1、 生成密钥文件
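# Step 1: generate the cluster keyfile.
# umask 077 (scoped to the subshell) makes the file 0600 from the moment the
# redirection creates it, so the key is never readable by others in the window
# between creation and the chmod below.
( umask 077 && openssl rand -base64 741 > /home/keyfile )
# The original chmod targeted a relative "keyfile"; the generated file is
# /home/keyfile. The owner must be the account that starts mongod/mongos
# (the ps listings further down this page show the processes running as root).
chmod 600 -- /home/keyfile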
建议把密钥文件的权限设置为600(针对启动mongo实例的那个用户)
接着需要把这个密钥文件拷贝到集群中每一个结点上(路由结点,元配置结点,分片结点上都要有这个密钥文件) ;
注:开启了keyFile,隐含就开启了auth,连接副本集就需要进行认证了,否则只能通过本地例外方式操作数据库。
在副本集中添加用户需要在服务未加--keyFile参数启动的情况下按照单实例方法添加(在任意一个副本集成员上操作,其他成员会自动同步),账户添加、授权成功后重新加入keyFile启动服务,即可完成并使用。
12
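# Step 2: place a copy of the keyfile in every member's data directory on this
# host (12) and on hosts 13-16. The original lines read "scp /ho keyfile ...",
# a truncated "/home/keyfile".
src=/home/keyfile
# Every host gets a copy for mongos, the config server and shard1-5.
dirs=(
  /opt/config/data
  /opt/mongos
  /opt/shard1/data
  /opt/shard2/data
  /opt/shard3/data
  /opt/shard4/data
  /opt/shard5/data
)
# Placeholders: substitute the addresses of hosts 13, 14, 15 and 16.
hosts=(HOST_13 HOST_14 HOST_15 HOST_16)

# Local copies; -p keeps the 0600 mode of the source file.
for d in "${dirs[@]}"; do
  cp -p -- "$src" "$d/"
done
# Remote copies; scp -p likewise preserves the mode on the destination host.
for h in "${hosts[@]}"; do
  for d in "${dirs[@]}"; do
    scp -p "$src" "$h:$d/"
  done
done
# Verify on each host: list every copy, then list any copy whose mode is not
# exactly 0600 (the second command should print nothing).
find /opt/ -name keyfile
find /opt/ -name keyfile ! -perm 600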
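// Step 3: create the cluster administrator in the admin db (done while the
// members run without --keyFile, as the note above explains). Shell
// continuation prompts ("...") from the original transcript are removed so the
// statement can be pasted as-is.
// NOTE(review): clusterAdmin + readWriteAnyDatabase + userAdminAnyDatabase +
// dbAdminAnyDatabase make this a highly privileged administrative account;
// keep it for administration and give applications db-scoped users instead.
db.createUser({
  user: "rootadminAAA",
  pwd: "admDDDDin@2018DDDDMDDDDWEEEEDntQ",
  roles: [
    {role: "clusterAdmin", db: "admin"},
    {role: "readWriteAnyDatabase", db: "admin"},
    {role: "userAdminAnyDatabase", db: "admin"},
    {role: "dbAdminAnyDatabase", db: "admin"}]
})
// NOTE(review): the user created above is "rootadminAAA" but this auth call
// (and the later `mongo -u` command) uses "rootadmin"; one of the two names is
// wrong, so this auth would fail against the account just created. Confirm
// which name is intended.
db.auth("rootadmin","admDDDDin@2018DDDDMDDDDWEEEEDntQ")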
注:在第3步时,查看集群里有哪些用户及其权限;
12
root 3684 1 1 Jan28 ? 21:43:41 /usr/local/mongodb-3.6.2/bin/mongos --config /usr/local/mongodb-3.6.2/conf/mongos.conf
root 3775 1 0 Jan28 ? 13:37:34 /usr/local/mongodb-3.6.2/bin/mongod --config /usr/local/mongodb-3.6.2/conf/shard1.conf
root 3817 1 0 Jan28 ? 12:36:42 /usr/local/mongodb-3.6.2/bin/mongod --config /usr/local/mongodb-3.6.2/conf/shard4.conf
root 3854 1 1 Jan28 ? 1-00:42:30 /usr/local/mongodb-3.6.2/bin/mongod --config /usr/local/mongodb-3.6.2/conf/shard5.conf
root 179829 179810 0 19:36 pts/
13
root@mongodb-2:/root# ps -ef|grep mongodb
root 3590 1 1 Jan28 ? 20:57:43 /usr/local/mongodb-3.6.2/bin/mongos --config /usr/local/mongodb-3.6.2/conf/mongos.conf
root 3675 1 0 Jan28 ? 13:11:40 /usr/local/mongodb-3.6.2/bin/mongod --config /usr/local/mongodb-3.6.2/conf/shard1.conf
root 3705 1 1 Jan28 ? 1-03:28:35 /usr/local/mongodb-3.6.2/bin/mongod --config /usr/local/mongodb-3.6.2/conf/shard2.conf
root 3736 1 1 Jan28 ? 1-01:06:04 /usr/local/mongodb-3.6.2/bin/mongod --config /usr/local/mongodb-3.6.2/conf/shard5.conf
root 126060 125886 0 19:45 pts/0 00:00:00 grep --color=auto mongodb
root@mongodb-2:/
root@mongodb-3:/root# ps -ef|grep mongodb
root 3632 1 1 Jan28 ? 19:46:19 /usr/local/mongodb-3.6.2/bin/mongod --config /usr/local/mongodb-3.6.2/conf/config.conf
root 3860 1 0 Jan28 ? 13:37:56 /usr/local/mongodb-3.6.2/bin/mongod --config /usr/local/mongodb-3.6.2/conf/shard1.conf
root 3888 1 1 Jan28 ? 1-07:32:44 /usr/local/mongodb-3.6.2/bin/mongod --config /usr/local/mongodb-3.6.2/conf/shard2.conf
root 3915 1 31 Jan28 ? 24-13:32:59 /usr/local/mongodb-3.6.2/bin/mongod --config /usr/local/mongodb-3.6.2/conf/shard3.conf
root 155784 155565 0 19:47 pts/0 00:00:00 grep --color=auto mongodb
root@mongodb-3:/root#
15
root@mongodb-4:/root# ps -ef|grep mongodb
root 3569 1 0 Jan28 ? 16:42:16 /usr/local/mongodb-3.6.2/bin/mongod --config /usr/local/mongodb-3.6.2/conf/config.conf
root 3743 1 1 Jan28 ? 1-05:20:08 /usr/local/mongodb-3.6.2/bin/mongod --config /usr/local/mongodb-3.6.2/conf/shard2.conf
root 3770 1 7 Jan28 ? 6-01:45:03 /usr/local/mongodb-3.6.2/bin/mongod --config /usr/local/mongodb-3.6.2/conf/shard3.conf
root 3797 1 0 Jan28 ? 13:08:35 /usr/local/mongodb-3.6.2/bin/mongod --config /usr/local/mongodb-3.6.2/conf/shard4.conf
root 155083 154867 0 19:48 pts/0 00:00:00 grep --color=auto mongodb
root@mongodb-4:/root#
16
root@mongodb-5:/root# ps -ef|grep mongodb
root 3571 1 0 Jan28 ? 16:41:09 /usr/local/mongodb-3.6.2/bin/mongod --config /usr/local/mongodb-3.6.2/conf/config.conf
root 3753 1 7 Jan28 ? 6-01:51:58 /usr/local/mongodb-3.6.2/bin/mongod --config /usr/local/mongodb-3.6.2/conf/shard3.conf
root 3780 1 0 Jan28 ? 12:35:49 /usr/local/mongodb-3.6.2/bin/mongod --config /usr/local/mongodb-3.6.2/conf/shard4.conf
root 3808 1 1 Jan28 ? 1-11:18:29 /usr/local/mongodb-3.6.2/bin/mongod --config /usr/local/mongodb-3.6.2/conf/shard5.conf
root 55001 54787 0 19:48 pts/0 00:00:00 grep --color=auto mongodb
root@mongodb-5:/root#
5、关闭原先的集群:db.shutdownServer()
注意,需要按照 路由结点(mongos) -> 配置结点(config) -> 分片结点(shard1-5) 的顺序,依次关闭各结点的进程
6、重新启动集群:需要按照 配置结点(config) -> 分片结点(shard1-5) -> 路由结点(mongos) 的顺序
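# Step 6: restart with the keyfile, in the order config -> shard1-5 -> mongos.
# Each member reads the copy placed in its own data directory in step 2.
# Not every host runs every member (the ps listings above show, e.g., host 12
# without a config server); on each host run only the lines for the members it
# hosts.
/usr/local/mongodb-3.6.2/bin/mongod --config /usr/local/mongodb-3.6.2/conf/config.conf --keyFile /opt/config/data/keyfile
/usr/local/mongodb-3.6.2/bin/mongod --config /usr/local/mongodb-3.6.2/conf/shard1.conf --keyFile /opt/shard1/data/keyfile
/usr/local/mongodb-3.6.2/bin/mongod --config /usr/local/mongodb-3.6.2/conf/shard2.conf --keyFile /opt/shard2/data/keyfile
/usr/local/mongodb-3.6.2/bin/mongod --config /usr/local/mongodb-3.6.2/conf/shard3.conf --keyFile /opt/shard3/data/keyfile
/usr/local/mongodb-3.6.2/bin/mongod --config /usr/local/mongodb-3.6.2/conf/shard4.conf --keyFile /opt/shard4/data/keyfile
/usr/local/mongodb-3.6.2/bin/mongod --config /usr/local/mongodb-3.6.2/conf/shard5.conf --keyFile /opt/shard5/data/keyfile
# mongos last: the original listed it second, contradicting the order stated in
# step 6; it should not start until the config servers it connects to are up.
/usr/local/mongodb-3.6.2/bin/mongos --config /usr/local/mongodb-3.6.2/conf/mongos.conf --keyFile /opt/mongos/keyfile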
7、 验证集群的认证
root@node:/root#mongo IP:20000
mongos> db
test
mongos> show collections;
2018-04-09T16:31:17.604+0800 E QUERY [thread1] Error: listCollections failed: {
"ok" : 0,
"errmsg" : "not authorized on test to execute command { listCollections: 1.0, filter: {},
mongos> use admin
switched to db admin
mongos> show collections;
2018-04-09T16:31:26.158+0800 E QUERY [thread1] Error: listCollections failed: {
"ok" : 0,
"errmsg" : "not authorized on admin to execute command { listCollections: 1.0, filter: {},
账户认证后状态
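# Authenticate against the admin db.
# -p without a value makes the mongo shell prompt for the password, so it is
# neither recorded in shell history nor visible to other users via `ps`
# (the original passed it on the command line).
# NOTE(review): the password literal in the original command differs from the
# pwd given to createUser above; confirm which one is current.
mongo IP:20000/admin -u rootadmin -p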
mongos> show collections;
system.indexes
system.users
system.version