Enforcing access control on a sharded cluster requires configuring:
For this tutorial, each member of the sharded cluster must use the same internal authentication mechanism and settings. This means enforcing internal authentication on each mongos and mongod in the cluster.
The following tutorial uses a keyfile to enable internal authentication.
Enforcing internal authentication also enforces user access control. To connect to the replica set, clients like the mongo shell need to use a user account. See Access Control.
If you are using Cloud Manager or Ops Manager to manage your deployment, see the respective Cloud Manager manual or the Ops Manager manual to enforce authentication.
Tip
When possible, use a logical DNS hostname instead of an ip address, particularly when configuring replica set members or sharded cluster members. The use of logical DNS hostnames avoids configuration changes due to ip address changes.
Changed in version 3.6.
Starting with MongoDB 3.6, MongoDB binaries, mongod and mongos, bind to localhost by default. From MongoDB versions 2.6 to 3.4, only the binaries from the official MongoDB RPM (Red Hat, CentOS, Fedora Linux, and derivatives) and DEB (Debian, Ubuntu, and derivatives) packages would bind to localhost by default. To learn more about this change, see Localhost Binding Compatibility Changes.
Keyfiles are bare-minimum forms of security and are best suited for testing or development environments. For production environments we recommend using x.509 certificates.
This tutorial covers creating the minimum number of administrative users on the admin database only. For the user authentication, the tutorial uses the default SCRAM authentication mechanism. Challenge-response security mechanisms are best suited for testing or development environments. For production environments, we recommend using x.509 certificates or LDAP Proxy Authentication (available for MongoDB Enterprise only) or Kerberos Authentication (available for MongoDB Enterprise only).
For details on creating users for a specific authentication mechanism, refer to the page for that authentication mechanism.
See Configure Role-Based Access Control for best practices for user creation and management.
In general, to create users for a sharded cluster, connect to the mongos and add the sharded cluster users.
However, some maintenance operations require direct connections to specific shards in a sharded cluster. To perform these operations, you must connect directly to the shard and authenticate as a shard-local administrative user.
Shard-local users exist only in the specific shard and should only be used for shard-specific maintenance and configuration. You cannot connect to the mongos with shard-local users.
This tutorial requires creating sharded cluster users, but includes optional steps for adding shard-local users.
See the Users security documentation for more information.
This tutorial uses the mongod and mongos programs. Windows users should use the mongod.exe and mongos.exe programs instead.
The following procedures involve creating a new sharded cluster that consists of a mongos, the config servers, and two shards.
With keyfile authentication, each mongod or mongos instance in the sharded cluster uses the contents of the keyfile as the shared password for authenticating other members in the deployment. Only mongod or mongos instances with the correct keyfile can join the sharded cluster.
Note
Starting in MongoDB 4.2, keyfiles for internal membership authentication use YAML format to allow for multiple keys in a keyfile. The YAML format accepts content of:
The YAML format is compatible with the existing single-key keyfiles that use the text file format.
A key’s length must be between 6 and 1024 characters and may only contain characters in the base64 set. All members of the sharded cluster must share at least one common key.
Note
On UNIX systems, the keyfile must not have group or world permissions. On Windows systems, keyfile permissions are not checked.
You can generate a keyfile using any method you choose. For example, the following operation uses openssl to generate a complex pseudo-random 1024 character string to use as a shared password. It then uses chmod to change file permissions to provide read permissions for the file owner only:
See Keyfiles for additional details and requirements for using keyfiles.
Copy the keyfile to each server hosting the sharded cluster members. Ensure that the user running the mongod or mongos instances is the owner of the file and can access the keyfile.
Avoid storing the keyfile on storage mediums that can be easily disconnected from the hardware hosting the mongod or mongos instances, such as a USB drive or a network attached storage device.
The following steps deploy a config server replica set.
For a production deployment, deploy a config server replica set with at least three members. For testing purposes, you can create a single-member replica set.
Start each mongod in the config server replica set. Include the keyFile setting. The keyFile setting enforces both Internal/Membership Authentication and Role-Based Access Control.
You can specify the mongod settings either via a configuration file or the command line.
Configuration File
If using a configuration file, set security.keyFile to the keyfile’s path, sharding.clusterRole to configsvr, and replication.replSetName to the desired name of the config server replica set.
Include additional options as required for your configuration. For instance, if you wish remote clients to connect to your deployment or your deployment members are run on different hosts, specify the net.bindIp setting. For more information, see Localhost Binding Compatibility Changes.
Start the mongod specifying the --config option and the path to the configuration file.
Command Line
If using the command line parameters, start the mongod with the --keyFile, --configsvr, and --replSet parameters.
Include additional options as required for your configuration. For instance, if you wish remote clients to connect to your deployment or your deployment members are run on different hosts, specify --bind_ip. For more information, see Localhost Binding Compatibility Changes.
Connect a mongo shell to one of the mongod instances over the localhost interface. You must run the mongo shell on the same physical machine as the mongod instance.
The localhost interface is only available since no users have been created for the deployment. The localhost interface closes after the creation of the first user.
The rs.initiate() method initiates the replica set and can take an optional replica set configuration document. In the replica set configuration document, include:
- _id. The _id must match the --replSet parameter passed to the mongod.
- members field. The members field is an array and requires a document for each member of the replica set.
- configsvr field. The configsvr field must be set to true for the config server replica set.
See Replica Set Configuration for more information on replica set configuration documents.
Initiate the replica set using the rs.initiate() method and a configuration document:
Once the config server replica set (CSRS) is initiated and up, proceed to creating the shard replica sets.
For a production deployment, use a replica set with at least three members. For testing purposes, you can create a single-member replica set.
These steps include optional procedures for adding shard-local users. Executing them now ensures that there are users available for each shard to perform shard-level maintenance.
Running a mongod with the keyFile parameter enforces both Internal/Membership Authentication and Role-Based Access Control.
Start each mongod in the replica set using either a configuration file or the command line.
Configuration File
If using a configuration file, set the security.keyFile option to the keyfile’s path, the replication.replSetName to the desired name of the replica set, and the sharding.clusterRole option to shardsvr.
Include additional options as required for your configuration. For instance, if you wish remote clients to connect to your deployment or your deployment members are run on different hosts, specify the net.bindIp setting. For more information, see Localhost Binding Compatibility Changes.
Start the mongod specifying the --config option and the path to the configuration file.
Command Line
If using the command line option, when starting the component, specify the --keyFile, --replSet, and --shardsvr parameters, as in the following example:
Include additional options as required for your configuration. For instance, if you wish remote clients to connect to your deployment or your deployment members are run on different hosts, specify --bind_ip. For more information, see Localhost Binding Compatibility Changes.
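As an added example (not from the page and not MongoDB's own tooling), the following Node.js code builds both forms the config server and shard procedures above describe for starting a mongod: the command line (--configsvr or --shardsvr, --replSet, --keyFile, optional --bind_ip) and the equivalent YAML configuration file (sharding.clusterRole, replication.replSetName, security.keyFile, optional net.bindIp). It refuses to produce either form without a keyfile, because that is the setting that enforces membership authentication and role-based access control. The function names, the hostnames, the ports and the /etc/mongodb-keyfile path are assumptions made for this example.

```javascript
// Roles a mongod can take in the sharded cluster, per the tutorial.
const CLUSTER_ROLES = new Set(["configsvr", "shardsvr"]);

// Validate the settings shared by the command-line and config-file forms.
// opts: { role, replSet, keyFile, bindIp?, port?, dbPath? }
function checkOptions(opts) {
  if (!CLUSTER_ROLES.has(opts.role)) throw new Error(`clusterRole must be configsvr or shardsvr, got ${opts.role}`);
  if (!opts.replSet) throw new Error("a replica set name is required for config servers and shards");
  // keyFile is the setting that enforces membership authentication and RBAC;
  // without it the member would start without access control.
  if (!opts.keyFile) throw new Error("keyFile is required");
}

// Command-line form: mongod --configsvr|--shardsvr --replSet ... --keyFile ...
function mongodArgs(opts) {
  checkOptions(opts);
  const args = ["mongod", `--${opts.role}`, "--replSet", opts.replSet, "--keyFile", opts.keyFile];
  if (opts.port) args.push("--port", String(opts.port));
  if (opts.dbPath) args.push("--dbpath", opts.dbPath);
  // Optional: mongod binds to localhost only (3.6+), so list localhost plus
  // the hostname the other members and clients use to reach this instance.
  if (opts.bindIp && opts.bindIp.length) args.push("--bind_ip", opts.bindIp.join(","));
  return args;
}

// Configuration-file form of the same settings (YAML).
function mongodConfigYaml(opts) {
  checkOptions(opts);
  const lines = [
    "security:",
    `  keyFile: ${opts.keyFile}`,
    "replication:",
    `  replSetName: ${opts.replSet}`,
    "sharding:",
    `  clusterRole: ${opts.role}`,
  ];
  const net = [];
  if (opts.bindIp && opts.bindIp.length) net.push(`  bindIp: ${opts.bindIp.join(",")}`);
  if (opts.port) net.push(`  port: ${opts.port}`);
  if (net.length) lines.push("net:", ...net);
  if (opts.dbPath) lines.push("storage:", `  dbPath: ${opts.dbPath}`);
  return lines.join("\n") + "\n";
}

// Stand-alone demonstration with constructed hostnames and paths.
const configServerMember = {
  role: "configsvr", replSet: "configReplSet", keyFile: "/etc/mongodb-keyfile",
  bindIp: ["localhost", "cfg1.example.net"], port: 27019, dbPath: "/var/lib/mongodb-cfg",
};
const shardMember = {
  role: "shardsvr", replSet: "shard1", keyFile: "/etc/mongodb-keyfile",
  bindIp: ["localhost", "s1-mongo1.example.net"], port: 27018,
};
console.log(mongodArgs(configServerMember).join(" "));
console.log(mongodConfigYaml(shardMember));
```

Generating every member's configuration from one description, as this does, keeps the keyfile path and replica set name identical across members, which is what keyfile membership authentication depends on.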
Connect a mongo shell to one of the mongod instances over the localhost interface. You must run the mongo shell on the same physical machine as the mongod instance.
The localhost interface is only available since no users have been created for the deployment. The localhost interface closes after the creation of the first user.
From the mongo shell, run the rs.initiate() method.
rs.initiate() can take an optional replica set configuration document. In the replica set configuration document, include:
- _id field set to the replica set name specified in either the replication.replSetName or the --replSet option.
- members array with a document for each member of the replica set.
The following example initiates a three member replica set.
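The configuration document that rs.initiate() takes is described twice on this page, once for the config server replica set and once for each shard replica set. As an added example (not the page's own rs.initiate() call and not MongoDB code), the following Node.js functions build that document for both cases and check it against the rules stated above: _id must equal the name given to --replSet or replication.replSetName, members must hold one document per member, and configsvr: true belongs only on the config server replica set. The hostnames and the function names are assumptions made for this example.

```javascript
// Build the document passed to rs.initiate().
// hosts is a list of "host:port" strings; configsvr marks the CSRS.
function buildReplSetConfig(replSetName, hosts, { configsvr = false } = {}) {
  if (!replSetName) throw new Error("replica set name is required");
  if (!Array.isArray(hosts) || hosts.length === 0) throw new Error("at least one member host:port is required");
  const cfg = {
    _id: replSetName,
    members: hosts.map((host, i) => ({ _id: i, host })),
  };
  if (configsvr) cfg.configsvr = true;
  return cfg;
}

// Validate a config document before handing it to rs.initiate().
// replSetName is the value given to --replSet / replication.replSetName;
// isConfigServer tells whether this mongod runs with --configsvr.
function validateReplSetConfig(cfg, replSetName, isConfigServer) {
  const errors = [];
  if (cfg._id !== replSetName) errors.push(`_id ${cfg._id} does not match --replSet ${replSetName}`);
  if (!Array.isArray(cfg.members) || cfg.members.length === 0) {
    errors.push("members must be a non-empty array");
  } else {
    const ids = new Set();
    cfg.members.forEach((m) => {
      if (typeof m._id !== "number") errors.push(`member ${m.host}: _id must be a number`);
      if (ids.has(m._id)) errors.push(`member _id ${m._id} is duplicated`);
      ids.add(m._id);
      if (!/^[^:\s]+:\d+$/.test(m.host || "")) errors.push(`member ${m._id}: host must be host:port`);
    });
  }
  if (isConfigServer && cfg.configsvr !== true) errors.push("config server replica set requires configsvr: true");
  if (!isConfigServer && cfg.configsvr) errors.push("configsvr: true is only valid for the config server replica set");
  return { ok: errors.length === 0, errors };
}

// Stand-alone demonstration with constructed hostnames.
const csrsConfig = buildReplSetConfig(
  "configReplSet",
  ["cfg1.example.net:27019", "cfg2.example.net:27019", "cfg3.example.net:27019"],
  { configsvr: true },
);
const shardConfig = buildReplSetConfig(
  "shard1",
  ["s1-mongo1.example.net:27018", "s1-mongo2.example.net:27018", "s1-mongo3.example.net:27018"],
);
console.log(JSON.stringify(csrsConfig), validateReplSetConfig(csrsConfig, "configReplSet", true));
console.log(JSON.stringify(shardConfig), validateReplSetConfig(shardConfig, "shard1", false));
```

The _id check is the one worth automating: rs.initiate() rejects a document whose _id differs from the --replSet value, and when members were started from hand-edited configuration files that mismatch is the usual cause.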
rs.initiate() triggers an election and elects one of the members to be the primary.
Connect to the primary before continuing. Use rs.status() to locate the primary member.
Important
After you create the first user, the localhost exception is no longer available.
The first user must have privileges to create other users, such as a user with the userAdminAnyDatabase role. This ensures that you can create additional users after the Localhost Exception closes.
If no user has privileges to create users, once the localhost exception closes you may be unable to create or modify users with new privileges, and therefore unable to access necessary operations.
Add a user using the db.createUser() method. The user should have at minimum the userAdminAnyDatabase role on the admin database.
You must be connected to the primary to create users.
The following example creates the user fred with the userAdminAnyDatabase role on the admin database.
Important
Passwords should be random, long, and complex to ensure system security and to prevent or delay malicious access.
Tip
Starting in version 4.2 of the mongo shell, you can use the passwordPrompt() method in conjunction with various user authentication/management methods/commands to prompt for the password instead of specifying the password directly in the method/command call. However, you can still specify the password directly as you would with earlier versions of the mongo shell.
Enter the password when prompted. See Database User Roles for a full list of built-in roles related to database administration operations.
Authenticate to the admin database.
In the mongo shell, use db.auth() to authenticate. For example, the following authenticates as the user administrator fred:
Alternatively, connect a new mongo shell to the primary replica set member using the -u <username>, -p <password>, and the --authenticationDatabase parameters.
If you do not specify the password to the -p command-line option, the mongo shell prompts for the password.
The shard-local cluster administrator user has the clusterAdmin role, which provides privileges that allow access to replication operations.
For a full list of roles related to replica set operations see Cluster Administration Roles.
Create a cluster administrator user and assign the clusterAdmin role in the admin database:
Enter the password when prompted.
See Cluster Administration Roles for a full list of built-in roles related to replica set and sharded cluster operations.
Connect mongos to the Sharded Cluster
Connect a mongos to the cluster
Start a mongos specifying the keyfile using either a configuration file or a command line parameter.
Configuration File
If using a configuration file, set the security.keyFile to the keyfile’s path and the sharding.configDB to the replica set name and at least one member of the replica set in <replSetName>/<host:port> format.
Include additional options as required for your configuration. For instance, if you wish remote clients to connect to your deployment or your deployment members are run on different hosts, specify the net.bindIp setting. For more information, see Localhost Binding Compatibility Changes.
Start the mongos specifying the --config option and the path to the configuration file.
Command Line
If using command line parameters, start the mongos and specify the --keyFile and --configdb parameters.
Include additional options as required for your configuration. For instance, if you wish remote clients to connect to your deployment or your deployment members are run on different hosts, specify --bind_ip. For more information, see Localhost Binding Compatibility Changes.
Connect to a mongos over the localhost interface.
Connect a mongo shell to one of the mongos instances over the localhost interface. You must run the mongo shell on the same physical machine as the mongos instance.
The localhost interface is only available since no users have been created for the deployment. The localhost interface closes after the creation of the first user.
Important
After you create the first user, the localhost exception is no longer available.
The first user must have privileges to create other users, such as a user with the userAdminAnyDatabase role. This ensures that you can create additional users after the Localhost Exception closes.
If no user has privileges to create users, once the localhost exception closes you cannot create or modify users, and therefore may be unable to perform necessary operations.
Add a user using the db.createUser() method. The user should have at minimum the userAdminAnyDatabase role on the admin database.
Important
Passwords should be random, long, and complex to ensure system security and to prevent or delay malicious access.
The following example creates the user fred on the admin database:
See Database User Roles for a full list of built-in roles related to database administration operations.
Use db.auth() to authenticate as the user administrator to create additional users:
Enter the password when prompted.
Alternatively, connect a new mongo shell to the target replica set member using the -u <username>, -p <password>, and the --authenticationDatabase "admin" parameters. You must use the Localhost Exception to connect to the mongos.
If you do not specify the password to the -p command-line option, the mongo shell prompts for the password.
The cluster administrator user has the clusterAdmin role, which grants access to replication and sharding operations.
Create a clusterAdmin user in the admin database.
The following example creates the user ravi on the admin database.
Important
Passwords should be random, long, and complex to ensure system security and to prevent or delay malicious access.
See Cluster Administration Roles for a full list of built-in roles related to replica set and sharded cluster operations.
Create users to allow clients to connect and access the sharded cluster. See Database User Roles for available built-in roles, such as read and readWrite. You may also want additional administrative users. For more information on users, see Users.
To create additional users, you must authenticate as a user with userAdminAnyDatabase or userAdmin roles.
To proceed, you must be connected to the mongos and authenticated as the cluster administrator user for the sharded cluster.
Note
This is the cluster administrator for the sharded cluster and not the shard-local cluster administrator.
To add each shard to the cluster, use the sh.addShard() method. If the shard is a replica set, specify the name of the replica set and specify a member of the set. In production deployments, all shards should be replica sets.
The following operation adds a single shard replica set to the cluster:
The following operation is an example of adding a standalone mongod shard to the cluster:
Repeat these steps until the cluster includes all shards. At this point, the sharded cluster enforces access control for the cluster as well as for internal communications between each sharded cluster component.
To proceed, you must be connected to the mongos and authenticated as the cluster administrator user for the sharded cluster.
Note
This is the cluster administrator for the sharded cluster and not the shard-local cluster administrator.
Enabling sharding on a database makes it possible to shard collections within the database. Use the sh.enableSharding() method to enable sharding on the target database.
To proceed, you must be connected to the mongos and authenticated as the cluster administrator user for the sharded cluster.
Note
This is the cluster administrator for the sharded cluster and not the shard-local cluster administrator.
To shard a collection, use the sh.shardCollection() method. You must specify the full namespace of the collection and a document containing the shard key.
Your selection of shard key affects the efficiency of sharding, as well as your ability to take advantage of certain sharding features such as zones. See the selection considerations listed in Choosing a Shard Key.
If the collection already contains data, you must create an index on the shard key using the db.collection.createIndex() method before using shardCollection().
If the collection is empty, MongoDB creates the index as part of sh.shardCollection().
The following is an example of the sh.shardCollection() method:
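The <replSetName>/<host:port> form appears twice on this page: as the mongos --configdb / sharding.configDB value and as the argument to sh.addShard(), which additionally accepts a bare host:port for a standalone shard. As an added example (not the page's own shell calls and not MongoDB code), the following Node.js code formats and parses that string, validates the db.collection namespace and shard-key document that sh.shardCollection() takes, and lays out the steps in the order the text requires (index first when the collection already holds data). The hostnames, the records.people namespace and the function names are assumptions made for this example.

```javascript
// "host:port" with a numeric port in range.
function isHostPort(s) {
  const m = /^([^:\s\/,]+):(\d{1,5})$/.exec(s);
  return !!m && Number(m[2]) > 0 && Number(m[2]) < 65536;
}

// Format <replSetName>/<host:port>,<host:port>... as used by the mongos
// --configdb / sharding.configDB setting and by sh.addShard().
function replSetSpec(replSetName, hosts) {
  if (!replSetName || /[\/,\s]/.test(replSetName)) throw new Error("invalid replica set name");
  if (!Array.isArray(hosts) || hosts.length === 0) throw new Error("at least one host:port is required");
  hosts.forEach((h) => { if (!isHostPort(h)) throw new Error(`not host:port: ${h}`); });
  return `${replSetName}/${hosts.join(",")}`;
}

// Parse a shard specification. "rs/host:port,..." is a replica set shard;
// a bare "host:port" is a standalone mongod, which the tutorial allows but
// advises against for production.
function parseShardSpec(spec) {
  const slash = spec.indexOf("/");
  const replSetName = slash >= 0 ? spec.slice(0, slash) : null;
  const hosts = (slash >= 0 ? spec.slice(slash + 1) : spec).split(",").map((h) => h.trim());
  if (slash >= 0 && !replSetName) throw new Error("empty replica set name");
  if (hosts.length === 0 || !hosts.every(isHostPort)) throw new Error(`invalid host list in ${spec}`);
  return { replSetName, hosts, replicaSet: replSetName !== null };
}

// A full namespace is <database>.<collection>.
function validateNamespace(ns) {
  const dot = ns.indexOf(".");
  if (dot <= 0 || dot === ns.length - 1) return { ok: false, error: `namespace must be db.collection: ${ns}` };
  return { ok: true, db: ns.slice(0, dot), collection: ns.slice(dot + 1) };
}

// Shard key document: one or more fields whose value is 1 (ranged) or
// "hashed"; a shard key may contain at most one hashed field.
function validateShardKey(key) {
  const fields = Object.keys(key || {});
  if (fields.length === 0) return { ok: false, error: "shard key needs at least one field" };
  let hashed = 0;
  for (const f of fields) {
    const v = key[f];
    if (v === "hashed") hashed += 1;
    else if (v !== 1) return { ok: false, error: `field ${f}: value must be 1 or "hashed"` };
  }
  if (hashed > 1) return { ok: false, error: "only one field may be hashed" };
  return { ok: true, hashed: hashed === 1 };
}

// Steps to shard a collection: create the shard-key index first when the
// collection already holds data, then call sh.shardCollection().
function shardCollectionPlan(ns, key, collectionHasData) {
  const n = validateNamespace(ns);
  if (!n.ok) throw new Error(n.error);
  const k = validateShardKey(key);
  if (!k.ok) throw new Error(k.error);
  const steps = [];
  if (collectionHasData) steps.push({ method: "db.collection.createIndex", db: n.db, collection: n.collection, args: [key] });
  steps.push({ method: "sh.shardCollection", args: [ns, key] });
  return steps;
}

// Stand-alone demonstration with constructed names.
const configDb = replSetSpec("configReplSet", ["cfg1.example.net:27019", "cfg2.example.net:27019", "cfg3.example.net:27019"]);
const shard1 = replSetSpec("shard1", ["s1-mongo1.example.net:27018", "s1-mongo2.example.net:27018"]);
console.log("mongos --configdb", configDb);
console.log("sh.addShard(", JSON.stringify(shard1), ")", parseShardSpec(shard1));
console.log("standalone shard:", parseShardSpec("s3-mongo1.example.net:27018"));
console.log(shardCollectionPlan("records.people", { zipcode: 1 }, true));
```

The replicaSet flag returned by parseShardSpec is the value to gate on in deployment tooling: the tutorial permits a standalone mongod shard, but a production cluster should have every shard be a replica set.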
Create users to allow clients to connect to and interact with the sharded cluster.
See Database User Roles for basic built-in roles to use in creating read-only and read-write users.
For details on using x.509 for internal authentication, see Use x.509 Certificate for Membership Authentication.
To upgrade from keyfile internal authentication to x.509 internal authentication, see Upgrade from Keyfile Authentication to x.509 Authentication.