MongoDB from Beginner to Practice: Security Authentication (Sharded Cluster)

Posted by adige72 on Fri, 04 Mar 2022 09:24:10 +0100

Security authentication in a sharded cluster environment is basically the same as in a replica set environment. However, the server environment and architecture of a sharded cluster are more complex, so it is recommended to add security authentication and inter-server authentication directly while building the sharded cluster. If data already exists, back it up first and restore it afterwards.

1: Shut down the cluster servers

2.1 Quick shutdown method (fast and simple, but data may be corrupted)

Kill the mongos routers, the config server replica set services and the shard replica set services in turn, starting from the secondary nodes, until all members are offline. Within a replica set, it is recommended to kill the arbiter first, then the secondary nodes, and finally the primary node to avoid potential rollbacks. Check after each kill so that no process is left running.

ps -ef | grep mongod

#Close node by process number 
kill -2 54410

If the data is damaged, the following operations are required:

rm -f ./data/db/*.lock

./bin/mongod --repair --dbpath=./data/db

2.2 Standard shutdown method (data is not error prone, but more troublesome)

Shut down the services in the shard server replica sets. It is recommended to shut down the arbiter node, the secondary nodes and the primary node in turn. The main steps are as follows:

// Log in with the client. Note that you can log in via localhost; if you log in remotely, you must log in and authenticate first.
mongo --port 27018
// Tell the replica set that this member is going offline
rs.stepDown()
// Switch to the admin database
use admin
// Shut down the service
db.shutdownServer()

Shut down the services of the config server replica set. It is recommended to shut down the secondary nodes and then the primary node in turn. The main steps are as follows:

// Log in with the client. Note that you can log in via localhost; if you log in remotely, you must log in and authenticate first.
mongo --port 27019
// Tell the replica set that this member is going offline
rs.stepDown()
// Switch to the admin database
use admin
// Shut down the service
db.shutdownServer()

Shut down the services of the routing servers. It is recommended to shut down the two mongos nodes in turn. The main steps are as follows:

// Log in with the client. Note that you can log in via localhost; if you log in remotely, you must log in and authenticate first.
mongo --port 27017
// mongos is not a replica set member, so there is no rs.stepDown() to run here
// Switch to the admin database
use admin
// Shut down the service
db.shutdownServer()

2: Create a key file for replica set authentication

Step 1: generate a key file in the current folder. Any method can be used to generate it. For example, the following commands use openssl to generate a base64 key file and then use chmod to change the file permissions so that only the file owner can read it. All replica set nodes must use the same keyfile; it is generally generated on one machine and then copied to the others, and the owner must have read permission, otherwise the following error will be reported later: permissions on Mongo keyfile are too open.

Make sure the key file is identical on every machine. Its location is arbitrary, but to make it easy to find it is recommended to place it in a fixed location on each machine, in the directory that holds the configuration file.

> openssl rand -base64 90 -out ./mongo.keyfile

> chmod 400 ./mongo.keyfile
> ll mongo.keyfile 
-r--------. 1 root root 122 8 June 14:23 mongo.keyfile

Copy mongo.keyfile to each MongoDB server; here it is copied into the config directory.

// In this demo all nodes run on one machine; on a real deployment copy the file to each server once
cp mongo.keyfile ./config/
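The key file rules above (same file on every node, owner-only permissions, base64 content) as a small checker script. This is an added example, not part of the original post; it assumes a Linux box with openssl or coreutils base64, and the paths are placeholders.

```shell
# Added example: generate a MongoDB keyfile and verify it before copying it to each node.
# Assumes GNU coreutils (ls, cut, tr, wc, cmp) and openssl (falls back to /dev/urandom + base64).

gen_keyfile() {
    # $1 = output path. 90 random bytes encode to 120 base64 characters.
    openssl rand -base64 90 -out "$1" 2>/dev/null || head -c 90 /dev/urandom | base64 > "$1"
    chmod 400 "$1"
}

check_keyfile() {
    # Returns 0 when the file is usable as a MongoDB keyfile, 1 otherwise.
    f=$1
    [ -f "$f" ] || { echo "missing: $f"; return 1; }
    # Permission string from ls, e.g. "-r--------"; group and other must have no bits set,
    # otherwise mongod refuses to start with "permissions on ... are too open".
    perm=$(ls -ld "$f" | cut -c1-10)
    case "$perm" in
        -r??------) ;;
        *) echo "permissions on $f are too open ($perm)"; return 1 ;;
    esac
    # Content: 6..1024 base64 characters; whitespace is ignored by mongod.
    n=$(tr -d ' \n\r\t' < "$f" | wc -c)
    [ "$n" -ge 6 ] && [ "$n" -le 1024 ] || { echo "bad key length $n"; return 1; }
    tr -d ' \n\r\t' < "$f" | grep -Eq '^[A-Za-z0-9+/=]+$' || { echo "not base64"; return 1; }
    return 0
}

# Every node must hold exactly the same key: compare a copy against the original.
same_key() {
    cmp -s "$1" "$2"
}
```

Run check_keyfile on each server after copying; a non-zero exit explains which rule the file breaks.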

Modify the mongod.conf file of each mongod node and add security authentication.

security:
  # keyFile authentication file
  keyFile: xxx/mongo.keyfile
  # Enable authorization
  authorization: enabled

Modify the mongos.conf file of each mongos router and add the authentication key file (here the mongodb-mongos-27017 and mongodb-mongos-27117 servers). Note that authorization does not need to be enabled on mongos.

security:
  # keyFile authentication file
  keyFile: xxx/mongo.keyfile

mongos has one setting fewer than mongod: authorization: enabled. The reason is that security in a sharded cluster of replica sets must be configured in two places. Internal authentication between the members of a replica set secures communication between the mongo instances: only instances holding the same keyfile can talk to each other, so keyFile: xxx/mongo.keyfile must be set everywhere. The mongod processes are the shards that actually store data, whereas mongos only routes requests and stores none, so authorization: enabled is set on all mongod instances. This way users can access data only with the correct account name and password.

3: Restart node

The config server nodes, the shard nodes and the mongos routing nodes must be started in that order.

4: Create account and authentication

Use the mongo client to log in to any mongos router via localhost:

./bin/mongo --port 27017
mongos> use admin

mongos> db.createUser({user:"myroot",pwd:"123456",roles:["root"]})
mongos> db.auth("myroot","123456")

// Create a normal account
mongos> use test
mongos> db.createUser({user: "test", pwd: "123456", roles: [{ role: "readWrite", db: "test" }]})
mongos> db.auth("test","123456")

mongos> sh.status()

Account information added through mongos is saved only on the config server replica set. The shard data nodes do not save it, because in this setup the account information on the shards is not synchronized.

Log out and log in again with the ordinary account, then use it to access data. If the data can be read, the setup is successful.

./bin/mongo --port 27017
mongos> use test
mongos> db.auth("test","123456")
mongos> show collections

5: SpringDataMongoDB connection authentication

spring:
  # Data source configuration
  data:
    mongodb:
      # For a sharded cluster with authentication, use a connection string
      uri: mongodb://test:123456@127.0.0.1:27017,127.0.0.1:27117/test
