
Externally Sourced Configuration File Values

New in version 4.2.

MongoDB supports using expansion directives in configuration files to load externally sourced values. Expansion directives can load values for specific configuration file options or load the entire configuration file. Expansion directives help obscure confidential information like security certificates and passwords.

storage:
  dbPath: "/var/lib/mongo"
systemLog:
  destination: file
  path: "/var/log/mongodb/mongod.log"
net:
  bindIp:
    __exec: "python /home/user/getIPAddresses.py"
    type: "string"
    trim: "whitespace"
    digest: 85fed8997aac3f558e779625f2e51b4d142dff11184308dc6aca06cff26ee9ad
    digest_key: 68656c6c30303030307365637265746d796f6c64667269656e64
  tls:
    mode: requireTLS
    certificateKeyFile: "/etc/tls/mongod.pem"
    certificateKeyFilePassword:
      __rest: "https://myrestserver.example.net/api/config/myCertKeyFilePassword"
      type: "string"
      digest: b08519162ba332985ac18204851949611ef73835ec99067b85723e10113f5c26
      digest_key: 6d795365637265744b65795374756666

  • If the configuration file includes the __rest expansion, on Linux/macOS, the read access to the configuration file must be limited to the user running the mongod/mongos process only.
  • If the configuration file includes the __exec expansion, on Linux/macOS, the write access to the configuration file must be limited to the user running the mongod/mongos process only.

To use expansion directives, you must specify the --configExpand command-line option with the complete list of expansion directives used:

mongod --config "/path/to/config/mongod.conf" --configExpand "rest,exec"

If you omit the --configExpand option or if you do not specify the complete list of expansion directives used in the configuration file, the mongod/mongos returns an error and terminates. You can only specify the --configExpand option on the command line.
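
The permission rules and the --configExpand requirement above can be checked before a deployment. The following is an added example, not MongoDB's own code: it scans a configuration file for __rest and __exec directives, derives the --configExpand value, and applies the file permission rules together with the https requirement for non-localhost __rest endpoints from the reference section. The function names, the localhost host list, the reading of "limited to the user" as owner plus no group/other bit, and the sample file are assumptions.

```python
import os
import re
import stat
import tempfile
from urllib.parse import urlparse

# Matches one "__rest: ..." or "__exec: ..." line and captures its value.
DIRECTIVE = re.compile(r'^\s*__(rest|exec)\s*:\s*"?([^"\n]*?)"?\s*$')
LOCAL_HOSTS = {"localhost", "127.0.0.1", "::1"}  # assumption: what counts as localhost

# Constructed sample; the http:// URL is deliberate so the audit has something to flag.
SAMPLE = '''\
net:
  bindIp:
    __exec: "python /home/user/getIPAddresses.py"
  tls:
    certificateKeyFilePassword:
      __rest: "http://myrestserver.example.net/api/config/myCertKeyFilePassword"
'''


def audit_config(path, run_uid):
    """Return (value for --configExpand, findings) for one configuration file."""
    with open(path, encoding="utf-8") as fh:
        found = [m.groups() for m in map(DIRECTIVE.match, fh) if m]
    kinds = sorted({kind for kind, _ in found}, reverse=True)  # "rest" before "exec"
    st = os.stat(path)
    findings = []
    # Assumption: "limited to the user running mongod" means that user owns the
    # file and no group/other permission bit grants the access in question.
    if kinds and st.st_uid != run_uid:
        findings.append("file is not owned by the mongod/mongos user")
    if "rest" in kinds and st.st_mode & (stat.S_IRGRP | stat.S_IROTH):
        findings.append("__rest: file is readable by group/other")
    if "exec" in kinds and st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append("__exec: file is writable by group/other")
    for kind, value in found:
        url = urlparse(value)
        if kind == "rest" and url.scheme != "https" and url.hostname not in LOCAL_HOSTS:
            # Report the host only: the URL may carry RFC 3986 user information.
            findings.append(f"__rest: non-localhost endpoint {url.hostname} must use https")
    return ",".join(kinds), findings


def demo(mode):
    """Write SAMPLE to a temporary mongod.conf with the given mode and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "mongod.conf")
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(SAMPLE)
        os.chmod(path, mode)
        return audit_config(path, os.getuid())


if __name__ == "__main__":
    for mode in (0o644, 0o600):
        expand, findings = demo(mode)
        print(f'mode {mode:o}: --configExpand "{expand}"', findings)
```
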

Use the __rest Expansion Directive

The __rest expansion directive loads configuration file values from a REST endpoint. __rest supports loading specific values in the configuration file or loading the entire configuration file.

The following configuration file uses the __rest expansion directive to load the value of the net.tls.certificateKeyFilePassword setting from an external REST endpoint:

storage:
  dbPath: "/var/lib/mongo"
systemLog:
  destination: file
  path: "/var/log/mongodb/mongod.log"
net:
  bindIp: 192.51.100.24,127.0.0.1
  tls:
    mode: requireTLS
    certificateKeyFile: "/etc/tls/mongod.pem"
    certificateKeyFilePassword:
      __rest: "https://myrestserver.example.net/api/config/myCertKeyFilePassword"
      type: "string"

File Permission

If the configuration file includes the __rest expansion, on Linux/macOS, the read access to the configuration file must be limited to the user running the mongod/mongos process only.

Expansion Parsing

To parse the __rest blocks, start the mongod/mongos with the --configExpand "rest" option.

The mongod/mongos issues a GET request against the specified URL. If successful, the mongod/mongos replaces the value of certificateKeyFilePassword with the returned value. If the URL fails to resolve or if the REST endpoint returns an invalid value, the mongod/mongos throws an error and terminates.

The following configuration file uses the __rest expansion directive to load the configuration file from an external REST endpoint. The expansion directive and its options must be the only values specified in the configuration file.

__rest: "https://myrestserver.example.net/api/config/fullConfig"
type: "yaml"

File Permission

If the configuration file includes the __rest expansion, on Linux/macOS, the read access to the configuration file must be limited to the user running the mongod/mongos process only.

Expansion Parsing

To parse the __rest blocks, start the mongod/mongos with the --configExpand "rest" option.

The mongod/mongos issues a GET request against the specified URL. If successful, the mongod/mongos parses the returned YAML configuration file and uses it during startup. If the URL fails to resolve or does not return a properly formatted YAML file, the mongod/mongos throws an error and terminates.

Important

The value returned by the specified REST endpoint cannot include any additional expansion directives. The mongod/mongos does not perform additional processing on the returned data and will terminate with an error code if the returned data includes additional expansion directives.

Use the __exec Expansion Directive

The __exec expansion directive loads configuration file values from a shell or terminal command. __exec supports loading specific values in the configuration file or loading the entire configuration file.

The following example configuration file uses the __exec expansion directive to load the value of the net.tls.certificateKeyFilePassword setting from the output of a shell or terminal command:

storage:
  dbPath: "/var/lib/mongo"
systemLog:
  destination: file
  path: "/var/log/mongodb/mongod.log"
net:
  bindIp: 192.51.100.24,127.0.0.1
  tls:
    mode: requireTLS
    certificateKeyFile: "/etc/tls/mongod.pem"
    certificateKeyFilePassword:
      __exec: "python /home/myUserName/getPEMPassword.py"
      type: "string"

File Permission

If the configuration file includes the __exec expansion, on Linux/macOS, the write access to the configuration file must be limited to the user running the mongod/mongos process only.

Expansion Parsing

To parse the __exec blocks, start the mongod/mongos with the --configExpand "exec" option.

The mongod/mongos attempts to execute the specified operation. If the command executes successfully, the mongod/mongos replaces the value of certificateKeyFilePassword with the returned value. If the command fails or returns an invalid value for the configuration file setting, the mongod/mongos throws an error and terminates.

The following example configuration file uses the __exec expansion directive to load the configuration file from the output of a shell or terminal command. The __exec expansion directive and its options must be the only values specified in the configuration file.

__exec: "python /home/myUserName/getFullConfig.py"
type: "yaml"

File Permission

If the configuration file includes the __exec expansion, on Linux/macOS, the write access to the configuration file must be limited to the user running the mongod/mongos process only.

Expansion Parsing

To parse the __exec blocks, start the mongod/mongos with the --configExpand "exec" option.

If the command executes successfully, the mongod/mongos parses the returned YAML configuration file and uses it during startup. If the command fails or returns an invalid YAML file, the mongod/mongos throws an error and terminates.

Important

The data returned by executing the specified __exec string cannot include any additional expansion directives. The mongod/mongos does not perform additional processing on the returned data and will terminate with an error code if the returned data includes additional expansion directives.

Expansion Directives Reference

__rest

The __rest expansion directive loads configuration file values from a REST endpoint. __rest supports loading specific values in the configuration file or loading the entire configuration file. The mongod/mongos then starts using the externally sourced values as part of its configuration.

The __rest expansion directive has the following syntax:

  • To specify a REST endpoint for a specific configuration file setting or settings:

    <some configuration file setting>:
      __rest: "<string>"
      type: "string"
      trim: "none|whitespace"
      digest: "<string>"
      digest_key: "<string>"
  • To specify a REST endpoint for the entire configuration file:

    __rest: "<string>"
    type: "yaml"
    trim: "none|whitespace"

    If specifying the entire configuration file via REST endpoint, the expansion directive and its options must be the only values specified in the configuration file.

__rest takes the following fields:

Field (Type): Description

  • __rest (string): Required. The URL against which the mongod/mongos issues a GET request to retrieve the externally sourced value.

    For non-localhost REST endpoints (e.g. a REST endpoint hosted on a remote server), __rest requires encrypted (https://) URLs where both the host machine and the remote server support TLS 1.1 or later.

    If the REST endpoint specified in the URL requires authentication, encode credentials into the URL with the standard RFC 3986 User Information format.

    For localhost REST endpoints (e.g. a REST endpoint listening on the host machine), __rest allows unencrypted (http://) URLs.

    Important: The value returned by the specified REST endpoint cannot include any additional expansion directives. The mongod/mongos does not perform additional processing on the returned data and will terminate with an error code if the returned data includes additional expansion directives.

  • type (string): Optional. Controls how __rest parses the returned value from the specified URL.

    Possible values are:

      • string (Default)
        Directs __rest to parse the returned data as a literal string. If specifying string, the entire __rest block and supporting options must be nested under the field for which you are loading externally sourced values.
      • yaml
        Directs __rest to parse the returned data as a yaml formatted file. If specifying yaml, the __rest block must be the only content in the configuration file. The mongod/mongos replaces the configuration file contents with the yaml retrieved from the REST resource.

  • trim (string): Optional. Specify whitespace to direct __rest to trim any leading or trailing whitespace, specifically occurrences of " ", "\r", "\n", "\t", "\v", and "\f". Defaults to none, or no trimming.

  • digest (string): Optional. The SHA-256 digest of the expansion result.

    If specified, you must also specify the digest_key.

  • digest_key (string): Optional. The hexadecimal string representation of the secret used to calculate the SHA-256 digest.

    If specified, you must also specify the digest.

Note

  • If the configuration file includes the __rest expansion, on Linux/macOS, the read access to the configuration file must be limited to the user running the mongod/mongos process only.
  • To enable parsing of the __rest expansion directive, start the mongod/mongos with the --configExpand "rest" option.

For examples, see Use the __rest Expansion Directive.

__exec

The __exec expansion directive loads configuration file values from the output of a shell or terminal command. __exec supports loading specific values in the configuration file or loading the entire configuration file. The mongod/mongos then starts using the externally sourced values as part of its configuration.

The __exec expansion directive has the following syntax:

  • To specify a shell or terminal command for a specific configuration file setting or settings:

    <some configuration file setting>:
      __exec: "<string>"
      type: "string"
      trim: "none|whitespace"
  • To specify a shell or terminal command for the entire configuration file:

    __exec: "<string>"
    type: "yaml"
    trim: "none|whitespace"

    If specifying the entire configuration file via a terminal or shell command, the expansion directive and its options must be the only values specified in the configuration file.

__exec takes the following fields:

Field (Type): Description

  • __exec (string): Required. The string which the mongod/mongos executes on the terminal or shell to retrieve the externally sourced value.

    On Linux and OSX hosts, execution is handled via POSIX popen(). On Windows hosts, execution is handled via the process control API. __exec opens a read-only pipe as the same user that started the mongod or mongos.

    Important: The data returned by executing the specified command cannot include any additional expansion directives. The mongod/mongos does not perform additional processing on the returned data and will terminate with an error code if the returned data includes additional expansion directives.

  • type (string): Optional. Controls how __exec parses the value returned by the executed command.

    Possible values are:

      • string (Default)
        Directs __exec to parse the returned data as a literal string. If specifying string, the entire __exec block and supporting options must be nested under the field for which you are loading externally sourced values.
      • yaml
        Directs __exec to parse the returned data as a yaml formatted file. If specifying yaml, the __exec block must be the only content in the configuration file. The mongod/mongos replaces the configuration file contents with the yaml retrieved from the executed command.

  • trim (string): Optional. Specify whitespace to direct __exec to trim any leading or trailing whitespace, specifically occurrences of " ", "\r", "\n", "\t", "\v", and "\f". Defaults to none, or no trimming.

  • digest (string): Optional. The SHA-256 digest of the expansion result.

    If specified, you must also specify the digest_key.

  • digest_key (string): Optional. The hexadecimal string representation of the secret used to calculate the SHA-256 digest.

    If specified, you must also specify the digest.

Note

  • If the configuration file includes the __exec expansion, on Linux/macOS, the write access to the configuration file must be limited to the user running the mongod/mongos process only.
  • To enable parsing of the __exec expansion directives, start the mongod/mongos with the --configExpand "exec" option.

For examples, see Use the __exec Expansion Directive.
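
The digest and digest_key fields listed for both __rest and __exec tie an expansion to one expected result. The following is an added example, not MongoDB's own code: it generates and checks such a pair, assuming the digest is an HMAC-SHA-256 of the expansion output keyed with the decoded digest_key, which the page does not spell out. The function names and sample values are constructed.

```python
import hashlib
import hmac


def digest_fields(expansion_output: bytes, secret: bytes) -> dict:
    """Return the digest / digest_key values for one expansion block.

    Assumption: digest = HMAC-SHA-256(key=secret, msg=expansion_output), hex encoded.
    """
    mac = hmac.new(secret, expansion_output, hashlib.sha256).hexdigest()
    return {"digest": mac, "digest_key": secret.hex()}


def digest_matches(expansion_output: bytes, digest: str, digest_key: str) -> bool:
    """Recompute the keyed digest for an output and compare in constant time."""
    secret = bytes.fromhex(digest_key)
    expected = hmac.new(secret, expansion_output, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, digest.lower())


def render_block(setting: str, directive: str, source: str, fields: dict) -> str:
    """Render the YAML lines for a single-setting expansion, per the syntax above."""
    lines = [f"{setting}:", f'  {directive}: "{source}"', '  type: "string"']
    lines += [f'  {name}: "{value}"' for name, value in fields.items()]
    return "\n".join(lines)


if __name__ == "__main__":
    secret = b"mySecretKeyStuff"   # decodes from a digest_key shown earlier on the page
    output = b"20128"              # constructed: what the endpoint is expected to return
    fields = digest_fields(output, secret)
    print(render_block("port", "__rest", "https://mongoconf.example.net:8080/record/1", fields))
    # A single extra byte, such as a trailing newline, no longer matches.
    print(digest_matches(output, **fields), digest_matches(output + b"\n", **fields))
```

Whether mongod computes the digest before or after applying trim is not stated on the page, so confirm a generated pair against your server version with --outputConfig in a test environment.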

Output the Configuration File with Resolved Expansion Directive Values

You can test the final output of a configuration file that specifies one or more expansion directives by starting the mongod/mongos with the --outputConfig option. A mongod/mongos started with --outputConfig outputs the resolved YAML configuration document to stdout and halts. If any expansion directive specified in the configuration file returns additional expansion directives, the mongod/mongos throws an error and terminates.

Warning

The --outputConfig option returns the resolved values for any field using an expansion directive. This includes any private or sensitive information previously obscured by using an external source for the configuration option.

For example, the following configuration file mongod.conf contains a __rest expansion directive:

storage:
  dbPath: "/var/lib/mongo"
systemLog:
  destination: file
  path: "/var/log/mongodb/mongod.log"
net:
  port:
    __rest: "https://mongoconf.example.net:8080/record/1"
    type: string

The string recorded at the specified URL is 20128.

If the configuration file includes the __rest expansion, on Linux/macOS, the read access to the configuration file must be limited to the user running the mongod/mongos process only.

Start the mongod with the --configExpand "rest" and --outputConfig options:

mongod -f mongod.conf --configExpand rest --outputConfig

The mongod outputs the following to stdout before terminating:

config: mongod.conf
storage:
  dbPath: "/var/lib/mongo"
systemLog:
  destination: file
  path: "/var/log/mongodb/mongod.log"
net:
  port: 20128
outputConfig: true