MongoDB replica set (authentication + TLS)
1. Start with a replica set without authentication
This part is simple: just follow the official tutorial.
Official docs: https://docs.mongodb.com/manual/tutorial/deploy-replica-set/
2. Create a user
Create the user on the primary node; here we create a superuser with the root role.
# Open the shell
mongo
# Switch to the admin database
use admin;
# Create the user
db.createUser({
  user: "admin",
  pwd: "123456",
  roles: [ "root" ]
});
3. Create the certificates
We need one CA certificate plus three certificates, one per mongo node, used for communication between the nodes.
I don't really understand this certificate part; the process is adapted from the tutorial on setting up TLS for Docker.
It also helps to first read up on the related concepts: openssl, x509 and what a CA is.
The steps are:
- Generate the CA certificate. This certificate has to be sent to every node, and make a note of the CA key passphrase.
openssl genrsa -aes256 -out ca-key.pem 4096
openssl req -new -x509 -days 365 -key ca-key.pem -sha256 -out ca.pem
This produces two files, ca-key.pem and ca.pem. The one to send to each node is ca.pem: it is the public half (the CA certificate) and its content starts with -----BEGIN CERTIFICATE-----. ca-key.pem is the CA's private key and stays on the machine that signs the node certificates.
- Generate each node's certificate
# Private key
openssl genrsa -out server-key.pem 4096
# Certificate signing request, an intermediate file that can be deleted afterwards. This step asks for a few fields interactively; they must be identical for every node's certificate, so their default values are written into openssl.conf for convenience. Note that the common name must be the node's host name or IP, and that one differs per node.
openssl req -config openssl.conf -sha256 -new -key server-key.pem -out server.csr
# Certificate (the public half), signed by the CA. Mind -days and adjust the expiry as needed.
openssl x509 -req -days 365 -sha256 -in server.csr -CA ca.pem -CAkey ca-key.pem -CAcreateserial -out server-cert.pem
#openssl req -new -newkey rsa:2048 -sha256 -nodes -keyout $cn.key -subj "/CN=$cn\/emailAddress=admin@$cn/C=US/ST=Ohio/L=Columbus/O=Widgets Inc/OU=Some Unit" -out $cn.csr
# Combine certificate and private key into one file. This file goes to a single node and is different for every node, so the steps above are repeated once per node.
cat server-cert.pem server-key.pem > server.pem
openssl.conf:
[req]
distinguished_name="mongo_node"
[mongo_node]
commonName="Fully Qualified Domain Name (FQDN)"
countryName="Country Name (2 letter code)"
countryName_default=CN
stateOrProvinceName="State Name (full name)"
stateOrProvinceName_default="SN"
localityName="Locality Name (e.g., city)"
localityName_default="LN"
organizationName="Organization Name (e.g., company)"
organizationName_default="ON"
organizationalUnitName="Organizational Unit Name (e.g., section)"
organizationalUnitName_default="OU"
- Distribute ca.pem and each node's server.pem.
Note that the certificate files must be readable by the mongo user.
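The certificate steps above carried out end to end, as an added shell script that is my example rather than the original post's commands: it builds the CA with a passphrase-protected key, issues one certificate per member with the same C/ST/L/O/OU values as the openssl.conf defaults and the host name as CN, concatenates certificate and key into server.pem, and then checks the things MongoDB's x509 cluster authentication depends on: every member certificate chains to ca.pem, its CN equals the member's host name, the non-CN subject fields are identical across members, and the combined PEM (which holds a private key) is readable only by its owner. The host names, directory layout, CA_PASS variable (which replaces the interactive passphrase prompt) and KEY_BITS override are constructed placeholders; it needs only openssl.

```shell
#!/bin/sh
# Added example: generate a CA and one certificate per replica-set member, then
# verify the invariants MongoDB x509 membership authentication relies on.
# Host names, paths and the CA passphrase variable are constructed placeholders.
set -eu

KEY_BITS="${KEY_BITS:-4096}"              # the post uses 4096; lower only for quick tests
CA_PASS="${CA_PASS:-change-me-ca-pass}"   # passphrase for the -aes256 CA key (assumed name)
export CA_PASS
# Same C/ST/L/O/OU for every member (the openssl.conf defaults); only CN differs.
DN_BASE="/C=CN/ST=SN/L=LN/O=ON/OU=OU"

# subject_without_cn CERT -> subject DN in RFC2253 form with the CN component removed
subject_without_cn() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 \
      | sed 's/^subject= *//; s/CN=[^,]*,\{0,1\}//'
}

# make_ca DIR -> DIR/ca-key.pem (encrypted with CA_PASS) and DIR/ca.pem
make_ca() {
    dir="$1"
    openssl genrsa -aes256 -passout env:CA_PASS -out "$dir/ca-key.pem" "$KEY_BITS" 2>/dev/null
    openssl req -new -x509 -days 365 -sha256 -key "$dir/ca-key.pem" -passin env:CA_PASS \
        -subj "/CN=mongo-replset-ca" -out "$dir/ca.pem"
}

# make_member_cert DIR HOST -> DIR/HOST/server.pem (cert + key) signed by DIR/ca.pem
make_member_cert() {
    dir="$1"; host="$2"; out="$dir/$host"
    mkdir -p "$out"
    openssl genrsa -out "$out/server-key.pem" "$KEY_BITS" 2>/dev/null
    openssl req -new -sha256 -key "$out/server-key.pem" \
        -subj "$DN_BASE/CN=$host" -out "$out/server.csr"
    openssl x509 -req -days 365 -sha256 -in "$out/server.csr" \
        -CA "$dir/ca.pem" -CAkey "$dir/ca-key.pem" -passin env:CA_PASS -CAcreateserial \
        -out "$out/server-cert.pem" 2>/dev/null
    # PEMKeyFile needs both halves; it contains a private key, so keep it 0600
    # (chown it to the user mongod runs as when deploying to the node).
    cat "$out/server-cert.pem" "$out/server-key.pem" > "$out/server.pem"
    chmod 600 "$out/server.pem" "$out/server-key.pem"
    rm -f "$out/server.csr"
}

# check_cluster DIR HOST... -> 0 if every cert chains to the CA, CN equals the host
# name, all non-CN subject fields match across members, and server.pem is 0600
check_cluster() {
    dir="$1"; shift
    ref=""
    for host in "$@"; do
        cert="$dir/$host/server-cert.pem"
        openssl verify -CAfile "$dir/ca.pem" "$cert" >/dev/null
        cn=$(openssl x509 -in "$cert" -noout -subject -nameopt RFC2253 | sed 's/.*CN=\([^,]*\).*/\1/')
        [ "$cn" = "$host" ] || { echo "CN mismatch for $host: $cn" >&2; return 1; }
        rest=$(subject_without_cn "$cert")
        if [ -z "$ref" ]; then ref="$rest"
        elif [ "$rest" != "$ref" ]; then echo "subject fields differ for $host" >&2; return 1; fi
        case $(ls -ld "$dir/$host/server.pem" | cut -c1-10) in
            ????------) ;;
            *) echo "server.pem for $host is readable by others" >&2; return 1 ;;
        esac
    done
    echo "ok: $# member certificates share '$ref'"
}

# gen_cluster_certs DIR HOST... -> builds everything under DIR and runs the checks
gen_cluster_certs() {
    dir="$1"; shift
    mkdir -p "$dir"
    make_ca "$dir"
    for host in "$@"; do make_member_cert "$dir" "$host"; done
    check_cluster "$dir" "$@"
}

# Usage: sh make-certs.sh ./certs host1 host2 host3
if [ $# -gt 1 ]; then gen_cluster_certs "$@"; fi
```

Run it once on the signing machine, then copy ca.pem to every member and each member's own server.pem to that member only; the check_cluster function can be re-run against the directory at any time, for instance before renewing certificates.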
4. Configure mongodb
systemLog:
  destination: file
  path: "/opt/mongo/mongodb/log/mongo.log"
net:
  bindIp: 0.0.0.0
  ssl:
    mode: preferSSL
    PEMKeyFile: /opt/mongo/cert/server/server.pem
    CAFile: /opt/mongo/cert/ca/ca.pem
storage:
  dbPath: "/opt/mongo/mongodb/data"
processManagement:
  fork: true
  pidFilePath: "/opt/mongo/mongodb/log/mongo.pid"
replication:
  replSetName: "rs0"
security:
  clusterAuthMode: x509
  authorization: enabled
With mode: preferSSL the members talk to each other over TLS, but the server still accepts plaintext client connections; switch to requireSSL once every client connects over TLS. clusterAuthMode: x509 makes the members authenticate each other with their certificates, which is why the non-CN subject fields have to match across nodes while the CN is unique per node.
5. Restart each node
6. Connecting from a Java program
import com.mongodb.MongoClientSettings;
import com.mongodb.MongoCredential;
import com.mongodb.ServerAddress;
import com.mongodb.client.MongoClient;
import com.mongodb.client.MongoClients;
import java.util.Arrays;

// Seed list: the three replica-set members
ServerAddress seed1 = new ServerAddress("host1", 27017);
ServerAddress seed2 = new ServerAddress("host2", 27017);
ServerAddress seed3 = new ServerAddress("host3", 27017);
MongoClientSettings settings = MongoClientSettings.builder()
        .applyToClusterSettings(builder ->
                builder.hosts(Arrays.asList(seed1, seed2, seed3)))
        // Credential for the "admin" user created in step 2, authenticating against the admin database
        .credential(MongoCredential.createCredential("admin", "admin", "123456".toCharArray()))
        .build();
// This client does not enable TLS; the server's preferSSL mode still accepts it.
// Enable TLS in the client's SSL settings to encrypt the connection.
MongoClient mongoClient = MongoClients.create(settings);