https://docs.mongodb.com/manual/tutorial/enable-authentication/
Overview
Enabling access control on a MongoDB deployment enforces authentication, requiring users to identify themselves. When accessing a MongoDB deployment that has access control enabled, users can only perform actions as determined by their roles.
For authentication, MongoDB supports various Authentication Mechanisms.
The following tutorial enables access control on a standalone mongod instance and uses the default authentication mechanism.
Replica sets and sharded clusters
Replica sets and sharded clusters require internal authentication between members when access control is enabled. For more details, please see Internal Authentication.
User Administrator
With access control enabled, ensure you have a user with userAdmin or userAdminAnyDatabase role in the admin database. This user can administrate user and roles such as: create users, grant or revoke roles from users, and create or modify customs roles.
You can create users either before or after enabling access control. If you enable access control before creating any user, MongoDB provides a localhost exception which allows you to create a user administrator in theadmin database. Once created, you must authenticate as the user administrator to create additional users as needed.
Procedure
The following procedure first adds a user administrator to a MongoDB instance running without access control and then enables access control.
Start MongoDB without access control.
For example, the following starts a standalone mongod instance without access control.
mongod --port 27017 --dbpath /data/db1
Create the user administrator.
In the admin database, add a user with the userAdminAnyDatabase role. For example, the following creates the user myUserAdmin in the admin database:
NOTE
The database where you create the user (in this example, admin) is the user’s authentication database. Although the user would authenticate to this database, the user can have roles in other databases; i.e. the user’s authentication database does not limit the user’s privileges.
use admin
db.createUser(
{
user: "myUserAdmin",
pwd: "abc123",
roles: [ { role: "userAdminAnyDatabase", db: "admin" } ]
}
)
Disconnect the mongo shell.
Re-start the MongoDB instance with access control.
Re-start the mongod instance with the --auth command line option or, if using a configuration file, thesecurity.authorization setting.
mongod --auth --port 27017 --dbpath /data/db1
Clients that connect to this instance must now authenticate themselves as a MongoDB user. Clients can only perform actions as determined by their assigned roles.
Connect and authenticate as the user administrator.
Using the mongo shell, you can:
- Connect with authentication by passing in user credentials, or
- Connect first withouth authentication, and then issue the
db.auth()method to authenticate.
To authenticate during connection
Start a mongo shell with the -u <username>, -p <password>, and the --authenticationDatabase <database> command line options:
mongo --port 27017 -u "myUserAdmin" -p "abc123" --authenticationDatabase "admin"
To authenticate after connecting
Connect the mongo shell to the mongod:
mongo --port 27017
Switch to the authentication database (in this case, admin), and use db.auth(<username>,<pwd>) method to authenticate:
use admin
db.auth("myUserAdmin", "abc123" )
https://docs.mongodb.com/manual/tutorial/deploy-replica-set/
wget wget https://fastdl.mongodb.org/linux/mongodb-linux-x86_64-3.4.10.tgz;
tar xf mongodb* -C /usr/local/;
ln -sf /usr/local/mongodb-linux-x86_64-3.4.10 /usr/local/mongodb;
cd /usr/local/mongodb/bin; ll -a;
mkdir -p /data/db1;
now=$(date +"%H_%I_%S_%m_%d_%Y");
echo $now;
echo 123 > $now.now;
./mongod --port 27017 --dbpath /data/db1 --logpath /data/db1.$now.log--logappend;
