ANNOUNCEMENT: Voyage AI joins MongoDB to power more accurate and trustworthy AI applications on Atlas.
Learn more
Docs Menu
Docs Home
/
MongoDBマニュアル
/
自己管理型配置
/
セキュリティ
/
認証
/
内部

自己管理型シャーディングされたクラスターをキーファイル認証に更新(ダウンタイムなし)

項目一覧

Overview

重要

The following procedure applies to sharded clusters using MongoDB 3.4 or later.

Earlier versions of MongoDB do not support no-downtime upgrade. For sharded clusters using earlier versions of MongoDB, see 自己管理型シャーディングされたクラスターをキーファイル認証に更新.

A MongoDB sharded cluster can enforce user authentication as well as internal authentication of its components to secure against unauthorized access.

The following tutorial describes a procedure using security.transitionToAuth to transition an existing sharded cluster to enforce authentication without incurring downtime.

Before you attempt this tutorial, please familiarize yourself with the contents of this document.

Considerations

Cloud Manager と MongoDB Ops Manager

If you are using Cloud Manager or Ops Manager to manage your deployment, refer to Configure Access Control for MongoDB Deployments in the Cloud Manager manual or Ops Manager manual to enforce authentication.

IP バインディング

MongoDB バイナリ(mongodmongos)は、デフォルトで localhost にバインドされます。

Internal and Client Authentication Mechanisms

This tutorial configures authentication using SCRAM for client authentication and a keyfile for internal authentication.

Refer to the 自己管理型配置での認証 documentation for a complete list of available client and internal authentication mechanisms.

アーキテクチャ

This tutorial assumes that each shard replica set, as well as the config server replica set, can elect a new プライマリ after stepping down its existing primary.

A replica set can elect a primary only if both of the following conditions are true:

Minimum number of mongos instances

Ensure your sharded cluster has at least two mongos instances available. This tutorial requires restarting each mongos in the cluster. If your sharded cluster has only one mongos instance, this results in downtime during the period that the mongos is offline.

始める前に

MongoDB 8.0以降では、 directShardOperationsロールを使用して、シャードに対してコマンドを直接実行する必要があるメンテナンス操作を実行できます。

警告

directShardOperationsロールを使用して コマンドを実行すると、クラスターが正しく動作しなくなり、データが破損する可能性があります。 directShardOperationsロールは、メンテナンス目的で、または MongoDB サポートのガイダンスに必ず従う必要があります。 メンテナンス操作を実行したら、 directShardOperationsロールの使用を停止します。

Enforce Keyfile Access Control on an Existing Sharded Cluster

Create and Distribute the Keyfile

キーファイル 認証では、シャーディングされたクラスター内の各mongodまたはmongosインスタンスは、配置内の他のノードを認証するための共有パスワードとしてキーファイルの内容を使用します。 正しいキーファイルを持つmongodまたはmongosインスタンスのみがシャーディングされたクラスターに参加できます。

注意

内部メンバーシップ認証用のキーファイルでは、キーファイル内に複数のキーを含めるために YAML 形式が使用されます。YAML 形式は次のいずれかを受け入れます。

  • 1 つのキー文字列(以前のバージョンと同じ)

  • キー文字列のシーケンス

YAML 形式は、テキストファイル形式を使用する既存の単一のキー キーファイルと互換性があります。

キーの長さは 6 文字から 1024 文字の間で、base64 セット内の文字のみを含めることができます。 シャーディングされたクラスターのすべてのノードは、少なくとも 1 つの共通キーを共有する必要があります。

注意

UNIX システムでは、キーファイルにグループ権限またはワールド権限があってはなりません。Windows システムでは、キーファイルの権限はチェックされません。

キーファイルは、選択した任意の方法で生成できます。たとえば、次の操作では、openssl を使用して、共有パスワードとして使用する疑似ランダムの複雑な 1024 文字の文字列を生成します。次に、chmod を使用してファイル権限を変更し、ファイル所有者のみに読み取り権限を付与します。

openssl rand -base64 755 > <path-to-keyfile>
chmod 400 <path-to-keyfile>

シャーディングされたクラスターをホストしている各サーバーにキー ファイルをコピーします。 mongodまたはmongosインスタンスを実行中のユーザーがファイルの所有者であり、キーファイルにアクセスできるようにしてください。

キーファイルを、 mongodまたはmongosインスタンスをホストしているハードウェアから簡単に切断できるストレージメディア(Windows ドライブやネットワーク接続ストレージデバイスなど)にキーファイルを保存しないでください。

For more information on using keyfiles for internal authentication, refer to キーファイル.

