MongoDB cluster with keyFile authentication
Introduction
Ever since knots were tied on cords in antiquity, data storage has been headed for the status and variety it has today. NoSQL solved problems that relational databases could not: high performance, flexibility, scalability and very large data volumes. Alongside it came in-memory index stores, column stores, graph stores and so on. This article is about MongoDB, a document database that is popular with start-ups and companies of every size. It explains how to build a MongoDB cluster with authentication switched on (authentication matters: the early-2017 wave of open MongoDB instances that were wiped and held for Bitcoin ransom shows what happens without it).
MongoDB clusters come in three forms: master-slave, replica set and sharding. Master-slave is no longer recommended for production by the MongoDB documentation, mainly because it is too unsafe (it has no automatic failover). Replica sets and sharding are the most widely used, and the choice between them is usually a trade-off between data volume and concurrency: at GB scale a replica set is enough; at TB scale and above sharding is used to get past single-machine capacity and concurrency limits. Each has its own advantages and drawbacks; with sharding, for example, every extra shard adds routing and balancing overhead.
Now to the main topic: building a replica set and configuring authentication for it. A replica set can be deployed in two ways: with an arbiter node (Arbiter), as in Figure 1, or without one, as in Figure 2.

[Figure 1: one primary, one secondary, one arbiter]

[Figure 2: multi-node replica set]

When the number of data-bearing members is even, an arbiter is added so that an election can reach a majority when the primary fails; with an odd number of data-bearing members no arbiter is needed and the new primary is chosen by member priority. An arbiter stores no data, so a small virtual machine is enough for it. To save machines while still keeping the data redundant, this article uses the layout without an arbiter (three data-bearing members):
1. Environment:
OS: Ubuntu 16.04.02 LTS
MongoDB: https://www.mongodb.org/dr/fastdl.mongodb.org/linux/mongodb-linux-x86_64-3.4.2.tgz
Servers:
| MongoDB host | Server address:port | Initial role |
|---|---|---|
| MongoDB host 1 | 10.10.1.163:30010 | primary |
| MongoDB host 2 | 10.10.1.109:30010 | secondary |
| MongoDB host 3 | 10.10.1.110:30010 | secondary |
2. Install MongoDB
2.1 Create the mongo user
Omitted here. If you start mongod as root you can skip this step, although the startup log shown below warns against running as root; if mongod runs as the mongo user, the cluster directories (and later the keyFile) must be owned by that user.
2.2 Cluster directories
Create the cluster directories; ideally all three hosts are configured identically, which makes maintenance easier (the steps below are the same on all three servers).
Unpack the binary tarball and move it under /usr/local:

```
tar xzf mongodb-linux-x86_64-3.4.2.tgz
mv mongodb-linux-x86_64-3.4.2 /usr/local/mongodb-3.4.2
ln -s /usr/local/mongodb-3.4.2 /usr/local/mongodb
```

Create the cluster directory (one per replica set name and port):

```
mkdir -p /data/mongo_set/test_set/30010
```

Write the cluster configuration file (here /data/mongo_set/test_set/30010/mongodb_m30010.conf on the primary; the secondaries use mongodb_s30010.conf with their own bind_ip):

```
# test_set replica set member
# address to listen on: this host's own address (each member uses its own); unset means all interfaces in 3.4
bind_ip=10.10.1.163
# port to listen on, default 27017
port=30010

# replica set name
replSet=test_set
# run as a daemon
fork=true

# one directory per database
directoryperdb=true

# journaling: data operations are written to the files in the journal directory
journal=true

# validate client data on receipt
objcheck=true

# oplog size cap in MB (2 GB)
oplogSize=2000

# pid file
pidfilepath=/data/mongo_set/test_set/30010/mongo_m30010.pid

# data directory, default /data/db/. Every mongod process needs its own directory;
# on startup mongod creates mongod.lock there so that no other mongod can use the directory.
dbpath=/data/mongo_set/test_set/30010

# log file; without it the log goes to the terminal. Each start overwrites the log
# unless logappend (or --logappend) is set.
logpath=/data/mongo_set/test_set/30010/mongo30010.log
logappend=true

# authentication is enabled later through keyFile (section 4), which implies auth=true
#auth=true

# profiling: 0 off, 1 slow operations only (default threshold 100 ms), 2 all operations
# (2 records every operation, query values included, in system.profile; use 1 in production)
profile=2
slowms=100
# disable the HTTP status interface
nohttpinterface=true
# disable the REST interface; never enable it in production
rest=false
```
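As an added example that is not part of the original post, the shell functions below audit a mongod.conf in the key=value format shown above for the settings that decide who can reach and use the instance. Run against the configuration above as it stands (keyFile not yet added, profile=2) it reports findings; run against the same file after section 4 it reports none. The two sample files it writes are constructed for the demo; the rule that an unset bind_ip listens on every interface is the pre-3.6 default, and the file name and function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the original post: audit a legacy key=value mongod.conf
# (the format used on this page, MongoDB 3.4) for exposure-relevant settings.
# Assumptions: '#' starts a comment; an instance counts as authenticated only
# when auth=true or keyFile=... is set; an unset bind_ip means all interfaces
# (the pre-3.6 default).

# get_setting FILE KEY: value of the last uncommented "KEY = VALUE" line, or nothing.
get_setting() {
    sed -e 's/#.*$//' "$1" \
      | sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\(.*[^[:space:]]\)[[:space:]]*$/\1/p" \
      | tail -n 1
}

# audit_mongod_conf FILE: print one line per finding; return the number of findings.
audit_mongod_conf() {
    conf=$1
    n=0
    if [ "$(get_setting "$conf" auth)" != "true" ] && [ -z "$(get_setting "$conf" keyFile)" ]; then
        echo "FAIL $conf: neither auth=true nor keyFile is set; any client that reaches the port has full access"
        n=$((n + 1))
    fi
    case "$(get_setting "$conf" bind_ip)" in
        ""|*0.0.0.0*)
            echo "FAIL $conf: bind_ip unset or 0.0.0.0; bind only the address the other members use"
            n=$((n + 1)) ;;
    esac
    if [ "$(get_setting "$conf" rest)" = "true" ]; then
        echo "FAIL $conf: rest=true exposes the unauthenticated REST interface"
        n=$((n + 1))
    fi
    if [ "$(get_setting "$conf" httpinterface)" = "true" ]; then
        echo "FAIL $conf: httpinterface=true exposes the HTTP status page on port+1000"
        n=$((n + 1))
    fi
    if [ "$(get_setting "$conf" profile)" = "2" ]; then
        echo "WARN $conf: profile=2 stores every operation, query values included, in system.profile"
        n=$((n + 1))
    fi
    return "$n"
}

# write_sample_confs DIR: constructed samples. weak.conf mirrors the config above
# before section 4; hardened.conf is the same file after keyFile is added and
# profiling is limited to slow operations.
write_sample_confs() {
    cat > "$1/weak.conf" <<'EOF'
bind_ip=10.10.1.163
port=30010
replSet=test_set
#auth=true
profile=2
slowms=100
nohttpinterface=true
rest=false
EOF
    cat > "$1/hardened.conf" <<'EOF'
bind_ip=10.10.1.163
port=30010
replSet=test_set
keyFile=/data/mongo_set/test_set/30010/mon-keyfile
profile=1
slowms=100
nohttpinterface=true
rest=false
EOF
}

# Demo: audit both samples (weak.conf yields 2 findings, hardened.conf none).
demo_dir=$(mktemp -d)
write_sample_confs "$demo_dir"
audit_mongod_conf "$demo_dir/weak.conf" || echo "weak.conf: $? finding(s)"
audit_mongod_conf "$demo_dir/hardened.conf" && echo "hardened.conf: no findings"
rm -rf "$demo_dir"
```

On a real member, run audit_mongod_conf against each host's own configuration file after every change; the return value is the finding count, so it drops straight into a deployment check.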
2.3 Start mongod on each of the three hosts

```
# primary:
/usr/local/mongodb/bin/mongod -f /data/mongo_set/test_set/30010/mongodb_m30010.conf
# secondary 1:
/usr/local/mongodb/bin/mongod -f /data/mongo_set/test_set/30010/mongodb_s30010.conf
# secondary 2:
/usr/local/mongodb/bin/mongod -f /data/mongo_set/test_set/30010/mongodb_s30010.conf
```
3. Configure the replica set
3.1 Configure the primary
No authentication accounts exist yet, so we can connect to the primary directly:

```
root@xxxx:~# mongo 10.10.1.163:30010
MongoDB server version: 3.4.2
Server has startup warnings:
2017-03-10T20:08:31.847+0800 I STORAGE  [initandlisten]
2017-03-10T20:08:31.847+0800 I STORAGE  [initandlisten] ** WARNING: Using the XFS filesystem is strongly recommended with the WiredTiger storage engine
2017-03-10T20:08:31.847+0800 I STORAGE  [initandlisten] **          See http://dochub.mongodb.org/core/prodnotes-filesystem
2017-03-10T20:08:32.115+0800 I CONTROL  [initandlisten] ** WARNING: You are running this process as the root user, which is not recommended.
2017-03-10T20:08:32.115+0800 I CONTROL  [initandlisten]
2017-03-10T20:08:32.116+0800 I CONTROL  [initandlisten]
2017-03-10T20:08:32.116+0800 I CONTROL  [initandlisten] ** WARNING: You are running on a NUMA machine.
2017-03-10T20:08:32.116+0800 I CONTROL  [initandlisten] **          We suggest launching mongod like this to avoid performance problems:
2017-03-10T20:08:32.116+0800 I CONTROL  [initandlisten] **              numactl --interleave=all mongod [other options]
2017-03-10T20:08:32.116+0800 I CONTROL  [initandlisten]
2017-03-10T20:08:32.116+0800 I CONTROL  [initandlisten] ** WARNING: /sys/kernel/mm/transparent_hugepage/enabled is 'always'.
2017-03-10T20:08:32.116+0800 I CONTROL  [initandlisten] **        We suggest setting it to 'never'
2017-03-10T20:08:32.116+0800 I CONTROL  [initandlisten]
2017-03-10T20:08:32.116+0800 I CONTROL  [initandlisten] ** WARNING: /sys/kernel/mm/transparent_hugepage/defrag is 'always'.
2017-03-10T20:08:32.116+0800 I CONTROL  [initandlisten] **        We suggest setting it to 'never'
2017-03-10T20:08:32.116+0800 I CONTROL  [initandlisten]
2017-03-10T20:08:32.116+0800 I CONTROL  [initandlisten] ** WARNING: soft rlimits too low. rlimits set to 65535 processes, 655350 files. Number of processes should be at least 327675 : 0.5 times number of files.
2017-03-10T20:08:32.116+0800 I CONTROL  [initandlisten]
test_set:PRIMARY> use admin
switched to db admin
```

Note that at this point anyone who can reach 10.10.1.163:30010 can do exactly the same, which is why section 4 must be completed before any real data goes in.
3.2 Configure the replica set members

```
# the _id must equal the replSet name from the configuration file (test_set), otherwise rs.initiate() is rejected
test_set:PRIMARY> config_test = {_id : 'test_set', members : [{_id : 0, host : '10.10.1.163:30010'}, {_id : 1, host : '10.10.1.109:30010'}, {_id : 2, host : '10.10.1.110:30010'}]}
# initialise the replica set
test_set:PRIMARY> rs.initiate(config_test);
{ "ok" : 1 }
```
3.3 Check the replica set status

```
test_set:PRIMARY> rs.status()
{
    "set" : "test_set",
    "date" : ISODate("2017-03-11T08:25:02.832Z"),
    "myState" : 1,
    "term" : NumberLong(5),
    "heartbeatIntervalMillis" : NumberLong(2000),
    "optimes" : {
        "lastCommittedOpTime" : {
            "ts" : Timestamp(1489220694, 1),
            "t" : NumberLong(5)
        },
        "appliedOpTime" : {
            "ts" : Timestamp(1489220694, 1),
            "t" : NumberLong(5)
        },
        "durableOpTime" : {
            "ts" : Timestamp(1489220694, 1),
            "t" : NumberLong(5)
        }
    },
    "members" : [
        {
            "_id" : 0,
            "name" : "10.10.1.163:30010",
            "health" : 1,
            "state" : 1,
            "stateStr" : "PRIMARY",
            "uptime" : 72991,
            "optime" : {
                "ts" : Timestamp(1489220694, 1),
                "t" : NumberLong(5)
            },
            "optimeDate" : ISODate("2017-03-11T08:24:54Z"),
            "electionTime" : Timestamp(1489147722, 1),
            "electionDate" : ISODate("2017-03-10T12:08:42Z"),
            "configVersion" : 1,
            "self" : true
        },
        {
            "_id" : 1,
            "name" : "10.10.1.109:30010",
            "health" : 1,
            "state" : 2,
            "stateStr" : "SECONDARY",
            "uptime" : 72980,
            "optime" : {
                "ts" : Timestamp(1489220694, 1),
                "t" : NumberLong(5)
            },
            "optimeDurable" : {
                "ts" : Timestamp(1489220694, 1),
                "t" : NumberLong(5)
            },
            "optimeDate" : ISODate("2017-03-11T08:24:54Z"),
            "optimeDurableDate" : ISODate("2017-03-11T08:24:54Z"),
            "lastHeartbeat" : ISODate("2017-03-11T08:25:02.583Z"),
            "lastHeartbeatRecv" : ISODate("2017-03-11T08:25:01.359Z"),
            "pingMs" : NumberLong(0),
            "syncingTo" : "10.10.1.163:30010",
            "configVersion" : 1
        },
        {
            "_id" : 2,
            "name" : "10.10.1.110:30010",
            "health" : 1,
            "state" : 2,
            "stateStr" : "SECONDARY",
            "uptime" : 72971,
            "optime" : {
                "ts" : Timestamp(1489220694, 1),
                "t" : NumberLong(5)
            },
            "optimeDurable" : {
                "ts" : Timestamp(1489220694, 1),
                "t" : NumberLong(5)
            },
            "optimeDate" : ISODate("2017-03-11T08:24:54Z"),
            "optimeDurableDate" : ISODate("2017-03-11T08:24:54Z"),
            "lastHeartbeat" : ISODate("2017-03-11T08:25:02.442Z"),
            "lastHeartbeatRecv" : ISODate("2017-03-11T08:25:01.007Z"),
            "pingMs" : NumberLong(0),
            "syncingTo" : "10.10.1.163:30010",
            "configVersion" : 1
        }
    ],
    "ok" : 1
}
test_set:PRIMARY>
```
3.4 Check replication lag

```
test_set:PRIMARY> db.printSlaveReplicationInfo();
source: 10.10.1.109:30010
    syncedTo: Sat Mar 11 2017 16:25:24 GMT+0800 (CST)
    0 secs (0 hrs) behind the primary
source: 10.10.1.110:30010
    syncedTo: Sat Mar 11 2017 16:25:24 GMT+0800 (CST)
    0 secs (0 hrs) behind the primary
```

Everything is OK and the replica set is built. The resulting architecture is as follows:

[Figure: the resulting three-member replica set]
4. Add the keyFile authentication mechanism
4.1 Authentication between cluster members
Add keyFile authentication to the replication traffic between members:

```
# generate the key (the same file must be present on every member)
openssl rand -base64 745 > /data/mongo_set/test_set/30010/mon-keyfile
# the permissions must be 600: mongod refuses a keyFile that group or others can read
chmod 600 /data/mongo_set/test_set/30010/mon-keyfile
```

Copy this key to every machine in the cluster, over scp or another private channel rather than a shared or world-readable location; the contents must be identical on all members, the file must be owned by the user that runs mongod, and its permissions must be set to 600.
4.2 Modify the configuration
Add the following option to the mongodb.conf startup configuration on every member:

```
# internal authentication between members; this also turns on client authentication (auth=true)
keyFile=/data/mongo_set/test_set/30010/mon-keyfile
```
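As an added example that is not the post's own set of commands, the shell functions below cover sections 4.1 and 4.2 end to end: they generate the key, verify on a host that the file is one mongod will accept (owner, mode, length, alphabet) and print a fingerprint that can be compared across the three members after the copy. Paths are arguments rather than the fixed /data/mongo_set/... path; the key is built from /dev/urandom and base64, which produces the same format as the openssl rand -base64 command above; the 6 to 1024 character limit and the refusal of group/other permissions are mongod's own rules, while the function names and the demo file are this example's.

```shell
#!/bin/sh
# Added example, not from the original post: generate and validate a MongoDB
# replica-set keyFile. Assumptions: mongod accepts 6..1024 characters from the
# base64 alphabet (whitespace ignored) and refuses a key that group or others
# can read; the owner passed to check_keyfile should be the user running mongod.

# gen_keyfile PATH: write a fresh 988-character random key, created with mode 600.
gen_keyfile() {
    ( umask 077; head -c 741 /dev/urandom | base64 | tr -d '\n' > "$1" ) && chmod 600 "$1"
}

# file_mode PATH / file_owner PATH: octal mode and owner, GNU stat first, BSD stat as fallback.
file_mode()  { stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1"; }
file_owner() { stat -c %U "$1" 2>/dev/null || stat -f %Su "$1"; }

# keyfile_fingerprint PATH: SHA-256 of the key with whitespace stripped, for comparing members.
keyfile_fingerprint() {
    tr -d '[:space:]' < "$1" | ( sha256sum 2>/dev/null || shasum -a 256 ) | cut -d' ' -f1
}

# check_keyfile PATH [OWNER]: return 0 if mongod will accept the file, 1 with a reason otherwise.
check_keyfile() {
    f=$1
    want_owner=$2
    [ -f "$f" ] || { echo "FAIL $f: missing"; return 1; }
    mode=$(file_mode "$f")
    case "$mode" in
        [0-7]00) ;;   # no group/other bits: 600, 400 and 700 are all accepted
        *) echo "FAIL $f: mode $mode; mongod refuses a keyFile with group/other permissions"; return 1 ;;
    esac
    if [ -n "$want_owner" ] && [ "$(file_owner "$f")" != "$want_owner" ]; then
        echo "FAIL $f: owned by $(file_owner "$f"), expected $want_owner"; return 1
    fi
    key=$(tr -d '[:space:]' < "$f")
    len=${#key}
    if [ "$len" -lt 6 ] || [ "$len" -gt 1024 ]; then
        echo "FAIL $f: $len characters; mongod requires 6 to 1024"; return 1
    fi
    case "$key" in
        *[!A-Za-z0-9+/=]*) echo "FAIL $f: contains characters outside the base64 alphabet"; return 1 ;;
    esac
    echo "OK $f: $len chars, mode $mode, sha256 $(keyfile_fingerprint "$f")"
    return 0
}

# Demo on a constructed temporary key. On the real members run
#   check_keyfile /data/mongo_set/test_set/30010/mon-keyfile mongo
# on every host and compare the printed sha256 values.
demo_dir=$(mktemp -d)
gen_keyfile "$demo_dir/mon-keyfile"
check_keyfile "$demo_dir/mon-keyfile" "$(id -un)"
chmod 644 "$demo_dir/mon-keyfile"
check_keyfile "$demo_dir/mon-keyfile" || true   # reports the permission problem
rm -rf "$demo_dir"
```

The fingerprint is computed on the whitespace-stripped content because mongod ignores whitespace when reading the key, so two files that differ only in a trailing newline are the same key; a differing fingerprint on one member is the usual reason that member logs authentication failures after the restart in section 4.4.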
4.3 Create users on the primary
This can also be done afterwards: enabling keyFile implicitly enables auth, and the localhost exception still lets the first user be created from a connection opened on the server itself. To be sure I can log in later, I create the users in advance (in the admin database):

```
use admin
// first the user administrator
db.createUser(
  {
    user: "admin",
    pwd: "xxxxxx",
    roles: [ { role: "userAdminAnyDatabase", db: "admin" } ]
  }
);
// then a superuser
db.createUser(
  {
    user: "root",
    pwd: "xxxxxxx",
    roles: [ { role: "root", db: "admin" } ]
  }
);
// authenticate as the new users
db.auth("admin", "xxxxxx")
db.auth("root", "xxxxxxx")
```
4.4 Restart and log in
Restart the mongod processes. If the keyFile is not set in the configuration file, it must be passed at startup with the --keyFile parameter. Mind the shutdown order: the replica set fails over automatically, so if the primary is stopped first the primary role moves to another member; stop the secondaries first and the primary last. All members must be down before the first one comes back with the keyFile, because a member that requires the key cannot replicate with one that does not.

```
mongo 10.10.1.163:30010/admin -u root -p
test_set:PRIMARY> use admin
switched to db admin
```

Checking the secondaries and the replica set status again shows everything normal.
5. Create users and user databases
5.1 Per-database authentication
With authentication switched on, each database can now get its own users. First create a database for the user:

```
test_set:PRIMARY> use user_test
switched to db user_test
```

In MongoDB a database is created simply by switching to it with use; it does not appear in show dbs until a document has been inserted, which is not demonstrated here.

Create the user for that database (read/write on user_test only, no administrative roles):

```
db.createUser(
  {
    user: "test_user",
    pwd: "xxxxxx",
    roles: [ { role: "readWrite", db: "user_test" } ]
  }
);
```

On success the shell prints the new user. To verify that it exists, run db.getUsers() in user_test, or db.system.users.find() in the admin database, which is where user documents are stored.
5.2 Verify user login

```
# client side
mongo 10.10.1.163:30010/user_test -u test_user -p
MongoDB shell version v3.4.2
Enter password:
connecting to: mongodb://10.10.1.163:30010/user_test
MongoDB server version: 3.4.2
test_set:PRIMARY>
```

Check the negative case as well: a connection without -u/-p still opens, but every command is refused with "not authorized", and test_user cannot read or write any database other than user_test.
轉(zhuǎn)載于:https://www.cnblogs.com/pejsidney/p/9109963.html