MongoDB: Disable user auth, but keep cluster auth
I have a pre-existing MongoDB (5.0) replica set that I would like to disable user auth for, but keep cluster auth on.
What I did was:
1. sudo systemctl stop mongod.service - stop the service
2. sudo vi /etc/systemd/system/mongod.service - edit the line:
   ExecStart=/usr/bin/mongod --bind_ip localhost,<my ip> --replSet mongodb --auth --clusterAuthMode=keyFile --keyFile=/etc/mongodb/keyFile
   to
   ExecStart=/usr/bin/mongod --bind_ip localhost,<my ip> --replSet mongodb --clusterAuthMode=keyFile --keyFile=/etc/mongodb/keyFile
3. sudo systemctl daemon-reload - reload service
4. sudo systemctl start mongod.service - start service
Then on a separate machine, I went to verify my auth changes.
$ pip3 install pymongo==3.12.1
$ python3
from pymongo import MongoClient
PORT=27017
ADDR="<my ip>"
connection = ADDR + ":" + str(PORT)
client = MongoClient(connection, replicaset="mongodb")
client.admin.command("replSetGetStatus")
which reports pymongo.errors.OperationFailure: command usersInfo requires authentication.
Interestingly enough, when I redo steps 1-4 but change 2. to ExecStart=/usr/bin/mongod --bind_ip localhost,<my ip> --replSet mongodb, I am able to re-run the above experiment without issue.
So here are my questions:
1. I thought the flags clusterAuthMode=keyFile --keyFile=/etc/mongodb/keyFile were only for replicas in the cluster authenticating others. Is that true?
2. If 1. is correct then why can I not access my cluster from outside the cluster with these fields?
3. Is there a better way to verify auth? I saw some other posts on here that used a shell script but did not work for me.
Comments (1)
As @Wernfried Domscheit commented: keyFile implies security.authorization.
Or Internal/Membership Authentication: Enabling internal authentication also enables client authorization.
So essentially you cannot have cluster auth without user auth.
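
The answer's rule, as an added example that is not part of the original post: a static check of a mongod ExecStart line that reports whether client access control is in effect, treating --keyFile as implying authorization. The function names and the 192.0.2.10 address are assumptions made for illustration, and only command-line flags are inspected, so a referenced config file is reported as "unknown".

```python
import re
import shlex

def parse_flags(exec_start):
    """Map each option on a mongod ExecStart line to its value (True if it takes none)."""
    cmd = re.sub(r"^\s*ExecStart\s*=\s*", "", exec_start)
    tokens = shlex.split(cmd)[1:]  # skip the mongod binary itself
    flags, i = {}, 0
    while i < len(tokens):
        name, sep, value = tokens[i].partition("=")
        if name.startswith("-"):
            # Accept both "--keyFile=/path" and "--keyFile /path".
            if not sep and i + 1 < len(tokens) and not tokens[i + 1].startswith("-"):
                i += 1
                value = tokens[i]
            flags[name] = value or True
        i += 1
    return flags

def access_control(exec_start):
    """Report internal auth and client authorization as set by command-line flags."""
    flags = parse_flags(exec_start)
    internal = "--keyFile" in flags
    if "--auth" in flags or internal:
        client = "enforced"  # a key file implies authorization, per the answer
    elif "--config" in flags or "-f" in flags:
        client = "unknown"   # security.* settings may live in the config file
    else:
        client = "off"
    return {"internal_auth": internal, "client_authorization": client}

# Constructed samples: the question's three ExecStart lines, with the
# documentation address 192.0.2.10 standing in for "<my ip>".
BASE = "ExecStart=/usr/bin/mongod --bind_ip localhost,192.0.2.10 --replSet mongodb"
KEYFILE = " --clusterAuthMode=keyFile --keyFile=/etc/mongodb/keyFile"
SAMPLES = {
    "original": BASE + " --auth" + KEYFILE,
    "auth flag removed": BASE + KEYFILE,
    "no security flags": BASE,
}

if __name__ == "__main__":
    for label, line in SAMPLES.items():
        print(f"{label:18} {access_control(line)}")
```

The "auth flag removed" line yields the same result as the original one, which matches the authentication error the asker saw after dropping --auth.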