hosts = get_hosts_status(@property_flush[:members])
