To be able to create replicaset in an authenticated environment, a switch has been added to first create the replicaset (on first run) and afterwards enable authentication.

This is quite dirty but there does not seem to be another way.

Author: Henning Block

lib/facter/is_master.rb

@@ -0,0 +1,21 @@
+require 'json';
+
+Facter.add('mongodb_is_master') do
+  setcode do
+    if Facter::Core::Execution.which('mongo')
+      mongo_output = Facter::Core::Execution.exec('mongo --quiet --eval "printjson(db.isMaster())" 2>/dev/null')
+
+      if mongo_output =~ /Failed to connect to/
+        'failed_to_connect'
+      else
+        ['ObjectId','ISODate'].each do |data_type|
+          mongo_output.gsub!(/#{data_type}\(([^)]*)\)/, '\1')
+        end
+        JSON.parse(mongo_output)['ismaster'] ||= false
+      end
+    else
+      'not_installed'
+    end
+  end
+end
+

lib/facter/mongodb_is_master.rb

@@ -196,7 +196,7 @@ def set_members
       hostconf = alive_hosts.each_with_index.map do |host,id|
         arbiter_conf = ""
         if rs_arbiter == host
-          arbiter_conf = ", arbiterOnly: \"true\""
+          arbiter_conf = ", arbiterOnly: true"
         end
         "{ _id: #{id}, host: \"#{host}\"#{arbiter_conf} }"
       end.join(',')
@@ -266,6 +266,7 @@ def self.mongo_command(command, host=nil, retries=4)
     end
 
     # Dirty hack to remove JavaScript objects
+    output.gsub!(/Timestamp\(([^,]+?),.*\)/, '\1')
     output.gsub!(/\w+\((.+?)\)/, '\1')
 
     #Hack to avoid non-json empty sets

lib/puppet/provider/mongodb_replset/mongo.rb

@@ -34,6 +34,9 @@
   $use_enterprise_repo   = undef,
 
   $pidfilepath           = undef,
+
+  $create_admin          = false,
+  $admin_username        = 'admin',
 ) {
 
   # Setup of the repo only makes sense globally, so we are doing it here.

manifests/globals.pp

@@ -8,8 +8,8 @@
   $service_ensure        = pick($mongodb::globals::service_ensure, 'running')
   $service_status        = $mongodb::globals::service_status
   $restart               = true
-  $create_admin          = false
-  $admin_username        = 'admin'
+  $create_admin          = $mongodb::globals::create_admin
+  $admin_username        = $mongodb::globals::admin_username
   $store_creds           = false
   $rcfile                = "${::root_home}/.mongorc.js"
 

manifests/params.pp

@@ -1,14 +1,15 @@
 # Wrapper class useful for hiera based deployments
 class mongodb::replset(
-  $sets = undef
-) {
+  $sets = undef,
+  $admin_username = $mongodb::params::admin_username
+) inherits mongodb::params {
 
   if $sets {
     create_resources(mongodb_replset, $sets)
   }
 
   # Order replset before any DB's and shard config
-  Mongodb_replset <| |> -> Mongodb_database <| |>
+  Mongodb_replset <| |> -> Mongodb::Db <| |>
   Mongodb_replset <| |> -> Mongodb_shard <| |>
   Mongodb_replset <| |> -> Mongodb_user <| |>
 }

manifests/replset.pp

@@ -69,16 +69,17 @@
   $ssl_ca          = undef,
   $restart         = $mongodb::params::restart,
   $storage_engine  = undef,
+  $version = $mongodb::params::version,
 
   $create_admin    = $mongodb::params::create_admin,
   $admin_username  = $mongodb::params::admin_username,
   $admin_password  = undef,
   $store_creds     = $mongodb::params::store_creds,
   $admin_roles     = ['userAdmin', 'readWrite', 'dbAdmin',
-                      'dbAdminAnyDatabase', 'readAnyDatabase',
-                      'readWriteAnyDatabase', 'userAdminAnyDatabase',
-                      'clusterAdmin', 'clusterManager', 'clusterMonitor',
-                      'hostManager', 'root', 'restore'],
+    'dbAdminAnyDatabase', 'readAnyDatabase',
+    'readWriteAnyDatabase', 'userAdminAnyDatabase',
+    'clusterAdmin', 'clusterManager', 'clusterMonitor',
+    'hostManager', 'root', 'restore'],
 