Configure Sharded Cluster Admin User and Client Users

You must connect to a mongos to complete the steps in this section. The users created in these steps are cluster-level users and cannot be used for accessing individual shard replica sets.

1

Create the adminstrator user.

Use the db.createUser() method to create an administrator user and assign it the following roles:

Clients performing maintenance operations or user administrative operations on the sharded cluster must authenticate as this user at the completion of this tutorial. Create this user now to ensure that you have access to the cluster after enforcing authentication.

admin = db.getSiblingDB("admin");
admin.createUser(
  {
    user: "admin",
    pwd: "<password>",
    roles: [
      { role: "clusterAdmin", db: "admin" },
      { role: "userAdmin", db: "admin" }
    ]
  }
);

重要

Passwords should be random, long, and complex to prevent or hinder malicious access.

2

Optional: Create additional users for client applications.

In addition to the administrator user, you can create additional users before enforcing authentication.. This ensures access to the sharded cluster once you fully enforce authentication.

The following operation creates the user joe on the marketing database, assigning to this user the readWrite role on the marketing database`.

db.getSiblingDB("marketing").createUser(
  {
    "user": "joe",
    "pwd": "<password>",
    "roles": [ { "role" : "readWrite", "db" : "marketing" } ]
  }
)

Clients authenticating as "joe" can perform read and write operations on the marketing database.

See データベースユーザー ロール for roles provided by MongoDB.

ユーザーを追加する方法の詳細については、「ユーザーを追加する 」チュートリアルを参照してください。 新しいユーザーを追加するときは、セキュリティに関するベストプラクティスを考慮してください。

3

Optional: Update client applications to specify authentication credentials.

While the sharded cluster does not currently enforce authentication, you can still update client applications to specify authentication credentials when connecting to the sharded cluster. This may prevent loss of connectivity at the completion of this tutorial.

The following operation connects to the sharded cluster using mongosh, authenticating as the user joe on the marketing database.

mongosh  --username "joe" --password "<password>" \
  --authenticationDatabase "marketing" --host mongos1.example.net:27017

If your application uses a MongoDB driver, see the associated ドライバー documentation for instructions on creating an authenticated connection.

Transition Each mongos Instance to Enforce Authentication

1

Create a new mongos configuration file.

For each mongos:

  1. Copy the existing mongos configuration file, giving it a distinct name such as <filename>-secure.conf (or .cfg if using Windows). You will use this new configuration file to transition the mongos to enforce authentication in the sharded cluster. Retain the original configuration file for backup purposes.

  2. To the new configuration file, add the following settings:

    security:
       transitionToAuth: true
       keyFile: <path-to-keyfile>

    The new configuration file should contain all of the configuration settings previously used by the mongos as well as the new security settings.

2

One at a time, restart the mongos with the new configuration file.

注意

If your cluster has only one mongos, this step results in downtime while the mongos is offline.

Follow the procedure to restart the mongos instance, one mongos at a time:

  1. Connect to the mongos to shutdown.

  2. Use the db.shutdownServer() method against the admin database to safely shut down the mongos.

    db.getSiblingDB("admin").shutdownServer()

  3. 再起動 mongos with the new configuration file, specifying the path to the config file using --config. For example, if the new configuration file were named mongos-secure.conf:

    mongos --config <path>/mongos-secure.conf

    where <path> represents the system path to the folder containing the new configuration file.

Repeat the restart process for the next mongos instance until all mongos instances in the sharded cluster have been restarted.

At the end of this section, all mongos instances in the sharded cluster are running with security.transitionToAuth and security.keyFile internal authentication.

Transition Config Server Replica Set Members to Enforce Authentication

1

Create a new mongod configuration file.

For each mongod in the config server replica set,

  1. Copy the existing mongod configuration file, giving it a distinct name such as <filename>-secure.conf (or .cfg if using Windows). You will use this new configuration file to transition the mongod to enforce authentication in the sharded cluster. Retain the original configuration file for backup purposes.

