Enforcing access control on a sharded cluster requires configuring:
For this tutorial, each member of the sharded cluster must use the same internal authentication mechanism and settings. This means enforcing internal authentication on each mongos
and mongod
in the cluster.
The following tutorial uses a keyfile to enable internal authentication.
Enforcing internal authentication also enforces user access control. To connect to the replica set, clients like mongosh need to use a user account. See Access Control.
If Cloud Manager or Ops Manager is managing your deployment, internal authentication is automatically enforced.
To configure Access Control on a managed deployment, see Configure Access Control for MongoDB Deployments in the Cloud Manager manual or in the Ops Manager manual.
To avoid configuration updates due to IP address changes, use DNS hostnames instead of IP addresses. It is particularly important to use a DNS hostname instead of an IP address when configuring replica set members or sharded cluster members.
Use hostnames instead of IP addresses to configure clusters across a split network horizon. Starting in MongoDB 5.0, nodes that are only configured with an IP address will fail startup validation and will not start.
Changed in version 3.6.在版本3.6中更改。
Starting with MongoDB 3.6, the MongoDB binaries, mongod and mongos, bind to localhost by default. From MongoDB versions 2.6 to 3.4, only the binaries from the official MongoDB RPM (Red Hat, CentOS, Fedora Linux, and derivatives) and DEB (Debian, Ubuntu, and derivatives) packages would bind to localhost by default. To learn more about this change, see Localhost Binding Compatibility Changes.
This tutorial primarily refers to the mongod process. Windows users should use the mongod.exe program instead.
Keyfiles are bare-minimum forms of security and are best suited for testing or development environments. For production environments we recommend using x.509 certificates.
This tutorial covers creating the minimum number of administrative users on the admin database only. For user authentication, the tutorial uses the default SCRAM authentication mechanism. Challenge-response security mechanisms are best suited for testing or development environments. For production environments, we recommend using x.509 certificates, LDAP Proxy Authentication (available for MongoDB Enterprise only), or Kerberos Authentication (available for MongoDB Enterprise only).
For details on creating users for a specific authentication mechanism, refer to the specific authentication mechanism pages.
See Configure Role-Based Access Control for best practices for user creation and management.
In general, to create users for a sharded cluster, connect to the mongos and add the sharded cluster users.
However, some maintenance operations require direct connections to specific shards in a sharded cluster. To perform these operations, you must connect directly to the shard and authenticate as a shard-local administrative user.
Shard-local users exist only in the specific shard and should only be used for shard-specific maintenance and configuration. You cannot connect to the mongos with shard-local users.
See the Users security documentation for more information.
Upgrading a sharded cluster to enforce access control requires downtime.
With keyfile authentication, each mongod or mongos instance in the sharded cluster uses the contents of the keyfile as the shared password for authenticating other members in the deployment. Only mongod or mongos instances with the correct keyfile can join the sharded cluster.
Starting in MongoDB 4.2, keyfiles for internal membership authentication use YAML format to allow for multiple keys in a keyfile. The YAML format accepts content of:
The YAML format is compatible with the existing single-key keyfiles that use the text file format.
A key's length must be between 6 and 1024 characters and may only contain characters in the base64 set. All members of the sharded cluster must share at least one common key.
On UNIX systems, the keyfile must not have group or world permissions. On Windows systems, keyfile permissions are not checked.
You can generate a keyfile using any method you choose. For example, the following operation uses openssl to generate a complex pseudo-random 1024 character string to use as a shared password. It then uses chmod to change file permissions to provide read permissions for the file owner only:

```sh
openssl rand -base64 756 > <path-to-keyfile>
chmod 400 <path-to-keyfile>
```
See Keyfiles for additional details and requirements for using keyfiles.
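The keyfile rules above (key length, base64 character set, UNIX permissions, and at least one key shared by every member) as a small pre-flight validator. This is an added example, not code from the MongoDB documentation or from the server; its reading of the keyfile format (a YAML sequence of "- key" lines, or one bare key with whitespace ignored) is a simplified assumption, and generate_keyfile() mirrors the openssl and chmod commands shown above.

```python
import base64
import os
import re
import secrets
import stat

# Constraints stated above: 6..1024 chars, base64 alphabet only, no group or
# world permission bits on UNIX, and every member shares at least one key.
BASE64_KEY = re.compile(r"^[A-Za-z0-9+/=]+$")
MIN_LEN, MAX_LEN = 6, 1024

def parse_keys(text):
    """Keys in a keyfile body. Simplified reading of the format (assumption):
    a YAML sequence of '- key' lines, or one bare key with whitespace ignored."""
    items = [ln.strip()[2:].strip().strip("\"'")
             for ln in text.splitlines() if ln.strip().startswith("- ")]
    if items:
        return items
    single = "".join(text.split())
    return [single] if single else []

def key_problems(key):
    """Rules a single key violates; an empty list means the key is acceptable."""
    problems = []
    if not MIN_LEN <= len(key) <= MAX_LEN:
        problems.append(f"length {len(key)} outside {MIN_LEN}..{MAX_LEN}")
    if not BASE64_KEY.match(key):
        problems.append("contains characters outside the base64 set")
    return problems

def mode_problems(mode):
    """UNIX rule: the keyfile must not grant group or world permissions."""
    return [f"mode {mode:04o} grants group/world access"] if mode & 0o077 else []

def check_keyfile(path):
    """Validate one member's keyfile on disk; returns (keys, problems)."""
    with open(path) as fh:
        keys = parse_keys(fh.read())
    problems = []
    if os.name == "posix":  # permissions are not checked on Windows
        problems += mode_problems(stat.S_IMODE(os.stat(path).st_mode))
    if not keys:
        problems.append("no key found")
    for i, key in enumerate(keys):
        problems += [f"key {i}: {p}" for p in key_problems(key)]
    return keys, problems

def members_share_key(member_keys):
    """True when all members' key lists have at least one key in common."""
    return bool(member_keys) and bool(set.intersection(*map(set, member_keys)))

def generate_keyfile(path, nbytes=756):
    """Python equivalent of 'openssl rand -base64 756 > f' and 'chmod 400 f'.
    Returns the problem list from check_keyfile(), empty for a good keyfile."""
    with open(path, "w") as fh:
        fh.write(base64.encodebytes(secrets.token_bytes(nbytes)).decode())
    os.chmod(path, 0o400)
    return check_keyfile(path)[1]
```

Run check_keyfile() on each member's copy and feed the returned key lists to members_share_key() before restarting the cluster; a rotation that leaves one member without a shared key is caught here rather than at startup.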
Every server hosting a mongod or mongos component of the sharded cluster must contain a copy of the keyfile.
Copy the keyfile to each server hosting the sharded cluster members. Ensure that the user running the mongod or mongos instances is the owner of the file and can access the keyfile.
Avoid storing the keyfile on storage mediums that can be easily disconnected from the hardware hosting the mongod or mongos instances, such as a USB drive or a network attached storage device.
Disable the balancer:

```javascript
sh.stopBalancer()
```
The balancer may not stop immediately if a migration is in progress. The sh.stopBalancer() method blocks the shell until the balancer stops.
Starting in MongoDB 4.2, sh.stopBalancer() also disables auto-splitting for the sharded cluster.
Use sh.getBalancerState() to verify that the balancer has stopped.

```javascript
sh.getBalancerState()
```
See Manage Sharded Cluster Balancer for tutorials on configuring sharded cluster balancer behavior.
Shut down the mongos instances for the sharded cluster. Connect mongosh to each mongos and shut them down.
Use the db.shutdownServer() method on the admin database to safely shut down the mongos:

```javascript
db.getSiblingDB("admin").shutdownServer()
```
Repeat until all mongos instances in the cluster are offline.
Once this step is complete, all mongos instances in the cluster should be offline.
Shut down the config server mongod instances. Connect mongosh to each mongod in the config server deployment and shut them down.
For replica set config server deployments, shut down the primary member last.
Use the db.shutdownServer() method on the admin database to safely shut down the mongod:

```javascript
db.getSiblingDB("admin").shutdownServer()
```
Repeat until all config servers are offline.
Shut down the shard mongod instances. For each shard replica set, connect mongosh to each mongod member in the replica set and shut them down. Shut down the primary member last.
Use the db.shutdownServer() method on the admin database to safely shut down the mongod:

```javascript
db.getSiblingDB("admin").shutdownServer()
```
Repeat this step for each shard replica set until all mongod instances in all shard replica sets are offline.
Once this step is complete, the entire sharded cluster should be offline.
Start each mongod in the config server replica set. Include the keyFile setting. The keyFile setting enforces both Internal/Membership Authentication and Role-Based Access Control.
You can specify the mongod settings either via a configuration file or the command line.
Configuration File
If using a configuration file, for a config server replica set, set security.keyFile to the keyfile's path, sharding.clusterRole to configsvr, and replication.replSetName to the name of the config server replica set.

```yaml
security:
  keyFile: <path-to-keyfile>
sharding:
  clusterRole: configsvr
replication:
  replSetName: <setname>
storage:
  dbPath: <path>
```
Include additional options as required for your configuration. For instance, if you wish remote clients to connect to your deployment or your deployment members are run on different hosts, specify the net.bindIp setting. For more information, see Localhost Binding Compatibility Changes.
Start the mongod specifying the --config option and the path to the configuration file.

```sh
mongod --config <path-to-config>
```
Command Line
If using the command line parameters, for a config server replica set, start the mongod with the --keyFile, --configsvr, and --replSet parameters.

```sh
mongod --keyFile <path-to-keyfile> --configsvr --replSet <setname> --dbpath <path>
```
Include additional options as required for your configuration. For instance, if you wish remote clients to connect to your deployment or your deployment members are run on different hosts, specify --bind_ip. For more information, see Localhost Binding Compatibility Changes.
For more information on command line options, see the mongod reference page.
Make sure to use the original replica set name when restarting each member. You cannot change the name of a replica set.
Running a mongod with the keyFile parameter enforces both Internal/Membership Authentication and Role-Based Access Control.
Start each mongod in the replica set using either a configuration file or the command line.
Configuration File
If using a configuration file, set the security.keyFile option to the keyfile's path and the replication.replSetName option to the original name of the replica set.

```yaml
security:
  keyFile: <path-to-keyfile>
replication:
  replSetName: <setname>
storage:
  dbPath: <path>
```
Include additional options as required for your configuration. For instance, if you wish remote clients to connect to your deployment or your deployment members are run on different hosts, specify the net.bindIp setting. For more information, see Localhost Binding Compatibility Changes.
Start the mongod specifying the --config option and the path to the configuration file.

```sh
mongod --config <path-to-config-file>
```
Command Line
If using the command line parameters, start the mongod and specify the --keyFile and --replSet parameters.

```sh
mongod --keyFile <path-to-keyfile> --replSet <setname> --dbpath <path>
```
Include additional options as required for your configuration. For instance, if you wish remote clients to connect to your deployment or your deployment members are run on different hosts, specify --bind_ip. For more information, see Localhost Binding Compatibility Changes.
For more information on startup parameters, see the mongod reference page.
Make sure to use the original replica set name when restarting each member. You cannot change the name of a replica set.
Repeat this step until all shards in the cluster are online.
The Localhost Exception allows clients connected over the localhost interface to create users on a mongod enforcing access control. After creating the first user, the Localhost Exception closes.
The first user must have privileges to create other users, such as a user with the userAdminAnyDatabase role. This ensures that you can create additional users after the Localhost Exception closes.
If at least one user does not have privileges to create users, once the Localhost Exception closes you may be unable to create or modify users with new privileges, and therefore unable to access certain functions or operations.
For each shard replica set in the cluster, connect mongosh to the primary member over the localhost interface. You must run mongosh on the same machine as the target mongod to use the localhost interface.
Create a user with the userAdminAnyDatabase role on the admin database. This user can create additional users for the shard replica set as necessary. Creating this user also closes the Localhost Exception.
The following example creates the shard-local user fred on the admin database.
Passwords should be random, long, and complex to ensure system security and to prevent or delay malicious access.
Starting in version 4.2 of the mongo shell, you can use the passwordPrompt() method in conjunction with various user authentication/management methods/commands to prompt for the password instead of specifying the password directly in the method/command call. However, you can still specify the password directly as you would with earlier versions of the mongo shell.

```javascript
admin = db.getSiblingDB("admin")
admin.createUser(
  {
    user: "fred",
    pwd: passwordPrompt(), // or cleartext password
    roles: [ { role: "userAdminAnyDatabase", db: "admin" } ]
  }
)
```
Start the mongos servers. Running a mongod with the keyFile parameter enforces both Internal/Membership Authentication and Role-Based Access Control.
Start each mongos using either a configuration file or the command line.
Configuration File
If using a configuration file, set security.keyFile to the keyfile's path and sharding.configDB to the replica set name and at least one member of the replica set in <replSetName>/<host:port> format.

```yaml
security:
  keyFile: <path-to-keyfile>
sharding:
  configDB: <configReplSetName>/cfg1.example.net:27019,cfg2.example.net:27019,...
```
Include additional options as required for your configuration. For instance, if you wish remote clients to connect to your deployment or your deployment members are run on different hosts, specify the net.bindIp setting. For more information, see Localhost Binding Compatibility Changes.
Start the mongos specifying the --config option and the path to the configuration file.

```sh
mongos --config <path-to-config-file>
```
Command Line
If using command line parameters, start the mongos and specify the --keyFile and --configdb parameters.

```sh
mongos --keyFile <path-to-keyfile> --configdb <configReplSetName>/cfg1.example.net:27019,cfg2.example.net:27019,...
```
Include additional options as required for your configuration. For instance, if you wish remote clients to connect to your deployment or your deployment members are run on different hosts, specify --bind_ip. For more information, see Localhost Binding Compatibility Changes.
At this point, the entire sharded cluster is back online and can communicate internally using the keyfile specified. However, external programs like mongosh need to use a correctly provisioned user in order to read or write to the cluster.
Connect to a mongos instance over the localhost interface. Connect mongosh to one of the mongos instances over the localhost interface. You must run mongosh on the same physical machine as the mongos instance.
The Localhost Exception is only available because no users have been created for the deployment. After you create the first user, the Localhost Exception closes and is no longer available.
The first user must have privileges to create other users, such as a user with the userAdminAnyDatabase role. This ensures that you can create additional users after the Localhost Exception closes.
If at least one user does not have privileges to create users, once the Localhost Exception closes you cannot create or modify users, and therefore may be unable to perform necessary operations.
Add a user using the db.createUser() method. The user should have at minimum the userAdminAnyDatabase role on the admin database.
Passwords should be random, long, and complex to ensure system security and to prevent or delay malicious access.
The following example creates the user fred on the admin database:
Starting in version 4.2 of the mongo shell, you can use the passwordPrompt() method in conjunction with various user authentication/management methods/commands to prompt for the password instead of specifying the password directly in the method/command call. However, you can still specify the password directly as you would with earlier versions of the mongo shell.

```javascript
admin = db.getSiblingDB("admin")
admin.createUser(
  {
    user: "fred",
    pwd: passwordPrompt(), // or cleartext password
    roles: [ { role: "userAdminAnyDatabase", db: "admin" } ]
  }
)
```
See Database User Roles for a full list of built-in roles related to database administration operations.
Use db.auth() to authenticate as the user administrator to create additional users:
Starting in version 4.2 of the mongo shell, you can use the passwordPrompt() method in conjunction with various user authentication/management methods/commands to prompt for the password instead of specifying the password directly in the method/command call. However, you can still specify the password directly as you would with earlier versions of the mongo shell.

```javascript
db.getSiblingDB("admin").auth("fred", passwordPrompt()) // or cleartext password
```
Enter the password when prompted.
Alternatively, connect a new mongosh session to the target replica set member using the -u <username>, -p <password>, and --authenticationDatabase "admin" parameters. You must use the Localhost Exception to connect to the mongos.

```sh
mongosh -u "fred" -p --authenticationDatabase "admin"
```
If you do not specify the password to the -p command-line option, mongosh prompts for the password.
The cluster administrator user has the clusterAdmin role for the sharded cluster and is not the shard-local cluster administrator.
The following example creates the user ravi on the admin database.
Passwords should be random, long, and complex to ensure system security and to prevent or delay malicious access.
Starting in version 4.2 of the mongo shell, you can use the passwordPrompt() method in conjunction with various user authentication/management methods/commands to prompt for the password instead of specifying the password directly in the method/command call. However, you can still specify the password directly as you would with earlier versions of the mongo shell.

```javascript
db.getSiblingDB("admin").createUser(
  {
    "user" : "ravi",
    "pwd" : passwordPrompt(), // or cleartext password
    roles: [ { "role" : "clusterAdmin", "db" : "admin" } ]
  }
)
```
See Cluster Administration Roles for a full list of built-in roles related to replica set and sharded cluster operations.
To perform sharding operations, authenticate as a clusterAdmin user with either the db.auth() method or a new mongosh session with the username, password, and authenticationDatabase parameters.
This is the cluster administrator for the sharded cluster and not the shard-local cluster administrator.
Start the balancer.

```javascript
sh.startBalancer()
```
Starting in MongoDB 4.2, sh.startBalancer() also enables auto-splitting for the sharded cluster.
Use sh.getBalancerState() to verify that the balancer has started.
See Manage Sharded Cluster Balancer for tutorials on the sharded cluster balancer.
Create users to allow clients to connect and access the sharded cluster. See Database User Roles for available built-in roles, such as read and readWrite. You may also want additional administrative users. For more information on users, see Users.
To create additional users, you must authenticate as a user with the userAdminAnyDatabase or userAdmin role.
For details on using x.509 for internal authentication, see Use x.509 Certificate for Membership Authentication.
To upgrade from keyfile internal authentication to x.509 internal authentication, see Upgrade from Keyfile Authentication to x.509 Authentication.