   # Deprecated parameters
   $master          = undef,
@@ -96,14 +97,14 @@
     if $restart {
       anchor { 'mongodb::server::start': }->
       class { 'mongodb::server::install': }->
-      # If $restart is true, notify the service on config changes (~>)
+        # If $restart is true, notify the service on config changes (~>)
       class { 'mongodb::server::config': }~>
       class { 'mongodb::server::service': }->
       anchor { 'mongodb::server::end': }
     } else {
       anchor { 'mongodb::server::start': }->
       class { 'mongodb::server::install': }->
-      # If $restart is false, config changes won't restart the service (->)
+        # If $restart is false, config changes won't restart the service (->)
       class { 'mongodb::server::config': }->
       class { 'mongodb::server::service': }->
       anchor { 'mongodb::server::end': }
@@ -158,18 +159,43 @@
           }
         }
       }
+    }
 
-      # Wrap the replset class
-      class { 'mongodb::replset':
-        sets => $replset_config_REAL
-      }
-      Anchor['mongodb::server::end'] -> Class['mongodb::replset']
+    # Wrap the replset class
+    class { 'mongodb::replset':
+      sets => $replset_config_REAL
+    }
+    Anchor['mongodb::server::end'] -> Class['mongodb::replset']
+
+    # Make sure that the ordering is correct
+    if $create_admin {
+      Class['mongodb::replset'] -> Mongodb::Db['admin']
+      if $::mongodb_is_master == 'not_installed' and $auth == true and $noauth != true and versioncmp($version, '2.6.0') >= 0  {
+        file_line{ 'enable_authentication' :
+          ensure  =>  present,
+          path    => $config,
+          match   => 'security.authorization:',
+          line    => 'security.authorization: enabled',
+          require => [Class['mongodb::replset'], Mongodb::Db['admin'] ]
+        }
+        if $keyfile {
+          file_line{ 'enable_keyfile' :
+            ensure  =>  present,
+            path    => $config,
+            line    => "security.keyFile: ${keyfile}",
+            require => [Class['mongodb::replset'], Mongodb::Db['admin']],
+            notify  => Exec['/sbin/restart mongod']
+          }
+        }
 
-      # Make sure that the ordering is correct
-      if $create_admin {
-        Class['mongodb::replset'] -> Mongodb::Db['admin']
+        exec{ '/sbin/restart mongod':
+          user        => 'root',
+          refreshonly => true,
+          cwd         => '/tmp',
+          subscribe   => File_line['enable_authentication']
+        }
       }
-
     }
+
   }
 }

manifests/server.pp

@@ -64,6 +64,13 @@
   $storage_engine  = $mongodb::server::storage_engine
   $version         = $mongodb::server::version
 
+  if $auth == true and $::mongodb_is_master=='not_installed' {
+    $real_auth=false
+  }
+  else {
+    $real_auth=$auth
+  }
+
   File {
     owner => $user,
     group => $group,

manifests/server/config.pp

@@ -8,6 +8,8 @@
       {
         :osfamily        => 'Debian',
         :operatingsystem => 'Debian',
+        :root_home  => '/root',
+        :operatingsystemmajrelease  => '14.04'
       }
     end
 

spec/classes/mongos_config_spec.rb

@@ -8,6 +8,8 @@
       {
         :osfamily        => 'Debian',
         :operatingsystem => 'Debian',
+        :root_home  => '/root',
+        :operatingsystemmajrelease  => '14.04'
       }
     end
 

spec/classes/mongos_install_spec.rb

@@ -5,17 +5,19 @@
   context 'on Debian with service_manage set to true' do
     let :facts do
       {
-        :osfamily               => 'Debian',
-        :operatingsystem        => 'Debian',
-        :operatingsystemrelease => '7.0',
+          :osfamily => 'Debian',
+          :operatingsystem => 'Debian',
+          :operatingsystemrelease => '7.0',
+          :root_home => '/root',
+          :operatingsystemmajrelease => '14.04'
       }
     end
 
-    let :pre_condition do          
+    let :pre_condition do
       "class { 'mongodb::mongos':
          configdb => ['127.0.0.1:27019'],
        }"
-    end 
+    end
 
     describe 'include init script' do
       it { is_expected.to contain_file('/etc/init.d/mongos') }
@@ -30,9 +32,11 @@
   context 'on Debian with service_manage set to false' do
     let :facts do
       {
-        :osfamily               => 'Debian',
-        :operatingsystem        => 'Debian',
-        :operatingsystemrelease => '7.0',
+          :osfamily => 'Debian',
+          :operatingsystem => 'Debian',
+          :operatingsystemrelease => '7.0',
+          :operatingsystemmajrelease => '14.04',
+          :root_home  => '/root'
       }
     end
 
