Deploy Sharded Cluster with Keyfile Authentication


Overview

Enforcing access control on a sharded cluster requires configuring:

For this tutorial, each member of the sharded cluster must use the same internal authentication mechanism and settings. This means enforcing internal authentication on each mongos and mongod in the cluster.

The following tutorial uses a keyfile to enable internal authentication.

Enforcing internal authentication also enforces user access control. To connect to the replica set, clients like mongosh need to use a user account. See Access Control.

Cloud Manager and Ops Manager

If you are using Cloud Manager or Ops Manager to manage your deployment, see the respective Cloud Manager manual or the Ops Manager manual to enforce authentication.

Considerations

Important

To avoid configuration updates due to IP address changes, use DNS hostnames instead of IP addresses. It is particularly important to use a DNS hostname instead of an IP address when configuring replica set members or sharded cluster members.

Use hostnames instead of IP addresses to configure clusters across a split network horizon. Starting in MongoDB 5.0, nodes that are only configured with an IP address will fail startup validation and will not start.

IP Binding

Changed in version 3.6.

Starting with MongoDB 3.6, MongoDB binaries, mongod and mongos, bind to localhost by default. From MongoDB versions 2.6 to 3.4, only the binaries from the official MongoDB RPM (Red Hat, CentOS, Fedora Linux, and derivatives) and DEB (Debian, Ubuntu, and derivatives) packages would bind to localhost by default. To learn more about this change, see Localhost Binding Compatibility Changes.

Keyfile Security

Keyfiles are bare-minimum forms of security and are best suited for testing or development environments. For production environments we recommend using x.509 certificates.

Access Control

This tutorial covers creating the minimum number of administrative users on the admin database only. For the user authentication, the tutorial uses the default SCRAM authentication mechanism. Challenge-response security mechanisms are best suited for testing or development environments. For production environments, we recommend using x.509 certificates or LDAP Proxy Authentication (available for MongoDB Enterprise only) or Kerberos Authentication (available for MongoDB Enterprise only).

For details on creating users for a specific authentication mechanism, refer to the specific authentication mechanism pages.

See Configure Role-Based Access Control for best practices for user creation and management.

Users

In general, to create users for a sharded cluster, connect to the mongos and add the sharded cluster users.

However, some maintenance operations require direct connections to specific shards in a sharded cluster. To perform these operations, you must connect directly to the shard and authenticate as a shard-local administrative user.

Shard-local users exist only in the specific shard and should only be used for shard-specific maintenance and configuration. You cannot connect to the mongos with shard-local users.

This tutorial requires creating sharded cluster users, but includes optional steps for adding shard-local users.

See the Users security documentation for more information.

Operating System

This tutorial uses the mongod and mongos programs. Windows users should use the mongod.exe and mongos.exe programs instead.

Deploy Sharded Cluster with Keyfile Access Control

The following procedures involve creating a new sharded cluster that consists of a mongos, the config servers, and two shards.

Important

To avoid configuration updates due to IP address changes, use DNS hostnames instead of IP addresses. It is particularly important to use a DNS hostname instead of an IP address when configuring replica set members or sharded cluster members.

Use hostnames instead of IP addresses to configure clusters across a split network horizon. Starting in MongoDB 5.0, nodes that are only configured with an IP address will fail startup validation and will not start.

Create the Keyfile

With keyfile authentication, each mongod or mongos instance in the sharded cluster uses the contents of the keyfile as the shared password for authenticating other members in the deployment. Only mongod or mongos instances with the correct keyfile can join the sharded cluster.

Note

Starting in MongoDB 4.2, keyfiles for internal membership authentication use YAML format to allow for multiple keys in a keyfile. The YAML format accepts content of:

  • a single key string (same as in earlier versions),
  • multiple key strings (each string must be enclosed in quotes), or
  • a sequence of key strings.

The YAML format is compatible with the existing single-key keyfiles that use the text file format.

A key's length must be between 6 and 1024 characters and may only contain characters in the base64 set. All members of the sharded cluster must share at least one common key.

Note

On UNIX systems, the keyfile must not have group or world permissions. On Windows systems, keyfile permissions are not checked.

You can generate a keyfile using any method you choose. For example, the following operation uses openssl to generate a complex pseudo-random 1024-character string to use as a shared password. It then uses chmod to change file permissions to provide read permissions for the file owner only:

openssl rand -base64 756 > <path-to-keyfile>
chmod 400 <path-to-keyfile>

See Keyfiles for additional details and requirements for using keyfiles.

Distribute the Keyfile

Copy the keyfile to each server hosting the sharded cluster members. Ensure that the user running the mongod or mongos instances is the owner of the file and can access the keyfile.

Avoid storing the keyfile on storage mediums that can be easily disconnected from the hardware hosting the mongod or mongos instances, such as a USB drive or a network attached storage device.

Create the Config Server Replica Set

The following steps deploy a config server replica set.

For a production deployment, deploy a config server replica set with at least three members. For testing purposes, you can create a single-member replica set.

1

Start each mongod in the config server replica set. Include the keyFile setting. The keyFile setting enforces both Internal/Membership Authentication and Role-Based Access Control.

You can specify the mongod settings either via a configuration file or the command line.

Configuration File

If using a configuration file, set security.keyFile to the keyfile's path, sharding.clusterRole to configsvr, and replication.replSetName to the desired name of the config server replica set.
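Before copying the keyfile to the cluster hosts, it is worth confirming that it actually meets the requirements above: every key between 6 and 1024 base64 characters, and no group or world permission bits on UNIX. The following POSIX shell script is an added example and is not part of the MongoDB manual; its functions (keyfile_keys, check_keyfile, write_sample_keyfiles) and the sample keyfiles are constructed for illustration, and it handles both the legacy single-key text format and the 4.2+ YAML sequence format.

```shell
#!/bin/sh
# Added example (not from the MongoDB manual): validate a keyfile before it is
# distributed to the config servers, shards and mongos instances.
# Requirements checked, as stated in the tutorial:
#   - each key is 6..1024 characters long and uses only the base64 alphabet
#   - on UNIX the file has no group or world permission bits
# Handles the legacy text format (whole file = one key, whitespace stripped)
# and the 4.2+ YAML sequence format (one "- key" item per line).

# Print the keys the file contains, one per line.
keyfile_keys() {
  if grep -q '^[[:space:]]*-' "$1"; then
    # YAML sequence: strip the "- " marker, surrounding quotes and whitespace.
    sed -n 's/^[[:space:]]*-[[:space:]]*//p' "$1" | tr -d ' \t\r"'"'"
  else
    # Text format: all whitespace (including newlines) is removed, one key.
    tr -d ' \t\r\n' < "$1"
    echo
  fi
}

# Return 0 when the file holds at least one key and every key is valid.
keyfile_keys_ok() {
  count=0
  for key in $(keyfile_keys "$1"); do
    count=$((count + 1))
    len=${#key}
    if [ "$len" -lt 6 ] || [ "$len" -gt 1024 ]; then
      echo "key $count: length $len is outside 6..1024" >&2
      return 1
    fi
    # Reject anything outside A-Z a-z 0-9 + / = (LC_ALL=C keeps ranges ASCII).
    if printf '%s' "$key" | LC_ALL=C grep -q '[^A-Za-z0-9+/=]'; then
      echo "key $count: contains characters outside the base64 set" >&2
      return 1
    fi
  done
  [ "$count" -gt 0 ]
}

# Return 0 when the group and other permission bits are all clear.
keyfile_perms_ok() {
  # Columns 5-10 of "ls -l" output are the group and other rwx bits.
  bits=$(ls -ld "$1" | cut -c5-10)
  [ "$bits" = "------" ]
}

# Combined check: permissions first, then key content.
check_keyfile() {
  if ! keyfile_perms_ok "$1"; then
    echo "$1: keyfile has group or world permissions" >&2
    return 1
  fi
  keyfile_keys_ok "$1"
}

# Constructed sample keyfiles (illustrative strings, not real cluster keys).
write_sample_keyfiles() {
  dir=$1
  # Legacy text format spread over two lines, owner read-only (chmod 400).
  printf '%s\n%s\n' 'QWJjZGVmZ2hpamtsbW5vcHFyc3R1dnd4eXowMTIzNDU2Nzg5' \
                    'R0hJSktMTU5PUFFSU1RVVldYWVowMTIzNDU2Nzg5YWJjZGVm' > "$dir/good.key"
  chmod 400 "$dir/good.key"
  # 4.2+ YAML sequence with a quoted and an unquoted key.
  printf '%s\n%s\n' '- "QWJjZGVmZ2hpamtsbW5vcHFyc3R1dnd4eXo="' \
                    '- MDEyMzQ1Njc4OUFCQ0RFRkdISUpLTE1OT1A=' > "$dir/multi.key"
  chmod 600 "$dir/multi.key"
  # Too short to be accepted.
  printf 'abc\n' > "$dir/short.key"
  chmod 400 "$dir/short.key"
  # Characters outside the base64 set.
  printf 'not a valid key!\n' > "$dir/badchars.key"
  chmod 400 "$dir/badchars.key"
  # Valid content but readable by group and world.
  cp "$dir/good.key" "$dir/leaky.key"
  chmod 644 "$dir/leaky.key"
}

# Demo: run the check over the samples (good and multi pass, the rest fail).
demo_dir=$(mktemp -d)
write_sample_keyfiles "$demo_dir"
for name in good multi short badchars leaky; do
  if check_keyfile "$demo_dir/$name.key" 2>/dev/null; then
    echo "$name.key: ok"
  else
    echo "$name.key: rejected"
  fi
done
rm -rf "$demo_dir"
```

To check a real keyfile, source the script and call check_keyfile with its path; a non-zero exit and a message on stderr tell you which requirement failed.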

security:
  keyFile: <path-to-keyfile>
sharding:
  clusterRole: configsvr
replication:
  replSetName: <setname>

Include additional options as required for your configuration. For instance, if you wish remote clients to connect to your deployment or your deployment members are run on different hosts, specify the net.bindIp setting. For more information, see Localhost Binding Compatibility Changes.

Start the mongod specifying the --config option and the path to the configuration file.

mongod --config <path-to-config-file>

Command Line

If using the command line parameters, start the mongod with the --keyFile, --configsvr, and --replSet parameters.

mongod --keyFile <path-to-keyfile> --configsvr --replSet <setname> --dbpath <path>

Include additional options as required for your configuration. For instance, if you wish remote clients to connect to your deployment or your deployment members are run on different hosts, specify the --bind_ip. For more information, see Localhost Binding Compatibility Changes.

2

Connect to a member of the replica set over the localhost interface.

Connect mongosh to one of the mongod instances over the localhost interface. You must run mongosh on the same physical machine as the mongod instance.

The localhost interface is only available since no users have been created for the deployment. The localhost interface closes after the creation of the first user.

3

The rs.initiate() method initiates the replica set and can take an optional replica set configuration document. In the replica set configuration document, include:

  • The _id. The _id must match the --replSet parameter passed to the mongod.
  • The members field. The members field is an array and requires a document per each member of the replica set.
  • The configsvr field. The configsvr field must be set to true for the config server replica set.

See Replica Set Configuration for more information on replica set configuration documents.

Initiate the replica set using the rs.initiate() method and a configuration document:

rs.initiate(
  {
    _id: "myReplSet",
    configsvr: true,
    members: [
      { _id : 0, host : "cfg1.example.net:27019" },
      { _id : 1, host : "cfg2.example.net:27019" },
      { _id : 2, host : "cfg3.example.net:27019" }
    ]
  }
)

Once the config server replica set (CSRS) is initiated and up, proceed to creating the shard replica sets.

Create the Shard Replica Sets

For a production deployment, use a replica set with at least three members. For testing purposes, you can create a single-member replica set.

These steps include optional procedures for adding shard-local users. Executing them now ensures that there are users available for each shard to perform shard-level maintenance.

1

Start each member of the replica set with access control enabled.

Running a mongod with the keyFile parameter enforces both Internal/Membership Authentication and Role-Based Access Control.

Start each mongod in the replica set using either a configuration file or the command line.

Configuration File

If using a configuration file, set the security.keyFile option to the keyfile's path, the replication.replSetName to the desired name of the replica set, and the sharding.clusterRole option to shardsvr.

security:
  keyFile: <path-to-keyfile>
sharding:
  clusterRole: shardsvr
replication:
  replSetName: <replSetName>
storage:
  dbPath: <path>

Include additional options as required for your configuration. For instance, if you wish remote clients to connect to your deployment or your deployment members are run on different hosts, specify the net.bindIp setting. For more information, see Localhost Binding Compatibility Changes.

Start the mongod specifying the --config option and the path to the configuration file.

mongod --config <path-to-config-file>

Command Line

If using the command line option, when starting the component, specify the --keyFile, --replSet, and --shardsvr parameters, as in the following example:

mongod --keyFile <path-to-keyfile> --shardsvr --replSet <replSetName>  --dbpath <path>

Include additional options as required for your configuration. For instance, if you wish remote clients to connect to your deployment or your deployment members are run on different hosts, specify the --bind_ip. For more information, see Localhost Binding Compatibility Changes.

2

Connect to a member of the replica set over the localhost interface.

Connect mongosh to one of the mongod instances over the localhost interface. You must run mongosh on the same physical machine as the mongod instance.

The localhost interface is only available since no users have been created for the deployment. The localhost interface closes after the creation of the first user.

3

Initiate the replica set.

From mongosh, run the rs.initiate() method.

rs.initiate() can take an optional replica set configuration document. In the replica set configuration document, include:

  • The _id field set to the replica set name specified in either the replication.replSetName or the --replSet option.
  • The members array with a document per each member of the replica set.

The following example initiates a three-member replica set.

rs.initiate(
  {
    _id : "myReplSet",
    members: [
      { _id : 0, host : "s1-mongo1.example.net:27018" },
      { _id : 1, host : "s1-mongo2.example.net:27018" },
      { _id : 2, host : "s1-mongo3.example.net:27018" }
    ]
  }
)

rs.initiate() triggers an election and elects one of the members to be the primary.

Connect to the primary before continuing. Use rs.status() to locate the primary member.

4

Create the shard-local user administrator (optional).

Important

After you create the first user, the localhost exception is no longer available.

The first user must have privileges to create other users, such as a user with the userAdminAnyDatabase role. This ensures that you can create additional users after the Localhost Exception closes.

If at least one user does not have privileges to create users, once the localhost exception closes you may be unable to create or modify users with new privileges, and therefore unable to access necessary operations.

Add a user using the db.createUser() method. The user should have at minimum the userAdminAnyDatabase role on the admin database.

You must be connected to the primary to create users.

The following example creates the user fred with the userAdminAnyDatabase role on the admin database.

Important

Passwords should be random, long, and complex to ensure system security and to prevent or delay malicious access.

Tip

Starting in version 4.2 of the mongo shell, you can use the passwordPrompt() method in conjunction with various user authentication/management methods/commands to prompt for the password instead of specifying the password directly in the method/command call. However, you can still specify the password directly as you would with earlier versions of the mongo shell.

admin = db.getSiblingDB("admin")
admin.createUser(
  {
    user: "fred",
    pwd: passwordPrompt(), // or cleartext password
    roles: [ { role: "userAdminAnyDatabase", db: "admin" } ]
  }
)

Enter the password when prompted. See Database User Roles for a full list of built-in roles related to database administration operations.

5

Authenticate as the shard-local user administrator (optional).

Authenticate to the admin database.

In mongosh, use db.auth() to authenticate. For example, the following authenticates as the user administrator fred:

Tip

Starting in version 4.2 of the mongo shell, you can use the passwordPrompt() method in conjunction with various user authentication/management methods/commands to prompt for the password instead of specifying the password directly in the method/command call. However, you can still specify the password directly as you would with earlier versions of the mongo shell.

db.getSiblingDB("admin").auth("fred", passwordPrompt()) // or cleartext password

Alternatively, connect a new mongosh instance to the primary replica set member using the -u <username>, -p <password>, and the --authenticationDatabase parameters.

mongosh -u "fred" -p  --authenticationDatabase "admin"

If you do not specify the password to the -p command-line option, mongosh prompts for the password.

6

Create the shard-local cluster administrator (optional).

The shard-local cluster administrator user has the clusterAdmin role, which provides privileges that allow access to replication operations.

For a full list of roles related to replica set operations see Cluster Administration Roles.

Create a cluster administrator user and assign the clusterAdmin role in the admin database:

Tip

Starting in version 4.2 of the mongo shell, you can use the passwordPrompt() method in conjunction with various user authentication/management methods/commands to prompt for the password instead of specifying the password directly in the method/command call. However, you can still specify the password directly as you would with earlier versions of the mongo shell.

db.getSiblingDB("admin").createUser(
  {
    "user" : "ravi",
    "pwd" : passwordPrompt(),
     // or cleartext password
    roles: [ { "role" : "clusterAdmin", "db" : "admin" } ]
  }
)

Enter the password when prompted.

See Cluster Administration Roles for a full list of built-in roles related to replica set and sharded cluster operations.

Connect a mongos to the Sharded Cluster

1

Connect a mongos to the cluster

Start a mongos specifying the keyfile using either a configuration file or a command line parameter.

Configuration File

If using a configuration file, set the security.keyFile to the keyfile's path and the sharding.configDB to the replica set name and at least one member of the replica set in <replSetName>/<host:port> format.

security:
  keyFile: <path-to-keyfile>
sharding:
  configDB: <configReplSetName>/cfg1.example.net:27019,cfg2.example.net:27019,...

Include additional options as required for your configuration. For instance, if you wish remote clients to connect to your deployment or your deployment members are run on different hosts, specify the net.bindIp setting. For more information, see Localhost Binding Compatibility Changes.

Start the mongos specifying the --config option and the path to the configuration file.

mongos --config <path-to-config>

Command Line

If using command line parameters, start the mongos and specify the --keyFile and --configdb parameters.

mongos --keyFile <path-to-keyfile> --configdb <configReplSetName>/cfg1.example.net:27019,cfg2.example.net:27019,...

Include additional options as required for your configuration. For instance, if you wish remote clients to connect to your deployment or your deployment members are run on different hosts, specify the --bind_ip. For more information, see Localhost Binding Compatibility Changes.

2

Connect to a mongos over the localhost interface.

Connect mongosh to one of the mongos instances over the localhost interface. You must run mongosh on the same physical machine as the mongos instance.

The localhost interface is only available since no users have been created for the deployment. The localhost interface closes after the creation of the first user.

3

Create the user administrator.

Important

After you create the first user, the localhost exception is no longer available.

The first user must have privileges to create other users, such as a user with the userAdminAnyDatabase role. This ensures that you can create additional users after the Localhost Exception closes.

If at least one user does not have privileges to create users, once the localhost exception closes you cannot create or modify users, and therefore may be unable to perform necessary operations.

Add a user using the db.createUser() method. The user should have at minimum the userAdminAnyDatabase role on the admin database.

Important

Passwords should be random, long, and complex to ensure system security and to prevent or delay malicious access.

The following example creates the user fred on the admin database:

Tip

Starting in version 4.2 of the mongo shell, you can use the passwordPrompt() method in conjunction with various user authentication/management methods/commands to prompt for the password instead of specifying the password directly in the method/command call. However, you can still specify the password directly as you would with earlier versions of the mongo shell.

admin = db.getSiblingDB("admin")
admin.createUser(
  {
    user: "fred",
    pwd:  passwordPrompt(),
     // or cleartext password
    roles: [ { role: "userAdminAnyDatabase", db: "admin" } ]
  }
)

See Database User Roles for a full list of built-in roles related to database administration operations.

4

Authenticate as the user administrator.

Use db.auth() to authenticate as the user administrator to create additional users:

Tip

Starting in version 4.2 of the mongo shell, you can use the passwordPrompt() method in conjunction with various user authentication/management methods/commands to prompt for the password instead of specifying the password directly in the method/command call. However, you can still specify the password directly as you would with earlier versions of the mongo shell.

db.getSiblingDB("admin").auth("fred", passwordPrompt()) // or cleartext password

Enter the password when prompted.

Alternatively, connect a new mongosh session to the target replica set member using the -u <username>, -p <password>, and the --authenticationDatabase "admin" parameters. You must use the Localhost Exception to connect to the mongos.

mongosh -u "fred" -p  --authenticationDatabase "admin"

If you do not specify the password to the -p command-line option, mongosh prompts for the password.

5

Create Administrative User for Cluster Management

The cluster administrator user has the clusterAdmin role, which grants access to replication and sharding operations.

Create a clusterAdmin user in the admin database.

The following example creates the user ravi on the admin database.

Important

Passwords should be random, long, and complex to ensure system security and to prevent or delay malicious access.

Tip

Starting in version 4.2 of the mongo shell, you can use the passwordPrompt() method in conjunction with various user authentication/management methods/commands to prompt for the password instead of specifying the password directly in the method/command call. However, you can still specify the password directly as you would with earlier versions of the mongo shell.

db.getSiblingDB("admin").createUser(
  {
    "user" : "ravi",
    "pwd" : passwordPrompt(),
     // or cleartext password
    roles: [ { "role" : "clusterAdmin", "db" : "admin" } ]
  }
)

See Cluster Administration Roles for a full list of built-in roles related to replica set and sharded cluster operations.

6

Create additional users (Optional).

Create users to allow clients to connect and access the sharded cluster. See Database User Roles for available built-in roles, such as read and readWrite. You may also want additional administrative users. For more information on users, see Users.

To create additional users, you must authenticate as a user with the userAdminAnyDatabase or userAdmin role.

Add Shards to the Cluster

To proceed, you must be connected to the mongos and authenticated as the cluster administrator user for the sharded cluster.

Note

This is the cluster administrator for the sharded cluster and not the shard-local cluster administrator.

To add each shard to the cluster, use the sh.addShard() method. If the shard is a replica set, specify the name of the replica set and specify a member of the set. In production deployments, all shards should be replica sets.

The following operation adds a single shard replica set to the cluster:

sh.addShard( "<replSetName>/s1-mongo1.example.net:27017")

The following operation is an example of adding a standalone mongod shard to the cluster:

sh.addShard( "s1-mongo1.example.net:27017")

Repeat these steps until the cluster includes all shards. At this point, the sharded cluster enforces access control for the cluster as well as for internal communications between each sharded cluster component.

Enable Sharding for a Database

To proceed, you must be connected to the mongos and authenticated as the cluster administrator user for the sharded cluster.

Note

This is the cluster administrator for the sharded cluster and not the shard-local cluster administrator.

Enabling sharding on a database makes it possible to shard collections within the database. Use the sh.enableSharding() method to enable sharding on the target database.

sh.enableSharding("<database>")

Shard a Collection

To proceed, you must be connected to the mongos and authenticated as the cluster administrator user for the sharded cluster.

Note

This is the cluster administrator for the sharded cluster and not the shard-local cluster administrator.

To shard a collection, use the sh.shardCollection() method. You must specify the full namespace of the collection and a document containing the shard key.

Your selection of shard key affects the efficiency of sharding, as well as your ability to take advantage of certain sharding features such as zones. See the selection considerations listed in Choose a Shard Key.

If the collection already contains data, you must create an index on the shard key using the db.collection.createIndex() method before using shardCollection().

If the collection is empty, MongoDB creates the index as part of sh.shardCollection().

The following is an example of the sh.shardCollection() method:

sh.shardCollection("<database>.<collection>", { <key> : <direction> } )

Next Steps

Create users to allow clients to connect to and interact with the sharded cluster.

See Database User Roles for basic built-in roles to use in creating read-only and read-write users.

x.509 Internal Authentication

For details on using x.509 for internal authentication, see Use x.509 Certificate for Membership Authentication.

To upgrade from keyfile internal authentication to x.509 internal authentication, see Upgrade from Keyfile Authentication to x.509 Authentication.