ps -aux | grep mongo;
./mongo --port 27017;
use admin
db.createUser(
{
user: "admin",
pwd: "admin123",
roles: [ { role: "userAdminAnyDatabase", db: "admin" } ,"clusterAdmin"]
}
)
db.shutdownServer()
exit
ps -aux | grep mongo;
echo 'mykeyfksdfjjsjf>2<1024' > mykeyf;
chmod 600;
scp mykeyf hadoop2:/usr/local/mongodb/bin;
scp mykeyf bigdata-server-02:/usr/local/mongodb/bin;scp mykeyf bigdata-server-03:/usr/local/mongodb/bin;
[
Use rs.initiate() on one and only one member of the replica set
https://docs.mongodb.com/manual/tutorial/deploy-replica-set/
https://docs.mongodb.com/manual/core/security-internal-authentication/
https://docs.mongodb.com/manual/reference/configuration-options/#security.clusterAuthMode
]
./mongod --auth --port 27017 --keyFile /usr/local/mongodb/bin/mykeyf --replSet myreplSet --dbpath /data/db1 --logpath /data/db1.$now.log;
./mongo --port 27017;
use admin;
db.auth("admin","admin123");
##
rs.status();
rs.add("hadoop2:27017");
> rs.initiate();
{
"info2" : "no configuration specified. Using a default configuration for the set",
"me" : "hadoop1:27017",
"ok" : 1
}
myreplSet:SECONDARY> rs.add("hadoop2:27017");
{ "ok" : 1 }
myreplSet:PRIMARY> rs.status()
{
"set" : "myreplSet",
"date" : ISODate("2017-11-22T08:59:42.246Z"),
"myState" : 1,
"term" : NumberLong(1),
"heartbeatIntervalMillis" : NumberLong(2000),
"optimes" : {
"lastCommittedOpTime" : {
"ts" : Timestamp(1511341175, 2),
"t" : NumberLong(1)
},
"appliedOpTime" : {
"ts" : Timestamp(1511341175, 2),
"t" : NumberLong(1)
},
"durableOpTime" : {
"ts" : Timestamp(1511341175, 2),
"t" : NumberLong(1)
}
},
"members" : [
{
"_id" : 0,
"name" : "hadoop1:27017",
"health" : 1,
"state" : 1,
"stateStr" : "PRIMARY",
"uptime" : 118,
"optime" : {
"ts" : Timestamp(1511341175, 2),
"t" : NumberLong(1)
},
"optimeDate" : ISODate("2017-11-22T08:59:35Z"),
"infoMessage" : "could not find member to sync from",
"electionTime" : Timestamp(1511341163, 2),
"electionDate" : ISODate("2017-11-22T08:59:23Z"),
"configVersion" : 2,
"self" : true
},
{
"_id" : 1,
"name" : "hadoop2:27017",
"health" : 1,
"state" : 2,
"stateStr" : "SECONDARY",
"uptime" : 6,
"optime" : {
"ts" : Timestamp(1511341175, 2),
"t" : NumberLong(1)
},
"optimeDurable" : {
"ts" : Timestamp(1511341175, 2),
"t" : NumberLong(1)
},
"optimeDate" : ISODate("2017-11-22T08:59:35Z"),
"optimeDurableDate" : ISODate("2017-11-22T08:59:35Z"),
"lastHeartbeat" : ISODate("2017-11-22T08:59:41.891Z"),
"lastHeartbeatRecv" : ISODate("2017-11-22T08:59:37.663Z"),
"pingMs" : NumberLong(0),
"configVersion" : 2
}
],
"ok" : 1
}
myreplSet:PRIMARY>
myreplSet:SECONDARY> rs.status()
{
"set" : "myreplSet",
"date" : ISODate("2017-11-22T02:20:43.349Z"),
"myState" : 2,
"term" : NumberLong(3),
"heartbeatIntervalMillis" : NumberLong(2000),
"optimes" : {
"lastCommittedOpTime" : {
"ts" : Timestamp(1511345737, 1),
"t" : NumberLong(3)
},
"appliedOpTime" : {
"ts" : Timestamp(1511345737, 1),
"t" : NumberLong(3)
},
"durableOpTime" : {
"ts" : Timestamp(1511345737, 1),
"t" : NumberLong(3)
}
},
"members" : [
{
"_id" : 0,
"name" : "hadoop1:27017",
"health" : 0,
"state" : 8,
"stateStr" : "(not reachable/healthy)",
"uptime" : 0,
"optime" : {
"ts" : Timestamp(0, 0),
"t" : NumberLong(-1)
},
"optimeDurable" : {
"ts" : Timestamp(0, 0),
"t" : NumberLong(-1)
},
"optimeDate" : ISODate("1970-01-01T00:00:00Z"),
"optimeDurableDate" : ISODate("1970-01-01T00:00:00Z"),
"lastHeartbeat" : ISODate("2017-11-22T02:20:42.871Z"),
"lastHeartbeatRecv" : ISODate("2017-11-22T02:20:26.990Z"),
"pingMs" : NumberLong(0),
"lastHeartbeatMessage" : "Connection refused",
"configVersion" : -1
},
{
"_id" : 1,
"name" : "hadoop2:27017",
"health" : 1,
"state" : 2,
"stateStr" : "SECONDARY",
"uptime" : 179,
"optime" : {
"ts" : Timestamp(1511345737, 1),
"t" : NumberLong(3)
},
"optimeDate" : ISODate("2017-11-22T10:15:37Z"),
