MongoDB tip: Applying the authentication option to a replica set — an issue encountered and its fix
Assume we have a replica set started as shown below. If you have not configured a replica set yet, or still have issues doing so, please refer to article 1 or article 2.
Output of ps -ef | grep mongod
root 20706 1 0 15:09 ? 00:00:01 mongod --port 31111 --replSet biDemo --dbpath /data/mongodb/demo1 --logpath /data/mongodb/demolog/1.log --fork
root 20943 1 0 15:10 ? 00:00:01 mongod --port 31112 --replSet biDemo --dbpath /data/mongodb/demo2 --logpath /data/mongodb/demolog/2.log --fork
root 21101 1 0 15:11 ? 00:00:01 mongod --port 31113 --replSet biDemo --dbpath /data/mongodb/demo3 --logpath /data/mongodb/demolog/3.log --fork
Log into the primary and add a user; you will need at least one admin user to start and administer mongod with authentication enabled.
MongoDB Enterprise biDemo:PRIMARY> db.createUser({user:"admin", pwd:"gasdhahfhagrsdfasdfaf", roles:[{role:"root", db:"admin"}]})
Successfully added user: {
"user" : "admin",
"roles" : [
{
"role" : "root",
"db" : "admin"
}
]
}
The user information should propagate to the secondaries within milliseconds. To quickly check that all nodes are synced up, note that the optimeDate values of all members are identical.
MongoDB Enterprise biDemo:PRIMARY> rs.status()
{
"set" : "biDemo",
"date" : ISODate("2017-08-21T19:41:00.359Z"),
"myState" : 1,
"term" : NumberLong(5),
"heartbeatIntervalMillis" : NumberLong(2000),
"optimes" : {
"lastCommittedOpTime" : {
"ts" : Timestamp(1503344455, 1),
"t" : NumberLong(5)
},
"appliedOpTime" : {
"ts" : Timestamp(1503344455, 1),
"t" : NumberLong(5)
},
"durableOpTime" : {
"ts" : Timestamp(1503344455, 1),
"t" : NumberLong(5)
}
},
"members" : [
{
"_id" : 0,
"name" : "10.155.228.75:31111",
"health" : 1,
"state" : 2,
"stateStr" : "SECONDARY",
"uptime" : 826,
"optime" : {
"ts" : Timestamp(1503344455, 1),
"t" : NumberLong(5)
},
"optimeDurable" : {
"ts" : Timestamp(1503344455, 1),
"t" : NumberLong(5)
},
"optimeDate" : ISODate("2017-08-21T19:40:55Z"),
"optimeDurableDate" : ISODate("2017-08-21T19:40:55Z"),
"lastHeartbeat" : ISODate("2017-08-21T19:40:58.487Z"),
"lastHeartbeatRecv" : ISODate("2017-08-21T19:40:59.723Z"),
"pingMs" : NumberLong(0),
"syncingTo" : "10.155.228.75:31113",
"configVersion" : 6
},
{
"_id" : 1,
"name" : "10.155.228.75:31112",
"health" : 1,
"state" : 1,
"stateStr" : "PRIMARY",
"uptime" : 827,
"optime" : {
"ts" : Timestamp(1503344455, 1),
"t" : NumberLong(5)
},
"optimeDate" : ISODate("2017-08-21T19:40:55Z"),
"electionTime" : Timestamp(1503343644, 1),
"electionDate" : ISODate("2017-08-21T19:27:24Z"),
"configVersion" : 6,
"self" : true
},
{
"_id" : 2,
"name" : "10.155.228.75:31113",
"health" : 1,
"state" : 2,
"stateStr" : "SECONDARY",
"uptime" : 816,
"optime" : {
"ts" : Timestamp(1503344455, 1),
"t" : NumberLong(5)
},
"optimeDurable" : {
"ts" : Timestamp(1503344455, 1),
"t" : NumberLong(5)
},
"optimeDate" : ISODate("2017-08-21T19:40:55Z"),
"optimeDurableDate" : ISODate("2017-08-21T19:40:55Z"),
"lastHeartbeat" : ISODate("2017-08-21T19:40:58.487Z"),
"lastHeartbeatRecv" : ISODate("2017-08-21T19:40:59.839Z"),
"pingMs" : NumberLong(0),
"syncingTo" : "10.155.228.75:31112",
"configVersion" : 6
}
],
"ok" : 1
}
Now let's create the key file using openssl:
[root@msdlva-dsnopm02 apps]# openssl rand -base64 258 > demoKey
Then kill and restart each mongod process with the --keyFile option. Every member must use an identical copy of this key; the restart commands below point at a copy placed under each node's dbpath (/data/mongodb/demoN/demoKey).