  2. To the new configuration file, add the following settings:

    security:
       transitionToAuth: true
       keyFile: <path-to-keyfile>
2

One at a time, restart the mongod with the new configuration file.

Restart the replica set, one member at a time, starting with the セカンダリ members.

  1. To restart the セカンダリ members one at a time,

    1. Connect to the mongod and use the db.shutdownServer() method against the admin database to safely shut down the mongod.

      db.getSiblingDB("admin").shutdownServer()

    2. Restart the mongod with the new configuration file, specifying the path to the config file using --config. For example, if the new configuration file were named mongod-secure.conf:

      mongod --config <path>/mongod-secure.conf

      where <path> represents the system path to the folder containing the new configuration file.

    Once this member is up, repeat for the next セカンダリ member.

  2. Once all the secondary members have restarted and are up, restart the primary:

    1. Connect to the mongod.

    2. Use the rs.stepDown() method to step down the primary and trigger an election.

      rs.stepDown()

      You can use the rs.status() method to ensure the replica set has elected a new primary.

    3. Once you step down the primary and a new primary has been elected, shut down the old primary using the db.shutdownServer() method against the admin database.

      db.getSiblingDB("admin").shutdownServer()

    4. Restart the mongod with the new configuration file, specifying the path to the config file using --config. For example, if the new configuration file were named mongod-secure.conf:

      mongod --config <path>/mongod-secure.conf

      where <path> represents the system path to the folder containing the new configuration file.

At the end of this section, all mongod instances in the config server replica set is running with security.transitionToAuth and security.keyFile internal authentication.

Transition Each Shard Replica Set Members to Enforce Authentication

Create the shard-local administrator

In a sharded cluster that enforces authentication, each shard replica set should have its own shard-local administrator. You cannot use a shard-local administrator for one shard to access another shard or the sharded cluster.

Connect to the プライマリ member of each shard replica set and create a user with the db.createUser() method, assigning it the following roles:

Tip

passwordPrompt() メソッドを様々なユーザー認証管理メソッドやコマンドと組み合わせて使用すると、メソッドやコマンドの呼び出しでパスワードを直接指定する代わりに、パスワードの入力を求めるプロンプトが表示されます。ただし、以前のバージョンの mongo シェルと同様に、パスワードを直接指定することもできます。

admin = db.getSiblingDB("admin")
admin.createUser(
  {
    user: "admin",
    pwd: passwordPrompt(),  // or cleartext password
    roles: [
      { role: "clusterAdmin", db: "admin" },
      { role: "userAdmin", db: "admin" }
    ]
  }
)

At the completion of this tutorial, if you want to connect to the shard to perform maintenance operation that require direct connection to a shard, you must authenticate as the shard-local administrator.

注意

Direct connections to a shard should only be for shard-specific maintenance and configuration. In general, clients should connect to the sharded cluster through the mongos.

手順

Transitioning one shard replica set at a time, repeat these steps for each shard replica set in the sharded cluster.

1
Create a new mongod configuration file.

For each mongod in the shard replica set,

  1. Copy the existing mongod configuration file, giving it a distinct name such as <filename>-secure.conf (or .cfg if using Windows). You will use this new configuration file to transition the mongod to enforce authentication in the sharded cluster. Retain the original configuration file for backup purposes.

  2. To the new configuration file, add the following settings:

    security:
       transitionToAuth: true
       keyFile: <path-to-keyfile>
2
One at a time, restart the mongod with the new configuration file.

Restart the replica set, one member at a time, starting with the セカンダリ members.

  1. To restart the セカンダリ members one at a time,

    1. Connect to the mongod and use the db.shutdownServer() method against the admin database to safely shut down the mongod.

      db.getSiblingDB("admin").shutdownServer()

    2. Restart the mongod with the new configuration file, specifying the path to the config file using --config. For example, if the new configuration file were named mongod-secure.conf:

      mongod --config <path>/mongod-secure.conf

      where <path> represents the system path to the folder containing the new configuration file.

    Once this member is up, repeat for the next セカンダリ member of the replica set until all secondaries have been updated.

  2. Once all the secondary members have restarted and are up, restart the primary:

    1. