Enabling authentication in MongoDB

Confirm the primary node

rs.status()

Connect to MongoDB

mongosh --host 192.168.174.100 --port 37013
Current Mongosh Log ID: 67596f155da2f2f4a0e94969
Connecting to:          mongodb://192.168.174.100:37013/?directConnection=true&appName=mongosh+2.3.4
Using MongoDB:          8.0.4
Using Mongosh:          2.3.4

For mongosh info see: https://www.mongodb.com/docs/mongodb-shell/

------
   The server generated these startup warnings when booting
   2024-12-11T18:30:54.031+08:00: Using the XFS filesystem is strongly recommended with the WiredTiger storage engine. See http://dochub.mongodb.org/core/prodnotes-filesystem
   2024-12-11T18:30:54.754+08:00: Access control is not enabled for the database. Read and write access to data and configuration is unrestricted
   2024-12-11T18:30:54.754+08:00: You are running on a NUMA machine. We suggest launching mongod like this to avoid performance problems: numactl --interleave=all mongod [other options]
   2024-12-11T18:30:54.754+08:00: For customers running the current memory allocator, we suggest changing the contents of the following sysfsFile
   2024-12-11T18:30:54.754+08:00: We suggest setting the contents of sysfsFile to 0.
   2024-12-11T18:30:54.754+08:00: vm.max_map_count is too low
   2024-12-11T18:30:54.755+08:00: We suggest setting swappiness to 0 or 1, as swapping can cause performance problems.
------

configReplSet [direct: primary] test> 

Create the user administrator

Switch to the admin database

configReplSet [direct: primary] test> use admin
switched to db admin
configReplSet [direct: primary] admin> 

Create the user

configReplSet [direct: primary] admin> db.createUser(
...   {
...     user: "myUserAdmin",
...     pwd: passwordPrompt(), // or cleartext password
...     roles: [
...       { role: "userAdminAnyDatabase", db: "admin" },
...       { role: "readWriteAnyDatabase", db: "admin" }
...     ]
...   }
... )
Enter password
****************
{
  ok: 1,
  '$clusterTime': {
    clusterTime: Timestamp({ t: 1733914614, i: 5 }),
    signature: {
      hash: Binary.createFromBase64('AAAAAAAAAAAAAAAAAAAAAAAAAAA=', 0),
      keyId: Long('0')
    }
  },
  operationTime: Timestamp({ t: 1733914614, i: 5 })
}
configReplSet [direct: primary] admin> 

Enable authentication in the configuration

Add the following to each configuration file (all mongod and mongos instances in the cluster must share the same keyFile)

mongod_config.conf

security:
    authorization: enabled
    keyFile: /usr/local/mongodb/etc/mongo-keyfile

mongod_shard.conf

security:
    authorization: enabled
    keyFile: /usr/local/mongodb/etc/mongo-keyfile

mongos.conf

security:
  keyFile: /usr/local/mongodb/etc/mongo-keyfile
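The three configuration blocks above all point at the same keyFile, but the post does not show how to create one. The script below is an added example (not from the original post): it generates the keyfile the way the MongoDB docs recommend (`openssl rand -base64 756`), restricts it to owner-only read, and checks the constraints mongod enforces before it will start with `security.keyFile` set: base64 characters only, 6 to 1024 of them, and no group or world permission bits. The default path `/tmp/mongo-keyfile` is an assumption for testing; the post's real path is `/usr/local/mongodb/etc/mongo-keyfile`, and the same file must be copied to every mongod and mongos host and be readable by the account mongod runs as.

```shell
#!/bin/sh
# Added example: generate and validate a MongoDB internal-auth keyfile.
# KEYFILE below is an assumption; the post uses /usr/local/mongodb/etc/mongo-keyfile.
set -eu

# Create a keyfile from 756 random bytes, base64-encoded (the form the MongoDB
# docs recommend). Falls back to /dev/urandom when openssl is not installed.
mongo_keyfile_create() {
    f=$1
    umask 077   # created owner-only; never group- or world-readable, even briefly
    if command -v openssl >/dev/null 2>&1; then
        openssl rand -base64 756 > "$f"
    else
        head -c 756 /dev/urandom | base64 > "$f"
    fi
    chmod 400 "$f"
}

# Check what mongod requires of security.keyFile before it will start:
#  - only base64 characters (whitespace is ignored), between 6 and 1024 of them
#  - no group/other permission bits (mongod refuses a g/o-accessible keyfile)
# Returns 0 when the file is acceptable, 1 otherwise, printing the reason.
mongo_keyfile_check() {
    f=$1
    [ -f "$f" ] || { echo "missing: $f"; return 1; }
    # mode string such as -r--------; columns 5-10 are the group/other bits
    perms=$(ls -ld "$f" | cut -c5-10)
    [ "$perms" = "------" ] || { echo "keyfile is group/world accessible: $perms"; return 1; }
    bad=$(tr -d 'A-Za-z0-9+/=\n\r\t ' < "$f" | wc -c | tr -d ' ')
    [ "$bad" -eq 0 ] || { echo "keyfile contains non-base64 characters"; return 1; }
    n=$(tr -d '\n\r\t ' < "$f" | wc -c | tr -d ' ')
    [ "$n" -ge 6 ] && [ "$n" -le 1024 ] || { echo "keyfile length $n not in 6..1024"; return 1; }
    echo "ok: $f ($n base64 chars, mode $(ls -ld "$f" | cut -c1-10))"
}

# Assumed test location; in production use the path named in the config files.
KEYFILE=${KEYFILE:-/tmp/mongo-keyfile}
mongo_keyfile_create "$KEYFILE"
mongo_keyfile_check "$KEYFILE"
```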

Test the account

Connect to mongod without authentication

mongosh --host 192.168.174.100 --port 37013
Current Mongosh Log ID: 675972e609f1b12eb7e94969
Connecting to:          mongodb://192.168.174.100:37013/?directConnection=true&appName=mongosh+2.3.4
Using MongoDB:          8.0.4
Using Mongosh:          2.3.4

For mongosh info see: https://www.mongodb.com/docs/mongodb-shell/

configReplSet [direct: primary] test>

Run a test command

configReplSet [direct: primary] test> rs.status()
MongoServerError[Unauthorized]: Command replSetGetStatus requires authentication

Connect to mongod with authentication

mongosh --host 192.168.174.100 --port 37013 --authenticationDatabase "admin" -u "myUserAdmin" -p
Enter password: 
Enter password: ****************
Current Mongosh Log ID: 675973d3fa629f9633e94969
Connecting to:          mongodb://<credentials>@192.168.174.100:37013/?directConnection=true&authSource=admin&appName=mongosh+2.3.4
Using MongoDB:          8.0.4
Using Mongosh:          2.3.4

For mongosh info see: https://www.mongodb.com/docs/mongodb-shell/

------
   The server generated these startup warnings when booting
   2024-12-11T19:00:03.682+08:00: Using the XFS filesystem is strongly recommended with the WiredTiger storage engine. See http://dochub.mongodb.org/core/prodnotes-filesystem
   2024-12-11T19:00:04.736+08:00: You are running on a NUMA machine. We suggest launching mongod like this to avoid performance problems: numactl --interleave=all mongod [other options]
   2024-12-11T19:00:04.736+08:00: For customers running the current memory allocator, we suggest changing the contents of the following sysfsFile
   2024-12-11T19:00:04.736+08:00: We suggest setting the contents of sysfsFile to 0.
   2024-12-11T19:00:04.737+08:00: vm.max_map_count is too low
   2024-12-11T19:00:04.737+08:00: We suggest setting swappiness to 0 or 1, as swapping can cause performance problems.
------

configReplSet [direct: primary] test> 

or

mongosh --port 27017
use admin
db.auth("myUserAdmin", passwordPrompt()) // or cleartext password

Grant roles to the account (note: db.updateUser with a roles field replaces the user's existing roles rather than adding to them; db.grantRolesToUser, listed under common commands below, adds roles)

configReplSet [direct: primary] admin> db.updateUser("myUserAdmin", {
...   roles: [
...     { role: "clusterMonitor", db: "admin" }
...   ]
... })
{
  ok: 1,
  '$clusterTime': {
    clusterTime: Timestamp({ t: 1733915218, i: 1 }),
    signature: {
      hash: Binary.createFromBase64('ixfp9qfTi3+DKSZb0wwmlY/NSOY=', 0),
      keyId: Long('7447103258356613143')
    }
  },
  operationTime: Timestamp({ t: 1733915218, i: 1 })
}

Common commands

db.getUser("Admin")
db.grantRolesToUser("<username>", [{ role: "dbAdmin", db: "<database>" }])
db.dropUser('username')

Reference documentation

https://www.mongodb.com/zh-cn/docs/manual/tutorial/configure-scram-client-authentication/#std-label-create-user-admin

Posted 2024-12-11 19:15 by 小吉猫