Deploy Sharded Cluster with Keyfile Access Control
This outline is based on the MongoDB documentation.
Create the Keyfile
- With keyfile authentication, each mongod or mongos instance in the sharded cluster uses the contents of the keyfile as the shared password for authenticating the other members of the deployment.
- Only mongod or mongos instances with the correct keyfile can join the sharded cluster. Enabling internal authentication with a keyfile also enables client access control, so clients must authenticate too.
- The keyfile is a single shared secret: anyone who obtains it can start a process that joins the cluster as a full member, so protect it like a root password. Keyfiles are best suited to test and development deployments; MongoDB recommends x.509 certificates for member authentication in production.
The keyfile content must be between 6 and 1024 characters from the base64 character set; 756 random bytes give 1008 base64 characters.
# openssl rand -base64 756 > <path-to-keyfile>
# chmod 400 <path-to-keyfile>
Distribute the Keyfile
- Copy the keyfile to each server hosting a sharded cluster member (config servers, shard members and mongos routers), using a channel that protects it in transit, such as scp.
- Ensure that the user running the mongod or mongos instance owns the keyfile and can read it, and that the file has no group or world permissions; mongod refuses to start with a keyfile that other users can read.
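The keyfile is the cluster's one shared secret, so it is worth checking it before it is copied anywhere. The script below is an added example, not part of the MongoDB documentation or the original post: it generates the keyfile the way the page does and then verifies what mongod will enforce at start-up (owner, permission bits, length and character set). The path and the expected owner are arguments supplied by the caller; the file name in the usage line is an assumption.

```shell
#!/bin/sh
# Added example, not part of the MongoDB documentation or the original post.
# Generates a keyfile the way the page does and checks, before it is copied
# to any other server, that mongod will accept it: owner, permissions,
# length and character set. Paths and the owner name are arguments.

# Generate the keyfile. A umask of 077 in a subshell makes the file private
# from the moment it is created, so there is no window in which other users
# can read it before the chmod.
make_keyfile() {
  ( umask 077 && openssl rand -base64 756 > "$1" ) && chmod 400 "$1"
}

# Permission bits and owner of a file (GNU stat first, then BSD stat).
file_mode()  { stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"; }
file_owner() { stat -c '%U' "$1" 2>/dev/null || stat -f '%Su' "$1"; }

# check_keyfile <path> [expected-owner]
# Returns 0 if the keyfile meets mongod's requirements, 1 with a reason on stderr.
check_keyfile() {
  path="$1"; owner="$2"
  [ -f "$path" ] || { echo "keyfile missing: $path" >&2; return 1; }

  # mongod refuses a keyfile with any group or world permission bits set.
  mode=$(file_mode "$path")
  case "$mode" in
    400|600) ;;
    *) echo "mode $mode too open (want 400 or 600): $path" >&2; return 1 ;;
  esac

  # The user that runs mongod must own the file.
  if [ -n "$owner" ] && [ "$(file_owner "$path")" != "$owner" ]; then
    echo "owner is $(file_owner "$path"), expected $owner: $path" >&2; return 1
  fi

  # Content: 6 to 1024 characters from the base64 alphabet; mongod ignores whitespace.
  key=$(tr -d ' \t\r\n' < "$path")
  len=${#key}
  if [ "$len" -lt 6 ] || [ "$len" -gt 1024 ]; then
    echo "key length $len outside 6..1024: $path" >&2; return 1
  fi
  case "$key" in
    *[!A-Za-z0-9+/=]*) echo "non-base64 characters in keyfile: $path" >&2; return 1 ;;
  esac
  return 0
}

# Usage (assumed file name): sh keyfile-check.sh <path-to-keyfile> [mongod-user]
if [ -n "$1" ]; then
  make_keyfile "$1" && check_keyfile "$1" "$2" && echo "keyfile OK: $1"
fi
```

Run check_keyfile again on every server after the copy, passing the account that runs mongod there (for example mongodb), since ownership and mode are what most often break during distribution.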
1. Create the Config Server Replica Set
Start each member of the config server replica set with the keyfile setting included in its configuration.
Configuration File
security:
  keyFile: <path-to-keyfile>
sharding:
  clusterRole: configsvr
replication:
  replSetName: <setname>
# mongod -f <path-to-config-file>
Connect to one of the config servers
# mongo --host <hostname> --port <port>
Initiate and add members to the replica set
rs.initiate(
  {
    _id: "<replSetName>",
    configsvr: true,
    members: [
      { _id : 0, host : "cfg1.example.net:27017" },
      { _id : 1, host : "cfg2.example.net:27017" },
      { _id : 2, host : "cfg3.example.net:27017" }
    ]
  }
)
Once the config server replica set (CSRS) is initiated and up, proceed to creating the shard replica sets.
2. Create the Shard Replica Sets
Start each member of the shard replica set.
Configuration File
security:
  keyFile: <path-to-keyfile>
sharding:
  clusterRole: shardsvr
replication:
  replSetName: <replSetName>
storage:
  dbPath: <path>
# mongod -f <path-to-config-file>
Connect to a member of the shard replica set.
# mongo --host <hostname> --port <port>
Initiate and add members to the replica set
rs.initiate(
  {
    _id : "<replSetName>",
    members: [
      { _id : 0, host : "s1-mongo1.example.net:27017" },
      { _id : 1, host : "s1-mongo2.example.net:27017" },
      { _id : 2, host : "s1-mongo3.example.net:27017" }
    ]
  }
)
3. Create the shard-local user administrator (optional)
- Add a user using the db.createUser() method.
- The user should have at minimum the userAdminAnyDatabase role on the admin database.
- You must be connected to the primary to create users.
admin = db.getSiblingDB("admin")
admin.createUser(
  {
    user: "fred",
    pwd: "changeme1",
    roles: [ { role: "userAdminAnyDatabase", db: "admin" } ]
  }
)
4. Authenticate as the shard-local user administrator (optional).
Authenticate to the admin database, either from an already open mongo shell:
db.getSiblingDB("admin").auth("fred", "changeme1")
or when starting the shell:
# mongo -u "fred" -p "changeme1" --authenticationDatabase "admin"
Once the first user exists, the localhost exception no longer applies and every further operation on that shard requires authentication. Leaving the password value out (-p with no argument) makes the shell prompt for it instead of recording it in shell history and process listings.
5. Create the shard-local cluster administrator (optional).
- The shard-local cluster administrator user has the clusterAdmin role, which provides privileges that allow access to replication operations.
- Create a cluster administrator user and assign the clusterAdmin role in the admin database:
db.getSiblingDB("admin").createUser(
  {
    "user" : "ravi",
    "pwd" : "changeme2",
    roles: [ { "role" : "clusterAdmin", "db" : "admin" } ]
  }
)
6. Connect a mongos to the Sharded Cluster
Connect a mongos to the cluster.
Configuration File
security:
  keyFile: <path-to-keyfile>
sharding:
  configDB: <configReplSetName>/cfg1.example.net:27017,cfg2.example.net:27017,...
# mongos -f <path-to-config>
Connect to the mongos.
# mongo --host <hostname> --port <port>
Create the user administrator.
- Add a user using the db.createUser() method.
- The user should have at minimum the userAdminAnyDatabase role on the admin database.
- Users created through a mongos are stored on the config servers and apply to the whole sharded cluster; the shard-local users from steps 3 to 5 exist only on their own shard and do not grant access through the mongos.
admin = db.getSiblingDB("admin")
admin.createUser(
  {
    user: "fred",
    pwd: "changeme1",
    roles: [ { role: "userAdminAnyDatabase", db: "admin" } ]
  }
)
Create Administrative User for Cluster Management
- The cluster administrator user has the clusterAdmin role, which grants access to replication and sharding operations.
- Create a clusterAdmin user in the admin database.
db.getSiblingDB("admin").createUser(
  {
    "user" : "ravi",
    "pwd" : "changeme2",
    roles: [ { "role" : "clusterAdmin", "db" : "admin" } ]
  }
)
Create additional users (optional).
Create users to allow clients to connect to and access the sharded cluster, if required. Give application users only the database-level roles they need (for example read or readWrite on their own database) rather than administrative roles.
7. Add Shards to the Cluster
- Use the sh.addShard() method to add each shard to the cluster. Run it from a mongo shell connected to the mongos and authenticated as the cluster administrator.
- If the shard is a replica set, specify the name of the replica set and a member of the set.
sh.addShard( "<replSetName>/s1-mongo1.example.net:27017" )
To check the status:
sh.status()
Done.