step 1:
=========
1. We used CentOS 5.8.
2. MongoDB version 3.2.10, installed via yum.
step 2:
==========
1. Let's create an admin user in the mongo database.
use admin
var user = {
"user" : "root",
"pwd" : "toor",
roles : [
{
"role" : "root",
"db" : "admin"
}
]
}
db.createUser(user);
2. Let's create a read-only user that can read any database.
use admin
var user = {
"user" : "reporting",
"pwd" : "abc123",
roles : [
{
"role" : "readAnyDatabase",
"db" : "admin"
}
]
}
db.createUser(user);
exit
3. Let's create the application user; for this we need to switch to the particular database.
use admin
var user = {
"user" : "appuser",
"pwd" : "app123",
roles : [
{
"role" : "readWrite",
"db" : "hermes"
}
]
}
db.createUser(user);
4. Let's verify the user and its roles.
db.getUsers()
[
{
"_id" : "hermes.appuser",
"user" : "appuser",
"db" : "hermes",
"roles" : [
{
"role" : "readWrite",
"db" : "hermes"
}
]
}
]
step 3:
========
Now it's time to enable mongo authentication.
/etc/mongo.conf:
security:
authorization: enabled
after changing config file, please restart mongod
From here on, a user name and password are required to access the database.
If you connect without a user name and password, you will see errors like these:
> show databases;
2016-06-05T08:05:22.960+0530 E QUERY [thread1] Error: listDatabases failed:{
"ok" : 0,
"errmsg" : "not authorized on admin to execute command { listDatabases: 1.0 }",
"code" : 13
} :
_getErrorWithCode@src/mongo/shell/utils.js:25:13
Mongo.prototype.getDBs@src/mongo/shell/mongo.js:62:1
shellHelper.show@src/mongo/shell/utils.js:760:19
shellHelper@src/mongo/shell/utils.js:650:15
@(shellhelp2):1:1
>
$mongo admin -u root -p
MongoDB shell version: 3.2.10
Enter password:
connecting to: admin
>
step 4:
=========
Now it's time to set up mongo master/slave replication.
1. To start mongo as a master, use this init.d file:
https://gist.githubusercontent.com/bugcy013/0a6ed175c34a89e3d1d37bc84383f351/raw/2eea4a6365b5b7160d50ac267a29cd6657041af5/init.d_mongod_master
2. To start mongo as a slave, use this init.d file:
https://gist.githubusercontent.com/bugcy013/0a6ed175c34a89e3d1d37bc84383f351/raw/2eea4a6365b5b7160d50ac267a29cd6657041af5/init.d_mongod_slave
NOTE::
In the mongo master init.d file we have added DAEMON_OPTS=" --master". This is very important; otherwise mongo is treated as a normal standalone instance. With the --master option, mongod creates a local.oplog.$main collection, the "operation log" that queues the operations the slaves will apply to replicate from the master.
3. How to add the master's address on the slave node
use local
db.sources.find()
db.sources.insert( { host: "172.16.60.79:27017" } );
or
we can add it to the startup command in init.d/mongod:
DAEMON_OPTS=" --slave --auth --source 172.16.60.79:27017"
4. Connecting a slave to a master running in auth mode (keyfile access control)
cd /var/lib/mongo
openssl rand -base64 755 > dv_mongo.key
chmod 400 dv_mongo.key
chown mongod: dv_mongo.key
security:
authorization: enabled
keyFile: /var/lib/mongo/dv_mongo.key
NOTE :: Copy the dv_mongo.key file to every slave machine, keeping the same 400 permissions and mongod ownership as above, since every member must present the same key.
step 5:
=========
Now it's time to verify master/slave sync.
How to check replication status (Master Side)
----------------------------------------------
> db.printReplicationInfo()
configured oplog size: 1965.9365234375MB
log length start to end: 13447secs (3.74hrs)
oplog first event time: Fri Oct 21 2016 11:05:30 GMT-0400 (EDT)
oplog last event time: Fri Oct 21 2016 14:49:37 GMT-0400 (EDT)
now: Fri Oct 21 2016 14:49:46 GMT-0400 (EDT)
>
How to check replication status (Slave Side)
------------------------------------------------
> db.printReplicationInfo()
this is a slave, printing slave replication info.
source: 172.16.60.79
syncedTo: Fri Oct 21 2016 14:49:07 GMT-0400 (EDT)
7 secs (0 hrs) behind the freshest member (no primary available at the moment)
>
How to re-sync the slave if replication is not happening properly.
-----------------------------------------------------
> use admin
switched to db admin
> db.runCommand({resync: 1})
{ "info" : "triggered resync for all sources", "ok" : 1 }
let's insert some data on master side:
--------------------------------------------
use myNewDatabase
db.myCollection.insert( { x: 503 } )
verification on slave side:
---------------------------------------------
use myNewDatabase
db.myCollection.find().sort({_id:-1}).limit(10)
step 6: (very important) How to disable master/slave setup
===========================================================
1. Modify the /etc/init.d/mongod file and comment out the DAEMON_OPTS variable (line 16).
2. then restart mongod
step 7: (very important) How to disable authentication setup
=============================================================
1. Modify /etc/mongod.conf and comment out the 'security' section:
security:
authorization: enabled
keyFile: /var/lib/mongo/dv_mongo.key
2. then restart mongod
Users & Roles
================
There are a number of predefined roles:
root - All powerful. Use with caution
userAdminAnyDatabase - Can create users and assign roles on any database. Use with caution
userAdmin - Can only create users and assign roles in a specific database
read - Read collections in a specific database.
readWrite - Read and Write to a specific database
> db.getUsers()
or
> db.system.users.find()
STEP - 1
========
Add Users Before Enabling Access Control
Create Admin User :: -
The first thing to do is create an admin user: open the mongo shell and
connect to the `admin` database.
The first user should be an admin user that can manage the database,
so create a user and assign it the role userAdminAnyDatabase.
use admin
var user = {
"user" : "root",
"pwd" : "toor",
roles : [
{
"role" : "userAdminAnyDatabase",
"db" : "admin"
}
]
}
db.createUser(user);
How to check whether the user was created
-----------------------------------
db.getUsers()
[
{
"_id" : "admin.root",
"user" : "root",
"db" : "admin",
"roles" : [
{
"role" : "userAdminAnyDatabase",
"db" : "admin"
}
]
}
]
STEP - 2
========
Enabling Access Control ::
in /etc/mongod.conf
security:
authorization: enabled
after updating config file we need to restart the mongo instance.
STEP - 3
========
From here on, a user name and password are required to access the database.
If you connect without a user name and password, you will see errors like these:
> show databases;
2016-06-05T08:05:22.960+0530 E QUERY [thread1] Error: listDatabases failed:{
"ok" : 0,
"errmsg" : "not authorized on admin to execute command { listDatabases: 1.0 }",
"code" : 13
} :
_getErrorWithCode@src/mongo/shell/utils.js:25:13
Mongo.prototype.getDBs@src/mongo/shell/mongo.js:62:1
shellHelper.show@src/mongo/shell/utils.js:760:19
shellHelper@src/mongo/shell/utils.js:650:15
@(shellhelp2):1:1
>
$mongo admin -u root -p
MongoDB shell version: 3.2.5
Enter password:
connecting to: admin
>
STEP - 4
========
Let's create the application user for read/write access.
Before creating the application user, we need to switch to the particular database.
> use hermes;
var user = {
"user" : "appuser",
"pwd" : "app123",
roles : [
{
"role" : "readWrite",
"db" : "hermes"
}
]
}
db.createUser(user);
let's verify
> db.getUsers()
[
{
"_id" : "hermes.appuser",
"user" : "appuser",
"db" : "hermes",
"roles" : [
{
"role" : "readWrite",
"db" : "hermes"
}
]
}
]
>
STEP - 5
========
Let's create a read-only user that can read any database.
$mongo admin -u admin -p
var user = {
"user" : "reporting",
"pwd" : "abc123",
roles : [
{
"role" : "readAnyDatabase",
"db" : "admin"
}
]
}
db.createUser(user);
exit
> db.products.insert({ "title" : "MongoDB in Action" });
WriteResult({
"writeError" : {
"code" : 13,
"errmsg" : "not authorized on hermes to execute command { insert: \"products\", documents: [ { _id: ObjectId('5753d9af680d6e283c83138f'), title: \"MongoDB in Action\" } ], ordered: true }"
}
})
>
If you try to insert/update/delete a document as this read-only user, you will receive a not-authorized error like the one above.
How to update the user role:
=============================
use admin
db.updateUser( "admin",
{
roles : [
{ role : "root", db : "admin" }
]
}
)
Enforcing keyfile access control (done on the master machine)
=======================================================
cd /var/lib/mongo
openssl rand -base64 755 > dv_mongo.key
chmod 400 dv_mongo.key
chown mongod: dv_mongo.key
security:
authorization: enabled
keyFile: /var/lib/mongo/dv_mongo.key
NOTE :: Copy the dv_mongo.key file to every slave machine, keeping the same 400 permissions and mongod ownership as above, since every member must present the same key.
A superuser role is required to monitor replication status on both the slave and the master
=========================================================================
use admin
db.createUser(
{
user: "admin",
pwd: "password",
roles: [ { role: "root", db: "admin" } ]
}
);
exit;
Initial Deployment
=====================
To configure a master-slave deployment, start two mongod instances: one in master mode, and the other in slave mode.
To start a mongod instance in master mode, invoke mongod as follows:
mongod --master
or slave side
mongod --slave
How to add the master's address on the slave node
==========================================
> use local
switched to db local
> db.sources.find()
>
db.sources.insert( { host: "172.16.60.79:27017" } );
or
we can add it to the startup command in init.d/mongod:
DAEMON_OPTS=" --slave --auth --source 172.16.60.79:27017"
How to check replication status (Master Side)
===============================================
> db.printReplicationInfo()
configured oplog size: 1965.9365234375MB
log length start to end: 13447secs (3.74hrs)
oplog first event time: Fri Oct 21 2016 11:05:30 GMT-0400 (EDT)
oplog last event time: Fri Oct 21 2016 14:49:37 GMT-0400 (EDT)
now: Fri Oct 21 2016 14:49:46 GMT-0400 (EDT)
>
How to check replication status (Slave Side)
===============================================
> db.printReplicationInfo()
this is a slave, printing slave replication info.
source: 172.16.60.79
syncedTo: Fri Oct 21 2016 14:49:07 GMT-0400 (EDT)
7 secs (0 hrs) behind the freshest member (no primary available at the moment)
>
How to force a re-sync on the slave side
============================================
> use admin
switched to db admin
> db.runCommand({resync: 1})
{ "info" : "triggered resync for all sources", "ok" : 1 }
Insert some data on master side:
================================
use myNewDatabase
db.myCollection.insert( { x: 503 } )
verification on slave side:
=============================
use myNewDatabase
db.myCollection.find().sort({_id:-1}).limit(10)
#!/bin/bash
# mongod - Startup script for mongod
# chkconfig: 35 85 15
# description: Mongo is a scalable, document-oriented database.
# processname: mongod
# config: /etc/mongod.conf
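. /etc/rc.d/init.d/functions

# NOTE: if you change any OPTIONS here, you get what you pay for:
# this script assumes all options are in the config file.
CONFIGFILE="/etc/mongod.conf"
OPTIONS=" -f $CONFIGFILE"
# Replication mode flag passed to mongod in addition to the config file.
# The matching master init script differs from this one only in this value.
DAEMON_OPTS=" --slave"
mongod=${MONGOD-/usr/bin/mongod}
MONGO_USER=mongod
MONGO_GROUP=mongod

# All variables set before this point can be overridden by users, by
# setting them directly in the SYSCONFIG file. Use this to explicitly
# override these values, at your own risk.
SYSCONFIG="/etc/sysconfig/mongod"
if [ -f "$SYSCONFIG" ]; then
  . "$SYSCONFIG"
fi

# Handle NUMA access to CPUs (SERVER-3574)
# This verifies the existence of numactl as well as testing that the command works.
NUMACTL_ARGS="--interleave=all"
# shellcheck disable=SC2086 -- NUMACTL_ARGS is intentionally word-split
if command -v numactl >/dev/null 2>&1 && numactl $NUMACTL_ARGS ls / >/dev/null 2>&1; then
  NUMACTL="numactl $NUMACTL_ARGS"
else
  NUMACTL=""
fi

# things from mongod.conf get there by mongod reading it
# The pidfile path is extracted here so stop/status can find the process:
# matches "pidfilepath: x" (YAML) or "pidfilepath=x" (legacy), then strips
# blanks, quotes and trailing '#' comments. IGNORECASE is a GNU awk extension.
PIDFILEPATH=$(awk -F'[:=]' -v IGNORECASE=1 '/^[[:blank:]]*(processManagement\.)?pidfilepath[[:blank:]]*[:=][[:blank:]]*/{print $2}' "$CONFIGFILE" | tr -d "[:blank:]\"'" | awk -F'#' '{print $1}')
# Quoted so an empty PIDFILEPATH (no pidfilepath in the config) yields "."
# instead of a dirname usage error.
PIDDIR=$(dirname "$PIDFILEPATH")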
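#######################################
# Start mongod as MONGO_USER with the recommended ulimits applied.
# Globals:   PIDDIR, PIDFILEPATH, CONFIGFILE, MONGO_USER, MONGO_GROUP,
#            NUMACTL, mongod, DAEMON_OPTS, OPTIONS (read); RETVAL (written)
# Outputs:   "Starting mongod:" status line on stdout
# Returns:   nothing meaningful; RETVAL is 0 on success, 1 on error
#######################################
start()
{
  # Refuse to start without a pidfile path: an empty PIDFILEPATH would
  # otherwise make "[ -f $PIDFILEPATH ]" succeed on an empty argument and
  # stop/status could never locate the process.
  if [ -z "$PIDFILEPATH" ]; then
    echo "Error starting mongod. No pidfilepath found in $CONFIGFILE."
    RETVAL=1
    return
  fi

  # Make sure the default pidfile directory exists
  if [ ! -d "$PIDDIR" ]; then
    install -d -m 0755 -o "$MONGO_USER" -g "$MONGO_GROUP" "$PIDDIR"
  fi

  # Make sure the pidfile does not exist
  if [ -f "$PIDFILEPATH" ]; then
    echo "Error starting mongod. $PIDFILEPATH exists."
    RETVAL=1
    return
  fi

  # Recommended ulimit values for mongod or mongos
  # See http://docs.mongodb.org/manual/reference/ulimit/#recommended-settings
  ulimit -f unlimited
  ulimit -t unlimited
  ulimit -v unlimited
  ulimit -n 64000
  ulimit -m unlimited
  ulimit -u 64000

  echo -n $"Starting mongod: "
  # daemon() from init.d/functions runs its trailing argument as a command
  # string, so the command line is deliberately passed as one string here.
  daemon --user "$MONGO_USER" --check "$mongod" "$NUMACTL $mongod $DAEMON_OPTS $OPTIONS >/dev/null 2>&1"
  RETVAL=$?
  echo
  [ "$RETVAL" -eq 0 ] && touch /var/lock/subsys/mongod
}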
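#######################################
# Stop mongod via mongo_killproc and clear the subsys lock on success.
# Globals:   PIDFILEPATH, mongod (read); RETVAL (written)
# Outputs:   "Stopping mongod:" status line on stdout
# Returns:   nothing meaningful; RETVAL is mongo_killproc's exit status
#######################################
stop()
{
  echo -n $"Stopping mongod: "
  # Quoted so a MONGOD override containing spaces is passed as one argument.
  mongo_killproc "$PIDFILEPATH" "$mongod"
  RETVAL=$?
  echo
  [ "$RETVAL" -eq 0 ] && rm -f /var/lock/subsys/mongod
}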
#######################################
# Restart mongod: a stop followed unconditionally by a start.
# Globals:   RETVAL (written via start/stop)
#######################################
restart() {
  stop; start
}
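# Send TERM signal to process and wait up to 300 seconds for process to go away.
# If process is still alive after 300 seconds, send KILL signal.
# Built-in killproc() (found in /etc/init.d/functions) is on certain versions of Linux
# where it sleeps for the full $delay seconds if process does not respond fast enough to
# the initial TERM signal.
#######################################
# Arguments: $1 - pidfile path
#            $2 - process name (used by pidofproc and in the status message)
# Outputs:   success/failure marker via the init.d/functions helpers
# Returns:   0 once the process is gone (pidfile removed), 1 if it survived
#######################################
mongo_killproc()
{
  local pid_file=$1
  local procname=$2
  local -i delay=300
  local -i duration=10
  local pid
  # Assigned separately from the declaration so a failing pidofproc is not
  # masked by local's own exit status.
  pid=$(pidofproc -p "${pid_file}" "${procname}")

  # shellcheck disable=SC2086 -- pid is left unquoted on purpose: an empty
  # value must yield no argument, and pidofproc may return several pids.
  kill -TERM $pid >/dev/null 2>&1
  usleep 100000

  # Poll until the process is gone or the grace period is exhausted.
  local -i x=0
  while [ "$x" -le "$delay" ] && checkpid $pid; do
    sleep "$duration"
    x=$(( x + duration ))
  done

  kill -KILL $pid >/dev/null 2>&1
  usleep 100000

  # checkpid returns 0 only if the process still exists. An explicit if/else
  # replaces the old "&& failure || rm; success" chain, which printed the
  # success marker even after reporting a failure.
  if checkpid $pid; then
    failure "${procname} shutdown"
    return 1
  fi
  rm -f "${pid_file}"
  success "${procname} shutdown"
  return 0
}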
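RETVAL=0

# Dispatch on the init action; RETVAL carries the exit status of the action.
case "$1" in
  start)
    start
    ;;
  stop)
    stop
    ;;
  restart|reload|force-reload)
    restart
    ;;
  condrestart)
    # Only restart when the service was running (subsys lock present).
    [ -f /var/lock/subsys/mongod ] && restart || :
    ;;
  status)
    status "$mongod"
    RETVAL=$?
    ;;
  *)
    echo "Usage: $0 {start|stop|status|restart|reload|force-reload|condrestart}"
    RETVAL=1
    ;;
esac

exit "$RETVAL"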
#!/bin/bash
# mongod - Startup script for mongod
# chkconfig: 35 85 15
# description: Mongo is a scalable, document-oriented database.
# processname: mongod
# config: /etc/mongod.conf
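. /etc/rc.d/init.d/functions

# NOTE: if you change any OPTIONS here, you get what you pay for:
# this script assumes all options are in the config file.
CONFIGFILE="/etc/mongod.conf"
OPTIONS=" -f $CONFIGFILE"
# Replication mode flag passed to mongod in addition to the config file.
# The matching slave init script differs from this one only in this value.
DAEMON_OPTS=" --master"
mongod=${MONGOD-/usr/bin/mongod}
MONGO_USER=mongod
MONGO_GROUP=mongod

# All variables set before this point can be overridden by users, by
# setting them directly in the SYSCONFIG file. Use this to explicitly
# override these values, at your own risk.
SYSCONFIG="/etc/sysconfig/mongod"
if [ -f "$SYSCONFIG" ]; then
  . "$SYSCONFIG"
fi

# Handle NUMA access to CPUs (SERVER-3574)
# This verifies the existence of numactl as well as testing that the command works.
NUMACTL_ARGS="--interleave=all"
# shellcheck disable=SC2086 -- NUMACTL_ARGS is intentionally word-split
if command -v numactl >/dev/null 2>&1 && numactl $NUMACTL_ARGS ls / >/dev/null 2>&1; then
  NUMACTL="numactl $NUMACTL_ARGS"
else
  NUMACTL=""
fi

# things from mongod.conf get there by mongod reading it
# The pidfile path is extracted here so stop/status can find the process:
# matches "pidfilepath: x" (YAML) or "pidfilepath=x" (legacy), then strips
# blanks, quotes and trailing '#' comments. IGNORECASE is a GNU awk extension.
PIDFILEPATH=$(awk -F'[:=]' -v IGNORECASE=1 '/^[[:blank:]]*(processManagement\.)?pidfilepath[[:blank:]]*[:=][[:blank:]]*/{print $2}' "$CONFIGFILE" | tr -d "[:blank:]\"'" | awk -F'#' '{print $1}')
# Quoted so an empty PIDFILEPATH (no pidfilepath in the config) yields "."
# instead of a dirname usage error.
PIDDIR=$(dirname "$PIDFILEPATH")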
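#######################################
# Start mongod as MONGO_USER with the recommended ulimits applied.
# Globals:   PIDDIR, PIDFILEPATH, CONFIGFILE, MONGO_USER, MONGO_GROUP,
#            NUMACTL, mongod, DAEMON_OPTS, OPTIONS (read); RETVAL (written)
# Outputs:   "Starting mongod:" status line on stdout
# Returns:   nothing meaningful; RETVAL is 0 on success, 1 on error
#######################################
start()
{
  # Refuse to start without a pidfile path: an empty PIDFILEPATH would
  # otherwise make "[ -f $PIDFILEPATH ]" succeed on an empty argument and
  # stop/status could never locate the process.
  if [ -z "$PIDFILEPATH" ]; then
    echo "Error starting mongod. No pidfilepath found in $CONFIGFILE."
    RETVAL=1
    return
  fi

  # Make sure the default pidfile directory exists
  if [ ! -d "$PIDDIR" ]; then
    install -d -m 0755 -o "$MONGO_USER" -g "$MONGO_GROUP" "$PIDDIR"
  fi

  # Make sure the pidfile does not exist
  if [ -f "$PIDFILEPATH" ]; then
    echo "Error starting mongod. $PIDFILEPATH exists."
    RETVAL=1
    return
  fi

  # Recommended ulimit values for mongod or mongos
  # See http://docs.mongodb.org/manual/reference/ulimit/#recommended-settings
  ulimit -f unlimited
  ulimit -t unlimited
  ulimit -v unlimited
  ulimit -n 64000
  ulimit -m unlimited
  ulimit -u 64000

  echo -n $"Starting mongod: "
  # daemon() from init.d/functions runs its trailing argument as a command
  # string, so the command line is deliberately passed as one string here.
  daemon --user "$MONGO_USER" --check "$mongod" "$NUMACTL $mongod $DAEMON_OPTS $OPTIONS >/dev/null 2>&1"
  RETVAL=$?
  echo
  [ "$RETVAL" -eq 0 ] && touch /var/lock/subsys/mongod
}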
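#######################################
# Stop mongod via mongo_killproc and clear the subsys lock on success.
# Globals:   PIDFILEPATH, mongod (read); RETVAL (written)
# Outputs:   "Stopping mongod:" status line on stdout
# Returns:   nothing meaningful; RETVAL is mongo_killproc's exit status
#######################################
stop()
{
  echo -n $"Stopping mongod: "
  # Quoted so a MONGOD override containing spaces is passed as one argument.
  mongo_killproc "$PIDFILEPATH" "$mongod"
  RETVAL=$?
  echo
  [ "$RETVAL" -eq 0 ] && rm -f /var/lock/subsys/mongod
}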
#######################################
# Restart mongod: a stop followed unconditionally by a start.
# Globals:   RETVAL (written via start/stop)
#######################################
restart() {
  stop; start
}
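# Send TERM signal to process and wait up to 300 seconds for process to go away.
# If process is still alive after 300 seconds, send KILL signal.
# Built-in killproc() (found in /etc/init.d/functions) is on certain versions of Linux
# where it sleeps for the full $delay seconds if process does not respond fast enough to
# the initial TERM signal.
#######################################
# Arguments: $1 - pidfile path
#            $2 - process name (used by pidofproc and in the status message)
# Outputs:   success/failure marker via the init.d/functions helpers
# Returns:   0 once the process is gone (pidfile removed), 1 if it survived
#######################################
mongo_killproc()
{
  local pid_file=$1
  local procname=$2
  local -i delay=300
  local -i duration=10
  local pid
  # Assigned separately from the declaration so a failing pidofproc is not
  # masked by local's own exit status.
  pid=$(pidofproc -p "${pid_file}" "${procname}")

  # shellcheck disable=SC2086 -- pid is left unquoted on purpose: an empty
  # value must yield no argument, and pidofproc may return several pids.
  kill -TERM $pid >/dev/null 2>&1
  usleep 100000

  # Poll until the process is gone or the grace period is exhausted.
  local -i x=0
  while [ "$x" -le "$delay" ] && checkpid $pid; do
    sleep "$duration"
    x=$(( x + duration ))
  done

  kill -KILL $pid >/dev/null 2>&1
  usleep 100000

  # checkpid returns 0 only if the process still exists. An explicit if/else
  # replaces the old "&& failure || rm; success" chain, which printed the
  # success marker even after reporting a failure.
  if checkpid $pid; then
    failure "${procname} shutdown"
    return 1
  fi
  rm -f "${pid_file}"
  success "${procname} shutdown"
  return 0
}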
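RETVAL=0

# Dispatch on the init action; RETVAL carries the exit status of the action.
case "$1" in
  start)
    start
    ;;
  stop)
    stop
    ;;
  restart|reload|force-reload)
    restart
    ;;
  condrestart)
    # Only restart when the service was running (subsys lock present).
    [ -f /var/lock/subsys/mongod ] && restart || :
    ;;
  status)
    status "$mongod"
    RETVAL=$?
    ;;
  *)
    echo "Usage: $0 {start|stop|status|restart|reload|force-reload|condrestart}"
    RETVAL=1
    ;;
esac

exit "$RETVAL"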