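Using keyFile-based authentication in MongoDB 3.2.7 with replica sets and a sharded cluster
After a replica-set-based sharded cluster has been built, MongoDB does not provide user authentication out of the box. It has to be configured by hand so that the database accepts connections only from specific users in specific ways, which improves the security and stability of the database. This article shows how to use keyFile-based authentication in MongoDB 3.2.7 with replica sets and a sharded cluster.
First, deploy a MongoDB 3.2.7 cluster environment by following the post "MongoDB 3.2.7 for rhel6.4: replica set and sharded cluster deployment" (http://blog.itpub.net/29357786/viewspace-2128515/).
Approach: create a superuser for each of the two cluster shards, firstset and secondset (used to administer each shard of the Mongo cluster), then create one administrative user for the cluster to control external connections to the cluster's mongos process.
1. Create the shard administration superuser for firstset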
[mongo@mongo2 conf]$ mongo admin --port 10001
MongoDB shell version: 3.2.7
connecting to: 127.0.0.1:10001/admin
firstset:PRIMARY> rs.status()
{
"set" : "firstset",
"date" : ISODate("2016-12-14T04:26:56.026Z"),
"myState" : 1,
"term" : NumberLong(15),
"heartbeatIntervalMillis" : NumberLong(2000),
"members" : [
{
"_id" : 0,
"name" : "192.168.144.120:10001",
"health" : 1,
"state" : 2,
"stateStr" : "SECONDARY",
"uptime" : 45,
"optime" : {
"ts" : Timestamp(1481689582, 1),
"t" : NumberLong(15)
},
"optimeDate" : ISODate("2016-12-14T04:26:22Z"),
"lastHeartbeat" : ISODate("2016-12-14T04:26:55.533Z"),
"lastHeartbeatRecv" : ISODate("2016-12-14T04:26:55.093Z"),
"pingMs" : NumberLong(0),
"syncingTo" : "192.168.144.130:10001",
"configVersion" : 1
},
{
"_id" : 1,
"name" : "192.168.144.130:10001",
"health" : 1,
"state" : 1,
"stateStr" : "PRIMARY",
"uptime" : 46,
"optime" : {
"ts" : Timestamp(1481689582, 1),
"t" : NumberLong(15)
},
"optimeDate" : ISODate("2016-12-14T04:26:22Z"),
"infoMessage" : "could not find member to sync from",
"electionTime" : Timestamp(1481689581, 1),
"electionDate" : ISODate("2016-12-14T04:26:21Z"),
"configVersion" : 1,
"self" : true
},
{
"_id" : 2,
"name" : "192.168.144.111:10001",
"health" : 1,
"state" : 7,
"stateStr" : "ARBITER",
"uptime" : 45,
"lastHeartbeat" : ISODate("2016-12-14T04:26:55.533Z"),
"lastHeartbeatRecv" : ISODate("2016-12-14T04:26:55.589Z"),
"pingMs" : NumberLong(1),
"configVersion" : 1
}
],
"ok" : 1
}
firstset:PRIMARY> db.createUser(
... {
... user:"firstset",
... pwd:"firstset",
... roles:[{role:"root",db:"admin"}]
... }
... );
Successfully added user: {
"user" : "firstset",
"roles" : [
{
"role" : "root",
"db" : "admin"
}
]
}
firstset:PRIMARY> db.auth("firstset","firstset")
1
firstset:PRIMARY>
2. Create the shard administration superuser for secondset
[root@mongo1 ~]# mongo --port 30001
MongoDB shell version: 3.2.7
connecting to: 127.0.0.1:30001/test
Server has startup warnings:
2016-12-13T21:45:13.366-0800 I CONTROL [main] ** WARNING: --rest is specified without --httpinterface,
2016-12-13T21:45:13.366-0800 I CONTROL [main] ** enabling http interface
2016-12-13T21:45:13.444-0800 I CONTROL [initandlisten] ** WARNING: You are running this process as the root user, which is not recommended.
2016-12-13T21:45:13.444-0800 I CONTROL [initandlisten]
2016-12-13T21:45:13.444-0800 I CONTROL [initandlisten]
2016-12-13T21:45:13.444-0800 I CONTROL [initandlisten] ** WARNING: /sys/kernel/mm/transparent_hugepage/enabled is 'always'.
2016-12-13T21:45:13.444-0800 I CONTROL [initandlisten] ** We suggest setting it to 'never'
2016-12-13T21:45:13.444-0800 I CONTROL [initandlisten]
2016-12-13T21:45:13.444-0800 I CONTROL [initandlisten] ** WARNING: /sys/kernel/mm/transparent_hugepage/defrag is 'always'.
2016-12-13T21:45:13.444-0800 I CONTROL [initandlisten] ** We suggest setting it to 'never'
2016-12-13T21:45:13.444-0800 I CONTROL [initandlisten]
secondset:PRIMARY> rs.status()
{
"set" : "secondset",
"date" : ISODate("2016-12-14T05:46:03.841Z"),
"myState" : 1,
"term" : NumberLong(10),
"heartbeatIntervalMillis" : NumberLong(2000),
"members" : [
{
"_id" : 0,
"name" : "192.168.144.120:30001",
"health" : 1,
"state" : 1,
"stateStr" : "PRIMARY",
"uptime" : 50,
"optime" : {
"ts" : Timestamp(1481694325, 1),
"t" : NumberLong(10)
},
"optimeDate" : ISODate("2016-12-14T05:45:25Z"),
"electionTime" : Timestamp(1481694324, 1),
"electionDate" : ISODate("2016-12-14T05:45:24Z"),
"configVersion" : 1,
"self" : true
},
{
"_id" : 1,
"name" : "192.168.144.130:30001",
"health" : 1,
"state" : 2,
"stateStr" : "SECONDARY",
"uptime" : 29,
"optime" : {
"ts" : Timestamp(1481694325, 1),
"t" : NumberLong(10)
},
"optimeDate" : ISODate("2016-12-14T05:45:25Z"),
"lastHeartbeat" : ISODate("2016-12-14T05:46:02.779Z"),
"lastHeartbeatRecv" : ISODate("2016-12-14T05:46:03.584Z"),
"pingMs" : NumberLong(0),
"syncingTo" : "192.168.144.120:30001",
"configVersion" : 1
},
{
"_id" : 2,
"name" : "192.168.144.111:30001",
"health" : 1,
"state" : 7,
"stateStr" : "ARBITER",
"uptime" : 50,
"lastHeartbeat" : ISODate("2016-12-14T05:46:02.773Z"),
"lastHeartbeatRecv" : ISODate("2016-12-14T05:45:59.910Z"),
"pingMs" : NumberLong(0),
"configVersion" : 1
}
],
"ok" : 1
}
secondset:PRIMARY> show dbs
dns_testdb 0.002GB
local 0.003GB
secondset:PRIMARY> use admin
switched to db admin
secondset:PRIMARY> db.createUser(
... {
... user:"secondset",
... pwd:"secondset",
... roles:[{role:"root",db:"admin"}]
... }
... );
Successfully added user: {
"user" : "secondset",
"roles" : [
{
"role" : "root",
"db" : "admin"
}
]
}
secondset:PRIMARY> show users
{
"_id" : "admin.secondset",
"user" : "secondset",
"db" : "admin",
"roles" : [
{
"role" : "root",
"db" : "admin"
}
]
}
secondset:PRIMARY> db.auth("secondset","secondset")
1
secondset:PRIMARY>
3. Create the super administrator user for the replica-set-based sharded cluster
[mongo@mongo1 data]$ mongo --port 27017
MongoDB shell version: 3.2.7
connecting to: 127.0.0.1:27017/test
mongos> use admin
switched to db admin
mongos> show users
{
"_id" : "admin.zhul",
"user" : "zhul",
"db" : "admin",
"roles" : [
{
"role" : "userAdminAnyDatabase",
"db" : "admin"
}
]
}
mongos> db.system.users.remove({user:"zhul"});
WriteResult({ "nRemoved" : 1 })
mongos> db.createUser(
... {
... user:"zhul",
... pwd:"zhul",
... roles:[{role:"root",db:"admin"}]
... }
... );
Successfully added user: {
"user" : "zhul",
"roles" : [
{
"role" : "root",
"db" : "admin"
}
]
}
mongos> db.auth("zhul","zhul")
1
mongos> quit
4. Shut down the cluster processes
5. Create the keyFile
[mongo@arbiter keyfile]$ pwd
/opt/mongo/keyfile
[mongo@arbiter keyfile]$ openssl rand -base64 1024 >keyfile
[mongo@arbiter keyfile]$
[mongo@arbiter keyfile]# chmod 600 keyfile
[mongo@arbiter keyfile]# ls -l
total 4
-rw-------. 1 mongo mongo 1024 Dec 12 00:36 keyfile
6. On mongo1 and mongo2, create the directory /opt/mongo/keyfile as the mongo user, then scp the keyfile from arbiter into /opt/mongo/keyfile on mongo1 and mongo2
[mongo@mongo1 ~]$ cd /opt/mongo/keyfile/
[mongo@mongo1 keyfile]$ ls -l
total 4
-rw-------. 1 mongo mongo 1024 Dec 12 00:00 keyfile
[mongo@mongo1 keyfile]$
[mongo@mongo2 dns_repset2]$ cd /opt/mongo/keyfile/
[mongo@mongo2 keyfile]$ ls -l
total 4
-rw-------. 1 mongo mongo 1024 Dec 12 00:19 keyfile
[mongo@mongo2 keyfile]$
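A pre-flight check for steps 5 and 6, added here as an example and not part of the original post: it verifies that a keyfile has no group/other permission bits and that its content satisfies MongoDB's documented keyfile rule (6 to 1024 characters from the base64 set, whitespace ignored), and it prints a SHA-256 fingerprint so the copies on arbiter, mongo1 and mongo2 can be compared without displaying the key. The function names are hypothetical.

```bash
#!/bin/sh
# Added example (not from the original post): validate a MongoDB keyFile
# before starting mongod/mongos with --keyFile.

# check_keyfile PATH
# Prints one finding per line; returns 0 only when there are no findings.
check_keyfile() {
    local f="$1" rc=0 perms key len bad
    if [ ! -f "$f" ] || [ ! -r "$f" ]; then
        echo "MISSING: $f is not a readable regular file"
        return 1
    fi
    # Characters 5-10 of the `ls -l` mode string are the group and other bits.
    perms=$(ls -ld -- "$f" | cut -c5-10)
    if [ "$perms" != "------" ]; then
        echo "PERMS: $f grants group/other access ($perms); use chmod 600"
        rc=1
    fi
    # Whitespace (line wrapping, CR/LF) is not part of the key.
    key=$(LC_ALL=C tr -d ' \t\r\n' < "$f")
    len=${#key}
    if [ "$len" -lt 6 ] || [ "$len" -gt 1024 ]; then
        echo "LENGTH: key has $len characters; allowed range is 6 to 1024"
        rc=1
    fi
    # Anything left after deleting the base64 alphabet is an invalid character.
    bad=$(printf '%s' "$key" | LC_ALL=C tr -d 'A-Za-z0-9+/=')
    if [ -n "$bad" ]; then
        echo "CHARSET: key contains characters outside the base64 set"
        rc=1
    fi
    return $rc
}

# keyfile_fingerprint PATH
# SHA-256 of the whitespace-stripped key. Run it on every node: all members
# of the cluster must report the same value.
keyfile_fingerprint() {
    LC_ALL=C tr -d ' \t\r\n' < "$1" | sha256sum | cut -d' ' -f1
}

# Usage: sh check_keyfile.sh /opt/mongo/keyfile/keyfile
if [ "$#" -gt 0 ]; then
    check_keyfile "$1" && keyfile_fingerprint "$1"
fi
```

A 1024-byte file like the one in the listings above is within the limit, whereas 1024 random bytes encode to 1368 base64 characters, which this check reports as too long.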
7. Start the firstset shard with the keyFile parameter pointing at the keyfile
[mongo@arbiter ~]$ mongod --dbpath /opt/mongo/data/dns_arbiter1 --port 10001 --replSet firstset --oplogSize 512 --rest --fork --logpath /opt/mongo/logs/dns_aribter1/aribter1.log --logappend --nojournal --directoryperdb --keyFile /opt/mongo/keyfile/keyfile
2016-12-13T23:16:31.896-0800 I CONTROL [main] ** WARNING: --rest is specified without --httpinterface,
2016-12-13T23:16:31.897-0800 I CONTROL [main] ** enabling http interface
about to fork child process, waiting until server is ready for connections.
forked process: 2522
child process started successfully, parent exiting
[mongo@arbiter ~]$
[mongo@mongo1 conf]$ mongod --dbpath /opt/mongo/data/dns_repset1 --port 10001 --replSet firstset --oplogSize 512 --rest --fork --logpath /opt/mongo/logs/firstset/firstset.log --logappend --nojournal --directoryperdb --keyFile /opt/mongo/keyfile/keyfile
2016-12-13T23:16:34.296-0800 I CONTROL [main] ** WARNING: --rest is specified without --httpinterface,
2016-12-13T23:16:34.296-0800 I CONTROL [main] ** enabling http interface
about to fork child process, waiting until server is ready for connections.
forked process: 50009
child process started successfully, parent exiting
[mongo@mongo1 conf]$
[mongo@mongo2 ~]$ mongod --dbpath /opt/mongo/data/dns_repset1 --port 10001 --replSet firstset --oplogSize 512 --rest --fork --logpath /opt/mongo/logs/firstset/firstset.log --logappend --nojournal --directoryperdb --keyFile /opt/mongo/keyfile/keyfile
2016-12-13T23:17:02.179-0800 I CONTROL [main] ** WARNING: --rest is specified without --httpinterface,
2016-12-13T23:17:02.181-0800 I CONTROL [main] ** enabling http interface
about to fork child process, waiting until server is ready for connections.
forked process: 2542
child process started successfully, parent exiting
[mongo@mongo2 ~]$
8. Test keyfile-based user/password authentication on the firstset servers
[mongo@mongo1 conf]$ mongo admin --port 10001 -u firstset -p firstset
MongoDB shell version: 3.2.7
connecting to: 127.0.0.1:10001/admin
Server has startup warnings:
2016-12-13T22:25:08.203-0800 I CONTROL [initandlisten]
2016-12-13T22:25:08.203-0800 I CONTROL [initandlisten] ** WARNING: The server is started with the web server interface and access control.
2016-12-13T22:25:08.203-0800 I CONTROL [initandlisten] ** The web interfaces (rest, httpinterface and/or jsonp) are insecure
2016-12-13T22:25:08.203-0800 I CONTROL [initandlisten] ** and should be disabled unless required for backward compatibility.
2016-12-13T22:25:08.203-0800 I CONTROL [initandlisten]
2016-12-13T22:25:08.203-0800 I CONTROL [initandlisten]
2016-12-13T22:25:08.203-0800 I CONTROL [initandlisten] ** WARNING: /sys/kernel/mm/transparent_hugepage/enabled is 'always'.
2016-12-13T22:25:08.203-0800 I CONTROL [initandlisten] ** We suggest setting it to 'never'
2016-12-13T22:25:08.203-0800 I CONTROL [initandlisten]
2016-12-13T22:25:08.203-0800 I CONTROL [initandlisten] ** WARNING: /sys/kernel/mm/transparent_hugepage/defrag is 'always'.
2016-12-13T22:25:08.203-0800 I CONTROL [initandlisten] ** We suggest setting it to 'never'
2016-12-13T22:25:08.203-0800 I CONTROL [initandlisten]
firstset:PRIMARY> rs.status()
{
"set" : "firstset",
"date" : ISODate("2016-12-14T06:25:51.423Z"),
"myState" : 1,
"term" : NumberLong(19),
"heartbeatIntervalMillis" : NumberLong(2000),
"members" : [
{
"_id" : 0,
"name" : "192.168.144.120:10001",
"health" : 1,
"state" : 1,
"stateStr" : "PRIMARY",
"uptime" : 43,
"optime" : {
"ts" : Timestamp(1481696719, 1),
"t" : NumberLong(19)
},
"optimeDate" : ISODate("2016-12-14T06:25:19Z"),
"electionTime" : Timestamp(1481696718, 1),
"electionDate" : ISODate("2016-12-14T06:25:18Z"),
"configVersion" : 1,
"self" : true
},
{
"_id" : 1,
"name" : "192.168.144.130:10001",
"health" : 1,
"state" : 2,
"stateStr" : "SECONDARY",
"uptime" : 33,
"optime" : {
"ts" : Timestamp(1481696719, 1),
"t" : NumberLong(19)
},
"optimeDate" : ISODate("2016-12-14T06:25:19Z"),
"lastHeartbeat" : ISODate("2016-12-14T06:25:50.660Z"),
"lastHeartbeatRecv" : ISODate("2016-12-14T06:25:49.677Z"),
"pingMs" : NumberLong(0),
"syncingTo" : "192.168.144.120:10001",
"configVersion" : 1
},
{
"_id" : 2,
"name" : "192.168.144.111:10001",
"health" : 1,
"state" : 7,
"stateStr" : "ARBITER",
"uptime" : 43,
"lastHeartbeat" : ISODate("2016-12-14T06:25:50.705Z"),
"lastHeartbeatRecv" : ISODate("2016-12-14T06:25:47.164Z"),
"pingMs" : NumberLong(0),
"configVersion" : 1
}
],
"ok" : 1
}
firstset:PRIMARY> show dbs
admin 0.000GB
dns_testdb 0.004GB
local 0.008GB
firstset:PRIMARY> use admin
switched to db admin
firstset:PRIMARY> show collections
system.users
system.version
firstset:PRIMARY> exit
bye
[mongo@mongo1 conf]$ mongo admin --port 10001
MongoDB shell version: 3.2.7
connecting to: 127.0.0.1:10001/admin
firstset:PRIMARY> show dbs
2016-12-13T22:26:34.889-0800 E QUERY [thread1] Error: listDatabases failed:{
"ok" : 0,
"errmsg" : "not authorized on admin to execute command { listDatabases: 1.0 }",
"code" : 13
} :
_getErrorWithCode@src/mongo/shell/utils.js:25:13
Mongo.prototype.getDBs@src/mongo/shell/mongo.js:62:1
shellHelper.show@src/mongo/shell/utils.js:760:19
shellHelper@src/mongo/shell/utils.js:650:15
@(shellhelp2):1:1
firstset:PRIMARY> exit
bye
[mongo@mongo1 conf]$
9. Start the secondset shard with the keyFile parameter pointing at the keyfile
[mongo@arbiter ~]$ mongod --dbpath /opt/mongo/data/dns_arbiter2 --port 30001 --replSet secondset --oplogSize 512 --rest --fork --logpath /opt/mongo/logs/dns_aribter2/aribter2.log --logappend --nojournal --directoryperdb --keyFile /opt/mongo/keyfile/keyfile
2016-12-13T23:17:34.638-0800 I CONTROL [main] ** WARNING: --rest is specified without --httpinterface,
2016-12-13T23:17:34.638-0800 I CONTROL [main] ** enabling http interface
about to fork child process, waiting until server is ready for connections.
forked process: 2556
child process started successfully, parent exiting
[mongo@arbiter ~]$
[mongo@mongo1 dns_repset2]$ mongod --dbpath /opt/mongo/data/dns_repset2 --port 30001 --replSet secondset --oplogSize 512 --rest --fork --logpath /opt/mongo/logs/secondset/secondset.log --logappend --nojournal --directoryperdb --repair
2016-12-13T23:32:57.940-0800 I CONTROL [main] ** WARNING: --rest is specified without --httpinterface,
2016-12-13T23:32:57.940-0800 I CONTROL [main] ** enabling http interface
about to fork child process, waiting until server is ready for connections.
forked process: 3294
child process started successfully, parent exiting
[mongo@mongo1 dns_repset2]$
[mongo@mongo2 ~]$ mongod --dbpath /opt/mongo/data/dns_repset2 --port 30001 --replSet secondset --oplogSize 512 --rest --fork --logpath /opt/mongo/logs/secondset/secondset.log --logappend --nojournal --directoryperdb --keyFile /opt/mongo/keyfile/keyfile
2016-12-13T23:17:55.822-0800 I CONTROL [main] ** WARNING: --rest is specified without --httpinterface,
2016-12-13T23:17:55.823-0800 I CONTROL [main] ** enabling http interface
about to fork child process, waiting until server is ready for connections.
forked process: 2625
child process started successfully, parent exiting
[mongo@mongo2 ~]$
10. Test keyfile-based user/password authentication on the secondset servers
[mongo@mongo2 conf]$ mongo --port 30001
MongoDB shell version: 3.2.7
connecting to: 127.0.0.1:30001/test
secondset:PRIMARY> show dbs
2016-12-13T22:28:01.851-0800 E QUERY [thread1] Error: listDatabases failed:{
"ok" : 0,
"errmsg" : "not authorized on admin to execute command { listDatabases: 1.0 }",
"code" : 13
} :
_getErrorWithCode@src/mongo/shell/utils.js:25:13
Mongo.prototype.getDBs@src/mongo/shell/mongo.js:62:1
shellHelper.show@src/mongo/shell/utils.js:760:19
shellHelper@src/mongo/shell/utils.js:650:15
@(shellhelp2):1:1
secondset:PRIMARY> exit
bye
[mongo@mongo2 conf]$ mongo admin --port 30001 -u secondset -p secondset
MongoDB shell version: 3.2.7
connecting to: 127.0.0.1:30001/admin
Server has startup warnings:
2016-12-13T22:27:48.244-0800 I CONTROL [initandlisten]
2016-12-13T22:27:48.244-0800 I CONTROL [initandlisten] ** WARNING: The server is started with the web server interface and access control.
2016-12-13T22:27:48.244-0800 I CONTROL [initandlisten] ** The web interfaces (rest, httpinterface and/or jsonp) are insecure
2016-12-13T22:27:48.244-0800 I CONTROL [initandlisten] ** and should be disabled unless required for backward compatibility.
2016-12-13T22:27:48.244-0800 I CONTROL [initandlisten]
2016-12-13T22:27:48.244-0800 I CONTROL [initandlisten]
2016-12-13T22:27:48.244-0800 I CONTROL [initandlisten] ** WARNING: /sys/kernel/mm/transparent_hugepage/enabled is 'always'.
2016-12-13T22:27:48.244-0800 I CONTROL [initandlisten] ** We suggest setting it to 'never'
2016-12-13T22:27:48.244-0800 I CONTROL [initandlisten]
2016-12-13T22:27:48.244-0800 I CONTROL [initandlisten] ** WARNING: /sys/kernel/mm/transparent_hugepage/defrag is 'always'.
2016-12-13T22:27:48.244-0800 I CONTROL [initandlisten] ** We suggest setting it to 'never'
2016-12-13T22:27:48.244-0800 I CONTROL [initandlisten]
secondset:PRIMARY> rs.status()
{
"set" : "secondset",
"date" : ISODate("2016-12-14T06:28:24.817Z"),
"myState" : 1,
"term" : NumberLong(12),
"heartbeatIntervalMillis" : NumberLong(2000),
"members" : [
{
"_id" : 0,
"name" : "192.168.144.120:30001",
"health" : 0,
"state" : 8,
"stateStr" : "(not reachable/healthy)",
"uptime" : 0,
"optime" : {
"ts" : Timestamp(0, 0),
"t" : NumberLong(-1)
},
"optimeDate" : ISODate("1970-01-01T00:00:00Z"),
"lastHeartbeat" : ISODate("2016-12-14T06:28:24.511Z"),
"lastHeartbeatRecv" : ISODate("1970-01-01T00:00:00Z"),
"pingMs" : NumberLong(0),
"lastHeartbeatMessage" : "Connection refused",
"configVersion" : -1
},
{
"_id" : 1,
"name" : "192.168.144.130:30001",
"health" : 1,
"state" : 1,
"stateStr" : "PRIMARY",
"uptime" : 36,
"optime" : {
"ts" : Timestamp(1481696879, 1),
"t" : NumberLong(12)
},
"optimeDate" : ISODate("2016-12-14T06:27:59Z"),
"electionTime" : Timestamp(1481696878, 1),
"electionDate" : ISODate("2016-12-14T06:27:58Z"),
"configVersion" : 1,
"self" : true
},
{
"_id" : 2,
"name" : "192.168.144.111:30001",
"health" : 1,
"state" : 7,
"stateStr" : "ARBITER",
"uptime" : 36,
"lastHeartbeat" : ISODate("2016-12-14T06:28:24.479Z"),
"lastHeartbeatRecv" : ISODate("2016-12-14T06:28:23.725Z"),
"pingMs" : NumberLong(0),
"configVersion" : 1
}
],
"ok" : 1
}
secondset:PRIMARY> show dbs
admin 0.000GB
dns_testdb 0.002GB
local 0.003GB
secondset:PRIMARY> exit
bye
[mongo@mongo2 conf]$
11. Start the sharded cluster's config database server processes on the three nodes
[mongo@arbiter ~]$ mongod --configsvr --dbpath /opt/mongo/data/dns_sdconfig1 --port 20001 --fork --logpath /opt/mongo/logs/dns_config1/config1.log --logappend --keyFile /opt/mongo/keyfile/keyfile
about to fork child process, waiting until server is ready for connections.
forked process: 2585
child process started successfully, parent exiting
[mongo@arbiter ~]$
[mongo@mongo1 ~]$ mongod --configsvr --dbpath /opt/mongo/data/dns_shard1 --port 20001 --fork --logpath /opt/mongo/logs/dns_sd1/sd1_mymongo1.log --logappend --keyFile /opt/mongo/keyfile/keyfile
about to fork child process, waiting until server is ready for connections.
forked process: 3437
child process started successfully, parent exiting
[mongo@mongo1 ~]$
[mongo@mongo2 ~]$ mongod --configsvr --dbpath /opt/mongo/data/dns_shard2 --port 20001 --fork --logpath /opt/mongo/logs/dns_sd2/sd1_mymongo2.log --logappend --keyFile /opt/mongo/keyfile/keyfile
about to fork child process, waiting until server is ready for connections.
forked process: 2712
child process started successfully, parent exiting
[mongo@mongo2 ~]$
12. Start the mongos process on mongo1 and mongo2
[mongo@mongo1 ~]$ mongos --configdb 192.168.144.111:20001,192.168.144.120:20001,192.168.144.130:20001 --port 27017 --chunkSize 1 --fork --logpath /opt/mongo/logs/dns_sd.log --logappend --keyFile /opt/mongo/keyfile/keyfile
about to fork child process, waiting until server is ready for connections.
forked process: 3512
child process started successfully, parent exiting
[mongo@mongo1 ~]$
[mongo@mongo2 ~]$ mongos --configdb 192.168.144.111:20001,192.168.144.120:20001,192.168.144.130:20001 --port 27017 --chunkSize 1 --fork --logpath /opt/mongo/logs/dns_sd.log --logappend --keyFile /opt/mongo/keyfile/keyfile
about to fork child process, waiting until server is ready for connections.
forked process: 2823
child process started successfully, parent exiting
[mongo@mongo2 ~]$
13. Test keyfile-based user/password authentication on the sharded cluster
[mongo@mongo1 ~]$ mongo admin --port 27017 -u zhul -p zhul
MongoDB shell version: 3.2.7
connecting to: 127.0.0.1:27017/admin
mongos> show dbs
admin 0.000GB
config 0.001GB
dns_testdb 0.006GB
mongos> use admin
switched to db admin
mongos> show collections
system.users
system.version
mongos> use dns_testdb
switched to db dns_testdb
mongos> show collections
test_collection
mongos> exit
bye
[mongo@mongo1 ~]$ mongo admin --port 27017
MongoDB shell version: 3.2.7
connecting to: 127.0.0.1:27017/admin
mongos> show dbs
2016-12-13T23:41:11.803-0800 E QUERY [thread1] Error: listDatabases failed:{
"ok" : 0,
"errmsg" : "not authorized on admin to execute command { listDatabases: 1.0 }",
"code" : 13
} :
_getErrorWithCode@src/mongo/shell/utils.js:25:13
Mongo.prototype.getDBs@src/mongo/shell/mongo.js:62:1
shellHelper.show@src/mongo/shell/utils.js:760:19
shellHelper@src/mongo/shell/utils.js:650:15
@(shellhelp2):1:1
mongos> exit
bye
[mongo@mongo1 ~]$
14. The mongo-related processes on the three nodes
[mongo@arbiter ~]$ ps -ef|grep mongo
root 2497 2477 0 Dec13 pts/0 00:00:00 su - mongo
mongo 2498 2497 0 Dec13 pts/0 00:00:00 -bash
mongo 2522 1 0 Dec13 ? 00:00:32 mongod --dbpath /opt/mongo/data/dns_arbiter1 --port 10001 --replSet firstset --oplogSize 512 --rest --fork --logpath /opt/mongo/logs/dns_aribter1/aribter1.log --logappend --nojournal --directoryperdb --keyFile /opt/mongo/keyfile/keyfile
mongo 2556 1 0 Dec13 ? 00:00:32 mongod --dbpath /opt/mongo/data/dns_arbiter2 --port 30001 --replSet secondset --oplogSize 512 --rest --fork --logpath /opt/mongo/logs/dns_aribter2/aribter2.log --logappend --nojournal --directoryperdb --keyFile /opt/mongo/keyfile/keyfile
mongo 2585 1 0 Dec13 ? 00:00:38 mongod --configsvr --dbpath /opt/mongo/data/dns_sdconfig1 --port 20001 --fork --logpath /opt/mongo/logs/dns_config1/config1.log --logappend --keyFile /opt/mongo/keyfile/keyfile
mongo 3072 2498 0 00:55 pts/0 00:00:00 ps -ef
mongo 3073 2498 0 00:55 pts/0 00:00:00 grep mongo
[mongo@arbiter ~]$
[mongo@mongo1 ~]$ ps -ef|grep mongo
root 2965 2948 0 Dec13 pts/0 00:00:00 su - mongo
mongo 2966 2965 0 Dec13 pts/0 00:00:00 -bash
mongo 2993 1 1 Dec13 ? 00:01:07 mongod --dbpath /opt/mongo/data/dns_repset1 --port 10001 --replSet firstset --oplogSize 512 --rest --fork --logpath /opt/mongo/logs/firstset/firstset.log --logappend --nojournal --directoryperdb --keyFile /opt/mongo/keyfile/keyfile
mongo 3343 1 0 Dec13 ? 00:00:44 mongod --dbpath /opt/mongo/data/dns_repset2 --port 30001 --replSet secondset --oplogSize 512 --rest --fork --logpath /opt/mongo/logs/secondset/secondset.log --logappend --nojournal --directoryperdb --keyFile /opt/mongo/keyfile/keyfile
mongo 3437 1 0 Dec13 ? 00:00:24 mongod --configsvr --dbpath /opt/mongo/data/dns_shard1 --port 20001 --fork --logpath /opt/mongo/logs/dns_sd1/sd1_mymongo1.log --logappend --keyFile /opt/mongo/keyfile/keyfile
mongo 3512 1 0 Dec13 ? 00:00:12 mongos --configdb 192.168.144.111:20001,192.168.144.120:20001,192.168.144.130:20001 --port 27017 --chunkSize 1 --fork --logpath /opt/mongo/logs/dns_sd.log --logappend --keyFile /opt/mongo/keyfile/keyfile
mongo 4037 2966 0 00:56 pts/0 00:00:00 ps -ef
mongo 4038 2966 0 00:56 pts/0 00:00:00 grep mongo
[mongo@mongo1 ~]$
[mongo@mongo2 ~]$ ps -ef|grep mongo
root 2513 2497 0 Dec13 pts/0 00:00:00 su - mongo
mongo 2514 2513 0 Dec13 pts/0 00:00:00 -bash
mongo 2542 1 0 Dec13 ? 00:00:59 mongod --dbpath /opt/mongo/data/dns_repset1 --port 10001 --replSet firstset --oplogSize 512 --rest --fork --logpath /opt/mongo/logs/firstset/firstset.log --logappend --nojournal --directoryperdb --keyFile /opt/mongo/keyfile/keyfile
mongo 2625 1 1 Dec13 ? 00:01:04 mongod --dbpath /opt/mongo/data/dns_repset2 --port 30001 --replSet secondset --oplogSize 512 --rest --fork --logpath /opt/mongo/logs/secondset/secondset.log --logappend --nojournal --directoryperdb --keyFile /opt/mongo/keyfile/keyfile
mongo 2712 1 0 Dec13 ? 00:00:30 mongod --configsvr --dbpath /opt/mongo/data/dns_shard2 --port 20001 --fork --logpath /opt/mongo/logs/dns_sd2/sd1_mymongo2.log --logappend --keyFile /opt/mongo/keyfile/keyfile
mongo 2823 1 0 Dec13 ? 00:00:12 mongos --configdb 192.168.144.111:20001,192.168.144.120:20001,192.168.144.130:20001 --port 27017 --chunkSize 1 --fork --logpath /opt/mongo/logs/dns_sd.log --logappend --keyFile /opt/mongo/keyfile/keyfile
mongo 3312 2514 0 00:58 pts/0 00:00:00 ps -ef
mongo 3313 2514 0 00:58 pts/0 00:00:00 grep mongo
[mongo@mongo2 ~]$
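An audit of the process listings from step 14, added here as an example and not part of the original post: it reads `ps -ef` output and reports every mongod or mongos that was started without --keyFile, or with one of the web interface options (rest, httpinterface, jsonp) that the startup warnings above call insecure. It assumes the `ps -ef` column layout shown above (command in field 8); the function names and the sample lines are constructed for illustration.

```bash
#!/bin/sh
# Added example (not from the original post): audit mongod/mongos command
# lines taken from `ps -ef` output.

# audit_mongo_procs
# Reads `ps -ef` lines on stdin, prints one finding per line and returns
# non-zero when at least one finding was printed.
audit_mongo_procs() {
    awk '
    {
        # Field 8 is the executable in the ps -ef layout (UID PID PPID C
        # STIME TTY TIME CMD); strip any leading directory.
        name = $8
        sub(/^.*\//, "", name)
        if (name != "mongod" && name != "mongos") next

        port = "default"; key = 0; web = ""
        for (i = 9; i <= NF; i++) {
            if ($i == "--port" && i < NF)      port = $(i + 1)
            else if ($i ~ /^--port=/)          port = substr($i, 8)
            else if ($i ~ /^--keyFile(=|$)/)   key = 1
            else if ($i ~ /^--(rest|httpinterface|jsonp)$/) web = web " " $i
        }
        if (!key) {
            printf "NO_KEYFILE pid=%s %s port=%s\n", $2, name, port
            bad = 1
        }
        if (web != "") {
            printf "WEB_INTERFACE pid=%s %s port=%s flags=%s\n", \
                   $2, name, port, substr(web, 2)
            bad = 1
        }
    }
    END { exit bad + 0 }'
}

# Constructed sample in the layout of the listings above. The second line
# is a member started without --keyFile; the last line is the grep itself.
SAMPLE_PS='mongo 2993 1 1 Dec13 ? 00:01:07 mongod --dbpath /opt/mongo/data/dns_repset1 --port 10001 --replSet firstset --rest --fork --keyFile /opt/mongo/keyfile/keyfile
mongo 3294 1 0 Dec13 ? 00:00:01 mongod --dbpath /opt/mongo/data/dns_repset2 --port 30001 --replSet secondset --rest --fork
mongo 3437 1 0 Dec13 ? 00:00:24 mongod --configsvr --dbpath /opt/mongo/data/dns_shard1 --port 20001 --fork --keyFile /opt/mongo/keyfile/keyfile
mongo 3512 1 0 Dec13 ? 00:00:12 mongos --configdb 192.168.144.111:20001 --port 27017 --fork --keyFile /opt/mongo/keyfile/keyfile
mongo 4038 2966 0 00:56 pts/0 00:00:00 grep mongo'

# Run the audit over the constructed sample.
audit_sample() {
    printf '%s\n' "$SAMPLE_PS" | audit_mongo_procs
}

# Usage: sh audit_mongo.sh --sample   (constructed input)
#        sh audit_mongo.sh --live     (this host: ps -ef)
case "${1:-}" in
    --sample) audit_sample ;;
    --live)   ps -ef | audit_mongo_procs ;;
esac
```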
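15. MongoChef client connection configuration
firstset connection configuration
secondset connection configuration
mongos connection configuration
16. Logging in after the configuration is complete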
MongoDB 3.2.7 基於keyFile的認證在副本集+叢集分片中的使用方法。
首先,參照博文MongoDB 3.2.7 for rhel6.4 副本集-分片叢集部署(http://blog.itpub.net/29357786/viewspace-2128515/)部署MongoDB 3.2.7叢集環境。
思路:為2個叢集分片,firstset、secondset分別建立超級使用者(用來分別管理Mongo叢集的分片),再為叢集建立一個管理使用者,控制外部連結對叢集程式Mongos的訪問。
1、為firstset建立分片管理超級使用者
[mongo@mongo2 conf]$ mongo admin --port 10001
MongoDB shell version: 3.2.7
connecting to: 127.0.0.1:10001/admin
firstset:PRIMARY> rs.status()
{
"set" : "firstset",
"date" : ISODate("2016-12-14T04:26:56.026Z"),
"myState" : 1,
"term" : NumberLong(15),
"heartbeatIntervalMillis" : NumberLong(2000),
"members" : [
{
"_id" : 0,
"name" : "192.168.144.120:10001",
"health" : 1,
"state" : 2,
"stateStr" : "SECONDARY",
"uptime" : 45,
"optime" : {
"ts" : Timestamp(1481689582, 1),
"t" : NumberLong(15)
},
"optimeDate" : ISODate("2016-12-14T04:26:22Z"),
"lastHeartbeat" : ISODate("2016-12-14T04:26:55.533Z"),
"lastHeartbeatRecv" : ISODate("2016-12-14T04:26:55.093Z"),
"pingMs" : NumberLong(0),
"syncingTo" : "192.168.144.130:10001",
"configVersion" : 1
},
{
"_id" : 1,
"name" : "192.168.144.130:10001",
"health" : 1,
"state" : 1,
"stateStr" : "PRIMARY",
"uptime" : 46,
"optime" : {
"ts" : Timestamp(1481689582, 1),
"t" : NumberLong(15)
},
"optimeDate" : ISODate("2016-12-14T04:26:22Z"),
"infoMessage" : "could not find member to sync from",
"electionTime" : Timestamp(1481689581, 1),
"electionDate" : ISODate("2016-12-14T04:26:21Z"),
"configVersion" : 1,
"self" : true
},
{
"_id" : 2,
"name" : "192.168.144.111:10001",
"health" : 1,
"state" : 7,
"stateStr" : "ARBITER",
"uptime" : 45,
"lastHeartbeat" : ISODate("2016-12-14T04:26:55.533Z"),
"lastHeartbeatRecv" : ISODate("2016-12-14T04:26:55.589Z"),
"pingMs" : NumberLong(1),
"configVersion" : 1
}
],
"ok" : 1
}
firstset:PRIMARY> db.createUser(
... {
... user:"firstset",
... pwd:"firstset",
... roles:[{role:"root",db:"admin"}]
... }
... );
Successfully added user: {
"user" : "firstset",
"roles" : [
{
"role" : "root",
"db" : "admin"
}
]
}
firstset:PRIMARY> db.auth("firstset","firstset")
1
firstset:PRIMARY>
1、為secondset建立分片管理超級使用者
[root@mongo1 ~]# mongo --port 30001
MongoDB shell version: 3.2.7
connecting to: 127.0.0.1:30001/test
Server has startup warnings:
2016-12-13T21:45:13.366-0800 I CONTROL [main] ** WARNING: --rest is specified without --httpinterface,
2016-12-13T21:45:13.366-0800 I CONTROL [main] ** enabling http interface
2016-12-13T21:45:13.444-0800 I CONTROL [initandlisten] ** WARNING: You are running this process as the root user, which is not recommended.
2016-12-13T21:45:13.444-0800 I CONTROL [initandlisten]
2016-12-13T21:45:13.444-0800 I CONTROL [initandlisten]
2016-12-13T21:45:13.444-0800 I CONTROL [initandlisten] ** WARNING: /sys/kernel/mm/transparent_hugepage/enabled is 'always'.
2016-12-13T21:45:13.444-0800 I CONTROL [initandlisten] ** We suggest setting it to 'never'
2016-12-13T21:45:13.444-0800 I CONTROL [initandlisten]
2016-12-13T21:45:13.444-0800 I CONTROL [initandlisten] ** WARNING: /sys/kernel/mm/transparent_hugepage/defrag is 'always'.
2016-12-13T21:45:13.444-0800 I CONTROL [initandlisten] ** We suggest setting it to 'never'
2016-12-13T21:45:13.444-0800 I CONTROL [initandlisten]
secondset:PRIMARY> rs.status()
{
"set" : "secondset",
"date" : ISODate("2016-12-14T05:46:03.841Z"),
"myState" : 1,
"term" : NumberLong(10),
"heartbeatIntervalMillis" : NumberLong(2000),
"members" : [
{
"_id" : 0,
"name" : "192.168.144.120:30001",
"health" : 1,
"state" : 1,
"stateStr" : "PRIMARY",
"uptime" : 50,
"optime" : {
"ts" : Timestamp(1481694325, 1),
"t" : NumberLong(10)
},
"optimeDate" : ISODate("2016-12-14T05:45:25Z"),
"electionTime" : Timestamp(1481694324, 1),
"electionDate" : ISODate("2016-12-14T05:45:24Z"),
"configVersion" : 1,
"self" : true
},
{
"_id" : 1,
"name" : "192.168.144.130:30001",
"health" : 1,
"state" : 2,
"stateStr" : "SECONDARY",
"uptime" : 29,
"optime" : {
"ts" : Timestamp(1481694325, 1),
"t" : NumberLong(10)
},
"optimeDate" : ISODate("2016-12-14T05:45:25Z"),
"lastHeartbeat" : ISODate("2016-12-14T05:46:02.779Z"),
"lastHeartbeatRecv" : ISODate("2016-12-14T05:46:03.584Z"),
"pingMs" : NumberLong(0),
"syncingTo" : "192.168.144.120:30001",
"configVersion" : 1
},
{
"_id" : 2,
"name" : "192.168.144.111:30001",
"health" : 1,
"state" : 7,
"stateStr" : "ARBITER",
"uptime" : 50,
"lastHeartbeat" : ISODate("2016-12-14T05:46:02.773Z"),
"lastHeartbeatRecv" : ISODate("2016-12-14T05:45:59.910Z"),
"pingMs" : NumberLong(0),
"configVersion" : 1
}
],
"ok" : 1
}
secondset:PRIMARY> show dbs
dns_testdb 0.002GB
local 0.003GB
secondset:PRIMARY> use admin
switched to db admin
secondset:PRIMARY> db.createUser(
... {
... user:"secondset",
... pwd:"secondset",
... roles:[{role:"root",db:"admin"}]
... }
... );
Successfully added user: {
"user" : "secondset",
"roles" : [
{
"role" : "root",
"db" : "admin"
}
]
}
secondset:PRIMARY> show users
{
"_id" : "admin.secondset",
"user" : "secondset",
"db" : "admin",
"roles" : [
{
"role" : "root",
"db" : "admin"
}
]
}
secondset:PRIMARY> db.auth("secondset","secondset")
1
secondset:PRIMARY>
3、為基於副本集的分片叢集建立超級管理使用者
[mongo@mongo1 data]$ mongo --port 27017
MongoDB shell version: 3.2.7
connecting to: 127.0.0.1:27017/test
mongos> use admin
switched to db admin
mongos> show users
{
"_id" : "admin.zhul",
"user" : "zhul",
"db" : "admin",
"roles" : [
{
"role" : "userAdminAnyDatabase",
"db" : "admin"
}
]
}
mongos> db.system.users.remove({user:"zhul"});
WriteResult({ "nRemoved" : 1 })
mongos> db.createUser(
... {
... user:"zhul",
... pwd:"zhul",
... roles:[{role:"root",db:"admin"}]
... }
... );
Successfully added user: {
"user" : "zhul",
"roles" : [
{
"role" : "root",
"db" : "admin"
}
]
}
mongos> db.auth("zhul","zhul")
1
mongos> quit
4、關閉叢集程式
5、建立keyFile檔案
[mongo@arbiter keyfile]$ pwd
/opt/mongo/keyfile
[mongo@arbiter keyfile]$openssl rand -base64 1024 >keyfile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[mongo@arbiter keyfile]$
[mongo@arbiter keyfile]# chmod 600 keyfile
[mongo@arbiter keyfile]# ls -l
total 4
-rw-------. 1 mongo mongo 1024 Dec 12 00:36 keyfile
6、在mongo1、mongo2上使用mongo使用者建立檔案目錄/opt/mongo/keyfile,然後將arbiter上的keyfile檔案scp到mongo1、mongo2對應的/opt/mongo/keyfile下
[mongo@mongo1 ~]$ cd /opt/mongo/keyfile/
[mongo@mongo1 keyfile]$ ls -l
total 4
-rw-------. 1 mongo mongo 1024 Dec 12 00:00 keyfile
[mongo@mongo1 keyfile]$
[mongo@mongo2 dns_repset2]$ cd /opt/mongo/keyfile/
[mongo@mongo2 keyfile]$ ls -l
total 4
-rw-------. 1 mongo mongo 1024 Dec 12 00:19 keyfile
[mongo@mongo2 keyfile]$
7、使用keyFile引數指定keyfile啟動分片firstset
[mongo@arbiter ~]$ mongod --dbpath /opt/mongo/data/dns_arbiter1 --port 10001 --replSet firstset --oplogSize 512 --rest --fork --logpath /opt/mongo/logs/dns_aribter1/aribter1.log --logappend --nojournal --directoryperdb --keyFile /opt/mongo/keyfile/keyfile
2016-12-13T23:16:31.896-0800 I CONTROL [main] ** WARNING: --rest is specified without --httpinterface,
2016-12-13T23:16:31.897-0800 I CONTROL [main] ** enabling http interface
about to fork child process, waiting until server is ready for connections.
forked process: 2522
child process started successfully, parent exiting
[mongo@arbiter ~]$
[mongo@mongo1 conf]$ mongod --dbpath /opt/mongo/data/dns_repset1 --port 10001 --replSet firstset --oplogSize 512 --rest --fork --logpath /opt/mongo/logs/firstset/firstset.log --logappend --nojournal --directoryperdb --keyFile /opt/mongo/keyfile/keyfile
2016-12-13T23:16:34.296-0800 I CONTROL [main] ** WARNING: --rest is specified without --httpinterface,
2016-12-13T23:16:34.296-0800 I CONTROL [main] ** enabling http interface
about to fork child process, waiting until server is ready for connections.
forked process: 50009
child process started successfully, parent exiting
[mongo@mongo1 conf]$
[mongo@mongo2 ~]$ mongod --dbpath /opt/mongo/data/dns_repset1 --port 10001 --replSet firstset --oplogSize 512 --rest --fork --logpath /opt/mongo/logs/firstset/firstset.log --logappend --nojournal --directoryperdb --keyFile /opt/mongo/keyfile/keyfile
2016-12-13T23:17:02.179-0800 I CONTROL [main] ** WARNING: --rest is specified without --httpinterface,
2016-12-13T23:17:02.181-0800 I CONTROL [main] ** enabling http interface
about to fork child process, waiting until server is ready for connections.
forked process: 2542
child process started successfully, parent exiting
[mongo@mongo2 ~]$
8. Test keyfile-based user/password authentication on the firstset servers
[mongo@mongo1 conf]$ mongo admin --port 10001 -u firstset -p firstset
MongoDB shell version: 3.2.7
connecting to: 127.0.0.1:10001/admin
Server has startup warnings:
2016-12-13T22:25:08.203-0800 I CONTROL [initandlisten]
2016-12-13T22:25:08.203-0800 I CONTROL [initandlisten] ** WARNING: The server is started with the web server interface and access control.
2016-12-13T22:25:08.203-0800 I CONTROL [initandlisten] ** The web interfaces (rest, httpinterface and/or jsonp) are insecure
2016-12-13T22:25:08.203-0800 I CONTROL [initandlisten] ** and should be disabled unless required for backward compatibility.
2016-12-13T22:25:08.203-0800 I CONTROL [initandlisten]
2016-12-13T22:25:08.203-0800 I CONTROL [initandlisten]
2016-12-13T22:25:08.203-0800 I CONTROL [initandlisten] ** WARNING: /sys/kernel/mm/transparent_hugepage/enabled is 'always'.
2016-12-13T22:25:08.203-0800 I CONTROL [initandlisten] ** We suggest setting it to 'never'
2016-12-13T22:25:08.203-0800 I CONTROL [initandlisten]
2016-12-13T22:25:08.203-0800 I CONTROL [initandlisten] ** WARNING: /sys/kernel/mm/transparent_hugepage/defrag is 'always'.
2016-12-13T22:25:08.203-0800 I CONTROL [initandlisten] ** We suggest setting it to 'never'
2016-12-13T22:25:08.203-0800 I CONTROL [initandlisten]
firstset:PRIMARY> rs.status()
{
"set" : "firstset",
"date" : ISODate("2016-12-14T06:25:51.423Z"),
"myState" : 1,
"term" : NumberLong(19),
"heartbeatIntervalMillis" : NumberLong(2000),
"members" : [
{
"_id" : 0,
"name" : "192.168.144.120:10001",
"health" : 1,
"state" : 1,
"stateStr" : "PRIMARY",
"uptime" : 43,
"optime" : {
"ts" : Timestamp(1481696719, 1),
"t" : NumberLong(19)
},
"optimeDate" : ISODate("2016-12-14T06:25:19Z"),
"electionTime" : Timestamp(1481696718, 1),
"electionDate" : ISODate("2016-12-14T06:25:18Z"),
"configVersion" : 1,
"self" : true
},
{
"_id" : 1,
"name" : "192.168.144.130:10001",
"health" : 1,
"state" : 2,
"stateStr" : "SECONDARY",
"uptime" : 33,
"optime" : {
"ts" : Timestamp(1481696719, 1),
"t" : NumberLong(19)
},
"optimeDate" : ISODate("2016-12-14T06:25:19Z"),
"lastHeartbeat" : ISODate("2016-12-14T06:25:50.660Z"),
"lastHeartbeatRecv" : ISODate("2016-12-14T06:25:49.677Z"),
"pingMs" : NumberLong(0),
"syncingTo" : "192.168.144.120:10001",
"configVersion" : 1
},
{
"_id" : 2,
"name" : "192.168.144.111:10001",
"health" : 1,
"state" : 7,
"stateStr" : "ARBITER",
"uptime" : 43,
"lastHeartbeat" : ISODate("2016-12-14T06:25:50.705Z"),
"lastHeartbeatRecv" : ISODate("2016-12-14T06:25:47.164Z"),
"pingMs" : NumberLong(0),
"configVersion" : 1
}
],
"ok" : 1
}
firstset:PRIMARY> show dbs
admin 0.000GB
dns_testdb 0.004GB
local 0.008GB
firstset:PRIMARY> use admin
switched to db admin
firstset:PRIMARY> show collections
system.users
system.version
firstset:PRIMARY> exit
bye
[mongo@mongo1 conf]$ mongo admin --port 10001
MongoDB shell version: 3.2.7
connecting to: 127.0.0.1:10001/admin
firstset:PRIMARY> show dbs
2016-12-13T22:26:34.889-0800 E QUERY [thread1] Error: listDatabases failed:{
"ok" : 0,
"errmsg" : "not authorized on admin to execute command { listDatabases: 1.0 }",
"code" : 13
} :
_getErrorWithCode@src/mongo/shell/utils.js:25:13
Mongo.prototype.getDBs@src/mongo/shell/mongo.js:62:1
shellHelper.show@src/mongo/shell/utils.js:760:19
shellHelper@src/mongo/shell/utils.js:650:15
@(shellhelp2):1:1
firstset:PRIMARY> exit
bye
[mongo@mongo1 conf]$
9. Start the secondset shard with the keyFile parameter pointing to the keyfile
[mongo@arbiter ~]$ mongod --dbpath /opt/mongo/data/dns_arbiter2 --port 30001 --replSet secondset --oplogSize 512 --rest --fork --logpath /opt/mongo/logs/dns_aribter2/aribter2.log --logappend --nojournal --directoryperdb --keyFile /opt/mongo/keyfile/keyfile
2016-12-13T23:17:34.638-0800 I CONTROL [main] ** WARNING: --rest is specified without --httpinterface,
2016-12-13T23:17:34.638-0800 I CONTROL [main] ** enabling http interface
about to fork child process, waiting until server is ready for connections.
forked process: 2556
child process started successfully, parent exiting
[mongo@arbiter ~]$
[mongo@mongo1 dns_repset2]$ mongod --dbpath /opt/mongo/data/dns_repset2 --port 30001 --replSet secondset --oplogSize 512 --rest --fork --logpath /opt/mongo/logs/secondset/secondset.log --logappend --nojournal --directoryperdb --repair
2016-12-13T23:32:57.940-0800 I CONTROL [main] ** WARNING: --rest is specified without --httpinterface,
2016-12-13T23:32:57.940-0800 I CONTROL [main] ** enabling http interface
about to fork child process, waiting until server is ready for connections.
forked process: 3294
child process started successfully, parent exiting
[mongo@mongo1 dns_repset2]$
[mongo@mongo2 ~]$ mongod --dbpath /opt/mongo/data/dns_repset2 --port 30001 --replSet secondset --oplogSize 512 --rest --fork --logpath /opt/mongo/logs/secondset/secondset.log --logappend --nojournal --directoryperdb --keyFile /opt/mongo/keyfile/keyfile
2016-12-13T23:17:55.822-0800 I CONTROL [main] ** WARNING: --rest is specified without --httpinterface,
2016-12-13T23:17:55.823-0800 I CONTROL [main] ** enabling http interface
about to fork child process, waiting until server is ready for connections.
forked process: 2625
child process started successfully, parent exiting
[mongo@mongo2 ~]$
10. Test keyfile-based user/password authentication on the secondset servers
[mongo@mongo2 conf]$ mongo --port 30001
MongoDB shell version: 3.2.7
connecting to: 127.0.0.1:30001/test
secondset:PRIMARY> show dbs
2016-12-13T22:28:01.851-0800 E QUERY [thread1] Error: listDatabases failed:{
"ok" : 0,
"errmsg" : "not authorized on admin to execute command { listDatabases: 1.0 }",
"code" : 13
} :
_getErrorWithCode@src/mongo/shell/utils.js:25:13
Mongo.prototype.getDBs@src/mongo/shell/mongo.js:62:1
shellHelper.show@src/mongo/shell/utils.js:760:19
shellHelper@src/mongo/shell/utils.js:650:15
@(shellhelp2):1:1
secondset:PRIMARY> exit
bye
[mongo@mongo2 conf]$ mongo admin --port 30001 -u secondset -p secondset
MongoDB shell version: 3.2.7
connecting to: 127.0.0.1:30001/admin
Server has startup warnings:
2016-12-13T22:27:48.244-0800 I CONTROL [initandlisten]
2016-12-13T22:27:48.244-0800 I CONTROL [initandlisten] ** WARNING: The server is started with the web server interface and access control.
2016-12-13T22:27:48.244-0800 I CONTROL [initandlisten] ** The web interfaces (rest, httpinterface and/or jsonp) are insecure
2016-12-13T22:27:48.244-0800 I CONTROL [initandlisten] ** and should be disabled unless required for backward compatibility.
2016-12-13T22:27:48.244-0800 I CONTROL [initandlisten]
2016-12-13T22:27:48.244-0800 I CONTROL [initandlisten]
2016-12-13T22:27:48.244-0800 I CONTROL [initandlisten] ** WARNING: /sys/kernel/mm/transparent_hugepage/enabled is 'always'.
2016-12-13T22:27:48.244-0800 I CONTROL [initandlisten] ** We suggest setting it to 'never'
2016-12-13T22:27:48.244-0800 I CONTROL [initandlisten]
2016-12-13T22:27:48.244-0800 I CONTROL [initandlisten] ** WARNING: /sys/kernel/mm/transparent_hugepage/defrag is 'always'.
2016-12-13T22:27:48.244-0800 I CONTROL [initandlisten] ** We suggest setting it to 'never'
2016-12-13T22:27:48.244-0800 I CONTROL [initandlisten]
secondset:PRIMARY> rs.status()
{
"set" : "secondset",
"date" : ISODate("2016-12-14T06:28:24.817Z"),
"myState" : 1,
"term" : NumberLong(12),
"heartbeatIntervalMillis" : NumberLong(2000),
"members" : [
{
"_id" : 0,
"name" : "192.168.144.120:30001",
"health" : 0,
"state" : 8,
"stateStr" : "(not reachable/healthy)",
"uptime" : 0,
"optime" : {
"ts" : Timestamp(0, 0),
"t" : NumberLong(-1)
},
"optimeDate" : ISODate("1970-01-01T00:00:00Z"),
"lastHeartbeat" : ISODate("2016-12-14T06:28:24.511Z"),
"lastHeartbeatRecv" : ISODate("1970-01-01T00:00:00Z"),
"pingMs" : NumberLong(0),
"lastHeartbeatMessage" : "Connection refused",
"configVersion" : -1
},
{
"_id" : 1,
"name" : "192.168.144.130:30001",
"health" : 1,
"state" : 1,
"stateStr" : "PRIMARY",
"uptime" : 36,
"optime" : {
"ts" : Timestamp(1481696879, 1),
"t" : NumberLong(12)
},
"optimeDate" : ISODate("2016-12-14T06:27:59Z"),
"electionTime" : Timestamp(1481696878, 1),
"electionDate" : ISODate("2016-12-14T06:27:58Z"),
"configVersion" : 1,
"self" : true
},
{
"_id" : 2,
"name" : "192.168.144.111:30001",
"health" : 1,
"state" : 7,
"stateStr" : "ARBITER",
"uptime" : 36,
"lastHeartbeat" : ISODate("2016-12-14T06:28:24.479Z"),
"lastHeartbeatRecv" : ISODate("2016-12-14T06:28:23.725Z"),
"pingMs" : NumberLong(0),
"configVersion" : 1
}
],
"ok" : 1
}
secondset:PRIMARY> show dbs
admin 0.000GB
dns_testdb 0.002GB
local 0.003GB
secondset:PRIMARY> exit
bye
[mongo@mongo2 conf]$
11. Start the sharded cluster's config server processes on the three nodes
[mongo@arbiter ~]$ mongod --configsvr --dbpath /opt/mongo/data/dns_sdconfig1 --port 20001 --fork --logpath /opt/mongo/logs/dns_config1/config1.log --logappend --keyFile /opt/mongo/keyfile/keyfile
about to fork child process, waiting until server is ready for connections.
forked process: 2585
child process started successfully, parent exiting
[mongo@arbiter ~]$
[mongo@mongo1 ~]$ mongod --configsvr --dbpath /opt/mongo/data/dns_shard1 --port 20001 --fork --logpath /opt/mongo/logs/dns_sd1/sd1_mymongo1.log --logappend --keyFile /opt/mongo/keyfile/keyfile
about to fork child process, waiting until server is ready for connections.
forked process: 3437
child process started successfully, parent exiting
[mongo@mongo1 ~]$
[mongo@mongo2 ~]$ mongod --configsvr --dbpath /opt/mongo/data/dns_shard2 --port 20001 --fork --logpath /opt/mongo/logs/dns_sd2/sd1_mymongo2.log --logappend --keyFile /opt/mongo/keyfile/keyfile
about to fork child process, waiting until server is ready for connections.
forked process: 2712
child process started successfully, parent exiting
[mongo@mongo2 ~]$
12. Start the mongos process on mongo1 and mongo2
[mongo@mongo1 ~]$ mongos --configdb 192.168.144.111:20001,192.168.144.120:20001,192.168.144.130:20001 --port 27017 --chunkSize 1 --fork --logpath /opt/mongo/logs/dns_sd.log --logappend --keyFile /opt/mongo/keyfile/keyfile
about to fork child process, waiting until server is ready for connections.
forked process: 3512
child process started successfully, parent exiting
[mongo@mongo1 ~]$
[mongo@mongo2 ~]$ mongos --configdb 192.168.144.111:20001,192.168.144.120:20001,192.168.144.130:20001 --port 27017 --chunkSize 1 --fork --logpath /opt/mongo/logs/dns_sd.log --logappend --keyFile /opt/mongo/keyfile/keyfile
about to fork child process, waiting until server is ready for connections.
forked process: 2823
child process started successfully, parent exiting
[mongo@mongo2 ~]$
13. Test keyfile-based user/password authentication on the sharded cluster
[mongo@mongo1 ~]$ mongo admin --port 27017 -u zhul -p zhul
MongoDB shell version: 3.2.7
connecting to: 127.0.0.1:27017/admin
mongos> show dbs
admin 0.000GB
config 0.001GB
dns_testdb 0.006GB
mongos> use admin
switched to db admin
mongos> show collections
system.users
system.version
mongos> use dns_testdb
switched to db dns_testdb
mongos> show collections
test_collection
mongos> exit
bye
[mongo@mongo1 ~]$ mongo admin --port 27017
MongoDB shell version: 3.2.7
connecting to: 127.0.0.1:27017/admin
mongos> show dbs
2016-12-13T23:41:11.803-0800 E QUERY [thread1] Error: listDatabases failed:{
"ok" : 0,
"errmsg" : "not authorized on admin to execute command { listDatabases: 1.0 }",
"code" : 13
} :
_getErrorWithCode@src/mongo/shell/utils.js:25:13
Mongo.prototype.getDBs@src/mongo/shell/mongo.js:62:1
shellHelper.show@src/mongo/shell/utils.js:760:19
shellHelper@src/mongo/shell/utils.js:650:15
@(shellhelp2):1:1
mongos> exit
bye
[mongo@mongo1 ~]$
14. mongo-related processes on the three nodes
[mongo@arbiter ~]$ ps -ef|grep mongo
root 2497 2477 0 Dec13 pts/0 00:00:00 su - mongo
mongo 2498 2497 0 Dec13 pts/0 00:00:00 -bash
mongo 2522 1 0 Dec13 ? 00:00:32 mongod --dbpath /opt/mongo/data/dns_arbiter1 --port 10001 --replSet firstset --oplogSize 512 --rest --fork --logpath /opt/mongo/logs/dns_aribter1/aribter1.log --logappend --nojournal --directoryperdb --keyFile /opt/mongo/keyfile/keyfile
mongo 2556 1 0 Dec13 ? 00:00:32 mongod --dbpath /opt/mongo/data/dns_arbiter2 --port 30001 --replSet secondset --oplogSize 512 --rest --fork --logpath /opt/mongo/logs/dns_aribter2/aribter2.log --logappend --nojournal --directoryperdb --keyFile /opt/mongo/keyfile/keyfile
mongo 2585 1 0 Dec13 ? 00:00:38 mongod --configsvr --dbpath /opt/mongo/data/dns_sdconfig1 --port 20001 --fork --logpath /opt/mongo/logs/dns_config1/config1.log --logappend --keyFile /opt/mongo/keyfile/keyfile
mongo 3072 2498 0 00:55 pts/0 00:00:00 ps -ef
mongo 3073 2498 0 00:55 pts/0 00:00:00 grep mongo
[mongo@arbiter ~]$
[mongo@mongo1 ~]$ ps -ef|grep mongo
root 2965 2948 0 Dec13 pts/0 00:00:00 su - mongo
mongo 2966 2965 0 Dec13 pts/0 00:00:00 -bash
mongo 2993 1 1 Dec13 ? 00:01:07 mongod --dbpath /opt/mongo/data/dns_repset1 --port 10001 --replSet firstset --oplogSize 512 --rest --fork --logpath /opt/mongo/logs/firstset/firstset.log --logappend --nojournal --directoryperdb --keyFile /opt/mongo/keyfile/keyfile
mongo 3343 1 0 Dec13 ? 00:00:44 mongod --dbpath /opt/mongo/data/dns_repset2 --port 30001 --replSet secondset --oplogSize 512 --rest --fork --logpath /opt/mongo/logs/secondset/secondset.log --logappend --nojournal --directoryperdb --keyFile /opt/mongo/keyfile/keyfile
mongo 3437 1 0 Dec13 ? 00:00:24 mongod --configsvr --dbpath /opt/mongo/data/dns_shard1 --port 20001 --fork --logpath /opt/mongo/logs/dns_sd1/sd1_mymongo1.log --logappend --keyFile /opt/mongo/keyfile/keyfile
mongo 3512 1 0 Dec13 ? 00:00:12 mongos --configdb 192.168.144.111:20001,192.168.144.120:20001,192.168.144.130:20001 --port 27017 --chunkSize 1 --fork --logpath /opt/mongo/logs/dns_sd.log --logappend --keyFile /opt/mongo/keyfile/keyfile
mongo 4037 2966 0 00:56 pts/0 00:00:00 ps -ef
mongo 4038 2966 0 00:56 pts/0 00:00:00 grep mongo
[mongo@mongo1 ~]$
[mongo@mongo2 ~]$ ps -ef|grep mongo
root 2513 2497 0 Dec13 pts/0 00:00:00 su - mongo
mongo 2514 2513 0 Dec13 pts/0 00:00:00 -bash
mongo 2542 1 0 Dec13 ? 00:00:59 mongod --dbpath /opt/mongo/data/dns_repset1 --port 10001 --replSet firstset --oplogSize 512 --rest --fork --logpath /opt/mongo/logs/firstset/firstset.log --logappend --nojournal --directoryperdb --keyFile /opt/mongo/keyfile/keyfile
mongo 2625 1 1 Dec13 ? 00:01:04 mongod --dbpath /opt/mongo/data/dns_repset2 --port 30001 --replSet secondset --oplogSize 512 --rest --fork --logpath /opt/mongo/logs/secondset/secondset.log --logappend --nojournal --directoryperdb --keyFile /opt/mongo/keyfile/keyfile
mongo 2712 1 0 Dec13 ? 00:00:30 mongod --configsvr --dbpath /opt/mongo/data/dns_shard2 --port 20001 --fork --logpath /opt/mongo/logs/dns_sd2/sd1_mymongo2.log --logappend --keyFile /opt/mongo/keyfile/keyfile
mongo 2823 1 0 Dec13 ? 00:00:12 mongos --configdb 192.168.144.111:20001,192.168.144.120:20001,192.168.144.130:20001 --port 27017 --chunkSize 1 --fork --logpath /opt/mongo/logs/dns_sd.log --logappend --keyFile /opt/mongo/keyfile/keyfile
mongo 3312 2514 0 00:58 pts/0 00:00:00 ps -ef
mongo 3313 2514 0 00:58 pts/0 00:00:00 grep mongo
[mongo@mongo2 ~]$
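An added example (not from the original post) that audits `ps -ef` output like the listings in step 14: it flags any mongod/mongos started without `--keyFile`, as the mongo1 secondset command in step 9 was, and any started with `--rest`, which the startup warnings above call insecure. The sample lines are constructed from the page's output with shortened command lines; `audit_mongo_procs` and `sample_ps` are hypothetical names.

```shell
#!/bin/sh
# Added example, not from the original post.

# audit_mongo_procs: read `ps -ef` lines on stdin and print one finding per
# mongod/mongos process that lacks --keyFile or enables the HTTP/REST interface.
# Assumes the ps -ef layout shown on the page: the command starts at field 8.
audit_mongo_procs() {
    awk '
    {
        bin = $8; sub(/.*\//, "", bin)          # strip any directory prefix
        if (bin != "mongod" && bin != "mongos") next
        pid = $2; port = "?"; key = 0; http = 0
        for (i = 9; i <= NF; i++) {
            if ($i == "--port") port = $(i + 1)
            if ($i == "--keyFile" || $i ~ /^--keyFile=/) key = 1
            if ($i == "--rest" || $i == "--httpinterface") http = 1
        }
        if (!key) print "NO_KEYFILE " bin " pid=" pid " port=" port
        if (http) print "HTTP_INTERFACE " bin " pid=" pid " port=" port
    }'
}

# Constructed sample: modelled on the mongo1 listing in step 14, plus the
# step 9 mongo1 command that was started with --repair and no --keyFile.
sample_ps() {
    cat <<'EOF'
root      2965  2948  0 Dec13 pts/0    00:00:00 su - mongo
mongo     2993     1  1 Dec13 ?        00:01:07 mongod --dbpath /opt/mongo/data/dns_repset1 --port 10001 --replSet firstset --rest --fork --keyFile /opt/mongo/keyfile/keyfile
mongo     3294     1  0 Dec13 ?        00:00:44 mongod --dbpath /opt/mongo/data/dns_repset2 --port 30001 --replSet secondset --rest --fork --repair
mongo     3437     1  0 Dec13 ?        00:00:24 mongod --configsvr --dbpath /opt/mongo/data/dns_shard1 --port 20001 --fork --keyFile /opt/mongo/keyfile/keyfile
mongo     3512     1  0 Dec13 ?        00:00:12 mongos --configdb 192.168.144.111:20001 --port 27017 --fork --keyFile /opt/mongo/keyfile/keyfile
mongo     4038  2966  0 00:56 pts/0    00:00:00 grep mongo
EOF
}

# Stand-alone demo on the constructed sample; on a real node use:
#   ps -ef | audit_mongo_procs
sample_ps | audit_mongo_procs
```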
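15. MongoChef client connection configuration
firstset connection configuration
secondset configuration
mongos connection configuration
16. Logging in after the configuration is complete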
From the ITPUB blog, link: http://blog.itpub.net/29357786/viewspace-2130594/. If you repost this article, please credit the source; otherwise legal action will be pursued.