Fix secondary users on a replicaset being marked as changed

lib/puppet/provider/mongodb_user/mongodb.rb

@@ -9,28 +9,23 @@
   def self.instances
     require 'json'
 
-    if db_ismaster
-      script = 'EJSON.stringify(db.system.users.find().toArray())'
-      # A hack to prevent prefetching failures until admin user is created
-      script = "try {#{script}} catch (e) { if (e.message.match(/requires authentication/) || e.message.match(/not authorized on admin/)) { 'not authorized on admin' } else {throw e}}" if auth_enabled
-
-      out = mongo_eval(script)
-      return [] if auth_enabled && (out.include?('requires authentication') || out.include?('not authorized on admin'))
-
-      users = JSON.parse out
-
-      users.map do |user|
-        new(name: user['_id'],
-            ensure: :present,
-            username: user['user'],
-            database: user['db'],
-            roles: from_roles(user['roles'], user['db']),
-            password_hash: user['credentials']['MONGODB-CR'],
-            scram_credentials: user['credentials']['SCRAM-SHA-1'])
-      end
-    else
-      Puppet.warning 'User info is available only from master host'
-      []
+    script = 'EJSON.stringify(db.system.users.find().toArray())'
+    # A hack to prevent prefetching failures until admin user is created
+    script = "try {#{script}} catch (e) { if (e.message.match(/requires authentication/) || e.message.match(/not authorized on admin/)) { 'not authorized on admin' } else {throw e}}" if auth_enabled
+
+    out = mongo_eval(script)
+    return [] if auth_enabled && (out.include?('requires authentication') || out.include?('not authorized on admin'))
+
+    users = JSON.parse out
+
+    users.map do |user|
+      new(name: user['_id'],
+          ensure: :present,
+          username: user['user'],
+          database: user['db'],
+          roles: from_roles(user['roles'], user['db']),
+          password_hash: user['credentials']['MONGODB-CR'],
+          scram_credentials: user['credentials']['SCRAM-SHA-1'])
     end
   end
 

spec/acceptance/replset_spec.rb

@@ -73,6 +73,20 @@ class { 'mongodb::globals':
         expect(r.stdout).to match %r{some value}
       end
     end
+
+    it 'create a user' do
+      pp = <<-EOS
+        mongodb_user {'testuser':
+          ensure        => present,
+          password_hash => mongodb_password('testuser', 'passw0rd'),
+          database      => 'testdb',
+          roles         => ['readWrite', 'dbAdmin'],
+        }
+      EOS
+
+      apply_manifest_on(hosts, pp, catch_failures: true)
+      apply_manifest_on(hosts, pp, catch_changes: true)
+    end
   end
 
   describe 'mongodb::server with replset_members' do
@@ -347,5 +361,19 @@ class { 'mongodb::globals':
         expect(r.stdout).to match %r{created_by_puppet}
       end
     end
+
+    it 'create a user' do
+      pp = <<-EOS
+        mongodb_user {'testuser':
+          ensure        => present,
+          password_hash => mongodb_password('testuser', 'passw0rd'),
+          database      => 'testdb',
+          roles         => ['readWrite', 'dbAdmin'],
+        }
+      EOS
+
+      apply_manifest_on(hosts, pp, catch_failures: true)
+      apply_manifest_on(hosts, pp, catch_changes: true)
+    end
   end
 end

spec/unit/puppet/provider/mongodb_user/mongodb_spec.rb

@@ -71,13 +71,6 @@
     end
   end
 
-  describe 'empty self.instances from slave' do
-    it 'doesn`t retrun array of users' do
-      allow(provider.class).to receive(:db_ismaster).and_return(false)
-      expect(provider.class.instances).to be_empty
-    end
-  end
-
   describe 'create' do
     it 'creates a user' do
       cmd_json = <<-EOS.gsub(%r{^\s*}, '').gsub(%r{$\n}, '')