MongoDB parameter explained: enableLocalhostAuthBypass

Copyright notice: https://blog.csdn.net/qq_35209838/article/details/85108525

Today I ran into a problem while setting up a MongoDB 3.4 replica set. After starting the three MongoDB instances (processes), the replica set has to be initialized so that the three independent instances are joined into one replica set.

Connecting to the mongo shell using the server's actual IP:port and running the initialization produced an error:

"errmsg" : "not authorized on admin to execute command

mongo 10.238.162.33:27017
> cfg={_id:'rs01',version:1,members:[{_id:0,host:'10.238.162.33:27017'},{_id:1,host:'10.238.162.33:27018'},{_id:2,host:'10.238.162.33:27019',arbiterOnly:true}]};
{
	"_id" : "rs01",
	"version" : 1,
	"members" : [
		{
			"_id" : 0,
			"host" : "10.238.162.33:27017"
		},
		{
			"_id" : 1,
			"host" : "10.238.162.33:27018"
		},
		{
			"_id" : 2,
			"host" : "10.238.162.33:27019",
			"arbiterOnly" : true
		}
	]
}
> rs.initiate(cfg);
{
	"ok" : 0,
	"errmsg" : "not authorized on admin to execute command { replSetInitiate: { _id: \"rs01\", version: 1.0, members: [ { _id: 0.0, host: \"10.238.162.33:27017\" }, { _id: 1.0, host: \"10.238.162.33:27018\" }, { _id: 2.0, host: \"10.238.162.33:27019\", arbiterOnly: true } ] } }",
	"code" : 13,
	"codeName" : "Unauthorized"
}

No permission to run the command. So I tried to add a superuser account:

> use admin;
switched to db admin
> db.createUser(
...   {
...     user: "admin",
...     pwd: "admin",
...     roles: [ { role: "root", db: "admin" } ]
...   }
... );
2018-12-19T21:58:46.366+0800 E QUERY    [thread1] Error: couldn't add user: not authorized on admin to execute command { createUser: "admin", pwd: "xxx", roles: [ { role: "root", db: "admin" } ], digestPassword: false, writeConcern: { w: "majority", wtimeout: 600000.0 } } :
_getErrorWithCode@src/mongo/shell/utils.js:25:13
DB.prototype.createUser@src/mongo/shell/db.js:1292:15
@(shell):1:1

Because the MongoDB configuration file uses keyFile authentication, access control is enabled for the replica set by default. So how do we get around this? Do I really have to comment out the #keyFile= parameter, initialize the replica set, create the user, and then turn keyFile back on? That is far too much hassle.

No worries: enableLocalhostAuthBypass can solve this for you.


Looking at the MongoDB configuration file, it contains the parameter:

setParameter=enableLocalhostAuthBypass=1

What does this parameter mean? See the official documentation's explanation:

https://docs.mongodb.com/v3.4/core/security-users/#localhost-exception

Localhost Exception
The localhost exception allows you to enable access control and then create the first user in the system. With the localhost exception, after you enable access control, connect to the localhost interface and create the first user in the admin database. The first user must have privileges to create other users, such as a user with the userAdmin or userAdminAnyDatabase role.


My own understanding:

The localhost exception means that creating the first user over a local connection to MongoDB is not restricted by access control. "Local" here means connecting to the shell with mongo 127.0.0.1:27017 or with plain mongo.

How to use the parameter

enableLocalhostAuthBypass
Available for both mongod and mongos.

Specify 0 or false to disable localhost authentication bypass. Enabled by default.

enableLocalhostAuthBypass is not available using setParameter database command. Use the setParameter option in the configuration file or the --setParameter option on the command line.

In the configuration file it is set in the format: setParameter=enableLocalhostAuthBypass=1
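A small audit of the legacy key=value mongod configuration format this post uses, added here as an example (not code from the original post or from MongoDB). It reports whether access control is on (keyFile or auth=true) and whether the localhost bypass is still enabled; the sample config is constructed. The bypass only applies while no user exists yet, so once the first user is created it is worth setting the parameter to 0 explicitly.

```python
"""Audit a legacy INI-style mongod config for the localhost auth bypass."""

# Constructed sample of the key=value config style shown in this post.
SAMPLE_INI_CONFIG = """\
dbpath=/data/mongodb27017
replSet=rs01
keyFile=/data/mongodb/keyfile   # keyFile implies access control
setParameter=enableLocalhostAuthBypass=1
"""

FALSE_VALUES = {"0", "false"}


def parse_ini_config(text):
    """Parse 'key=value' lines into a dict; setParameter may repeat, so its
    name=value pairs are collected in a nested dict. '#' starts a comment."""
    settings = {"setParameter": {}}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if key == "setParameter" and "=" in value:
            pname, pvalue = (part.strip() for part in value.split("=", 1))
            settings["setParameter"][pname] = pvalue
        else:
            settings[key] = value
    return settings


def localhost_bypass_enabled(settings):
    """The bypass is on unless explicitly set to 0/false (the mongod default)."""
    value = settings["setParameter"].get("enableLocalhostAuthBypass", "1")
    return value.lower() not in FALSE_VALUES


def audit(text):
    """Return the access-control facts a reviewer wants plus any findings."""
    settings = parse_ini_config(text)
    auth_on = "keyFile" in settings or settings.get("auth", "").lower() == "true"
    bypass = localhost_bypass_enabled(settings)
    findings = []
    if not auth_on:
        findings.append("access control is not enabled (no keyFile/auth)")
    if bypass:
        findings.append("localhost bypass enabled: set it to 0 after the first user exists")
    return {"access_control": auth_on, "localhost_bypass": bypass,
            "replSet": settings.get("replSet"), "findings": findings}
```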


Now that we understand the parameter, we can use this feature to initialize the replica set. Connect to the database with mongo 127.0.0.1:27017:

# mongo 127.0.0.1:27017
MongoDB shell version v3.4.18
connecting to: mongodb://127.0.0.1:27017/test
MongoDB server version: 3.4.18

or

# mongo
MongoDB shell version v3.4.18
connecting to: mongodb://127.0.0.1:27017
MongoDB server version: 3.4.18

Initialize the replica set; once it succeeds, the prompt changes from rs01:SECONDARY> to rs01:PRIMARY>.

[root@localhost mongodb27017]# mongo
MongoDB shell version v3.4.18
connecting to: mongodb://127.0.0.1:27017
MongoDB server version: 3.4.18
> cfg={_id:'rs01',version:1,members:[{_id:0,host:'10.238.162.33:27017'},{_id:1,host:'10.238.162.33:27018'},{_id:2,host:'10.238.162.33:27019',arbiterOnly:true}]};
{
	"_id" : "rs01",
	"version" : 1,
	"members" : [
		{
			"_id" : 0,
			"host" : "10.238.162.33:27017"
		},
		{
			"_id" : 1,
			"host" : "10.238.162.33:27018"
		},
		{
			"_id" : 2,
			"host" : "10.238.162.33:27019",
			"arbiterOnly" : true
		}
	]
}
> rs.initiate(cfg);
{ "ok" : 1 }

Create the user:

rs01:PRIMARY> use admin;
switched to db admin
rs01:PRIMARY> 
rs01:PRIMARY> db.createUser({user:"admin",pwd:"admin",roles: [{ role: "root", db: "admin" }]});
Successfully added user: {
	"user" : "admin",
	"roles" : [
		{
			"role" : "root",
			"db" : "admin"
		}
	]
}

This avoids the hassle, when building a MongoDB replica set with the keyFile parameter enabled, of having to edit the configuration file and restart the mongo instances after initialization.
