Can't get DL 8 to connect to external MongoDB

sipickles · February 9, 2016, 3:41pm

Hi,

We have an external install of MongoDB 3.3 (The 8.0 docs say Mongo 3.0 is minimum). This is a new DB. We are using DL 8.0.0.50-beta, on CentOS 7.

Unfortunately Balancer will not connect to the DB - auth fails every time. We are updating the ‘PasswordHash’ element of dbConnect.xml with the SCRAM-SHA-1 hashed password, produced like this:

[code]>>> from passlib.hash import scram

print scram.encrypt(“12345678”)
$scram$100000$lTIGYEyJcS6FMAbg$sha-1=TwRn9Yo4cTlSWUpJczX/y1s4rNw,sha-256=EiPH2D3/YmvLp2vvwRPu4O.qc/RrMJw1tlEXXJJx5fo,sha-512=/h9qet6jFrqXNjFXttuUTWC3.0tuVFylxRnYsaszONkAISsX72wVyCW.xE8fdY5lIP2slKvQoBc1xzvDZXEo8g
[/code]
I am able to connect via PyMongo if I use SCRAM, as you’d expect

[code]>>> client = MongoClient()

client.dbname.authenticate(‘username’, ‘12345678’, mechanism=‘MONGODB-CR’)
Traceback (most recent call last):
…
raise OperationFailure(msg % errmsg, code, response)
OperationFailure: command SON([(‘authenticate’, 1), (‘user’, u’username’), (‘nonce’, u’b8827153302cb634’), (‘key’, u’2c1f54a2a0794d614b2a59a223916219’)]) on namespace dbname.$cmd failed: auth failed

client.dbname.authenticate(‘username’, ‘12345678’, mechanism=‘SCRAM-SHA-1’)
True[/code]

So why is DL Balancer not able to connect? Is it using SCRAM too?

jgaudet · February 9, 2016, 8:03pm

Couple things here – first is that there is a bug, and we are explicitly using MONGODB-CR, and not SCRAM for authentication. We need to update this on our side, now that we recommend MongoDB 3.0. We likely got tripped up on this since most of our test DBs were upgraded from Mongo 2.6, and would still have been using the CR authentication method – we’ll get that fixed for the next beta build.

Next, the dbConnect.xml file is actually expecting an encrypted version of the plaintext password, which needs to be generated through Deadline.

So you’d have to update the dbConnect.xml file through the “deadlinecommand UpdateDatabaseSettings” command:

UpdateDatabaseSettings
  Updates the given repository's dbConnect.xml file with the given database
  settings.
    [Repository]             The path to the repository root
    [Type]                   The database type (currently only MongoDB)
    [Host]                   The host name or IP address of the database
                             machine
    [Name]                   The database name
    [Port]                   The database port
    [AltPort]                The alternate database port (not currently used)
    [SSL]                    If SSL should be used to connect (not currently
                             used)
    [Authenticate]           If authentication is required
    [Username]               The username
    [Password]               The password
    [Replica Set]            The Replica set name
    [Split DB]               If Database should be split (by default, it is enabled)

C:\Users\Jon>deadlinecommand updatedatabasesettings D:\DeadlineRepository8 MongoDB 127.0.0.1 deadline8db 27017 -1 False True deadline_user test1234 "" False

Note that a few of these positional arguments are not actually in use (AltPort, SSL), and SplitDB should be False, since MongoDB 3.0 has collection-level locking.

Finally, the thing that trips up a lot of people with the authentication is that Deadline requires the ‘clusterMonitor’ permission on the ‘admin’ DB. This could be an issue if you’re using an external service to host your DB, since you may not have access to that.

Let me know if you have any other questions.

Cheers,
Jon

sipickles · February 10, 2016, 12:09pm

Hi John

We ran the deadlinecommand -UpdateDatabase settings and it produced the same password as our own python script:

So we were at least generating the password correctly.

It looks like this might be a workaround:

stackoverflow.com/questions/2998 … mongodb-cr

When do you anticipate releasing beta 8?

Thanks

sipickles · February 10, 2016, 3:03pm

Hi,

This is proving problematic. What we’ve tried so far:

Using the workaround in the SO link enabled MONGODB-CR auth.

Then, we seemed to be able to connect and authenticate, but got this error:

Unable to connect to a member of the replica set matching the read preference Primary

That sounds wrong as we are not using replica sets.

We then tried using the repo installer to set up the external DB, in case it did something we weren’t aware of. We specified --dbauth and username and password, and the MongoDB connection log showed:

2016-02-10T14:53:01.437+0000 I ACCESS [conn78] authenticate db: dbname { authenticate: 1, user: "dbuser", nonce: "xxx", key: "xxx" } 2016-02-10T14:53:01.477+0000 I NETWORK [conn78] end connection 10.244.0.1:33616 (4 connections now open)

so it authenticated successfully. However, the Deadline repo installer strangely says:

[code]Warning: An error occurred while configuring the database:

Credentials for the Mongo Database were specified, but Authentication is NOT
turned on in mongod. To enable Authentication, you must run mongod with the
‘–auth’ command.[/code]

We’re unsure how to proceed now. Here is the python script which is running deadlinecommand:

subprocess.check_output([DEADLINE_COMMAND, '-UpdateDatabaseSettings', '{}'.format(DEADLINE_REPOSITORY_DATA_DIR), 'MongoDB', '{}'.format(address), '{}'.format(os.getenv('MONGO_DATABASE')), '{}'.format(os.getenv('MONGO_PORT')), '0', # [AltPort] 'false', # [SSL] 'true', # [Authenticate] '{}'.format(os.getenv('MONGO_USERNAME')), '{}'.format(os.getenv('MONGO_PASSWORD')), '""', # [Replica Set] 'true']) # [Split DB]

sipickles · February 10, 2016, 3:42pm

We’ve switched off Auth for now…

jgaudet · February 10, 2016, 6:37pm

Hey Simon,

It should be a quick fix on our end, just switching a couple flags. I’ll try to get to this today, and do some testing on my end to make sure it behaves as expected. We can likely get another beta up shortly after that.

I think the replica set error message is due to Deadline thinking those empty quotes are a replica set name… The empty quotes were needed when calling deadlinecommand directly from the console to make that positional argument explicitly empty, but if your’e doing it through subprocess from python it should just be:

subprocess.check_output([DEADLINE_COMMAND,
                         '-UpdateDatabaseSettings',
                         '{}'.format(DEADLINE_REPOSITORY_DATA_DIR),
                         'MongoDB',
                         '{}'.format(address),
                         '{}'.format(os.getenv('MONGO_DATABASE')),
                         '{}'.format(os.getenv('MONGO_PORT')),
                         '0', # [AltPort]
                         'false', # [SSL]
                         'true', # [Authenticate]
                         '{}'.format(os.getenv('MONGO_USERNAME')),
                         '{}'.format(os.getenv('MONGO_PASSWORD')),
                         '', # [Replica Set]
                         'true']) # [Split DB]

Cheers,
Jon