First verify the PIDs of the mongod processes, then simply run pkill -f mongod.
[root@msdlvd-dsnavl02 ~]# pgrep -lfa mongod
22948 mongod --port 31111 --replSet biDemo --dbpath /data/mongodb/demo1 --logpath /data/mongodb/demolog/1.log --fork --keyFile /data/mongodb/demo1/demoKey
23582 mongod --port 31112 --replSet biDemo --dbpath /data/mongodb/demo2 --logpath /data/mongodb/demolog/2.log --fork --keyFile /data/mongodb/demo2/demoKey
23660 mongod --port 31113 --replSet biDemo --dbpath /data/mongodb/demo3 --logpath /data/mongodb/demolog/3.log --fork --keyFile /data/mongodb/demo3/demoKey
[root@msdlvd-dsnavl02 ~]# pkill -f mongod
Let's start the mongod processes.
[root@msdlvd-dsnavl02 ~]# mongod --port 31111 --replSet biDemo --dbpath /data/mongodb/demo1 --logpath /data/mongodb/demolog/1.log --fork --keyFile /data/mongodb/demo1/demoKey
about to fork child process, waiting until server is ready for connections.
forked process: 22720
ERROR: child process failed, exited with error number 1
[root@msdlvd-dsnavl02 ~]# tail -f /data/mongodb/demolog/1.log
2017-08-21T15:21:50.752-0400 I ACCESS [main] permissions on /data/mongodb/demo1/demoKey are too open
We have to restrict the access rights on the key file and retry. Note that the recursive chown/chmod below covers the whole data tree; what mongod actually requires is that the key file itself is not group- or world-readable (for example mode 600, owned by the user that runs mongod).
[root@msdlvd-dsnavl02 ~]# chown -R mongod.mongod /data/mongodb/
[root@msdlvd-dsnavl02 ~]# chmod -R 700 /data/mongodb/
[root@msdlvd-dsnavl02 ~]# mongod --port 31111 --replSet biDemo --dbpath /data/mongodb/demo1 --logpath /data/mongodb/demolog/1.log --fork --keyFile /data/mongodb/demo1/demoKey
about to fork child process, waiting until server is ready for connections.
forked process: 22948
child process started successfully, parent exiting
We start the other two nodes the same way.
[root@msdlvd-dsnavl02 ~]# mongod --port 31112 --replSet biDemo --dbpath /data/mongodb/demo2 --logpath /data/mongodb/demolog/2.log --fork --keyFile /data/mongodb/demo2/demoKey
about to fork child process, waiting until server is ready for connections.
forked process: 23582
child process started successfully, parent exiting
[root@msdlvd-dsnavl02 ~]# mongod --port 31113 --replSet biDemo --dbpath /data/mongodb/demo3 --logpath /data/mongodb/demolog/3.log --fork --keyFile /data/mongodb/demo3/demoKey
about to fork child process, waiting until server is ready for connections.
forked process: 23660
child process started successfully, parent exiting
Now let's check out our authenticated replica set. First we log in and run rs.status() without authenticating ourselves, and we get a "not authorized" error.
After that fails, we authenticate ourselves and can now see the output of rs.status().