"infoMessage" : "could not find member to sync from",
"configVersion" : 2,
"self" : true
}
],
"ok" : 1
}
[root@hadoop2 bin]# ./mongo --port 27017;
MongoDB shell version v3.4.7
connecting to: mongodb://127.0.0.1:27017/
MongoDB server version: 3.4.7
myreplSet:SECONDARY> use admin
switched to db admin
myreplSet:SECONDARY> db.auth("admin","admin123")
1
myreplSet:SECONDARY> rs.status()
{
"set" : "myreplSet",
"date" : ISODate("2017-11-22T02:41:45.652Z"),
"myState" : 2,
"term" : NumberLong(4),
"heartbeatIntervalMillis" : NumberLong(2000),
"optimes" : {
"lastCommittedOpTime" : {
"ts" : Timestamp(0, 0),
"t" : NumberLong(-1)
},
"appliedOpTime" : {
"ts" : Timestamp(1511346776, 1),
"t" : NumberLong(4)
},
"durableOpTime" : {
"ts" : Timestamp(1511346776, 1),
"t" : NumberLong(4)
}
},
"members" : [
{
"_id" : 0,
"name" : "hadoop1:27017",
"health" : 0,
"state" : 8,
"stateStr" : "(not reachable/healthy)",
"uptime" : 0,
"optime" : {
"ts" : Timestamp(0, 0),
"t" : NumberLong(-1)
},
"optimeDurable" : {
"ts" : Timestamp(0, 0),
"t" : NumberLong(-1)
},
"optimeDate" : ISODate("1970-01-01T00:00:00Z"),
"optimeDurableDate" : ISODate("1970-01-01T00:00:00Z"),
"lastHeartbeat" : ISODate("2017-11-22T02:41:45.036Z"),
"lastHeartbeatRecv" : ISODate("1970-01-01T00:00:00Z"),
"pingMs" : NumberLong(0),
"lastHeartbeatMessage" : "Connection refused",
"configVersion" : -1
},
{
"_id" : 1,
"name" : "hadoop2:27017",
"health" : 1,
"state" : 2,
"stateStr" : "SECONDARY",
"uptime" : 186,
"optime" : {
"ts" : Timestamp(1511346776, 1),
"t" : NumberLong(4)
},
"optimeDate" : ISODate("2017-11-22T10:32:56Z"),
"configVersion" : 2,
"self" : true
}
],
"ok" : 1
}
myreplSet:SECONDARY> rs.status()
{
"set" : "myreplSet",
"date" : ISODate("2017-11-22T02:42:04.885Z"),
"myState" : 1,
"term" : NumberLong(5),
"heartbeatIntervalMillis" : NumberLong(2000),
"optimes" : {
"lastCommittedOpTime" : {
"ts" : Timestamp(0, 0),
"t" : NumberLong(-1)
},
"appliedOpTime" : {
"ts" : Timestamp(1511346776, 3),
"t" : NumberLong(5)
},
"durableOpTime" : {
"ts" : Timestamp(1511346776, 3),
"t" : NumberLong(5)
}
},
"members" : [
{
"_id" : 0,
"name" : "hadoop1:27017",
"health" : 1,
"state" : 2,
"stateStr" : "SECONDARY",
"uptime" : 9,
"optime" : {
"ts" : Timestamp(1511346776, 1),
"t" : NumberLong(4)
},
"optimeDurable" : {
"ts" : Timestamp(1511346776, 1),
"t" : NumberLong(4)
},
"optimeDate" : ISODate("2017-11-22T10:32:56Z"),
"optimeDurableDate" : ISODate("2017-11-22T10:32:56Z"),
"lastHeartbeat" : ISODate("2017-11-22T02:42:04.303Z"),
"lastHeartbeatRecv" : ISODate("2017-11-22T02:42:00.050Z"),
"pingMs" : NumberLong(0),
"configVersion" : 2
},
{
"_id" : 1,
"name" : "hadoop2:27017",
"health" : 1,
"state" : 1,
"stateStr" : "PRIMARY",
"uptime" : 205,
"optime" : {
"ts" : Timestamp(1511346776, 3),
"t" : NumberLong(5)
},
"optimeDate" : ISODate("2017-11-22T10:32:56Z"),
"infoMessage" : "could not find member to sync from",
"electionTime" : Timestamp(1511346776, 2),
"electionDate" : ISODate("2017-11-22T10:32:56Z"),
"configVersion" : 2,
"self" : true
}
],
"ok" : 1
}
myreplSet:PRIMARY> db.getRoles()
[
{
"role" : "myClusterwideAdmin",
"db" : "admin",
"isBuiltin" : false,
"roles" : [
{
"role" : "read",
"db" : "admin"
}
],
"inheritedRoles" : [
{
"role" : "read",
"db" : "admin"
}
]
}
]
myreplSet:PRIMARY> db.getUsers()
[
{
"_id" : "admin.admin",
"user" : "admin",
"db" : "admin",
"roles" : [
{
"role" : "userAdminAnyDatabase",
"db" : "admin"
},
{
"role" : "clusterAdmin",
"db" : "admin"
}
]
},
{
"_id" : "admin.myClusterwideAdmin_user",
"user" : "myClusterwideAdmin_user",
"db" : "admin",
"roles" : [
{
"role" : "userAdminAnyDatabase",
"db" : "admin"
},
{
"role" : "clusterAdmin",
"db" : "admin"
},
{
"role" : "myClusterwideAdmin",
"db" : "admin"
}
]
}
]
myreplSet:PRIMARY>
2个节点,谁先启动,谁就是可以充当主节点;
Deploy a Replica Set — MongoDB Manual https://docs.mongodb.com/manual/tutorial/deploy-replica-set/