Enforcing access control on a replica set requires configuring internal authentication between the members of the replica set, and role-based access control for the clients that connect to it.
For this tutorial, each member of the replica set uses the same internal authentication mechanism and settings.
Enforcing internal authentication also enforces user access control. To connect to the replica set, clients like the mongo shell need to use a user account. See Users and Authentication Mechanisms.
If you are currently using or are planning to use Cloud Manager or Ops Manager, see the Cloud Manager manual or the Ops Manager manual for enforcing access control.
Tip
When possible, use a logical DNS hostname instead of an IP address, particularly when configuring replica set members or sharded cluster members. The use of logical DNS hostnames avoids configuration changes due to IP address changes.
Changed in version 3.6.
Starting in MongoDB 3.6, mongod and mongos bind to localhost by default. If the members of your deployment run on different hosts, or if you wish remote clients to connect to your deployment, you must specify --bind_ip or net.bindIp. For more information, see Localhost Binding Compatibility Changes.
This tutorial primarily refers to the mongod process. Windows users should use the mongod.exe program instead.
Keyfiles are bare-minimum forms of security and are best suited for testing or development environments. For production environments we recommend using x.509 certificates.
This tutorial covers creating the minimum number of administrative users on the admin database only. For user authentication, the tutorial uses the default SCRAM authentication mechanism. Challenge-response security mechanisms are best suited for testing or development environments. For production environments, we recommend using x.509 certificates, LDAP Proxy Authentication (available for MongoDB Enterprise only) or Kerberos Authentication (available for MongoDB Enterprise only).
For details on creating users for a specific authentication mechanism, refer to the page for that authentication mechanism.
See ➤ Configure Role-Based Access Control for best practices for user creation and management.
With keyfile authentication, each mongod instance in the replica set uses the contents of the keyfile as the shared password for authenticating the other members of the deployment. Only mongod instances with the correct keyfile can join the replica set.
Note
Starting in MongoDB 4.2, keyfiles for internal membership authentication use YAML format to allow for multiple keys in a keyfile. The YAML format accepts either a single key string (the same content as the earlier text-file format) or a sequence of key strings.
The YAML format is compatible with the existing single-key keyfiles that use the text file format.
A key's length must be between 6 and 1024 characters and may only contain characters in the base64 set. All members of the replica set must share at least one common key.
Note
On UNIX systems, the keyfile must not have group or world permissions. On Windows systems, keyfile permissions are not checked.
You can generate a keyfile using any method you choose. For example, the following operation uses openssl to generate a complex pseudo-random 1024-character string to use as a shared password. It then uses chmod to change the file permissions so that only the file owner can read the file:
See Keyfiles for additional details and requirements for using keyfiles.
Copy the keyfile to each server hosting the replica set members. Ensure that the user running the mongod instances is the owner of the file and can access the keyfile.
Avoid storing the keyfile on storage media that can be easily disconnected from the hardware hosting the mongod instances, such as a USB drive or a network attached storage device.
For each member in the replica set, start the mongod with either the security.keyFile configuration file setting or the --keyFile command-line option. Running mongod with the --keyFile command-line option or the security.keyFile configuration file setting enforces both Internal/Membership Authentication and Role-Based Access Control.
If using a configuration file, set security.keyFile and replication.replSetName.
Include additional options as required for your configuration. For instance, if you wish remote clients to connect to your deployment or your deployment members run on different hosts, specify the net.bindIp setting. For more information, see Localhost Binding Compatibility Changes.
Start the mongod using the configuration file:
For more information on the configuration file, see configuration options.
If using the command-line options, start the mongod with the --keyFile and --replSet options.
Include additional options as required for your configuration. For instance, if you wish remote clients to connect to your deployment or your deployment members run on different hosts, specify --bind_ip. For more information, see Localhost Binding Compatibility Changes.
For more information on command-line options, see the mongod reference page.
Connect a mongo shell to one of the mongod instances over the localhost interface. You must run the mongo shell on the same physical machine as the mongod instance.
The localhost interface is only available because no users have yet been created for the deployment. The localhost interface closes after the creation of the first user.
From the mongo shell, run the rs.initiate() method.
rs.initiate() can take an optional replica set configuration document. In the replica set configuration document, include the _id field, set to the replica set name specified in either the replication.replSetName setting or the --replSet option, and the members array, with one document per member of the replica set. The following example initiates a three-member replica set.
Important
Run rs.initiate() on one and only one mongod instance for the replica set.
rs.initiate() triggers an election and elects one of the members to be the primary.
Connect to the primary before continuing. Use rs.status() to locate the primary member.
Important
After you create the first user, the localhost exception is no longer available.
The first user must have privileges to create other users, such as a user with the userAdminAnyDatabase role. This ensures that you can create additional users after the Localhost Exception closes.
If no user has privileges to create users, then once the localhost exception closes you may be unable to create or modify users with new privileges, and therefore unable to perform necessary operations.
Add a user using the db.createUser() method. The user should have at minimum the userAdminAnyDatabase role on the admin database.
You must be connected to the primary to create users.
The following example creates the user fred with the userAdminAnyDatabase role on the admin database.
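As an added example that is not from the MongoDB documentation, the following Node.js code builds the configuration document that rs.initiate() takes and the user document that db.createUser() takes as plain JavaScript objects, and checks them against the rules stated above (the _id must match the name the members were started with, member _ids must be unique, hostnames are preferred over IP addresses, and the first user must be able to create further users) before anything is run in the mongo shell. The hostnames, the replica set name rs0, the user names and the password placeholder are constructed; nothing here contacts a server.

```javascript
// Added example, not from the MongoDB documentation: the documents passed to
// rs.initiate() and db.createUser() built as plain objects, with checks for
// the rules the tutorial states. Hostnames, set name and users are constructed.

// rs.initiate() configuration document: _id is the replica set name given to
// --replSet / replication.replSetName, members holds one document per member.
function buildReplSetConfig(replSetName, hosts) {
  return {
    _id: replSetName,
    members: hosts.map((host, i) => ({ _id: i, host })),
  };
}

// A bare IPv4 literal with optional port; the tutorial recommends DNS hostnames.
const IPV4_RE = /^\d{1,3}(\.\d{1,3}){3}(:\d+)?$/;

// Problems with a configuration document relative to the replSetName the
// mongod processes were started with. An empty list means it is consistent.
function checkReplSetConfig(cfg, replSetName) {
  const problems = [];
  if (cfg._id !== replSetName) {
    problems.push(`_id "${cfg._id}" does not match the replSetName "${replSetName}"`);
  }
  if (!Array.isArray(cfg.members) || cfg.members.length === 0) {
    problems.push("members must be a non-empty array");
    return problems;
  }
  const seen = new Set();
  for (const m of cfg.members) {
    if (seen.has(m._id)) problems.push(`duplicate member _id ${m._id}`);
    seen.add(m._id);
    if (typeof m.host !== "string" || m.host === "") {
      problems.push(`member ${m._id} has no host`);
    } else if (IPV4_RE.test(m.host)) {
      problems.push(`member ${m._id} uses an IP address (${m.host}); prefer a logical DNS hostname`);
    }
  }
  return problems;
}

// db.createUser() document for the user administrator: userAdminAnyDatabase on
// admin is the minimum the tutorial requires. In the 4.2+ mongo shell, pass
// passwordPrompt() instead of a literal password.
function buildUserAdmin(user, pwd) {
  return { user, pwd, roles: [{ role: "userAdminAnyDatabase", db: "admin" }] };
}

// db.createUser() document for the cluster administrator (clusterAdmin on admin).
function buildClusterAdmin(user, pwd) {
  return { user, pwd, roles: [{ role: "clusterAdmin", db: "admin" }] };
}

// True if the document grants the privilege to create further users, which
// the first user must have or administration is stuck once the localhost
// exception closes. Only the role the tutorial names is recognised here.
function canCreateUsers(userDoc) {
  return (userDoc.roles || []).some(
    (r) => r.role === "userAdminAnyDatabase" && r.db === "admin"
  );
}

// Constructed three-member example; returns the problems found (none expected).
function demo() {
  const cfg = buildReplSetConfig("rs0", [
    "mongodb0.example.net:27017",
    "mongodb1.example.net:27017",
    "mongodb2.example.net:27017",
  ]);
  return checkReplSetConfig(cfg, "rs0");
}
```

The objects returned by buildReplSetConfig, buildUserAdmin and buildClusterAdmin are what rs.initiate() and db.createUser() accept in the mongo shell; the checks are a pre-flight for the two mistakes this page warns about, a configuration that does not match --replSet, and a first user who cannot create the next one.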
Important
Passwords should be random, long, and complex to ensure system security and to prevent or delay malicious access.
Tip
Starting in version 4.2 of the mongo shell, you can use the passwordPrompt() method in conjunction with various user authentication and management methods and commands to prompt for the password instead of specifying the password directly in the method or command call. However, you can still specify the password directly as you would with earlier versions of the mongo shell.
Enter the password when prompted. See Database User Roles for a full list of built-in roles related to database administration operations.
Authenticate to the admin database.
In the mongo shell, use db.auth() to authenticate. For example, the following authenticates as the user administrator fred:
Alternatively, connect a new mongo shell to the primary replica set member using the -u <username>, -p <password>, and --authenticationDatabase parameters.
If you do not specify the password to the -p command-line option, the mongo shell prompts for the password.
The clusterAdmin role grants access to replication operations, such as configuring the replica set.
Create a cluster administrator user and assign it the clusterAdmin role in the admin database:
Enter the password when prompted.
See Cluster Administration Roles for a full list of built-in roles related to replica set and sharded cluster operations.
Create users to allow clients to connect to and interact with the replica set. See Database User Roles for the basic built-in roles to use when creating read-only and read-write users.
You may also want additional administrative users.
For more information on users, see Users.
For details on using x.509 for internal authentication, see Use x.509 Certificate for Membership Authentication.
To upgrade from keyfile internal authentication to x.509 internal authentication, see Upgrade from Keyfile Authentication to x.509 Authentication.