@@ -52,9 +56,11 @@
   context 'on RedHat with service_manage set to true' do
     let :facts do
       {
-        :osfamily               => 'RedHat',
-        :operatingsystem        => 'RedHat',
-        :operatingsystemrelease => '7.0',
+          :osfamily => 'RedHat',
+          :operatingsystem => 'RedHat',
+          :operatingsystemrelease => '7.0',
+          :operatingsystemmajrelease => '14.04',
+          :root_home  => '/root'
       }
     end
 
@@ -81,9 +87,11 @@
   context 'on RedHat with service_manage set to false' do
     let :facts do
       {
-        :osfamily               => 'RedHat',
-        :operatingsystem        => 'RedHat',
-        :operatingsystemrelease => '7.0',
+          :osfamily => 'RedHat',
+          :operatingsystem => 'RedHat',
+          :operatingsystemrelease => '7.0',
+          :operatingsystemmajrelease => '14.04',
+          :root_home  => '/root'
       }
     end
 

spec/classes/mongos_service_spec.rb

@@ -3,14 +3,16 @@
 describe 'mongodb::mongos' do
   let :facts do
     {
-      :osfamily        => 'Debian',
-      :operatingsystem => 'Debian',
+        :osfamily => 'Debian',
+        :operatingsystem => 'Debian',
+        :root_home => '/root',
+        :operatingsystemmajrelease => '14.04',
     }
   end
 
   let :params do
     {
-      :configdb => ['127.0.0.1:27019']
+        :configdb => ['127.0.0.1:27019']
     }
   end
 
@@ -21,8 +23,7 @@
   end
 
   context 'when deploying on Solaris' do
-    let :facts do
-      { :osfamily        => 'Solaris' }
+    let :facts do {:osfamily => 'Solaris', }
     end
     it { expect { is_expected.to raise_error(Puppet::Error) } }
   end

spec/classes/mongos_spec.rb

@@ -5,10 +5,12 @@
   context 'when deploying on Debian' do
     let :facts do
       {
-        :osfamily               => 'Debian',
-        :operatingsystem        => 'Debian',
-        :operatingsystemrelease => '7.0',
-        :lsbdistid              => 'Debian',
+          :osfamily => 'Debian',
+          :operatingsystem => 'Debian',
+          :operatingsystemrelease => '7.0',
+          :lsbdistid => 'Debian',
+          :root_home => '/root',
+          :operatingsystemmajrelease => '7.0'
       }
     end
 
@@ -20,9 +22,10 @@
   context 'when deploying on CentOS' do
     let :facts do
       {
-        :osfamily               => 'RedHat',
-        :operatingsystem        => 'CentOS',
-        :operatingsystemrelease => '7.0',
+          :osfamily => 'RedHat',
+          :operatingsystem => 'CentOS',
+          :operatingsystemrelease => '7.0',
+          :operatingsystemmajrelease => '7.0'
       }
     end
 
@@ -34,28 +37,29 @@
   context 'when yumrepo has a proxy set' do
     let :facts do
       {
-        :osfamily               => 'RedHat',
-        :operatingsystem        => 'RedHat',
-        :operatingsystemrelease => '7.0',
+          :osfamily => 'RedHat',
+          :operatingsystem => 'RedHat',
+          :operatingsystemrelease => '7.0',
+          :operatingsystemmajrelease => '7.0'
       }
     end
     let :params do
       {
-        :proxy => 'http://proxy-server:8080',
-        :proxy_username => 'proxyuser1',
-        :proxy_password => 'proxypassword1',
+          :proxy => 'http://proxy-server:8080',
+          :proxy_username => 'proxyuser1',
+          :proxy_password => 'proxypassword1',
       }
     end
     it {
       is_expected.to contain_class('mongodb::repo::yum')
     }
     it do
       should contain_yumrepo('mongodb').with({
-        'enabled' => '1',
-        'proxy' => 'http://proxy-server:8080',
-        'proxy_username' => 'proxyuser1',
-        'proxy_password' => 'proxypassword1',
-        })
+                                                 'enabled' => '1',
+                                                 'proxy' => 'http://proxy-server:8080',
+                                                 'proxy_username' => 'proxyuser1',
+                                                 'proxy_password' => 'proxypassword1',
+                                             })
     end
   end
 end