Setting up authentication on a MongoDB cluster
This article assumes a sharded cluster that has already been set up without authentication.
1. In a sharded cluster, members of a replica set authenticate to each other with a keyFile, and mongos, the config servers and the replica sets also authenticate to each other with the keyFile. Every mongod and mongos instance in the cluster must use a keyFile with identical contents.
Generate the keyfile on one of the machines:
openssl rand -base64 753 > keyfile
chmod 600 ./keyfile    # permissions must be 600
[root@centos01 ~]# openssl rand -base64 753 > keyfile
[root@centos01 ~]# ll
总用量 64
-rw-------. 1 root root  1484 6月  16 2018 anaconda-ks.cfg
-rw-r--r--. 1 root root 28412 6月  16 2018 install.log
-rw-r--r--. 1 root root  8105 6月  16 2018 install.log.syslog
-rw-r--r--. 1 root root  1020 4月  15 20:23 keyfile
-rwxr-xr-x. 1 root root   357 7月   8 2018 mongo_start.sh
-rwxr-xr-x. 1 root root   348 7月   8 2018 mongo_stop.sh
-rwxr-xr-x. 1 root root    78 8月   2 2018 redis_link.sh
-rwxr-xr-x. 1 root root   140 8月  10 2018 redis_start.sh
[root@centos01 ~]# chmod 600 ./keyfile
[root@centos01 ~]#
Copy the file to the other nodes:
scp -r /root/keyfile root@192.168.96.202:/root/
scp -r /root/keyfile root@192.168.96.203:/root/
[root@centos01 ~]# scp -r /root/keyfile root@192.168.96.202:/root/
keyfile                                       100% 1020     1.0KB/s   00:00
[root@centos01 ~]# scp -r /root/keyfile root@192.168.96.203:/root/
keyfile                                       100% 1020     1.0KB/s   00:00
[root@centos01 ~]#
2. Log in to the mongo config server node:
./mongo --port 21000
[root@centos01 bin]# pwd
/mysys/mongodb/bin
[root@centos01 bin]# /mysys/mongodb/bin/mongo --port 21000
MongoDB shell version v3.6.1
connecting to: mongodb://127.0.0.1:21000/
MongoDB server version: 3.6.1
Server has startup warnings:
2020-04-15T20:04:01.342+0800 I STORAGE [initandlisten]
2020-04-15T20:04:01.342+0800 I STORAGE [initandlisten] ** WARNING: Using the XFS filesystem is strongly recommended with the WiredTiger storage engine
2020-04-15T20:04:01.342+0800 I STORAGE [initandlisten] ** See http://dochub.mongodb.org/core/prodnotes-filesystem
2020-04-15T20:04:03.307+0800 I CONTROL [initandlisten]
2020-04-15T20:04:03.314+0800 I CONTROL [initandlisten] ** WARNING: Access control is not enabled for the database.
2020-04-15T20:04:03.314+0800 I CONTROL [initandlisten] ** Read and write access to data and configuration is unrestricted.
2020-04-15T20:04:03.314+0800 I CONTROL [initandlisten] ** WARNING: You are running this process as the root user, which is not recommended.
2020-04-15T20:04:03.314+0800 I CONTROL [initandlisten]
configs:PRIMARY>
3. Create the administrator account and grant it full privileges (on the admin and config databases). This must be executed on the PRIMARY node:
use admin
db.createUser({user: "admin", pwd: "123456", roles: [ { role: "root", db: "admin" } ]})
db.auth("admin", "123456")
use config
db.createUser({user: "admin", pwd: "123456", roles: [ { role: "root", db: "admin" } ]})
db.auth("admin", "123456")
configs:PRIMARY> use admin
switched to db admin
configs:PRIMARY> db.createUser({user: "admin",pwd: "123456",roles: [ { role: "root", db: "admin" } ]})
Successfully added user: { "user" : "admin", "roles" : [ { "role" : "root", "db" : "admin" } ] }
configs:PRIMARY> db.auth("admin","123456")
1
configs:PRIMARY>
configs:PRIMARY> use config
switched to db config
configs:PRIMARY> db.createUser({user: "admin",pwd: "123456",roles: [ { role: "root", db: "admin" } ]})
Successfully added user: { "user" : "admin", "roles" : [ { "role" : "root", "db" : "admin" } ] }
configs:PRIMARY> db.auth("admin","123456")
1
configs:PRIMARY>
4. Shut down all mongod, mongos and configsvr instances, edit the configuration files, then restart every instance on every server.
Add the authentication settings to the configuration file of every mongod, mongos and config server instance, or pass the --auth and --keyFile options when starting each instance.
Add the following settings to the shard and config server configuration files:
# enable access control
auth=true
keyFile=/root/keyfile
Add the following to the mongos configuration file:
# point to the keyFile
keyFile=/root/keyfile
Append them with:
echo 'auth=true' >> config.conf
echo 'keyFile=/root/keyfile' >> config.conf
echo 'auth=true' >> shard1.conf
echo 'keyFile=/root/keyfile' >> shard1.conf
echo 'auth=true' >> shard2.conf
echo 'keyFile=/root/keyfile' >> shard2.conf
echo 'auth=true' >> shard3.conf
echo 'keyFile=/root/keyfile' >> shard3.conf
echo 'keyFile=/root/keyfile' >> mongos.conf
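The echo >> commands above duplicate the lines if the step is run twice, and nothing checks the keyfile before the restart. The helper below is an added example (not part of the original post): it verifies a keyFile the way mongod does (no group/other permission bits, base64 content of 6 to 1024 characters) and adds each setting only once, giving mongos only keyFile. File names follow this page; the paths passed in are assumptions.

```bash
#!/usr/bin/env bash
# Added example: idempotent helpers for the "edit the configuration files"
# step of this page. Not code from the original post.
set -u

# Check a keyFile before restarting: mongod refuses a keyfile with group/other
# permission bits, and the content must be base64 text, 6..1024 characters.
check_keyfile() {
  local f="$1" mode body n
  [ -f "$f" ] || { echo "missing: $f" >&2; return 1; }
  mode=$(stat -c '%a' "$f" 2>/dev/null || stat -f '%Lp' "$f")
  case "$mode" in
    600|400) ;;
    *) echo "bad mode $mode on $f (want 600)" >&2; return 1 ;;
  esac
  body=$(tr -d '\r\n' < "$f")
  case "$body" in
    *[!A-Za-z0-9+/=]*) echo "non-base64 content in $f" >&2; return 1 ;;
  esac
  n=${#body}
  [ "$n" -ge 6 ] && [ "$n" -le 1024 ] || { echo "bad length $n" >&2; return 1; }
  return 0
}

# Append key=value to a conf file unless that key is already set there.
set_conf() {
  local conf="$1" key="$2" value="$3"
  if grep -Eq "^[[:space:]]*${key}[[:space:]]*=" "$conf"; then
    return 0   # already present: leave the existing value alone
  fi
  printf '%s=%s\n' "$key" "$value" >> "$conf"
}

# Apply the page's settings: auth=true plus keyFile for mongod and config
# servers, keyFile only for mongos (mongos has no auth option; keyFile is enough).
enable_auth() {
  local keyfile="$1" conf="$2"
  check_keyfile "$keyfile" || return 1
  case "$conf" in
    *mongos*) set_conf "$conf" keyFile "$keyfile" ;;
    *) set_conf "$conf" auth true
       set_conf "$conf" keyFile "$keyfile" ;;
  esac
}
```

Run it once per configuration file, e.g. enable_auth /root/keyfile /mysys/mongodb/shard1.conf; re-running it leaves the files unchanged.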
Create the users:
db.createUser( { user: "admin", pwd: "123456", roles: [ { role: "userAdminAnyDatabase", db: "admin" } ] } )
After logging in to mongo, create the database the application will use:
use tps
Create the application user:
db.createUser( { user: "test", pwd: "123456", roles: [ { role: "readWrite", db: "testdb" } ] } )
5. Verify after the restart:
show users    # view the users
Method two
1. Generate the keyfile
  1) openssl rand -base64 753 > keyfile
  2) chmod 600 ./keyfile    # permissions must be 600
  3) Put the generated file at /mydata/mongodb/keyfile and distribute it to every node:
     scp -r /root/keyfile root@192.168.96.202:/mydata/mongodb
2. Log in to mongo without authentication: ./mongo --port [port]
  1) Create the administrative user:
     db.createUser( { user: "admin", pwd: "12345", roles: [ { role: "userAdminAnyDatabase", db: "admin" } ] } )
3. Modify the configuration files
  1) Append the following to the end of the config and shard configuration files:
     auth=true
     keyFile=/mydata/mongodb/keyfile
  2) Append the following to the end of the mongos configuration file:
     keyFile=/mydata/mongodb/keyfile
4. Restart the services
  1) killall mongod
  2) killall mongos
  Restart mongo on every node.
5. Create the database and user for the application
  1) After logging in to mongo, create the database the application will use:
     use tps
  2) Create the user:
     db.createUser( { user: "test", pwd: "12345", roles: [ { role: "readWrite", db: "testdb" } ] } )
Done.