In this article, we will see how to configure keyfile-based internode authentication on an existing MongoDB replica set without downtime, using MongoDB 5.0 Enterprise Server on CentOS 7.
OS Platform : REDHAT/CENTOS 7 Linux
Software : Mongodb 5.0 Enterprise Server
NOTE:
- This article is a continuation of the previous article "How to deploy Mongodb replica set on Linux ?". If you have not deployed a replica set yet, please deploy it first.
- For this demo we assume that you have already installed MongoDB 5.0 Enterprise Server; if not, see "How to install Mongodb on Redhat\Centos Linux using Tarball .tgz?" to get it installed.
- Be aware that keyfile-based authentication is a bare minimum form of security, suitable for testing and development environments. It is not intended for use in a production environment.
- For production deployments, MongoDB recommends x.509 certificates for internal member authentication.
Prerequisites:
To complete this demo we need the 3 CentOS servers that were deployed in the article "How to deploy Mongodb replica set on Linux ?": a 3-member replica set in which 1 server is the primary and the other 2 act as secondaries.
Server name | IP Address | Role
mongodb1 | 192.168.1.200 | Primary
mongodb2 | 192.168.1.201 | Secondary
mongodb3 | 192.168.1.202 | Secondary
// create the user administrator (run against the primary)
admin = db.getSiblingDB("admin")
admin.createUser(
  {
    user: "userdba",
    pwd: passwordPrompt(),
    roles: [ { role: "userAdminAnyDatabase", db: "admin" } ]
  }
)
// create the cluster administrator used for replica set operations
db.getSiblingDB("admin").createUser(
  {
    user: "mongoctladmin",
    pwd: passwordPrompt(),
    roles: [ { role: "clusterAdmin", db: "admin" } ]
  }
)
Step 3: Update Client Applications
mongosh -u mongoctladmin -p --authenticationDatabase admin --host myreplica/mongodb1:27017,mongodb2:27017,mongodb3:27017
Step 4: Generate Key File
- With keyfile-based authentication, each member mongod instance uses the contents of the keyfile as a shared password to authenticate to the other members of the replica set.
- Only members that have the same keyfile can authenticate and take part in the replica set.
- We will generate the keyfile on the mongodb1 server using the openssl utility.
openssl rand -base64 756 > mongod.key
chmod 400 mongod.key
Step 5: Copy keyfile to each member of the replica sets
scp mongod.key mongod@mongodb2:/home/mongod
scp mongod.key mongod@mongodb3:/home/mongod
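Before restarting any member it is worth checking, on each host, that the copied keyfile is one mongod will actually accept (regular file, no group/world permission bits, 6 to 1024 base64 characters). The script below is an added example and not part of the original article; check_keyfile is a hypothetical helper, and the path /home/mongod/mongod.key is the one used above.

```shell
#!/bin/sh
# Added pre-flight check for a MongoDB keyfile (example code, not from the article).
# Hypothetical helper: verifies the properties mongod enforces before it will load
# security.keyFile, so a copy or permission mistake is caught before a member restart:
#   - the path is a regular file owned by the user running the check (run it as mongod)
#   - no group or world permission bits are set (mongod refuses the file otherwise)
#   - the content, ignoring whitespace, is 6..1024 characters from the base64 alphabet
# Returns 0 when the keyfile is acceptable, 1 otherwise, with the reason on stdout.

check_keyfile() {
    kf="$1"
    if [ ! -f "$kf" ]; then
        echo "FAIL: $kf is not a regular file"; return 1
    fi
    # GNU stat (CentOS 7) first, BSD stat as a fallback
    mode=$(stat -c '%a' "$kf" 2>/dev/null || stat -f '%Lp' "$kf" 2>/dev/null)
    owner=$(stat -c '%u' "$kf" 2>/dev/null || stat -f '%u' "$kf" 2>/dev/null)
    if [ -z "$mode" ] || [ -z "$owner" ]; then
        echo "FAIL: cannot stat $kf"; return 1
    fi
    if [ "$owner" != "$(id -u)" ]; then
        echo "FAIL: $kf is owned by uid $owner, not the current user"; return 1
    fi
    # the low 6 bits of the mode are the group/other bits; they must all be clear
    if [ $(( 0$mode & 077 )) -ne 0 ]; then
        echo "FAIL: $kf mode $mode grants group/world access (use chmod 400)"; return 1
    fi
    # mongod ignores whitespace in the keyfile, so strip it before measuring
    body=$(LC_ALL=C tr -d '[:space:]' < "$kf")
    len=${#body}
    if [ "$len" -lt 6 ] || [ "$len" -gt 1024 ]; then
        echo "FAIL: $kf has $len key characters, need between 6 and 1024"; return 1
    fi
    case "$body" in
        *[!A-Za-z0-9+/=]*)
            echo "FAIL: $kf contains characters outside the base64 alphabet"; return 1 ;;
    esac
    echo "OK: $kf ($len characters, mode $mode)"
    return 0
}

# Usage: sh check_keyfile.sh /home/mongod/mongod.key   (run on every member after scp)
if [ "$#" -gt 0 ]; then
    for f in "$@"; do check_keyfile "$f"; done
fi
```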
Step 6 : Restart each secondary member with transitionToAuth tag enabled
Node 3 :: Secondary member mongodb3
use admin
db.shutdownServer()
- Update the config file of secondary node mongodb3 to enable transitionToAuth and set the keyfile location.
systemLog:
  destination: file
  path: "/var/log/mongodb/mongod.log"
  logAppend: true
storage:
  journal:
    enabled: true
  dbPath: /var/lib/mongo
processManagement:
  fork: true
net:
  bindIp: 127.0.0.1,mongodb3
  port: 27017
security:
  authorization: enabled            # enable authentication
  keyFile: /home/mongod/mongod.key  # key file location
  transitionToAuth: true
replication:
  replSetName: "myreplica"
- Restart mongod with the config changes in place.
[mongod@mongodb3 ~]$ mongod -f /etc/mongod.conf
Node 2 :: Secondary member mongodb2
use admin
db.shutdownServer()
- Update the config file of secondary node mongodb2 to enable transitionToAuth and set the keyfile location.
vi /etc/mongod.conf
systemLog:
  destination: file
  path: "/var/log/mongodb/mongod.log"
  logAppend: true
storage:
  journal:
    enabled: true
  dbPath: /var/lib/mongo
processManagement:
  fork: true
net:
  bindIp: 127.0.0.1,mongodb2
  port: 27017
security:
  authorization: enabled            # enable authentication
  keyFile: /home/mongod/mongod.key  # key file location
  transitionToAuth: true
replication:
  replSetName: "myreplica"
- Restart mongod with the config changes in place.
[mongod@mongodb2 ~]$ mongod -f /etc/mongod.conf
- Connect to the primary member of the replica set (mongodb1) and issue the stepDown command. This steps the current primary down to secondary, and a new primary is elected by the quorum automatically.
rs.stepDown()
- Checking the node status now shows the newly elected primary:
rs.isMaster().primary
- The newly elected primary is node 2, i.e. mongodb2, so we can now shut down the old primary to change its configuration without interrupting application reads and writes.
- Now connect to the old primary node (mongodb1), shut down the instance, and restart it with transitionToAuth enabled.
Node 1 :: Old Primary node mongodb1
use admin
db.shutdownServer()
- Update the config file of the old primary node mongodb1 to enable transitionToAuth and set the keyfile location.
vi /etc/mongod.conf
systemLog:
  destination: file
  path: "/var/log/mongodb/mongod.log"
  logAppend: true
storage:
  journal:
    enabled: true
  dbPath: /var/lib/mongo
processManagement:
  fork: true
net:
  bindIp: 127.0.0.1,mongodb1
  port: 27017
security:
  authorization: enabled            # enable authentication
  keyFile: /home/mongod/mongod.key  # key file location
  transitionToAuth: true
replication:
  replSetName: "myreplica"
- Restart mongod with the config changes in place.
[mongod@mongodb1 ~]$ mongod -f /etc/mongod.conf
- So far we have updated all replica set members to use the keyfile without downtime. Now we need to turn the transitionToAuth setting back off. From here onwards the client application must authenticate with credentials to connect.
Step 8 : Restart the secondary members with transitionToAuth disabled
- Now connect to the secondary nodes again and restart each of them with transitionToAuth set to false.
use admin
db.shutdownServer()
vi /etc/mongod.conf
# here we only set transitionToAuth to false; the remaining parameters stay the same
security:
  authorization: enabled
  keyFile: /home/mongod/mongod.key  # key file location
  transitionToAuth: false
replication:
  replSetName: "myreplica"
[mongod@mongodb1 ~]$ mongod -f /etc/mongod.conf
[mongod@mongodb3 ~]$ mongod -f /etc/mongod.conf
Step 9 : Step down the new primary member and restart with transitionToAuth tag set to false
use admin
rs.stepDown()           // step down from primary to secondary
db.isMaster().primary   // check which node is primary after the stepdown
db.shutdownServer()
vi /etc/mongod.conf
# here we only set transitionToAuth to false; the remaining parameters stay the same
security:
  authorization: enabled
  keyFile: /home/mongod/mongod.key  # key file location
  transitionToAuth: false
replication:
  replSetName: "myreplica"
[mongod@mongodb2 ~]$mongod -f /etc/mongod.conf
Step 10 : Validate the connectivity from the client application
- Now we first test our application connection without credentials. It will throw an error when used without authentication.
$ mongosh --host myreplica/mongodb1:27017,mongodb2:27017,mongodb3:27017
- Now let us validate with the correct authentication mechanism in place and check the results.
$ mongosh -u mongoctladmin -p --authenticationDatabase admin --host myreplica/mongodb1:27017,mongodb2:27017,mongodb3:27017
Wrapping Up:
- Thus we have reached the end of this article. We have configured keyfile-based authentication on an existing MongoDB replica set without downtime.
- Please note that keyfile-based authentication is a bare minimum form of security.
- For production deployments, MongoDB recommends x.509 certificates for internal member authentication. In a coming article of this series we will see how we can achieve MongoDB keyfile-based internode authentication together with x.509-based authentication.
Hope you liked the content 😄
Please provide your collaborative ideas, suggestions and valuable feedback.
Keep Learning ! Keep Sharing!