Installing and configuring a MongoDB replica set on a single machine (database version: 4.x)

Official documentation:

https://docs.mongodb.com/manual/tutorial/deploy-replica-set-with-keyfile-access-control/#deploy-repl-set-with-auth

1. Create the keyfile. All members of the replica set must use the same keyfile, so copy it to every member.

openssl rand -base64 756 > <path-to-keyfile>

chmod 400 <path-to-keyfile>

Example: key/security.key:

avslWt007EL8g0/omOnclstP+2cgpu6YChkc4KCJOU5bVG...(omitted)

2. Enable access control on each member

security:
  keyFile: <path-to-keyfile>
replication:
  replSetName: <replicaSetName>
net:
  bindIp: localhost,<hostname(s)|ip address(es)>

Example: etc/mongod1.conf. Note: each colon must be followed by a space.

# mongod.conf

# for documentation of all options, see:
#   http://docs.mongodb.org/manual/reference/configuration-options/

# where to write logging data.
systemLog:
  destination: file
  logAppend: true
  path: /home/mongod/mongodb/log/mongod1.log

# Where and how to store data.
storage:
  dbPath: /home/mongod/mongodb/data/mongod1/
  journal:
    enabled: true
#  engine:
#  mmapv1:
#  wiredTiger:

# how the process runs
processManagement:
  fork: true  # fork and run in background
  pidFilePath: /var/run/mongodb/mongod1.pid  # location of pidfile
  timeZoneInfo: /usr/share/zoneinfo

# network interfaces
net:
  port: 27018
  bindIp: 127.0.0.1  # Enter 0.0.0.0,:: to bind to all IPv4 and IPv6 addresses or, alternatively, use the net.bindIpAll setting.

# keyFile privilege 400
security:
  authorization: enabled
  keyFile: /home/mongod/mongodb/key/security.key

#operationProfiling:

replication:
  replSetName: replTest

#sharding:

## Enterprise-Only Options

#auditLog:

#snmp:

3. Create the directories. The owner of the following directories must be set to mongod.

# ll
total 16
drwxr-xr-x 5 mongod mongod 4096 Nov 8 20:04 data
drwxr-xr-x 2 mongod mongod 4096 Nov 9 17:01 etc
drwxr-xr-x 2 mongod mongod 4096 Nov 8 19:58 key
drwxr-xr-x 2 mongod mongod 4096 Nov 9 11:02 log
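
A pre-start check for what steps 1 to 3 set up, as an added example that is not part of the original post or of MongoDB's tooling. The function names are hypothetical; the rules assumed are MongoDB's documented keyfile constraints (6 to 1024 base64 characters, no group or other permissions on UNIX), plus a stricter-than-required refusal of a bindIp that covers all interfaces.

```shell
# Added example: pre-start audit of one member's config and keyfile.
# Function names are illustrative, not MongoDB tooling.

file_mode() {   # octal permission bits; GNU stat first, BSD stat as fallback
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

conf_value() {  # conf_value FILE KEY: first uncommented value of KEY
    awk -v k="$2:" '$1 == k { sub(/#.*/, ""); print $2; exit }' "$1"
}

check_keyfile() {
    kf=$1
    [ -f "$kf" ] || { echo "FAIL: keyfile $kf not found" >&2; return 1; }
    case "$(file_mode "$kf")" in
        ?00) ;;   # owner-only, such as 400 or 600
        *) echo "FAIL: $kf is accessible to group/other" >&2; return 1 ;;
    esac
    key=$(tr -d '[:space:]' < "$kf")   # whitespace is not part of the key
    case "$key" in
        *[!A-Za-z0-9+/=]*) echo "FAIL: non-base64 data in $kf" >&2; return 1 ;;
    esac
    if [ "${#key}" -lt 6 ] || [ "${#key}" -gt 1024 ]; then
        echo "FAIL: key length ${#key} outside 6-1024" >&2; return 1
    fi
}

check_conf() {
    conf=$1
    [ -n "$(conf_value "$conf" replSetName)" ] ||
        { echo "FAIL: replication.replSetName missing" >&2; return 1; }
    case ",$(conf_value "$conf" bindIp)," in
        *,0.0.0.0,*|*,::,*)
            echo "FAIL: bindIp covers all interfaces" >&2; return 1 ;;
    esac
    kf=$(conf_value "$conf" keyFile)
    [ -n "$kf" ] || { echo "FAIL: security.keyFile missing" >&2; return 1; }
    check_keyfile "$kf"
}

# Demo on constructed files (sample key, not a real secret).
demo=$(mktemp -d)
printf 'Q29uc3RydWN0ZWRTYW1wbGVLZXk=\n' > "$demo/security.key"
chmod 400 "$demo/security.key"
printf 'net:\n  bindIp: 127.0.0.1  # loopback\nsecurity:\n  keyFile: %s\n' \
    "$demo/security.key" > "$demo/mongod1.conf"
printf 'replication:\n  replSetName: replTest\n' >> "$demo/mongod1.conf"
if check_conf "$demo/mongod1.conf"; then echo "OK: mongod1.conf"; fi
rm -rf "$demo"
```

Run check_conf against each member's file (mongod1.conf, mongod2.conf, mongod3.conf) as the mongod user, so that a keyfile the service account cannot read also shows up as a failure.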

4. Initialize the replica set. Replace the hostnames with your own domain name or IP address; in production, domain names are recommended.

rs.initiate({
    _id : <replicaSetName>,
    members: [
      { _id : 0, host : "mongo.example.net:27017" },
      { _id : 1, host : "mongo.example.net:27018" },
      { _id : 2, host : "mongo.example.net:27019" }
    ]
  }
)

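5. Connect to the primary node and create an administrator user with the userAdminAnyDatabase role in the admin database. Use rs.status() to find out which node is the primary.

db.createUser(
  {
    user: "replTest",
    pwd: "replTest",  // sample value; use a strong password
    roles: [ { role: "userAdminAnyDatabase", db: "admin" } ]
  }
)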

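6. Log in to the primary with the admin database user and create the cluster administrator account.

mongo 127.0.0.1:27018/admin -u replTest -p    (assuming this node is the primary)

db.createUser(
  {
    "user" : "cluster",
    "pwd" : "cluster",  // sample value; use a strong password
    roles: [ { "role" : "clusterAdmin", "db" : "admin" } ]
  }
)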

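7. Create an ordinary database user for working with the database.

mongo 127.0.0.1:27018/admin -u replTest -p

use business;

db.createUser( {
  "user": "test",
  "pwd": "test",  // sample value; use a strong password
  "roles": [
    { role: "dbOwner", "db": "reset" },
    { role: "readWrite", db: "reset" }
  ]
} )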

8. Create the startup service scripts in /etc/init.d/ and point CONFIGFILE="/etc/mongod.conf" at the configuration path from step 2.

/etc/init.d/mongod1 (likewise /etc/init.d/mongod2 and /etc/init.d/mongod3)

#!/bin/bash

# mongod - Startup script for mongod

# chkconfig: 35 85 15
# description: Mongo is a scalable, document-oriented database.
# processname: mongod
# config: /etc/mongod.conf

. /etc/rc.d/init.d/functions

# NOTE: if you change any OPTIONS here, you get what you pay for:
# this script assumes all options are in the config file.
CONFIGFILE="/etc/mongod.conf"
OPTIONS=" -f $CONFIGFILE"

mongod=${MONGOD-/usr/bin/mongod}

MONGO_USER=mongod
MONGO_GROUP=mongod

# All variables set before this point can be overridden by users, by
# setting them directly in the SYSCONFIG file. Use this to explicitly
# override these values, at your own risk.
SYSCONFIG="/etc/sysconfig/mongod"
if [ -f "$SYSCONFIG" ]; then
    . "$SYSCONFIG"
fi

# Handle NUMA access to CPUs (SERVER-3574)
# This verifies the existence of numactl as well as testing that the command works
NUMACTL_ARGS="--interleave=all"
if which numactl >/dev/null 2>/dev/null && numactl $NUMACTL_ARGS ls / >/dev/null 2>/dev/null
then
    NUMACTL="numactl $NUMACTL_ARGS"
else
    NUMACTL=""
fi

# things from mongod.conf get there by mongod reading it
PIDFILEPATH="`awk -F'[:=]' -v IGNORECASE=1 '/^[[:blank:]]*(processManagement\.)?pidfilepath[[:blank:]]*[:=][[:blank:]]*/{print $2}' \"$CONFIGFILE\" | tr -d \"[:blank:]\\"'\" | awk -F'#' '{print $1}'`"
PIDDIR=`dirname $PIDFILEPATH`

start()
{
  # Make sure the default pidfile directory exists
  if [ ! -d $PIDDIR ]; then
    install -d -m 0755 -o $MONGO_USER -g $MONGO_GROUP $PIDDIR
  fi

  # Make sure the pidfile does not exist
  if [ -f "$PIDFILEPATH" ]; then
      echo "Error starting mongod. $PIDFILEPATH exists."
      RETVAL=1
      return
  fi

  # Recommended ulimit values for mongod or mongos
  # See http://docs.mongodb.org/manual/reference/ulimit/#recommended-settings
  #
  ulimit -f unlimited
  ulimit -t unlimited
  ulimit -v unlimited
  ulimit -n 64000
  ulimit -m unlimited
  ulimit -u 64000
  ulimit -l unlimited

  echo -n $"Starting mongod: "
  daemon --user "$MONGO_USER" --check $mongod "$NUMACTL $mongod $OPTIONS >/dev/null 2>&1"
  RETVAL=$?
  echo
  [ $RETVAL -eq 0 ] && touch /var/lock/subsys/mongod
}

stop()
{
  echo -n $"Stopping mongod: "
  mongo_killproc "$PIDFILEPATH" $mongod
  RETVAL=$?
  echo
  [ $RETVAL -eq 0 ] && rm -f /var/lock/subsys/mongod
}

restart () {
        stop
        start
}

# Send TERM signal to process and wait up to 300 seconds for process to go away.
# If process is still alive after 300 seconds, send KILL signal.
# Built-in killproc() (found in /etc/init.d/functions) is on certain versions of Linux
# where it sleeps for the full $delay seconds if process does not respond fast enough to
# the initial TERM signal.
mongo_killproc()
{
  local pid_file=$1
  local procname=$2
  local -i delay=300
  local -i duration=10
  local pid=`pidofproc -p "${pid_file}" ${procname}`

  kill -TERM $pid >/dev/null 2>&1
  usleep 100000
  local -i x=0
  while [ $x -le $delay ] && checkpid $pid; do
    sleep $duration
    x=$(( $x + $duration))
  done

  kill -KILL $pid >/dev/null 2>&1
  usleep 100000

  checkpid $pid # returns 0 only if the process exists
  local RC=$?
  [ "$RC" -eq 0 ] && failure "${procname} shutdown" || rm -f "${pid_file}"; success "${procname} shutdown"
  RC=$((! $RC)) # invert return code so we return 0 when process is dead.
  return $RC
}

RETVAL=0

case "$1" in
  start)
    start
    ;;
  stop)
    stop
    ;;
  restart|reload|force-reload)
    restart
    ;;
  condrestart)
    [ -f /var/lock/subsys/mongod ] && restart || :
    ;;
  status)
    status $mongod
    RETVAL=$?
    ;;
  *)
    echo "Usage: $0 {start|stop|status|restart|reload|force-reload|condrestart}"
    RETVAL=1
esac

exit $RETVAL

9. Errors when running find and similar commands on a secondary node

rs.slaveOk();

10. Write concern configuration: to be added.

Reposted from www.cnblogs.com/migrantworkers/p/9936144.html