[root@msdlvd-dsnavl02 ~]# mongo --host biDemo/10.155.228.75:31111
MongoDB shell version v3.4.5
connecting to: mongodb://10.155.228.75:31111/?replicaSet=biDemo
2017-08-21T15:27:49.927-0400 I NETWORK [thread1] Starting new replica set monitor for biDemo/10.155.228.75:31111
2017-08-21T15:27:49.928-0400 I NETWORK [thread1] Successfully connected to 10.155.228.75:31111 (1 connections now open to 10.155.228.75:31111 with a 5 second timeout)
2017-08-21T15:27:49.928-0400 I NETWORK [thread1] Successfully connected to 10.155.228.75:31112 (1 connections now open to 10.155.228.75:31112 with a 5 second timeout)
2017-08-21T15:27:49.929-0400 I NETWORK [thread1] changing hosts to biDemo/10.155.228.75:31111,10.155.228.75:31112,10.155.228.75:31113 from biDemo/10.155.228.75:31111
2017-08-21T15:27:49.929-0400 I NETWORK [ReplicaSetMonitor-TaskExecutor-0] Successfully connected to 10.155.228.75:31113 (1 connections now open to 10.155.228.75:31113 with a 5 second timeout)
MongoDB server version: 3.4.5
MongoDB Enterprise biDemo:PRIMARY> rs.status()
{
"ok" : 0,
"errmsg" : "not authorized on admin to execute command { replSetGetStatus: 1.0 }",
"code" : 13,
"codeName" : "Unauthorized"
}
MongoDB Enterprise biDemo:PRIMARY> use admin
switched to db admin
MongoDB Enterprise biDemo:PRIMARY> db.auth("admin","gasdhahfhagrsdfasdfaf")
1
MongoDB Enterprise biDemo:PRIMARY> rs.status()
{
"set" : "biDemo",
"date" : ISODate("2017-08-21T19:41:00.359Z"),
"myState" : 1,
"term" : NumberLong(5),
"heartbeatIntervalMillis" : NumberLong(2000),
"optimes" : {
"lastCommittedOpTime" : {
"ts" : Timestamp(1503344455, 1),
"t" : NumberLong(5)
},
"appliedOpTime" : {
"ts" : Timestamp(1503344455, 1),
"t" : NumberLong(5)
},
"durableOpTime" : {
"ts" : Timestamp(1503344455, 1),
"t" : NumberLong(5)
}
},
"members" : [
{
"_id" : 0,
"name" : "10.155.228.75:31111",
"health" : 1,
"state" : 2,
"stateStr" : "SECONDARY",
"uptime" : 826,
"optime" : {
"ts" : Timestamp(1503344455, 1),
"t" : NumberLong(5)
},
"optimeDurable" : {
"ts" : Timestamp(1503344455, 1),
"t" : NumberLong(5)
},
"optimeDate" : ISODate("2017-08-21T19:40:55Z"),
"optimeDurableDate" : ISODate("2017-08-21T19:40:55Z"),
"lastHeartbeat" : ISODate("2017-08-21T19:40:58.487Z"),
"lastHeartbeatRecv" : ISODate("2017-08-21T19:40:59.723Z"),
"pingMs" : NumberLong(0),
"syncingTo" : "10.155.228.75:31113",
"configVersion" : 6
},
{
"_id" : 1,
"name" : "10.155.228.75:31112",
"health" : 1,
"state" : 1,
"stateStr" : "PRIMARY",
"uptime" : 827,
"optime" : {
"ts" : Timestamp(1503344455, 1),
"t" : NumberLong(5)
},
"optimeDate" : ISODate("2017-08-21T19:40:55Z"),
"electionTime" : Timestamp(1503343644, 1),
"electionDate" : ISODate("2017-08-21T19:27:24Z"),
"configVersion" : 6,
"self" : true
},
{
"_id" : 2,
"name" : "10.155.228.75:31113",
"health" : 1,
"state" : 2,
"stateStr" : "SECONDARY",
"uptime" : 816,
"optime" : {
"ts" : Timestamp(1503344455, 1),
"t" : NumberLong(5)
},
"optimeDurable" : {
"ts" : Timestamp(1503344455, 1),
"t" : NumberLong(5)
},
"optimeDate" : ISODate("2017-08-21T19:40:55Z"),
"optimeDurableDate" : ISODate("2017-08-21T19:40:55Z"),
"lastHeartbeat" : ISODate("2017-08-21T19:40:58.487Z"),
"lastHeartbeatRecv" : ISODate("2017-08-21T19:40:59.839Z"),
"pingMs" : NumberLong(0),
"syncingTo" : "10.155.228.75:31112",
"configVersion" : 6
}
],
"ok" : 1
}