副本集架构中需要开启用户的授权认证,也要配置副本集内部成员之间的身份验证。对于副本集成员的内部身份验证,MongoDB可以使用keyfile或x.509证书。本文按以下步骤操作:
1. 创建管理员用户
2. 创建秘钥文件
3. 开启认证
4. 重启服务
副本集成员:
192.168.6.17:27031
192.168.6.17:27032
192.168.6.17:27033
systemLog:
  destination: file
  logAppend: true
  path: /data/mdb1/logs/mongod.log
storage:
  dbPath: /data/mdb1/data
  journal:
    enabled: true
  directoryPerDB: true
  wiredTiger:
    engineConfig:
      directoryForIndexes: true
processManagement:
  fork: true
  pidFilePath: /data/mdb1/pid/mongod.pid
net:
  port: 27031
  bindIp: 192.168.6.17,localhost
  maxIncomingConnections: 50
#security:
#  keyFile: /data/mdb1/conf/keyfile
#  authorization: enabled
replication:
  replSetName: rs02
[root@VM_6_17_centos ~]# /root/mongodb-4.2.1/bin/mongo 192.168.6.17:27031
rs02:PRIMARY> use admin
switched to db admin
rs02:PRIMARY>db.createUser({
user:"mydba",
pwd:"12348970",
roles:
[
{
role:"root",
db:"admin"
}
]})
rs02:PRIMARY> db.getUsers() //查看admin数据库的用户
[
{
"_id" : "admin.mydba",
"userId" : UUID("11aefd2d-ca1b-405e-b4d2-c79ec66c2a7e"),
"user" : "mydba",
"db" : "admin",
"roles" : [
{
"role" : "root",
"db" : "admin"
}
],
"mechanisms" : [
"SCRAM-SHA-1",
"SCRAM-SHA-256"
]
}
]
rs02:PRIMARY>
创建秘钥文件
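# Generate the shared keyfile used for internal (member-to-member)
# authentication; every replica-set member must use an identical copy.
# The subcommand is "rand" with the "-base64" option (the original
# "rand-base64" is not an openssl command). 756 random bytes are written
# base64-encoded, since a keyfile may only contain base64 characters.
# umask 077 inside the subshell makes the file owner-only from the moment
# it is created, so the secret is never briefly world-readable.
( umask 077 && openssl rand -base64 756 > keyfile )
# mongod rejects a keyfile with group or world permissions; keep it 0400.
# The file must also be readable by the account that runs mongod — it is
# created here as root, so adjust ownership if mongod runs as another user.
chmod 400 keyfile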
[root@VM_6_17_centos ~]# cp keyfile /data/mdb1/conf/
[root@VM_6_17_centos ~]# cp keyfile /data/mdb2/conf/
[root@VM_6_17_centos ~]# cp keyfile /data/mdb3/conf/
开启认证:
systemLog:
  destination: file
  logAppend: true
  path: /data/mdb1/logs/mongod.log
storage:
  dbPath: /data/mdb1/data
  journal:
    enabled: true
  directoryPerDB: true
  wiredTiger:
    engineConfig:
      directoryForIndexes: true
processManagement:
  fork: true
  pidFilePath: /data/mdb1/pid/mongod.pid
net:
  port: 27031
  bindIp: 192.168.6.17,localhost
  maxIncomingConnections: 50
security:
  keyFile: /data/mdb1/conf/keyfile   # 内部(成员之间)使用keyfile认证
  authorization: enabled             # 开启客户端认证
replication:
  replSetName: rs02
修改配置并重启服务后,现在我们用管理员用户连接PRIMARY节点:
[root@VM_6_17_centos ~]# /root/mongodb-4.2.1/bin/mongo 192.168.6.17:27031/admin -u mydba -p
MongoDB shell version v4.2.1
Enter password: //输入密码
rs02:PRIMARY> show dbs;
admin 0.000GB
config 0.000GB
local 0.001GB
test_jia 0.000GB
rs02:PRIMARY> use test_jia
switched to db test_jia
rs02:PRIMARY> show tables;
user_hobby
user_info
rs02:PRIMARY>
rs02:PRIMARY> db.createUser({
... user:"haijiao", //我们创建普通用户并授权
... pwd:"87690544",
... roles:
... [
... {
... role:"readWrite",
... db:"test_jia"
... }
... ]})
Successfully added user: {
"user" : "haijiao",
"roles" : [
{
"role" : "readWrite",
"db" : "test_jia"
}
[root@VM_6_17_centos ~]# /root/mongodb-4.2.1/bin/mongo 192.168.6.17:27031/test_jia -u haijiao -p
MongoDB shell version v4.2.1
Enter password:
connecting to: mongodb://192.168.6.17:27031/test_jia?compressors=disabled&gssapiServiceName=mongodb
Implicit session: session { "id" : UUID("bfa70dfe-2710-473c-90fb-59ab1ab97437") }
MongoDB server version: 4.2.1
rs02:PRIMARY> show tables;
user_hobby
user_info
rs02:PRIMARY> show dbs
test_jia 0.000GB
rs02:PRIMARY>
[root@VM_6_17_centos ~]# /root/mongodb-4.2.1/bin/mongo 192.168.6.17:27032/test_jia
MongoDB shell version v4.2.1
connecting to: mongodb://192.168.6.17:27032/test_jia?compressors=disabled&gssapiServiceName=mongodb
Implicit session: session { "id" : UUID("2f7b17b3-bb01-46c4-ac37-a89c2e4586e4") }
MongoDB server version: 4.2.1
rs02:PRIMARY> show dbs; //没有权限
rs02:PRIMARY> db.auth("haijiao","87690544") //认证
1
rs02:PRIMARY> show dbs;
test_jia 0.000GB
rs02:PRIMARY>
rs02:PRIMARY> show tables;
user_hobby
user_info
rs02:PRIMARY>
总结:线上部署时,副本集成员应使用域名进行配置,以避免IP地址变更导致的配置修改;
尽量使用复杂的密码;数据库端口使用防火墙进行限制,禁止外网访问,
内网只允许特定IP或网段访问;并开启客户端认证授权。
下一章我们了解认证授权的详细内容。
原文地址:https://blog.51cto.com/jiachen/2499673