Using keyFile-based authentication in MongoDB 3.2.7 with replica sets and a sharded cluster

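    Once a sharded cluster built on replica sets is up, MongoDB does not provide user authentication on its own. It has to be configured manually so that the database accepts connections only from specific users using specific methods, which improves the security and stability of the database. This article describes how to use keyFile-based authentication in MongoDB 3.2.7 with replica sets and a sharded cluster.
    First, deploy the MongoDB 3.2.7 cluster environment by following the blog post "MongoDB 3.2.7 for rhel6.4 replica set and sharded cluster deployment" (http://blog.itpub.net/29357786/viewspace-2128515/).
    Approach: create a superuser for each of the 2 shards of the cluster, firstset and secondset (used to manage each shard of the Mongo cluster separately), then create one administrative user for the cluster to control external connections to the cluster's mongos process.
    1. Create the shard-management superuser for firstset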
[mongo@mongo2 conf]$ mongo admin  --port 10001 
MongoDB shell version: 3.2.7
connecting to: 127.0.0.1:10001/admin
firstset:PRIMARY> rs.status()
{
"set" : "firstset",
"date" : ISODate("2016-12-14T04:26:56.026Z"),
"myState" : 1,
"term" : NumberLong(15),
"heartbeatIntervalMillis" : NumberLong(2000),
"members" : [
{
"_id" : 0,
"name" : "192.168.144.120:10001",
"health" : 1,
"state" : 2,
"stateStr" : "SECONDARY",
"uptime" : 45,
"optime" : {
"ts" : Timestamp(1481689582, 1),
"t" : NumberLong(15)
},
"optimeDate" : ISODate("2016-12-14T04:26:22Z"),
"lastHeartbeat" : ISODate("2016-12-14T04:26:55.533Z"),
"lastHeartbeatRecv" : ISODate("2016-12-14T04:26:55.093Z"),
"pingMs" : NumberLong(0),
"syncingTo" : "192.168.144.130:10001",
"configVersion" : 1
},
{
"_id" : 1,
"name" : "192.168.144.130:10001",
"health" : 1,
"state" : 1,
"stateStr" : "PRIMARY",
"uptime" : 46,
"optime" : {
"ts" : Timestamp(1481689582, 1),
"t" : NumberLong(15)
},
"optimeDate" : ISODate("2016-12-14T04:26:22Z"),
"infoMessage" : "could not find member to sync from",
"electionTime" : Timestamp(1481689581, 1),
"electionDate" : ISODate("2016-12-14T04:26:21Z"),
"configVersion" : 1,
"self" : true
},
{
"_id" : 2,
"name" : "192.168.144.111:10001",
"health" : 1,
"state" : 7,
"stateStr" : "ARBITER",
"uptime" : 45,
"lastHeartbeat" : ISODate("2016-12-14T04:26:55.533Z"),
"lastHeartbeatRecv" : ISODate("2016-12-14T04:26:55.589Z"),
"pingMs" : NumberLong(1),
"configVersion" : 1
}
],
"ok" : 1
}

firstset:PRIMARY> db.createUser(  
... {  
...     user:"firstset",   
...     pwd:"firstset",  
...     roles:[{role:"root",db:"admin"}]  
... }  
... );  
Successfully added user: {
"user" : "firstset",
"roles" : [
{
"role" : "root",
"db" : "admin"
}
]
}
firstset:PRIMARY> db.auth("firstset","firstset")
1
firstset:PRIMARY> 
    2. Create the shard-management superuser for secondset
[root@mongo1 ~]# mongo --port 30001
MongoDB shell version: 3.2.7
connecting to: 127.0.0.1:30001/test
Server has startup warnings: 
2016-12-13T21:45:13.366-0800 I CONTROL  [main] ** WARNING: --rest is specified without --httpinterface,
2016-12-13T21:45:13.366-0800 I CONTROL  [main] **          enabling http interface
2016-12-13T21:45:13.444-0800 I CONTROL  [initandlisten] ** WARNING: You are running this process as the root user, which is not recommended.
2016-12-13T21:45:13.444-0800 I CONTROL  [initandlisten] 
2016-12-13T21:45:13.444-0800 I CONTROL  [initandlisten] 
2016-12-13T21:45:13.444-0800 I CONTROL  [initandlisten] ** WARNING: /sys/kernel/mm/transparent_hugepage/enabled is 'always'.
2016-12-13T21:45:13.444-0800 I CONTROL  [initandlisten] **        We suggest setting it to 'never'
2016-12-13T21:45:13.444-0800 I CONTROL  [initandlisten] 
2016-12-13T21:45:13.444-0800 I CONTROL  [initandlisten] ** WARNING: /sys/kernel/mm/transparent_hugepage/defrag is 'always'.
2016-12-13T21:45:13.444-0800 I CONTROL  [initandlisten] **        We suggest setting it to 'never'
2016-12-13T21:45:13.444-0800 I CONTROL  [initandlisten] 
secondset:PRIMARY> rs.status()
{
"set" : "secondset",
"date" : ISODate("2016-12-14T05:46:03.841Z"),
"myState" : 1,
"term" : NumberLong(10),
"heartbeatIntervalMillis" : NumberLong(2000),
"members" : [
{
"_id" : 0,
"name" : "192.168.144.120:30001",
"health" : 1,
"state" : 1,
"stateStr" : "PRIMARY",
"uptime" : 50,
"optime" : {
"ts" : Timestamp(1481694325, 1),
"t" : NumberLong(10)
},
"optimeDate" : ISODate("2016-12-14T05:45:25Z"),
"electionTime" : Timestamp(1481694324, 1),
"electionDate" : ISODate("2016-12-14T05:45:24Z"),
"configVersion" : 1,
"self" : true
},
{
"_id" : 1,
"name" : "192.168.144.130:30001",
"health" : 1,
"state" : 2,
"stateStr" : "SECONDARY",
"uptime" : 29,
"optime" : {
"ts" : Timestamp(1481694325, 1),
"t" : NumberLong(10)
},
"optimeDate" : ISODate("2016-12-14T05:45:25Z"),
"lastHeartbeat" : ISODate("2016-12-14T05:46:02.779Z"),
"lastHeartbeatRecv" : ISODate("2016-12-14T05:46:03.584Z"),
"pingMs" : NumberLong(0),
"syncingTo" : "192.168.144.120:30001",
"configVersion" : 1
},
{
"_id" : 2,
"name" : "192.168.144.111:30001",
"health" : 1,
"state" : 7,
"stateStr" : "ARBITER",
"uptime" : 50,
"lastHeartbeat" : ISODate("2016-12-14T05:46:02.773Z"),
"lastHeartbeatRecv" : ISODate("2016-12-14T05:45:59.910Z"),
"pingMs" : NumberLong(0),
"configVersion" : 1
}
],
"ok" : 1
}
secondset:PRIMARY> show dbs
dns_testdb  0.002GB
local       0.003GB
secondset:PRIMARY> use admin
switched to db admin
secondset:PRIMARY> db.createUser(  
... {  
...     user:"secondset",   
...     pwd:"secondset",  
...     roles:[{role:"root",db:"admin"}]  
... }  
... ); 
Successfully added user: {
"user" : "secondset",
"roles" : [
{
"role" : "root",
"db" : "admin"
}
]
}
secondset:PRIMARY> show users
{
"_id" : "admin.secondset",
"user" : "secondset",
"db" : "admin",
"roles" : [
{
"role" : "root",
"db" : "admin"
}
]
}
secondset:PRIMARY> db.auth("secondset","secondset") 
1
secondset:PRIMARY> 
    3. Create the super administrator user for the replica-set-based sharded cluster
[mongo@mongo1 data]$ mongo --port 27017
MongoDB shell version: 3.2.7
connecting to: 127.0.0.1:27017/test
mongos> use admin
switched to db admin
mongos> show users
{
"_id" : "admin.zhul",
"user" : "zhul",
"db" : "admin",
"roles" : [
{
"role" : "userAdminAnyDatabase",
"db" : "admin"
}
]
}
mongos> db.system.users.remove({user:"zhul"});
WriteResult({ "nRemoved" : 1 })
mongos> db.createUser(  
... {  
...     user:"zhul",   
...     pwd:"zhul",  
...     roles:[{role:"root",db:"admin"}]  
... }  
... );  
Successfully added user: {
"user" : "zhul",
"roles" : [
{
"role" : "root",
"db" : "admin"
}
]
}
mongos> db.auth("zhul","zhul") 
1
mongos> quit
    4. Shut down the cluster processes
    5. Create the keyFile
[mongo@arbiter keyfile]$ pwd
/opt/mongo/keyfile
[mongo@arbiter keyfile]$ openssl rand -base64 1024 >keyfile
[mongo@arbiter keyfile]$
[mongo@arbiter keyfile]# chmod 600 keyfile 
[mongo@arbiter keyfile]# ls -l
total 4
-rw-------. 1 mongo mongo 1024 Dec 12 00:36 keyfile
    6. On mongo1 and mongo2, create the directory /opt/mongo/keyfile as the mongo user, then scp the keyfile from arbiter into /opt/mongo/keyfile on mongo1 and mongo2
[mongo@mongo1 ~]$ cd /opt/mongo/keyfile/
[mongo@mongo1 keyfile]$ ls -l
total 4
-rw-------. 1 mongo mongo 1024 Dec 12 00:00 keyfile
[mongo@mongo1 keyfile]$ 
[mongo@mongo2 dns_repset2]$ cd /opt/mongo/keyfile/
[mongo@mongo2 keyfile]$ ls -l
total 4
-rw-------. 1 mongo mongo 1024 Dec 12 00:19 keyfile
[mongo@mongo2 keyfile]$ 
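    A pre-flight check for the keyfile created in step 5 and copied in step 6, as an added example that is not part of the original post. The function names are illustrative; the rules checked are MongoDB's keyfile requirements: 6 to 1024 base64 characters with whitespace ignored, and no group or other permissions on UNIX.

```bash
#!/bin/bash
# Added example (not from the original post): validate a MongoDB keyfile and
# compare copies across nodes. Function names are illustrative.

# sha256 of stdin, using whichever tool the host provides.
_sha256() {
    if command -v sha256sum >/dev/null 2>&1; then sha256sum; else shasum -a 256; fi | cut -d' ' -f1
}

# keyfile_check FILE: prints "ok" or the reason the file is unusable.
keyfile_check() {
    local LC_ALL=C f=$1 mode key
    [ -f "$f" ] || { echo "missing"; return 1; }

    # mongod refuses a keyfile that group or others can access.
    # Characters 5-10 of the ls mode string are the group/other bits.
    mode=$(ls -ldL "$f" | cut -c5-10)
    [ "$mode" = "------" ] || { echo "group/other access ($mode)"; return 1; }

    # mongod ignores whitespace in the file, so strip it before measuring.
    key=$(tr -d '[:space:]' < "$f")
    if [ "${#key}" -lt 6 ] || [ "${#key}" -gt 1024 ]; then
        echo "length ${#key} outside 6-1024"; return 1
    fi
    # Only characters from the base64 set are accepted.
    case $key in
        *[!A-Za-z0-9+/=]*) echo "non-base64 character"; return 1 ;;
    esac
    echo "ok"
}

# keyfile_fingerprint FILE: hash of the whitespace-stripped key. Compare this
# value between nodes after scp instead of comparing file sizes.
keyfile_fingerprint() {
    LC_ALL=C tr -d '[:space:]' < "$1" | _sha256
}

# keyfile_same A B: succeeds when both files hold the same key material.
keyfile_same() {
    [ "$(keyfile_fingerprint "$1")" = "$(keyfile_fingerprint "$2")" ]
}

# keyfile_generate FILE: create a new key that is private from the first byte.
# `openssl rand -base64 N` emits about 4N/3 characters, so N must not exceed
# 768 to stay within the 1024-character limit; 756 bytes give 1008 characters.
keyfile_generate() {
    ( umask 077 && openssl rand -base64 756 > "$1" )
}

# When run with file arguments, report on each of them.
for f in "$@"; do
    if result=$(keyfile_check "$f"); then
        printf '%s  ok  sha256=%s\n' "$f" "$(keyfile_fingerprint "$f")"
    else
        printf '%s  FAIL  %s\n' "$f" "$result"
    fi
done
```

    Run it on every node against /opt/mongo/keyfile/keyfile before starting mongod or mongos; all three nodes must report the same sha256 value.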
    7. Start the firstset shard with the keyFile parameter pointing at the keyfile
[mongo@arbiter ~]$ mongod --dbpath /opt/mongo/data/dns_arbiter1 --port 10001 --replSet firstset --oplogSize 512 --rest --fork --logpath /opt/mongo/logs/dns_aribter1/aribter1.log --logappend --nojournal --directoryperdb --keyFile /opt/mongo/keyfile/keyfile
2016-12-13T23:16:31.896-0800 I CONTROL  [main] ** WARNING: --rest is specified without --httpinterface,
2016-12-13T23:16:31.897-0800 I CONTROL  [main] **          enabling http interface
about to fork child process, waiting until server is ready for connections.
forked process: 2522
child process started successfully, parent exiting
[mongo@arbiter ~]$ 
[mongo@mongo1 conf]$ mongod --dbpath /opt/mongo/data/dns_repset1 --port 10001 --replSet firstset --oplogSize 512 --rest --fork --logpath /opt/mongo/logs/firstset/firstset.log --logappend --nojournal --directoryperdb --keyFile /opt/mongo/keyfile/keyfile
2016-12-13T23:16:34.296-0800 I CONTROL  [main] ** WARNING: --rest is specified without --httpinterface,
2016-12-13T23:16:34.296-0800 I CONTROL  [main] **          enabling http interface
about to fork child process, waiting until server is ready for connections.
forked process: 50009
child process started successfully, parent exiting
[mongo@mongo1 conf]$ 
[mongo@mongo2 ~]$ mongod --dbpath /opt/mongo/data/dns_repset1 --port 10001 --replSet firstset --oplogSize 512 --rest --fork --logpath /opt/mongo/logs/firstset/firstset.log --logappend --nojournal --directoryperdb --keyFile /opt/mongo/keyfile/keyfile
2016-12-13T23:17:02.179-0800 I CONTROL  [main] ** WARNING: --rest is specified without --httpinterface,
2016-12-13T23:17:02.181-0800 I CONTROL  [main] **          enabling http interface
about to fork child process, waiting until server is ready for connections.
forked process: 2542
child process started successfully, parent exiting
[mongo@mongo2 ~]$
    8. Test keyfile-based username/password authentication on the firstset servers
[mongo@mongo1 conf]$ mongo admin --port 10001 -u firstset -p firstset
MongoDB shell version: 3.2.7
connecting to: 127.0.0.1:10001/admin
Server has startup warnings: 
2016-12-13T22:25:08.203-0800 I CONTROL  [initandlisten] 
2016-12-13T22:25:08.203-0800 I CONTROL  [initandlisten] ** WARNING: The server is started with the web server interface and access control.
2016-12-13T22:25:08.203-0800 I CONTROL  [initandlisten] **          The web interfaces (rest, httpinterface and/or jsonp) are insecure 
2016-12-13T22:25:08.203-0800 I CONTROL  [initandlisten] **          and should be disabled unless required for backward compatibility.
2016-12-13T22:25:08.203-0800 I CONTROL  [initandlisten] 
2016-12-13T22:25:08.203-0800 I CONTROL  [initandlisten] 
2016-12-13T22:25:08.203-0800 I CONTROL  [initandlisten] ** WARNING: /sys/kernel/mm/transparent_hugepage/enabled is 'always'.
2016-12-13T22:25:08.203-0800 I CONTROL  [initandlisten] **        We suggest setting it to 'never'
2016-12-13T22:25:08.203-0800 I CONTROL  [initandlisten] 
2016-12-13T22:25:08.203-0800 I CONTROL  [initandlisten] ** WARNING: /sys/kernel/mm/transparent_hugepage/defrag is 'always'.
2016-12-13T22:25:08.203-0800 I CONTROL  [initandlisten] **        We suggest setting it to 'never'
2016-12-13T22:25:08.203-0800 I CONTROL  [initandlisten] 
firstset:PRIMARY> rs.status()
{
"set" : "firstset",
"date" : ISODate("2016-12-14T06:25:51.423Z"),
"myState" : 1,
"term" : NumberLong(19),
"heartbeatIntervalMillis" : NumberLong(2000),
"members" : [
{
"_id" : 0,
"name" : "192.168.144.120:10001",
"health" : 1,
"state" : 1,
"stateStr" : "PRIMARY",
"uptime" : 43,
"optime" : {
"ts" : Timestamp(1481696719, 1),
"t" : NumberLong(19)
},
"optimeDate" : ISODate("2016-12-14T06:25:19Z"),
"electionTime" : Timestamp(1481696718, 1),
"electionDate" : ISODate("2016-12-14T06:25:18Z"),
"configVersion" : 1,
"self" : true
},
{
"_id" : 1,
"name" : "192.168.144.130:10001",
"health" : 1,
"state" : 2,
"stateStr" : "SECONDARY",
"uptime" : 33,
"optime" : {
"ts" : Timestamp(1481696719, 1),
"t" : NumberLong(19)
},
"optimeDate" : ISODate("2016-12-14T06:25:19Z"),
"lastHeartbeat" : ISODate("2016-12-14T06:25:50.660Z"),
"lastHeartbeatRecv" : ISODate("2016-12-14T06:25:49.677Z"),
"pingMs" : NumberLong(0),
"syncingTo" : "192.168.144.120:10001",
"configVersion" : 1
},
{
"_id" : 2,
"name" : "192.168.144.111:10001",
"health" : 1,
"state" : 7,
"stateStr" : "ARBITER",
"uptime" : 43,
"lastHeartbeat" : ISODate("2016-12-14T06:25:50.705Z"),
"lastHeartbeatRecv" : ISODate("2016-12-14T06:25:47.164Z"),
"pingMs" : NumberLong(0),
"configVersion" : 1
}
],
"ok" : 1
}
firstset:PRIMARY> show dbs
admin       0.000GB
dns_testdb  0.004GB
local       0.008GB
firstset:PRIMARY> use admin
switched to db admin
firstset:PRIMARY> show collections
system.users
system.version
firstset:PRIMARY> exit
bye
[mongo@mongo1 conf]$ mongo admin --port 10001 
MongoDB shell version: 3.2.7
connecting to: 127.0.0.1:10001/admin
firstset:PRIMARY> show dbs
2016-12-13T22:26:34.889-0800 E QUERY    [thread1] Error: listDatabases failed:{
"ok" : 0,
"errmsg" : "not authorized on admin to execute command { listDatabases: 1.0 }",
"code" : 13
} :
_getErrorWithCode@src/mongo/shell/utils.js:25:13
Mongo.prototype.getDBs@src/mongo/shell/mongo.js:62:1
shellHelper.show@src/mongo/shell/utils.js:760:19
shellHelper@src/mongo/shell/utils.js:650:15
@(shellhelp2):1:1
firstset:PRIMARY> exit
bye
[mongo@mongo1 conf]$ 
    9. Start the secondset shard with the keyFile parameter pointing at the keyfile
[mongo@arbiter ~]$ mongod --dbpath /opt/mongo/data/dns_arbiter2 --port 30001 --replSet secondset --oplogSize 512 --rest --fork --logpath /opt/mongo/logs/dns_aribter2/aribter2.log --logappend --nojournal --directoryperdb --keyFile /opt/mongo/keyfile/keyfile
2016-12-13T23:17:34.638-0800 I CONTROL  [main] ** WARNING: --rest is specified without --httpinterface,
2016-12-13T23:17:34.638-0800 I CONTROL  [main] **          enabling http interface
about to fork child process, waiting until server is ready for connections.
forked process: 2556
child process started successfully, parent exiting
[mongo@arbiter ~]$
[mongo@mongo1 dns_repset2]$ mongod --dbpath /opt/mongo/data/dns_repset2 --port 30001 --replSet secondset --oplogSize 512 --rest --fork --logpath /opt/mongo/logs/secondset/secondset.log --logappend --nojournal --directoryperdb --repair
2016-12-13T23:32:57.940-0800 I CONTROL  [main] ** WARNING: --rest is specified without --httpinterface,
2016-12-13T23:32:57.940-0800 I CONTROL  [main] **          enabling http interface
about to fork child process, waiting until server is ready for connections.
forked process: 3294
child process started successfully, parent exiting
[mongo@mongo1 dns_repset2]$ 
[mongo@mongo2 ~]$ mongod --dbpath /opt/mongo/data/dns_repset2 --port 30001 --replSet secondset --oplogSize 512 --rest --fork --logpath /opt/mongo/logs/secondset/secondset.log --logappend --nojournal --directoryperdb --keyFile /opt/mongo/keyfile/keyfile
2016-12-13T23:17:55.822-0800 I CONTROL  [main] ** WARNING: --rest is specified without --httpinterface,
2016-12-13T23:17:55.823-0800 I CONTROL  [main] **          enabling http interface
about to fork child process, waiting until server is ready for connections.
forked process: 2625
child process started successfully, parent exiting
[mongo@mongo2 ~]$ 
    10. Test keyfile-based username/password authentication on the secondset servers
[mongo@mongo2 conf]$ mongo --port 30001
MongoDB shell version: 3.2.7
connecting to: 127.0.0.1:30001/test
secondset:PRIMARY> show dbs
2016-12-13T22:28:01.851-0800 E QUERY    [thread1] Error: listDatabases failed:{
"ok" : 0,
"errmsg" : "not authorized on admin to execute command { listDatabases: 1.0 }",
"code" : 13
} :
_getErrorWithCode@src/mongo/shell/utils.js:25:13
Mongo.prototype.getDBs@src/mongo/shell/mongo.js:62:1
shellHelper.show@src/mongo/shell/utils.js:760:19
shellHelper@src/mongo/shell/utils.js:650:15
@(shellhelp2):1:1
secondset:PRIMARY> exit
bye
[mongo@mongo2 conf]$ mongo admin --port 30001 -u secondset -p secondset
MongoDB shell version: 3.2.7
connecting to: 127.0.0.1:30001/admin
Server has startup warnings: 
2016-12-13T22:27:48.244-0800 I CONTROL  [initandlisten] 
2016-12-13T22:27:48.244-0800 I CONTROL  [initandlisten] ** WARNING: The server is started with the web server interface and access control.
2016-12-13T22:27:48.244-0800 I CONTROL  [initandlisten] **          The web interfaces (rest, httpinterface and/or jsonp) are insecure 
2016-12-13T22:27:48.244-0800 I CONTROL  [initandlisten] **          and should be disabled unless required for backward compatibility.
2016-12-13T22:27:48.244-0800 I CONTROL  [initandlisten] 
2016-12-13T22:27:48.244-0800 I CONTROL  [initandlisten] 
2016-12-13T22:27:48.244-0800 I CONTROL  [initandlisten] ** WARNING: /sys/kernel/mm/transparent_hugepage/enabled is 'always'.
2016-12-13T22:27:48.244-0800 I CONTROL  [initandlisten] **        We suggest setting it to 'never'
2016-12-13T22:27:48.244-0800 I CONTROL  [initandlisten] 
2016-12-13T22:27:48.244-0800 I CONTROL  [initandlisten] ** WARNING: /sys/kernel/mm/transparent_hugepage/defrag is 'always'.
2016-12-13T22:27:48.244-0800 I CONTROL  [initandlisten] **        We suggest setting it to 'never'
2016-12-13T22:27:48.244-0800 I CONTROL  [initandlisten] 
secondset:PRIMARY> rs.status()
{
"set" : "secondset",
"date" : ISODate("2016-12-14T06:28:24.817Z"),
"myState" : 1,
"term" : NumberLong(12),
"heartbeatIntervalMillis" : NumberLong(2000),
"members" : [
{
"_id" : 0,
"name" : "192.168.144.120:30001",
"health" : 0,
"state" : 8,
"stateStr" : "(not reachable/healthy)",
"uptime" : 0,
"optime" : {
"ts" : Timestamp(0, 0),
"t" : NumberLong(-1)
},
"optimeDate" : ISODate("1970-01-01T00:00:00Z"),
"lastHeartbeat" : ISODate("2016-12-14T06:28:24.511Z"),
"lastHeartbeatRecv" : ISODate("1970-01-01T00:00:00Z"),
"pingMs" : NumberLong(0),
"lastHeartbeatMessage" : "Connection refused",
"configVersion" : -1
},
{
"_id" : 1,
"name" : "192.168.144.130:30001",
"health" : 1,
"state" : 1,
"stateStr" : "PRIMARY",
"uptime" : 36,
"optime" : {
"ts" : Timestamp(1481696879, 1),
"t" : NumberLong(12)
},
"optimeDate" : ISODate("2016-12-14T06:27:59Z"),
"electionTime" : Timestamp(1481696878, 1),
"electionDate" : ISODate("2016-12-14T06:27:58Z"),
"configVersion" : 1,
"self" : true
},
{
"_id" : 2,
"name" : "192.168.144.111:30001",
"health" : 1,
"state" : 7,
"stateStr" : "ARBITER",
"uptime" : 36,
"lastHeartbeat" : ISODate("2016-12-14T06:28:24.479Z"),
"lastHeartbeatRecv" : ISODate("2016-12-14T06:28:23.725Z"),
"pingMs" : NumberLong(0),
"configVersion" : 1
}
],
"ok" : 1
}
secondset:PRIMARY> show dbs
admin       0.000GB
dns_testdb  0.002GB
local       0.003GB
secondset:PRIMARY> exit
bye
[mongo@mongo2 conf]$ 
    11. Start the sharded cluster's config database server processes on the three nodes
[mongo@arbiter ~]$ mongod --configsvr --dbpath /opt/mongo/data/dns_sdconfig1 --port 20001 --fork --logpath /opt/mongo/logs/dns_config1/config1.log --logappend --keyFile /opt/mongo/keyfile/keyfile
about to fork child process, waiting until server is ready for connections.
forked process: 2585
child process started successfully, parent exiting
[mongo@arbiter ~]$

[mongo@mongo1 ~]$ mongod --configsvr --dbpath /opt/mongo/data/dns_shard1 --port 20001 --fork --logpath /opt/mongo/logs/dns_sd1/sd1_mymongo1.log --logappend --keyFile /opt/mongo/keyfile/keyfile
about to fork child process, waiting until server is ready for connections.
forked process: 3437
child process started successfully, parent exiting
[mongo@mongo1 ~]$ 

[mongo@mongo2 ~]$ mongod --configsvr --dbpath /opt/mongo/data/dns_shard2 --port 20001 --fork --logpath /opt/mongo/logs/dns_sd2/sd1_mymongo2.log --logappend --keyFile /opt/mongo/keyfile/keyfile
about to fork child process, waiting until server is ready for connections.
forked process: 2712
child process started successfully, parent exiting
[mongo@mongo2 ~]$ 
    12. Start the mongos process on mongo1 and mongo2
[mongo@mongo1 ~]$ mongos --configdb 192.168.144.111:20001,192.168.144.120:20001,192.168.144.130:20001 --port 27017 --chunkSize 1 --fork --logpath /opt/mongo/logs/dns_sd.log --logappend --keyFile /opt/mongo/keyfile/keyfile
about to fork child process, waiting until server is ready for connections.
forked process: 3512
child process started successfully, parent exiting
[mongo@mongo1 ~]$ 

[mongo@mongo2 ~]$ mongos --configdb 192.168.144.111:20001,192.168.144.120:20001,192.168.144.130:20001 --port 27017 --chunkSize 1 --fork --logpath /opt/mongo/logs/dns_sd.log --logappend --keyFile /opt/mongo/keyfile/keyfile
about to fork child process, waiting until server is ready for connections.
forked process: 2823
child process started successfully, parent exiting
[mongo@mongo2 ~]$
    13. Test keyfile-based username/password authentication on the sharded cluster
[mongo@mongo1 ~]$ mongo admin --port 27017 -u zhul -p zhul
MongoDB shell version: 3.2.7
connecting to: 127.0.0.1:27017/admin
mongos> show dbs
admin       0.000GB
config      0.001GB
dns_testdb  0.006GB
mongos> use admin
switched to db admin
mongos> show collections
system.users
system.version
mongos> use dns_testdb
switched to db dns_testdb
mongos> show collections
test_collection
mongos> exit
bye
[mongo@mongo1 ~]$ mongo admin --port 27017 
MongoDB shell version: 3.2.7
connecting to: 127.0.0.1:27017/admin
mongos> show dbs
2016-12-13T23:41:11.803-0800 E QUERY    [thread1] Error: listDatabases failed:{
"ok" : 0,
"errmsg" : "not authorized on admin to execute command { listDatabases: 1.0 }",
"code" : 13
} :
_getErrorWithCode@src/mongo/shell/utils.js:25:13
Mongo.prototype.getDBs@src/mongo/shell/mongo.js:62:1
shellHelper.show@src/mongo/shell/utils.js:760:19
shellHelper@src/mongo/shell/utils.js:650:15
@(shellhelp2):1:1
mongos> exit
bye
[mongo@mongo1 ~]$ 
    14. The mongo-related processes on the three nodes
[mongo@arbiter ~]$ ps -ef|grep mongo
root      2497  2477  0 Dec13 pts/0    00:00:00 su - mongo
mongo     2498  2497  0 Dec13 pts/0    00:00:00 -bash
mongo     2522     1  0 Dec13 ?        00:00:32 mongod --dbpath /opt/mongo/data/dns_arbiter1 --port 10001 --replSet firstset --oplogSize 512 --rest --fork --logpath /opt/mongo/logs/dns_aribter1/aribter1.log --logappend --nojournal --directoryperdb --keyFile /opt/mongo/keyfile/keyfile
mongo     2556     1  0 Dec13 ?        00:00:32 mongod --dbpath /opt/mongo/data/dns_arbiter2 --port 30001 --replSet secondset --oplogSize 512 --rest --fork --logpath /opt/mongo/logs/dns_aribter2/aribter2.log --logappend --nojournal --directoryperdb --keyFile /opt/mongo/keyfile/keyfile
mongo     2585     1  0 Dec13 ?        00:00:38 mongod --configsvr --dbpath /opt/mongo/data/dns_sdconfig1 --port 20001 --fork --logpath /opt/mongo/logs/dns_config1/config1.log --logappend --keyFile /opt/mongo/keyfile/keyfile
mongo     3072  2498  0 00:55 pts/0    00:00:00 ps -ef
mongo     3073  2498  0 00:55 pts/0    00:00:00 grep mongo
[mongo@arbiter ~]$ 

[mongo@mongo1 ~]$ ps -ef|grep mongo
root      2965  2948  0 Dec13 pts/0    00:00:00 su - mongo
mongo     2966  2965  0 Dec13 pts/0    00:00:00 -bash
mongo     2993     1  1 Dec13 ?        00:01:07 mongod --dbpath /opt/mongo/data/dns_repset1 --port 10001 --replSet firstset --oplogSize 512 --rest --fork --logpath /opt/mongo/logs/firstset/firstset.log --logappend --nojournal --directoryperdb --keyFile /opt/mongo/keyfile/keyfile
mongo     3343     1  0 Dec13 ?        00:00:44 mongod --dbpath /opt/mongo/data/dns_repset2 --port 30001 --replSet secondset --oplogSize 512 --rest --fork --logpath /opt/mongo/logs/secondset/secondset.log --logappend --nojournal --directoryperdb --keyFile /opt/mongo/keyfile/keyfile
mongo     3437     1  0 Dec13 ?        00:00:24 mongod --configsvr --dbpath /opt/mongo/data/dns_shard1 --port 20001 --fork --logpath /opt/mongo/logs/dns_sd1/sd1_mymongo1.log --logappend --keyFile /opt/mongo/keyfile/keyfile
mongo     3512     1  0 Dec13 ?        00:00:12 mongos --configdb 192.168.144.111:20001,192.168.144.120:20001,192.168.144.130:20001 --port 27017 --chunkSize 1 --fork --logpath /opt/mongo/logs/dns_sd.log --logappend --keyFile /opt/mongo/keyfile/keyfile
mongo     4037  2966  0 00:56 pts/0    00:00:00 ps -ef
mongo     4038  2966  0 00:56 pts/0    00:00:00 grep mongo
[mongo@mongo1 ~]$

[mongo@mongo2 ~]$ ps -ef|grep mongo
root      2513  2497  0 Dec13 pts/0    00:00:00 su - mongo
mongo     2514  2513  0 Dec13 pts/0    00:00:00 -bash
mongo     2542     1  0 Dec13 ?        00:00:59 mongod --dbpath /opt/mongo/data/dns_repset1 --port 10001 --replSet firstset --oplogSize 512 --rest --fork --logpath /opt/mongo/logs/firstset/firstset.log --logappend --nojournal --directoryperdb --keyFile /opt/mongo/keyfile/keyfile
mongo     2625     1  1 Dec13 ?        00:01:04 mongod --dbpath /opt/mongo/data/dns_repset2 --port 30001 --replSet secondset --oplogSize 512 --rest --fork --logpath /opt/mongo/logs/secondset/secondset.log --logappend --nojournal --directoryperdb --keyFile /opt/mongo/keyfile/keyfile
mongo     2712     1  0 Dec13 ?        00:00:30 mongod --configsvr --dbpath /opt/mongo/data/dns_shard2 --port 20001 --fork --logpath /opt/mongo/logs/dns_sd2/sd1_mymongo2.log --logappend --keyFile /opt/mongo/keyfile/keyfile
mongo     2823     1  0 Dec13 ?        00:00:12 mongos --configdb 192.168.144.111:20001,192.168.144.120:20001,192.168.144.130:20001 --port 27017 --chunkSize 1 --fork --logpath /opt/mongo/logs/dns_sd.log --logappend --keyFile /opt/mongo/keyfile/keyfile
mongo     3312  2514  0 00:58 pts/0    00:00:00 ps -ef
mongo     3313  2514  0 00:58 pts/0    00:00:00 grep mongo
[mongo@mongo2 ~]$ 
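    An audit of process listings like the ones above, as an added example that is not part of the original post. It flags mongod/mongos processes that were started without --keyFile, that enable the web interface the startup log warns about (--rest, --httpinterface, --jsonp), or that run as root. The function name and the sample lines are constructed for illustration.

```bash
#!/bin/bash
# Added example (not from the original post): audit `ps -ef` output for
# MongoDB processes whose command line weakens the setup described here.
# Assumes the 8-column `ps -ef` layout shown above, with STIME as one field.

# audit_mongo_procs: reads `ps -ef` lines on stdin and prints "<pid> <finding>".
audit_mongo_procs() {
    awk '
    {
        # Field 8 is the executable; accept it with or without a path.
        n = split($8, path, "/"); bin = path[n]
        if (bin != "mongod" && bin != "mongos") next

        key = 0; web = 0
        for (i = 9; i <= NF; i++) {
            if ($i == "--keyFile" || $i ~ /^--keyFile=/) key = 1
            if ($i == "--rest" || $i == "--httpinterface" || $i == "--jsonp") web = 1
        }
        if ($1 == "root") print $2, "runs-as-root"
        if (!key)         print $2, "no-keyFile"
        if (web)          print $2, "web-interface-enabled"
    }'
}

# Constructed sample input, modelled on the listings above (not real output).
SAMPLE_PS='mongo     2522     1  0 Dec13 ?        00:00:32 mongod --dbpath /data/a --port 10001 --replSet firstset --rest --fork --keyFile /opt/mongo/keyfile/keyfile
root      3294     1  0 Dec13 ?        00:00:01 /usr/bin/mongod --dbpath /data/b --port 30001 --replSet secondset
mongo     3512     1  0 Dec13 ?        00:00:12 mongos --configdb cfg:20001 --port 27017 --keyFile /opt/mongo/keyfile/keyfile
mongo     3073  2498  0 00:55 pts/0    00:00:00 grep mongo'

printf '%s\n' "$SAMPLE_PS" | audit_mongo_procs
```

    On a live node, feed it the real listing with `ps -ef | audit_mongo_procs`.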
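    15. MongoChef client connection configuration
    firstset connection configuration

    secondset configuration

    mongos connection configuration

    16. Logging in after the configuration is complete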

Time: 2024-09-28 10:29:41
