MongoDB uses keyfile access control to deploy replica sets (instance tutorial), mongodbkeyfile

Source: Internet
Author: User
Tags: mongo shell

Introduction

Configure the replica set's mandatory access control:

Internal authentication is used to secure communication between the members of the replica set. Role-based access control is used to secure access by connected clients to the replica set.

In this tutorial, each member of the replica set uses the same internal authentication mechanism and settings.

Enforcing internal authentication also enforces user access control. To connect to the replica set, a client such as the mongo shell must use a user account.

Note: Keyfile Security

Keyfiles are the minimal form of security and are suitable for testing and development environments. X.509 certificates are recommended for production environments.

Access Control

This document describes how to create only the minimum number of administrative users, all in the admin database. For user authentication, this article uses the default SCRAM-SHA-1 authentication mechanism. SCRAM-SHA-1 is most suitable for testing and development environments. For production environments, we recommend x.509 certificates, LDAP proxy authentication, or Kerberos authentication.

Deploy a new replica set using keyfile access control

1. Create the keyfile

With keyfile authentication, each mongod instance in the replica set uses the keyfile contents as a shared password to authenticate the other members. Only mongod instances with the correct keyfile can join the replica set.

The keyfile content must be 6 to 1024 characters long, and all members of the replica set must use the same content.

Note:

On UNIX systems, the keyfile must not have group or world permissions. On Windows, keyfile permissions are not checked.

You can generate the keyfile by any method. For example, use openssl to generate a complex random string of 1024 characters, then use chmod to change the file permissions so that only the file owner has read permission.

2. Copy the keyfile to each replica set member

Copy the keyfile to the host of each replica set member. Ensure that the user running the mongod instance owns the keyfile and can read it.

Do not store the keyfile on media that can easily be disconnected from the host running the mongod instance, such as a USB drive or a network storage device.
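As an added example that is not part of the original tutorial, the following POSIX shell script generates a keyfile as described in steps 1 and 2 and checks the constraints stated above (6 to 1024 characters, no group or world permissions, base64 characters only) before the file is copied to other members. The keyfile path is supplied by the caller, and the availability of openssl, ls, tr and wc is assumed.

```shell
#!/bin/sh
# Added example, not part of the original tutorial: generate a replica-set
# keyfile and verify it meets the constraints the tutorial states before it
# is copied to the other members. Assumes a POSIX shell with openssl, ls,
# tr and wc available; the keyfile path is supplied by the caller.

# Generate the keyfile. 756 random bytes base64-encoded is 1024 characters
# including line breaks, the maximum MongoDB accepts. The subshell umask
# ensures the file is never created with group/other permissions, and
# chmod 400 leaves only the owner's read bit.
gen_keyfile() {
    ( umask 077 && openssl rand -base64 756 > "$1" ) || return 1
    chmod 400 "$1"
}

# Verify a keyfile. Returns 0 if it is usable, otherwise:
#   1 - missing, or readable/writable by group or others (UNIX check)
#   2 - fewer than 6 or more than 1024 non-whitespace characters
#   3 - contains characters outside the base64 alphabet
check_keyfile() {
    [ -f "$1" ] || return 1
    # Columns 5-10 of 'ls -l' output are the group and other permission bits.
    case "$(ls -ld "$1" | cut -c5-10)" in
        *[rwxst]*) return 1 ;;
    esac
    chars=$(tr -d '[:space:]' < "$1" | wc -c | tr -d ' ')
    [ "$chars" -ge 6 ] && [ "$chars" -le 1024 ] || return 2
    bad=$(tr -d '[:space:]' < "$1" | tr -d 'A-Za-z0-9+/=' | wc -c | tr -d ' ')
    [ "$bad" -eq 0 ] || return 3
}

# Usage: sh keyfile.sh /path/to/keyfile
if [ "$#" -eq 1 ]; then
    gen_keyfile "$1" && check_keyfile "$1" && echo "keyfile OK: $1"
fi
```

Run check_keyfile again on every member after copying, since a copy made with a permissive umask can silently reintroduce group or world read bits.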

3. Enable access control for each member of the replica set

Start mongod with the keyFile parameter to enforce internal authentication and role-based access control.

For each mongod instance in the replica set, start mongod using the configuration file or command line.

Note:

The replica set name cannot be changed after initialization. Choose an appropriate name in this step.

Configuration File

If you use a configuration file, set the keyfile path with the security.keyFile option and the replica set name with replication.replSetName.

security:
  keyFile: <path-to-keyfile>
replication:
  replSetName: <replicaSetName>

Use the configuration file to start mongod:

mongod --config <path-to-config>
Command Line

If you use the command line, start mongod with the --keyFile and --replSet parameters.

mongod --keyFile <path-to-keyfile> --replSet <replicaSetName>
4. Connect to a replica set member through the localhost interface

Use the mongo shell to connect to the mongod instance through the localhost interface. The mongo shell must run on the same physical machine as the mongod instance.

The localhost exception is available only while no user has been created. Once a user is created, the localhost exception is disabled.

5. Initialize the replica set

The rs.initiate() method initializes the replica set and accepts an optional replica set configuration document.

The replica set configuration document includes:

_id: must match the --replSet parameter passed to mongod.

members: an array containing one document for each member of the replica set.

The following is an example of a replica set containing three members:

rs.initiate(
  {
    _id : <replicaSetName>,
    members: [
      { _id : 0, host : "mongo1.example.net:27017" },
      { _id : 1, host : "mongo2.example.net:27017" },
      { _id : 2, host : "mongo3.example.net:27017" }
    ]
  }
)

rs.initiate() triggers an election and elects one member as the primary.

Connect to the primary before proceeding to the next step. Use rs.status() to identify the primary member.

6. Create an administrator user

Important:

After a user is created, the localhost exception is no longer available.

The first user must have the privilege to create other users, for example a user with the userAdminAnyDatabase role. This ensures that you can create additional users later.

If no user has the privilege to create users, then once the localhost exception closes you cannot create or modify users or perform other necessary operations.

Use db.createUser() to add a user. The user in the admin database must have at least the userAdminAnyDatabase role.

You must connect to primary to create a user.

In the following example, a user fred with the userAdminAnyDatabase role is created in the admin database.

Important:

The password should be random, long and complex enough to ensure system security and prevent malicious access.

admin = db.getSiblingDB("admin")
admin.createUser(
  {
    user: "fred",
    pwd: "changeme1",
    roles: [ { role: "userAdminAnyDatabase", db: "admin" } ]
  }
)

7. Authenticate as the administrator user

Authenticate against the admin database.

In the mongo shell, use db.auth() to authenticate. For example, the following authenticates the administrator user fred:

db.getSiblingDB("admin").auth("fred", "changeme1")

Alternatively, connect a mongo shell to the primary of the replica set using the -u, -p, and --authenticationDatabase parameters.

mongo -u "fred" -p "changeme1" --authenticationDatabase "admin"

8. Create a cluster administrator

The clusterAdmin role grants access to replica set operations, such as configuring the replica set.

Create a cluster administrator user and assign it the clusterAdmin role.

db.getSiblingDB("admin").createUser(
  {
    "user" : "ravi",
    "pwd" : "changeme2",
    roles: [ { "role" : "clusterAdmin", "db" : "admin" } ]
  }
)

9. Create other users (optional)

Create a user to allow the client to connect and interact with the replica set.
