
General steps for users and permissions on a MongoDB sharded cluster

Shut down the running cluster (optional)

Security authentication in a sharded cluster works essentially the same way as in a replica set.
The server layout of a sharded cluster is more complex, though, so it is best to build the keyfile and client authentication in when the cluster is first set up; if the cluster already holds data, back it up first and restore it once authentication is on.
This article reuses the cluster built earlier, so the first step is to stop the running cluster.

There are two ways to stop the services, a quick shutdown and a clean shutdown; both are described below.
(1) Quick shutdown (fast and simple, but the data can end up corrupted)
Goal: kill the processes directly with the system kill command. The signal matters: SIGINT (kill -2) and SIGTERM (kill -15) are handled by mongod as a clean shutdown, which flushes data to disk and removes the lock file; only SIGKILL (kill -9) cannot be caught, and that is the variant that can leave the data files inconsistent and a stale mongod.lock behind.

#shut a node down by its process ID
kill -2 54410

The commands actually used (these send SIGKILL):

ps -ef|grep "mongod -f "|grep -v grep|cut -c 9-15|xargs kill -9
ps -ef|grep "mongos -f "|grep -v grep|cut -c 9-15|xargs kill -9

cut -c 9-15 assumes the PID column of ps -ef occupies exactly those character positions; awk '{print $2}' or pgrep -f "mongod -f " does not depend on column alignment.

Kill the mongos routers first, then the shard replica sets, and the config replica set last, which is the order MongoDB documents for stopping a sharded cluster. Within a replica set kill the arbiter first, then the secondaries, and the primary last, to avoid a potential rollback.
Check afterwards that every process is really gone.

[Supplement]
If a node refuses to start after such a kill because its data is damaged, the following steps apply (for reference only):
1) Delete the lock files (only with mongod stopped, and only when it complains about a stale lock at startup):

rm -f /home/mongodb/sharded_cluster/myshardrs01_27018/data/db/*.lock \
/home/mongodb/sharded_cluster/myshardrs01_27118/data/db/*.lock \
/home/mongodb/sharded_cluster/myshardrs01_27218/data/db/mongod.lock \
/home/mongodb/sharded_cluster/myshardrs02_27318/data/db/mongod.lock \
/home/mongodb/sharded_cluster/myshardrs02_27418/data/db/mongod.lock \
/home/mongodb/sharded_cluster/myshardrs02_27518/data/db/mongod.lock \
/home/mongodb/sharded_cluster/myconfigrs_27019/data/db/mongod.lock \
/home/mongodb/sharded_cluster/myconfigrs_27119/data/db/mongod.lock \
/home/mongodb/sharded_cluster/myconfigrs_27219/data/db/mongod.lock

2) Repair the data directories one at a time, as the user that owns them and with that mongod stopped. A mongos has no dbpath, so the two mymongos_* instances have nothing to repair. On a replica set member the safer option is usually to wipe the directory and let the member do an initial sync from a healthy member, because --repair discards any data it cannot recover:

/usr/bin/mongod --repair --dbpath=/home/mongodb/sharded_cluster/myshardrs01_27018/data/db
/usr/bin/mongod --repair --dbpath=/home/mongodb/sharded_cluster/myshardrs01_27118/data/db
/usr/bin/mongod --repair --dbpath=/home/mongodb/sharded_cluster/myshardrs01_27218/data/db
/usr/bin/mongod --repair --dbpath=/home/mongodb/sharded_cluster/myshardrs02_27318/data/db
/usr/bin/mongod --repair --dbpath=/home/mongodb/sharded_cluster/myshardrs02_27418/data/db
/usr/bin/mongod --repair --dbpath=/home/mongodb/sharded_cluster/myshardrs02_27518/data/db
/usr/bin/mongod --repair --dbpath=/home/mongodb/sharded_cluster/myconfigrs_27019/data/db
/usr/bin/mongod --repair --dbpath=/home/mongodb/sharded_cluster/myconfigrs_27119/data/db
/usr/bin/mongod --repair --dbpath=/home/mongodb/sharded_cluster/myconfigrs_27219/data/db

(2) Clean shutdown (less risk to the data, but more work):
Goal: shut each service down in turn with the shutdownServer command from the mongo client. Before starting, stop the balancer from a mongos (sh.stopBalancer()) so that no chunk migration is cut off half-way, then stop the routers, the shard replica sets and finally the config replica set.

Stop the routers first. A mongos is not a replica set member, so there is nothing to step down; it is simply shut down:

//log in with the client. This connects through localhost; authentication is not enabled yet, so no credentials are needed (once it is, every connection must authenticate, localhost included)
mongo --port 27017
//switch to the admin database
use admin
//shut the service down
db.shutdownServer()

Then stop the members of each shard replica set: arbiter first, then the secondaries, then the primary. Only the primary needs rs.stepDown(); on a secondary it fails with "not primary". When the primary is stopped last, the other members are already gone, so rs.stepDown() may report that no electable secondary is left; that is harmless, because without a majority the node has already stepped down to secondary on its own, and db.shutdownServer() then stops it as a secondary (if it still refuses, db.shutdownServer({force: true}) skips the wait for a caught-up secondary):

//log in with the client through localhost (see above)
mongo --port 27018
//on the primary only: hand the primary role to another member before going offline
rs.stepDown()
//switch to the admin database
use admin
//shut the service down
db.shutdownServer()

Finally stop the config replica set in the same way, secondaries first, then the primary:

//log in with the client through localhost (see above)
mongo --port 27019
//on the primary only: hand the primary role to another member before going offline
rs.stepDown()
//switch to the admin database
use admin
//shut the service down
db.shutdownServer()
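The clean shutdown above, as a script. This is an added example and not code from the original page: it uses the page's port layout, assumes the legacy mongo shell is on PATH and every node listens on localhost, and assumes that, once authentication is enabled, the credentials are passed in MONGO_OPTS (for example -u myroot -p <password> --authenticationDatabase admin). The function names and the MONGO_OPTS variable are this example's own.

```shell
#!/bin/sh
# Added example: scripted clean shutdown of the sharded cluster from this page.
# Assumes the legacy `mongo` shell on PATH and every node on localhost.
set -u
MONGO=${MONGO:-mongo}
MONGO_OPTS=${MONGO_OPTS:-}          # credentials once authentication is enabled

MONGOS_PORTS="27017 27117"
SHARD_SETS="27018 27118 27218;27318 27418 27518"   # myshardrs01 ; myshardrs02
CONFIG_SET="27019 27119 27219"                      # myconfigrs

# Run one JavaScript snippet against the node on port $1 and print its output.
mongo_eval() { "$MONGO" $MONGO_OPTS --quiet --port "$1" --eval "$2"; }

# The stop order: routers, then each shard replica set, config servers last.
shutdown_plan() {
  for p in $MONGOS_PORTS; do echo "mongos $p"; done
  echo "$SHARD_SETS" | tr ';' '\n' | while read -r members; do
    for p in $members; do echo "shard $p"; done
  done
  for p in $CONFIG_SET; do echo "config $p"; done
}

# Stop the members of one replica set: arbiters, then secondaries, then the primary.
stop_replset() {
  primary=""; arbiters=""; secondaries=""
  for p in "$@"; do
    role=$(mongo_eval "$p" 'var h = rs.isMaster(); print(h.ismaster ? "primary" : (h.arbiterOnly ? "arbiter" : "secondary"))' 2>/dev/null || echo down)
    case "$role" in
      primary)   primary=$p ;;
      arbiter)   arbiters="$arbiters $p" ;;
      secondary) secondaries="$secondaries $p" ;;
      *)         echo "port $p: not reachable, skipping" >&2 ;;
    esac
  done
  for p in $arbiters $secondaries; do
    mongo_eval "$p" 'db.getSiblingDB("admin").shutdownServer()' >/dev/null 2>&1 || true
  done
  [ -n "$primary" ] || return 0
  # With the other members gone the primary loses its majority and becomes a
  # secondary by itself; rs.stepDown() may complain that no electable secondary
  # is left, which is harmless. Wait until it no longer reports itself as primary,
  # because shutdownServer() on a primary first tries to hand off to a caught-up
  # secondary and fails when there is none.
  n=0
  while [ "$(mongo_eval "$primary" 'print(rs.isMaster().ismaster)' 2>/dev/null)" = "true" ] && [ "$n" -lt 10 ]; do
    mongo_eval "$primary" 'try { rs.stepDown(60) } catch (e) { print(e) }' >/dev/null 2>&1 || true
    n=$((n + 1)); sleep 2
  done
  mongo_eval "$primary" 'db.getSiblingDB("admin").shutdownServer()' >/dev/null 2>&1 || true
}

stop_cluster() {
  # 1. Stop the balancer first so no chunk migration is cut off half-way.
  mongo_eval "${MONGOS_PORTS%% *}" 'sh.stopBalancer(); printjson(sh.isBalancerRunning())'
  # 2. Routers: a mongos is not a replica set member, so nothing to step down.
  for p in $MONGOS_PORTS; do
    mongo_eval "$p" 'db.getSiblingDB("admin").shutdownServer()' >/dev/null 2>&1 || true
  done
  # 3. Shard replica sets, then 4. the config replica set.
  echo "$SHARD_SETS" | tr ';' '\n' | while read -r members; do stop_replset $members; done
  stop_replset $CONFIG_SET
  # 5. Verify before touching lock files or configuration files.
  if pgrep -f 'mongo[ds] -f ' >/dev/null; then
    echo "still running:" >&2; pgrep -fl 'mongo[ds] -f ' >&2; return 1
  fi
  echo "all nodes stopped"
}

if [ "${1:-}" = "--stop" ]; then stop_cluster; fi
```

Run it as sh stop_cluster.sh --stop; without the flag it only defines the functions, so shutdown_plan can be inspected first. The role check uses rs.isMaster() rather than a fixed port list, so the script still stops members in the right order after an election has moved the primary.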

Create the keyfile for cluster authentication

Step one: generate a keyfile in the current directory.
Any method can be used to generate the keyfile; its content must be 6 to 1024 characters from the base64 alphabet (whitespace is ignored). The following uses openssl to generate random key material, then chmod to restrict the file so that only its owner can read it:

# cd /home/mongodb/sharded_cluster
# openssl rand -base64 90 -out ./mongo.keyfile
# chmod 400 ./mongo.keyfile
# ll mongo.keyfile
-r--------. 1 root root 122 Aug 14 14:23 mongo.keyfile

Note: every member of the cluster, each mongod and each mongos, must use the same keyfile; it is normally generated on one machine and copied to the others. The process must be able to read it, and the file must not be readable by group or others, otherwise startup fails with: permissions on /home/mongodb/replica_sets/myrs_27017/mongo.keyfile are too open
Mode 400 owned by root, as shown above, only works if the mongod and mongos processes themselves run as root; if they run as a dedicated user, chown the copies to that user.

Make sure the key content is identical everywhere; the location is arbitrary, but for easy lookup put it in a fixed place on every machine, in the same directory as the configuration file. Here the file is copied into each node's directory:

echo '/home/mongodb/sharded_cluster/myshardrs01_27018/mongo.keyfile
/home/mongodb/sharded_cluster/myshardrs01_27118/mongo.keyfile
/home/mongodb/sharded_cluster/myshardrs01_27218/mongo.keyfile
/home/mongodb/sharded_cluster/myshardrs02_27318/mongo.keyfile
/home/mongodb/sharded_cluster/myshardrs02_27418/mongo.keyfile
/home/mongodb/sharded_cluster/myshardrs02_27518/mongo.keyfile
/home/mongodb/sharded_cluster/myconfigrs_27019/mongo.keyfile
/home/mongodb/sharded_cluster/myconfigrs_27119/mongo.keyfile
/home/mongodb/sharded_cluster/myconfigrs_27219/mongo.keyfile
/home/mongodb/sharded_cluster/mymongos_27017/mongo.keyfile
/home/mongodb/sharded_cluster/mymongos_27117/mongo.keyfile' | xargs -n 1 cp -v /home/mongodb/sharded_cluster/mongo.keyfile
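The generate, copy and check steps above in one script, with a verification pass that catches the two mistakes that make a node refuse to start (a copy whose content differs, and a copy whose mode or owner is wrong). This is an added example, not code from the page: it uses the page's directory layout, assumes GNU coreutils (stat -c, sha256sum, base64), and assumes the processes run as the user named in MONGO_USER; that variable, the 756-byte key size (the size the MongoDB documentation uses; the page uses 90) and the function names are this example's own.

```shell
#!/bin/sh
# Added example: generate one keyfile, copy it to every node directory of this
# page's layout, and verify the copies before the restart. Assumes GNU coreutils
# and that the mongod/mongos processes run as $MONGO_USER (an assumption).
set -u
CLUSTER_DIR=${CLUSTER_DIR:-/home/mongodb/sharded_cluster}
MONGO_USER=${MONGO_USER:-mongod}
NODE_DIRS="myshardrs01_27018 myshardrs01_27118 myshardrs01_27218 \
           myshardrs02_27318 myshardrs02_27418 myshardrs02_27518 \
           myconfigrs_27019 myconfigrs_27119 myconfigrs_27219 \
           mymongos_27017 mymongos_27117"

# Write a fresh keyfile: 756 random bytes, base64-encoded (1008 characters, within
# the 1024 limit). Created under umask 077 so it is never group/world readable,
# not even between creation and the chmod.
make_keyfile() {  # $1 = path
  ( umask 077; head -c 756 /dev/urandom | base64 > "$1" )
  chmod 400 "$1"
}

# Copy the master key next to each node's config file, owned by the process user
# and readable only by that user. A copy readable by group or others makes the
# node refuse to start ("permissions on ... are too open").
distribute_keyfile() {  # $1 = master keyfile
  for d in $NODE_DIRS; do
    dst="$CLUSTER_DIR/$d/mongo.keyfile"
    cp "$1" "$dst"
    chmod 400 "$dst"
    chown "$MONGO_USER" "$dst" || echo "warning: could not chown $dst (run as root)" >&2
  done
}

# Verify every copy: present, identical to the master (compare digests), owned by
# the process user, and with no group/other permission bits. Prints one line per
# problem plus a summary, and returns 1 if anything is wrong.
verify_keyfiles() {  # $1 = master keyfile
  want=$(sha256sum "$1" | cut -d' ' -f1)
  bad=0
  for d in $NODE_DIRS; do
    f="$CLUSTER_DIR/$d/mongo.keyfile"
    if [ ! -f "$f" ]; then echo "MISSING  $f"; bad=$((bad + 1)); continue; fi
    got=$(sha256sum "$f" | cut -d' ' -f1)
    mode=$(stat -c '%a' "$f"); owner=$(stat -c '%U' "$f")
    [ "$got" = "$want" ]         || { echo "MISMATCH $f"; bad=$((bad + 1)); }
    [ "$owner" = "$MONGO_USER" ] || { echo "OWNER    $f (owned by $owner)"; bad=$((bad + 1)); }
    case "$mode" in
      400|600) ;;
      *) echo "MODE     $f ($mode, must be 400 or 600)"; bad=$((bad + 1)) ;;
    esac
  done
  echo "$bad problem(s)"
  [ "$bad" -eq 0 ]
}

if [ "${1:-}" = "--install" ]; then
  make_keyfile "$CLUSTER_DIR/mongo.keyfile"
  distribute_keyfile "$CLUSTER_DIR/mongo.keyfile"
  verify_keyfiles "$CLUSTER_DIR/mongo.keyfile"
fi
```

Run as root with MONGO_USER set to the account the processes run under (sh keyfile.sh --install). Re-run verify_keyfiles after copying the file to other machines; the digest comparison is what catches a copy that picked up a trailing character or an edit along the way.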

Edit the configuration files to point at the keyfile

Edit the mongod.conf of each mongod and add the following:

# vim /home/mongodb/sharded_cluster/myshardrs01_27018/mongod.conf
security:
  #keyfile for authentication between cluster members
  keyFile: /home/mongodb/sharded_cluster/myshardrs01_27018/mongo.keyfile
  #require clients to authenticate
  authorization: enabled

Add the same to the other configuration files, taking care to get each node's own mongo.keyfile path right.

The mongos.conf used by each mongos gets only the keyFile:

# /home/mongodb/sharded_cluster/mymongos_27117/mongos.conf
security:
  #keyfile for authentication between cluster members
  keyFile: /home/mongodb/sharded_cluster/mymongos_27117/mongo.keyfile

mongos has no authorization: enabled line, and the reason is not simply that mongos stores no data.
Authentication in a sharded cluster has two parts. The keyFile turns on internal authentication: every mongod and mongos presents the shared key when it talks to another member, so only processes holding the same keyfile can take part in the cluster, and enabling it also makes the process require its own clients to authenticate. security.authorization is a mongod-only option (mongos does not accept it); setting it to enabled on every mongod states explicitly that the data-bearing shards and the config servers accept only authenticated clients, including anyone who connects to a shard directly instead of through a mongos.
So: keyFile on every process, mongod and mongos alike, and authorization: enabled on every mongod in addition. Only a client with a valid account and password can then read data.
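A pre-restart check of the configuration files, written to catch exactly the slips described above: a keyFile path copied from another node's file, a mongod without authorization: enabled, and an authorization line pasted into a mongos.conf. This is an added example and not code from the page; it uses the page's file and directory names, and the line-based conf_get helper (good enough for the flat security: block shown here, not a general YAML parser) and the other function names are this example's own.

```shell
#!/bin/sh
# Added example: audit the security settings of every config file in this page's
# cluster layout before restarting. Directory and file names are the page's.
set -u
CLUSTER_DIR=${CLUSTER_DIR:-/home/mongodb/sharded_cluster}
MONGOD_DIRS="myshardrs01_27018 myshardrs01_27118 myshardrs01_27218 \
             myshardrs02_27318 myshardrs02_27418 myshardrs02_27518 \
             myconfigrs_27019 myconfigrs_27119 myconfigrs_27219"
MONGOS_DIRS="mymongos_27017 mymongos_27117"

# Value of the first "key: value" line in a YAML config file, comments stripped.
# Line-based on purpose: enough for the flat `security:` block used on this page.
conf_get() {  # $1 = file, $2 = key
  sed -n 's/#.*//; s/[[:space:]]*$//; s/^[[:space:]]*'"$2"':[[:space:]]*//p' "$1" | head -n 1
}

# Check one config file. $2 is mongod or mongos. Prints one line per problem and
# returns the number of problems found.
audit_conf() {
  file=$1; kind=$2; n=0
  if [ ! -f "$file" ]; then echo "$file: missing"; return 1; fi
  key=$(conf_get "$file" keyFile)
  authz=$(conf_get "$file" authorization)
  if [ -z "$key" ]; then
    echo "$file: security.keyFile not set (internal authentication off)"; n=$((n + 1))
  elif [ ! -f "$key" ]; then
    echo "$file: keyFile $key does not exist"; n=$((n + 1))
  elif [ "$(dirname "$key")" != "$(dirname "$file")" ]; then
    echo "$file: keyFile $key is not in this node's directory (path copied from another node?)"; n=$((n + 1))
  fi
  case "$kind" in
    mongod)
      [ "$authz" = "enabled" ] || { echo "$file: security.authorization must be 'enabled' on mongod"; n=$((n + 1)); }
      ;;
    mongos)
      [ -z "$authz" ] || { echo "$file: security.authorization is a mongod-only option; mongos does not accept it"; n=$((n + 1)); }
      ;;
  esac
  return $n
}

# Audit every node and print a summary; returns 1 if any file has a problem.
audit_all() {
  total=0
  for d in $MONGOD_DIRS; do
    audit_conf "$CLUSTER_DIR/$d/mongod.conf" mongod || total=$((total + $?))
  done
  for d in $MONGOS_DIRS; do
    audit_conf "$CLUSTER_DIR/$d/mongos.conf" mongos || total=$((total + $?))
  done
  echo "$total problem(s)"
  [ "$total" -eq 0 ]
}

if [ "${1:-}" = "--audit" ]; then audit_all; fi
```

Run sh audit_conf.sh --audit before the restart; a non-zero exit means at least one node would either fail to start or start without client authentication, which is the worse of the two outcomes because nothing visibly breaks.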

Restart the nodes

Start the config servers first, then the shards, then the routers:

/home/mongodb/sharded_cluster # /usr/bin/mongod -f /home/mongodb/sharded_cluster/myconfigrs_27019/mongod.conf                               
about to fork child process, waiting until server is ready for connections.
forked process: 8753
child process started successfully, parent exiting
------------------------------------------------------------------------------------------------------------------------------------------------------------
/home/mongodb/sharded_cluster # /usr/bin/mongod -f /home/mongodb/sharded_cluster/myconfigrs_27119/mongod.conf                               
about to fork child process, waiting until server is ready for connections.
forked process: 8862
child process started successfully, parent exiting
------------------------------------------------------------------------------------------------------------------------------------------------------------
/home/mongodb/sharded_cluster # /usr/bin/mongod -f /home/mongodb/sharded_cluster/myconfigrs_27219/mongod.conf                               
about to fork child process, waiting until server is ready for connections.
forked process: 8974
child process started successfully, parent exiting
------------------------------------------------------------------------------------------------------------------------------------------------------------
/home/mongodb/sharded_cluster # /usr/bin/mongod -f /home/mongodb/sharded_cluster/myshardrs01_27018/mongod.conf                              
about to fork child process, waiting until server is ready for connections.
forked process: 9115
child process started successfully, parent exiting
------------------------------------------------------------------------------------------------------------------------------------------------------------
/home/mongodb/sharded_cluster # /usr/bin/mongod -f /home/mongodb/sharded_cluster/myshardrs01_27118/mongod.conf                              
about to fork child process, waiting until server is ready for connections.
forked process: 9243
child process started successfully, parent exiting
------------------------------------------------------------------------------------------------------------------------------------------------------------
/home/mongodb/sharded_cluster # /usr/bin/mongod -f /home/mongodb/sharded_cluster/myshardrs01_27218/mongod.conf                              
about to fork child process, waiting until server is ready for connections.
forked process: 9384
child process started successfully, parent exiting
------------------------------------------------------------------------------------------------------------------------------------------------------------
/home/mongodb/sharded_cluster # /usr/bin/mongod -f /home/mongodb/sharded_cluster/myshardrs02_27318/mongod.conf                              
about to fork child process, waiting until server is ready for connections.
forked process: 9493
child process started successfully, parent exiting
------------------------------------------------------------------------------------------------------------------------------------------------------------
/home/mongodb/sharded_cluster # /usr/bin/mongod -f /home/mongodb/sharded_cluster/myshardrs02_27418/mongod.conf                              
about to fork child process, waiting until server is ready for connections.
forked process: 9633
child process started successfully, parent exiting
------------------------------------------------------------------------------------------------------------------------------------------------------------
/home/mongodb/sharded_cluster # /usr/bin/mongod -f /home/mongodb/sharded_cluster/myshardrs02_27518/mongod.conf                              
about to fork child process, waiting until server is ready for connections.
forked process: 9804
child process started successfully, parent exiting
------------------------------------------------------------------------------------------------------------------------------------------------------------
/home/mongodb/sharded_cluster # /usr/bin/mongos -f /home/mongodb/sharded_cluster/mymongos_27017/mongos.conf                                 
about to fork child process, waiting until server is ready for connections.
forked process: 9895
child process started successfully, parent exiting
------------------------------------------------------------------------------------------------------------------------------------------------------------
/home/mongodb/sharded_cluster # /usr/bin/mongos -f /home/mongodb/sharded_cluster/mymongos_27117/mongos.conf                                
about to fork child process, waiting until server is ready for connections.
forked process: 9963

Note:
The start order matters: config servers first, then shards, then routers. A mongos cannot finish starting until it reaches the config servers named in its configDB setting, and shard members also refresh their sharding metadata from the config replica set at startup, since their shardIdentity document points at it.
When the shards were started before the config servers, the start was observed to hang at:

about to fork child process, waiting until server is ready for connections

This is a startup dependency, not a bug.

Create accounts and authenticate

With the mongo client, log in to either mongos through localhost:

# mongo --port 27017

Note: this works because of the localhost exception. It applies only while the cluster has no users at all and only allows creating a user in admin; as soon as the first user exists, every connection, localhost included, must authenticate.

Create an administrator account:

mongos> use admin
switched to db admin

mongos> db.createUser({user:"myroot",pwd:"123456",roles:["root"]})
Successfully added user: { "user" : "myroot", "roles" : [ "root" ] }

Note: if an administrator account was created before authentication was enabled, skip this step. The password 123456 is a placeholder for the tutorial; use a real one, and keep root for emergencies rather than routine administration (userAdminAnyDatabase is enough to manage accounts).

Create an account with ordinary permissions:

mongos> use admin
switched to db admin

mongos> db.auth("myroot","123456")
1

mongos> use articledb
switched to db articledb

mongos> db.createUser({user: "bobo", pwd: "123456", roles: [{ role: "readWrite",db: "articledb" }]})

mongos> db.auth("bobo","123456")
1

Note: accounts added through a mongos are stored on the config servers, not on the shards, so there is no replication problem to worry about. The flip side is that these accounts cannot log in to a shard directly; a shard-local user for maintenance on one shard has to be created by connecting to that shard's primary.

Log in to the mongos with the administrator account to view the sharding status:

mongos> use admin
switched to db admin
mongos> db.auth("myroot","123456")
1
mongos> sh.status()

Disconnect, reconnect, and access the data with the ordinary account:

# mongo --host=192.168.0.253 --port=27017

mongos> use articledb
switched to db articledb
mongos> db.auth("bobo","123456")
1
mongos> show collections
comment
comment2
mongos> db.comment.count()
10001
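The account creation and the two login checks above, as one script that a practitioner can re-run. This is an added example and not code from the page: the JavaScript is fed to the mongo shell on stdin so that no password appears in argv (visible in ps) or in shell history, and it goes a step further than the page by splitting the page's single root account into least-privilege roles. The myroot, bobo and articledb names are the page's; the useradmin, opsmon and reporter accounts, the environment variables for the passwords, and all helper names are assumptions of this example, and the legacy mongo shell is assumed (its getUsers() returns an array).

```shell
#!/bin/sh
# Added example: provision accounts through one mongos, reading passwords from
# the environment and sending the JavaScript on stdin. Names other than myroot,
# bobo and articledb are this example's assumptions.
set -u
MONGO=${MONGO:-mongo}
MONGOS_PORT=${MONGOS_PORT:-27017}

# Escape a value for a double-quoted JS string literal, so a password containing
# a quote or a backslash cannot break out of the createUser() call.
js_str() { printf '%s' "$1" | sed 's/[\\"]/\\&/g'; }

# One {role: "...", db: "..."} element of a roles array.
role_doc() { printf '{role: "%s", db: "%s"}' "$1" "$2"; }

# createUser() statement for user $2 on database $1, password $3, roles array $4.
create_user_js() {
  printf 'db.getSiblingDB("%s").createUser({user: "%s", pwd: "%s", roles: [%s]});\n' \
    "$1" "$(js_str "$2")" "$(js_str "$3")" "$4"
}

# Run the JavaScript on stdin against the mongos. With $1=authdb $2=user $3=password
# it authenticates first; without arguments it relies on the localhost exception.
run_js() {
  if [ $# -eq 3 ]; then
    { printf 'if (!db.getSiblingDB("%s").auth("%s", "%s")) { print("auth failed"); quit(1); }\n' \
        "$1" "$(js_str "$2")" "$(js_str "$3")"; cat; } | "$MONGO" --quiet --port "$MONGOS_PORT"
  else
    "$MONGO" --quiet --port "$MONGOS_PORT"
  fi
}

# Expects ROOT_PW, ADMIN_PW, MON_PW, APP_PW and REPORT_PW in the environment
# (for example read with `read -rs`), never on the command line.
provision() {
  # 1. Localhost exception: only while admin has no users, and only for admin.
  #    Errors harmlessly if myroot already exists from an earlier run.
  create_user_js admin myroot "$ROOT_PW" '"root"' | run_js
  # 2. Everything else is created as myroot; routine work then needs no root:
  {
    create_user_js admin useradmin "$ADMIN_PW" "$(role_doc userAdminAnyDatabase admin)"  # manages accounts, cannot read data
    create_user_js admin opsmon "$MON_PW" "$(role_doc clusterMonitor admin)"              # sh.status(), rs.status(); read-only
    create_user_js articledb bobo "$APP_PW" "$(role_doc readWrite articledb)"             # the application account
    create_user_js articledb reporter "$REPORT_PW" "$(role_doc read articledb)"           # reporting, read-only
    echo 'db.getSiblingDB("admin").getUsers().forEach(function (u) { printjson([u.user, u.roles]); });'
    echo 'db.getSiblingDB("articledb").getUsers().forEach(function (u) { printjson([u.user, u.roles]); });'
  } | run_js admin myroot "$ROOT_PW"
  # 3. Check the boundary: bobo reads its own data but is refused cluster metadata.
  {
    echo 'print("comment count: " + db.getSiblingDB("articledb").comment.count());'
    echo 'try { sh.status(); print("sh.status() as bobo: allowed (unexpected)"); } catch (e) { print("sh.status() as bobo: " + e.codeName); }'
  } | run_js articledb bobo "$APP_PW"
}

if [ "${1:-}" = "--provision" ]; then provision; fi
```

Usage: export the five password variables (read -rs ROOT_PW; export ROOT_PW; and so on), then sh provision.sh --provision. The last step should print the comment count followed by "sh.status() as bobo: Unauthorized"; if it prints "allowed", the application account has more than readWrite on articledb and the roles need another look.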