17. MongoDB sharded cluster security authentication


1. Start all nodes of the sharded cluster

2. Log in to the router node and add an administrator account

mongos> use admin
switched to db admin
mongos> db.createUser({user:"myroot",pwd:"123456",roles:["root"]})
Successfully added user: { "user" : "myroot", "roles" : [ "root" ] }

3. Create the key file for replica set authentication

(1) Generate a key file

[root@localhost sharded_cluster]# openssl rand -base64 90 -out ./mongo.keyfile
[root@localhost sharded_cluster]# chmod 400 ./mongo.keyfile
[root@localhost sharded_cluster]# ls -l
total 4
-r--------. 1 root root 122 Mar 27 17:16 mongo.keyfile

(2) Copy the key file to every node

[root@localhost sharded_cluster]# cp mongo.keyfile myshardrs01_27018/
[root@localhost sharded_cluster]# cp mongo.keyfile myshardrs01_27118/
[root@localhost sharded_cluster]# scp mongo.keyfile root@192.168.76.132:/mongodb/sharded_cluster/myshardrs01_27218/

[root@localhost sharded_cluster]# cp mongo.keyfile myshardrs02_27318/
[root@localhost sharded_cluster]# cp mongo.keyfile myshardrs02_27418/
[root@localhost sharded_cluster]# scp mongo.keyfile root@192.168.76.132:/mongodb/sharded_cluster/myshardrs02_27518/

[root@localhost sharded_cluster]# cp mongo.keyfile myconfigrs_27019/
[root@localhost sharded_cluster]# cp mongo.keyfile myconfigrs_27119/
[root@localhost sharded_cluster]# cp mongo.keyfile myconfigrs_27219/

[root@localhost sharded_cluster]# cp mongo.keyfile mymongos_27017/
[root@localhost sharded_cluster]# cp mongo.keyfile mymongos_27117/

4. Modify the configuration files to specify the keyfile

[root@localhost sharded_cluster]# vim myshardrs01_27018/mongod.conf
[root@localhost sharded_cluster]# vim myshardrs01_27118/mongod.conf
[root@localhost sharded_cluster]# vim myshardrs01_27218/mongod.conf

[root@localhost sharded_cluster]# vim myshardrs02_27318/mongod.conf
[root@localhost sharded_cluster]# vim myshardrs02_27418/mongod.conf
[root@localhost sharded_cluster]# vim myshardrs02_27518/mongod.conf

[root@localhost sharded_cluster]# vim myconfigrs_27019/mongod.conf
[root@localhost sharded_cluster]# vim myconfigrs_27119/mongod.conf
[root@localhost sharded_cluster]# vim myconfigrs_27219/mongod.conf

[root@localhost sharded_cluster]# vim mymongos_27017/mongos.conf
[root@localhost sharded_cluster]# vim mymongos_27117/mongos.conf

Add the following configuration

  1. Configuration for the data shard nodes and the config nodes
security:
  # keyfile used to authenticate cluster members to each other
  keyFile: /mongodb/sharded_cluster/myshardrs01_27018/mongo.keyfile
  # run with client authentication enabled
  authorization: enabled
  2. Configuration for the router nodes
security:
  # keyfile used to authenticate cluster members to each other
  keyFile: /mongodb/sharded_cluster/mymongos_27017/mongo.keyfile

The mongos router node has one setting fewer than mongod, namely authorization: enabled; mongos only routes requests and stores no data.
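As an added example (not part of the original notes), the following POSIX shell script audits what steps 3 and 4 set up: it can generate a keyfile the same way as above, checks that a keyfile has mode 400 and a base64 body of 6 to 1024 characters, and walks the cluster directory to confirm that every mongod.conf points at a valid keyfile and has authorization: enabled, while every mongos.conf points at the keyfile and omits authorization. It assumes the directory layout from the notes (/mongodb/sharded_cluster/<node>/mongod.conf or mongos.conf) and takes that directory as its only argument.

```shell
#!/bin/sh
# Added example (not from the original notes): audit the keyfile and the
# security section of every node config under a sharded_cluster directory.

# Generate a keyfile the same way the notes do and restrict it to owner-read.
make_keyfile() {
  openssl rand -base64 90 -out "$1" && chmod 400 "$1"
}

# A usable keyfile has mode 400 and a base64 body of 6..1024 characters
# (MongoDB's limits for keyfile contents). Returns 0 when the file passes.
check_keyfile() {
  f="$1"
  [ -f "$f" ] || return 1
  mode=$(stat -c %a "$f" 2>/dev/null || stat -f %Lp "$f")
  [ "$mode" = "400" ] || return 1
  body=$(tr -d ' \t\r\n' < "$f")
  n=$(printf '%s' "$body" | wc -c | tr -d ' ')
  [ "$n" -ge 6 ] && [ "$n" -le 1024 ] || return 1
  printf '%s' "$body" | grep -Eq '^[A-Za-z0-9+/=]+$'
}

# Check one config file. kind is "mongod" (shard/config node: needs keyFile
# and authorization: enabled) or "mongos" (router: keyFile only; mongos does
# not take security.authorization). The referenced keyfile must itself pass.
check_conf() {
  conf="$1"; kind="$2"
  kf=$(sed -n 's/^[[:space:]]*keyFile:[[:space:]]*//p' "$conf" | head -n 1)
  [ -n "$kf" ] && check_keyfile "$kf" || return 1
  if [ "$kind" = mongod ]; then
    grep -Eq '^[[:space:]]*authorization:[[:space:]]*enabled' "$conf"
  else
    ! grep -Eq '^[[:space:]]*authorization:' "$conf"
  fi
}

# Walk the cluster layout used above (<dir>/<node>/mongod.conf or mongos.conf)
# and report every node that would start without proper authentication.
check_cluster() {
  dir="$1"; rc=0
  for c in "$dir"/*/mongod.conf "$dir"/*/mongos.conf; do
    [ -f "$c" ] || continue
    case "$c" in *mongos.conf) kind=mongos ;; *) kind=mongod ;; esac
    check_conf "$c" "$kind" || { echo "NOT SECURED: $c"; rc=1; }
  done
  return "$rc"
}
# usage: ./check_cluster.sh /mongodb/sharded_cluster
if [ $# -eq 1 ]; then check_cluster "$1"; fi
```

Run it on the node hosting the cluster directory before starting the nodes in step 5; a non-zero exit and a NOT SECURED line name each config that still needs attention.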

5. Start the nodes in order

Start the config nodes first, then the shard nodes, then the router nodes.

[root@localhost bin]# ./mongod -f /mongodb/sharded_cluster/myconfigrs_27019/mongod.conf
[root@localhost bin]# ./mongod -f /mongodb/sharded_cluster/myconfigrs_27119/mongod.conf
[root@localhost bin]# ./mongod -f /mongodb/sharded_cluster/myconfigrs_27219/mongod.conf

[root@localhost bin]# ./mongod -f /mongodb/sharded_cluster/myshardrs01_27018/mongod.conf
[root@localhost bin]# ./mongod -f /mongodb/sharded_cluster/myshardrs01_27118/mongod.conf
[root@localhost bin]# ./mongod -f /mongodb/sharded_cluster/myshardrs01_27218/mongod.conf
[root@localhost bin]# ./mongod -f /mongodb/sharded_cluster/myshardrs02_27318/mongod.conf
[root@localhost bin]# ./mongod -f /mongodb/sharded_cluster/myshardrs02_27418/mongod.conf
[root@localhost bin]# ./mongod -f /mongodb/sharded_cluster/myshardrs02_27518/mongod.conf

[root@localhost bin]# ./mongos -f /mongodb/sharded_cluster/mymongos_27017/mongos.conf
[root@localhost bin]# ./mongos -f /mongodb/sharded_cluster/mymongos_27117/mongos.conf

6. Create an account and authenticate

(1) Create an ordinary account

[root@localhost bin]# ./mongo --host=192.168.76.128 --port=27017

mongos> use admin
switched to db admin
mongos> db.auth("myroot", "123456")
1

mongos> use articledb
switched to db articledb
mongos> show collections
author
comment
mongos> db.createUser({ user: "denial", pwd: "123456", roles: [{ role: "readWrite", db: "articledb"}] })
Successfully added user: {
    "user" : "denial",
    "roles" : [
        {
            "role" : "readWrite",
            "db" : "articledb"
        }
    ]
}

Account information added through mongos is stored only on the config servers; the data nodes themselves do not store it, so account information in a sharded cluster involves no synchronization problem.

(2) Log out and log in with the ordinary account

[root@localhost bin]# ./mongo --host=192.168.76.128 --port=27017

mongos> use articledb
switched to db articledb
mongos> db.auth("denial", "123456")
1
mongos> show collections
author
comment
mongos> db.comment.count()
1000

7. Spring Data MongoDB connection authentication

application.yml

spring:
  data:
    mongodb:
      uri: mongodb://denial:123456@192.168.76.128:27017,192.168.76.128:27117/articledb

8. Compass connection authentication

(1) Log in as the myroot user

(2) Log in as an ordinary user