Setting up authentication on a Mongo cluster

This article assumes a sharded cluster that has already been deployed without authentication.

1. In a sharded cluster, the members of a replica set authenticate to each other with a keyFile, and mongos, the config servers and the replica sets also authenticate to each other with the keyFile. Every mongod and mongos instance in the cluster uses a keyFile with identical contents.

Generate the keyfile on one of the machines

openssl rand -base64 753  > keyfile
chmod 600 ./keyfile # permissions must be 600
[root@centos01 ~]# openssl rand -base64 753  > keyfile
[root@centos01 ~]# ll
总用量 64
-rw-------. 1 root root  1484 6月  16 2018 anaconda-ks.cfg
-rw-r--r--. 1 root root 28412 6月  16 2018 install.log
-rw-r--r--. 1 root root  8105 6月  16 2018 install.log.syslog
-rw-r--r--. 1 root root  1020 4月  15 20:23 keyfile
-rwxr-xr-x. 1 root root   357 7月   8 2018 mongo_start.sh
-rwxr-xr-x. 1 root root   348 7月   8 2018 mongo_stop.sh
-rwxr-xr-x. 1 root root    78 8月   2 2018 redis_link.sh
-rwxr-xr-x. 1 root root   140 8月  10 2018 redis_start.sh

[root@centos01 ~]# chmod 600 ./keyfile
[root@centos01 ~]#

Copy the file to the other nodes

scp -r  /root/keyfile  root@192.168.96.202:/root/
scp -r  /root/keyfile  root@192.168.96.203:/root/
[root@centos01 ~]# scp -r  /root/keyfile  root@192.168.96.202:/root/
keyfile                                                    100% 1020     1.0KB/s   00:00    
[root@centos01 ~]# scp -r  /root/keyfile  root@192.168.96.203:/root/
keyfile                                                    100% 1020     1.0KB/s   00:00    
[root@centos01 ~]#
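As an added example (not part of the original post), a small POSIX shell helper that generates the keyfile and checks, before it is copied to the other nodes, that it has the properties mongod requires: owner-only permissions (600 or 400), base64 characters only, and between 6 and 1024 characters. The function names and the /dev/urandom fallback are my own assumptions.

```shell
#!/bin/sh
# Added example: generate a MongoDB keyFile and verify it before distribution.
# Function names are my own; the destination path is supplied by the caller.

gen_keyfile() {
    # $1 = destination. 753 random bytes encode to 1004 base64 characters,
    # under the 1024-character limit for keyFile contents.
    ( umask 077                      # never create the file group/world readable
      if command -v openssl >/dev/null 2>&1; then
          openssl rand -base64 753 > "$1"
      else                           # assumption: host without openssl
          head -c 753 /dev/urandom | base64 > "$1"
      fi ) || return 1
    chmod 600 "$1"
}

check_keyfile() {
    # $1 = path. Returns 0 only when the file is usable as a cluster keyFile.
    f="$1"
    [ -f "$f" ] || { echo "missing: $f" >&2; return 1; }
    perms=$(stat -c %a "$f" 2>/dev/null || stat -f %Lp "$f")
    case "$perms" in
        600|400) ;;
        *) echo "bad permissions $perms (need 600 or 400): $f" >&2; return 1 ;;
    esac
    body=$(tr -d ' \t\r\n' < "$f")   # mongod ignores whitespace in the keyFile
    case "$body" in
        *[!A-Za-z0-9+/=]*) echo "non-base64 content: $f" >&2; return 1 ;;
    esac
    n=${#body}
    if [ "$n" -lt 6 ] || [ "$n" -gt 1024 ]; then
        echo "bad length $n characters (need 6..1024): $f" >&2; return 1
    fi
    return 0
}
```

Run check_keyfile on every node after the scp step as well, since a keyfile copied with the wrong permissions is rejected by mongod at startup.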

2. Log in to the mongo config node

./mongo --port 21000

[root@centos01 bin]# pwd
/mysys/mongodb/bin
[root@centos01 bin]# /mysys/mongodb/bin/mongo --port 21000
MongoDB shell version v3.6.1
connecting to: mongodb://127.0.0.1:21000/
MongoDB server version: 3.6.1
Server has startup warnings:
2020-04-15T20:04:01.342+0800 I STORAGE [initandlisten]
2020-04-15T20:04:01.342+0800 I STORAGE [initandlisten] ** WARNING: Using the XFS filesystem is strongly recommended with the WiredTiger storage engine
2020-04-15T20:04:01.342+0800 I STORAGE [initandlisten] ** See http://dochub.mongodb.org/core/prodnotes-filesystem
2020-04-15T20:04:03.307+0800 I CONTROL [initandlisten]
2020-04-15T20:04:03.314+0800 I CONTROL [initandlisten] ** WARNING: Access control is not enabled for the database.
2020-04-15T20:04:03.314+0800 I CONTROL [initandlisten] ** Read and write access to data and configuration is unrestricted.
2020-04-15T20:04:03.314+0800 I CONTROL [initandlisten] ** WARNING: You are running this process as the root user, which is not recommended.
2020-04-15T20:04:03.314+0800 I CONTROL [initandlisten]
configs:PRIMARY>

3. Create the administrator account and grant it all privileges (admin and config databases); this must be run on the PRIMARY node

use admin
db.createUser({user: "admin",pwd: "123456",roles: [ { role: "root", db: "admin" } ]}) 
db.auth("admin","123456")

use config
db.createUser({user: "admin",pwd: "123456",roles: [ { role: "root", db: "admin" } ]}) 
db.auth("admin","123456")
configs:PRIMARY> use admin
switched to db admin
configs:PRIMARY> db.createUser({user: "admin",pwd: "123456",roles: [ { role: "root", db: "admin" } ]}) 
Successfully added user: {
    "user" : "admin",
    "roles" : [
        {
            "role" : "root",
            "db" : "admin"
        }
    ]
}
configs:PRIMARY> db.auth("admin","123456")
1
configs:PRIMARY> 
configs:PRIMARY> use config
switched to db config
configs:PRIMARY> db.createUser({user: "admin",pwd: "123456",roles: [ { role: "root", db: "admin" } ]}) 
Successfully added user: {
    "user" : "admin",
    "roles" : [
        {
            "role" : "root",
            "db" : "admin"
        }
    ]
}
configs:PRIMARY> db.auth("admin","123456")
1
configs:PRIMARY>

4. Stop all mongod, mongos and configsvr instances, edit the configuration files, then restart every instance on every server
      Add the authentication settings to the configuration file of every mongod, mongos and config server instance, or pass the --auth and --keyFile options when starting the instance

       Add the following settings to the shard and config server configuration files

# enable access control
auth=true
keyFile=/root/keyfile

      Add the following to the mongos configuration file

# point to the keyFile
keyFile=/root/keyfile

Run the following to append the settings

echo 'auth=true' >> config.conf
echo 'keyFile=/root/keyfile' >> config.conf
echo 'auth=true' >> shard1.conf
echo 'keyFile=/root/keyfile' >> shard1.conf
echo 'auth=true' >> shard2.conf
echo 'keyFile=/root/keyfile' >> shard2.conf
echo 'auth=true' >> shard3.conf
echo 'keyFile=/root/keyfile' >> shard3.conf

echo 'keyFile=/root/keyfile' >> mongos.conf
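As an added example (not from the original post), an idempotent version of the echo >> step above: it replaces an existing auth= or keyFile= line instead of appending a duplicate when the script is run twice, and adds only keyFile to a mongos config, as the post does. The function names are my own; the config file names in the usage comment are the post's.

```shell
#!/bin/sh
# Added example: enable authentication in the legacy key=value config files
# without appending duplicate lines on re-runs. Function names are my own.

set_key() {
    # $1 = config file, $2 = key, $3 = value. Replace an existing "key=" line
    # in place, otherwise append; a second run therefore changes nothing.
    if grep -q "^$2=" "$1" 2>/dev/null; then
        sed -i.bak "s|^$2=.*|$2=$3|" "$1" && rm -f "$1.bak"
    else
        printf '%s=%s\n' "$2" "$3" >> "$1"
    fi
}

enable_auth() {
    # $1 = config file, $2 = keyFile path, $3 = "mongos" for a router config.
    # Shard and config servers get auth=true and keyFile; mongos gets keyFile
    # only, which is what the post adds to mongos.conf.
    set_key "$1" keyFile "$2"
    [ "${3:-}" = mongos ] || set_key "$1" auth true
}

conf_has() {
    # $1 = config file, $2 = key, $3 = value. 0 when exactly one "key=value" line.
    [ "$(grep -Fxc "$2=$3" "$1")" -eq 1 ]
}

# Usage with the post's file names (run in the directory holding the configs):
# for c in config.conf shard1.conf shard2.conf shard3.conf; do
#     enable_auth "$c" /root/keyfile
# done
# enable_auth mongos.conf /root/keyfile mongos
```

Run conf_has on each file before the restart: a config with two keyFile= lines, or with auth=true missing on a shard, is the usual cause of one node failing to rejoin the cluster.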

Create a user

db.createUser(
  {
    user: "admin",
    pwd: "123456",
    roles: [ { role: "userAdminAnyDatabase", db: "admin" } ]
  }
)


After logging in to mongo, create the database used by the application
  use tps
Create the user
db.createUser(
  {
    user: "test",
    pwd: "123456",
    roles: [ { role: "readWrite", db: "testdb" } ]
  }
)

5. Verify after the restart

 show users   lists the users

Method 2

I. Generate the keyfile
1. openssl rand -base64 753  > keyfile
2. chmod 600 ./keyfile  # permissions must be 600
3. Put the generated file at /mydata/mongodb/keyfile
Distribute it to each node
scp -r  /root/keyfile  root@192.168.96.202:/mydata/mongodb

II. Log in to mongo without authentication:   ./mongo --port [port]
1. Create the administrative user
db.createUser( {user: "admin",pwd: "12345",roles: [ { role: "userAdminAnyDatabase", db: "admin" } ]})
III. Modify the configuration files
1. Append the following to the end of the config and shard configuration files
auth=true
keyFile=/mydata/mongodb/keyfile
2. Append the following to the end of the mongos configuration file
keyFile=/mydata/mongodb/keyfile
IV. Restart the services
1. killall mongod
2. killall mongos
Restart mongo on every node
V. Create the database and user for the application
1. After logging in to mongo, create the database used by the application
  use tps
2. Create the user
db.createUser(
  {
    user: "test",
    pwd: "12345",
    roles: [ { role: "readWrite", db: "testdb" } ]
  }
)

End

Original article: https://www.cnblogs.com/xuchen0117/p/12757985.html