
MongoDB parameter explained: enableLocalhostAuthBypass

Today, while setting up a MongoDB 3.4 replica set, I ran into a problem. After starting the three MongoDB instances (processes), the replica set has to be initialised so that the three independent instances are joined into one replica set.

Connecting to the mongo shell using the server's actual IP:port and running the initialisation produced an error:

"errmsg" : "not authorized on admin to execute command

mongo 10.238.162.33:27017
> cfg={_id:'rs01',version:1,members:[{_id:0,host:'10.238.162.33:27017'},{_id:1,host:'10.238.162.33:27018'},{_id:2,host:'10.238.162.33:27019',arbiterOnly:true}]};
{
	"_id" : "rs01",
	"version" : 1,
	"members" : [
		{
			"_id" : 0,
			"host" : "10.238.162.33:27017"
		},
		{
			"_id" : 1,
			"host" : "10.238.162.33:27018"
		},
		{
			"_id" : 2,
			"host" : "10.238.162.33:27019",
			"arbiterOnly" : true
		}
	]
}
> rs.initiate(cfg);
{
	"ok" : 0,
	"errmsg" : "not authorized on admin to execute command { replSetInitiate: { _id: \"rs01\", version: 1.0, members: [ { _id: 0.0, host: \"10.238.162.33:27017\" }, { _id: 1.0, host: \"10.238.162.33:27018\" }, { _id: 2.0, host: \"10.238.162.33:27019\", arbiterOnly: true } ] } }",
	"code" : 13,
	"codeName" : "Unauthorized"
}

No permission to run the command. I then tried to create a superuser account:

> use admin;
switched to db admin
> db.createUser(
...   {
...     user: "admin",
...     pwd: "admin",
...     roles: [ { role: "root", db: "admin" } ]
...   }
... );
2018-12-19T21:58:46.366+0800 E QUERY    [thread1] Error: couldn't add user: not authorized on admin to execute command { createUser: "admin", pwd: "xxx", roles: [ { role: "root", db: "admin" } ], digestPassword: false, writeConcern: { w: "majority", wtimeout: 600000.0 } } :
_getErrorWithCode@src/mongo/shell/utils.js:25:13
DB.prototype.createUser@src/mongo/shell/db.js:1292:15
@(shell):1:1

Because the MongoDB configuration file uses keyFile authentication, the replica set has access control enabled from the start. So how do I get around this? Do I really have to comment out the #keyFile= parameter, initialise the replica set, create the user, and then turn keyFile back on? That is far too much trouble.

No worries: enableLocalhostAuthBypass can solve this problem for you.


Looking at the MongoDB configuration file, there is the parameter

setParameter=enableLocalhostAuthBypass=1

What does this parameter mean? See the official documentation's explanation:

https://docs.mongodb.com/v3.4/core/security-users/#localhost-exception

Localhost Exception
The localhost exception allows you to enable access control and then create the first user in the system. With the localhost exception, after you enable access control, connect to the localhost interface and create the first user in the admin database. The first user must have privileges to create other users, such as a user with the userAdmin or userAdminAnyDatabase role.

Translation (the author's rendering of the passage above):

The localhost exception allows you to create the first user in the system while access control is enabled. After you enable access control, you can use the localhost exception to connect to the mongo shell and create the first account in the admin database. That account must have the privileges to create other accounts, for example an account with the userAdmin or userAdminAnyDatabase role.

My own understanding:

The localhost exception can be understood as follows: creating the first user over a local connection to MongoDB is not restricted by access control, where "local" means connecting to the shell with mongo 127.0.0.1:27017 or simply mongo.

How to use the parameter

enableLocalhostAuthBypass
Available for both mongod and mongos.

Specify 0 or false to disable localhost authentication bypass. Enabled by default.

enableLocalhostAuthBypass is not available using setParameter database command. Use the setParameter option in the configuration file or the --setParameter option on the command line.

Translation (the author's rendering of the passage above):

This parameter applies to both mongod and mongos.

Setting it to 0 or false disables the localhost exemption from authentication. It is enabled by default.

It can be set in the configuration file, in the format: setParameter=enableLocalhostAuthBypass=1
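As an added example (not from the original post, and not MongoDB's own tooling), the following Python script audits a legacy-format mongod.conf like the one the post uses: it parses the ini-style key=value lines and reports whether access control is on (auth=true or a keyFile) and whether the localhost bypass is still enabled. The sample configuration embedded in it is constructed, and the option names it checks (auth, keyFile, setParameter) are the legacy-format names.

```python
"""Audit a legacy-format (key=value) mongod.conf for the localhost auth bypass.

Added example, not part of the original post. Sample config is constructed.
"""
from __future__ import annotations

# Constructed sample, modelled on the post's legacy-format configuration file.
SAMPLE_CONF = """\
port=27017
replSet=rs01
keyFile=/etc/mongodb/keyfile        # keyFile implies auth on replica set members
setParameter=enableLocalhostAuthBypass=1
"""

FALSE_VALUES = {"0", "false"}


def parse_legacy_conf(text: str) -> dict[str, list[str]]:
    """Parse key=value lines; setParameter may repeat, so values are kept as lists."""
    conf: dict[str, list[str]] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and surrounding whitespace
        if not line or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        conf.setdefault(key, []).append(value)
    return conf


def localhost_bypass_enabled(conf: dict[str, list[str]]) -> bool:
    """The bypass is on by default; only an explicit 0/false turns it off."""
    for param in conf.get("setParameter", []):
        name, _, value = param.partition("=")
        if name.strip() == "enableLocalhostAuthBypass":
            return value.strip().lower() not in FALSE_VALUES
    return True


def access_control_enabled(conf: dict[str, list[str]]) -> bool:
    """auth=true, or a keyFile (which turns authentication on for cluster members)."""
    return conf.get("auth", [""])[-1].lower() == "true" or bool(conf.get("keyFile"))


def audit(text: str) -> list[str]:
    """Return a list of findings; an empty list means the file passes both checks."""
    conf = parse_legacy_conf(text)
    findings: list[str] = []
    if not access_control_enabled(conf):
        findings.append("access control is off: set auth=true or configure a keyFile")
    if localhost_bypass_enabled(conf):
        findings.append("enableLocalhostAuthBypass is on: set it to 0 once the first admin user exists")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONF) or ["no findings"]:
        print(finding)
```

The localhost exception only applies while no users exist on the instance, so the bypass closes itself after the first user is created; setting enableLocalhostAuthBypass=0 afterwards makes that state explicit and survives a later accidental user wipe.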


Now that the parameter is understood, this feature can be used to initialise the replica set. Connect to the database with mongo 127.0.0.1:27017,

# mongo 127.0.0.1:27017
MongoDB shell version v3.4.18
connecting to: mongodb://127.0.0.1:27017/test
MongoDB server version: 3.4.18

or

# mongo
MongoDB shell version v3.4.18
connecting to: mongodb://127.0.0.1:27017
MongoDB server version: 3.4.18

Initialise the replica set; once it succeeds, the prompt changes from rs01:SECONDARY> to rs01:PRIMARY>

# mongo
MongoDB shell version v3.4.18
connecting to: mongodb://127.0.0.1:27017
MongoDB server version: 3.4.18
> cfg={_id:'rs01',version:1,members:[{_id:0,host:'10.238.162.33:27017'},{_id:1,host:'10.238.162.33:27018'},{_id:2,host:'10.238.162.33:27019',arbiterOnly:true}]};
{
	"_id" : "rs01",
	"version" : 1,
	"members" : [
		{
			"_id" : 0,
			"host" : "10.238.162.33:27017"
		},
		{
			"_id" : 1,
			"host" : "10.238.162.33:27018"
		},
		{
			"_id" : 2,
			"host" : "10.238.162.33:27019",
			"arbiterOnly" : true
		}
	]
}
> rs.initiate(cfg);
{ "ok" : 1 }

Create the user

rs01:PRIMARY> use admin;
switched to db admin
rs01:PRIMARY> 
rs01:PRIMARY> db.createUser({user:"admin",pwd:"admin",roles: [{ role: "root", db: "admin" }]});
Successfully added user: {
	"user" : "admin",
	"roles" : [
		{
			"role" : "root",
			"db" : "admin"
		}
	]
}

This avoids the hassle, when building a MongoDB replica set with the keyFile parameter enabled, of having to edit the parameter file and restart the mongo instances after initialisation.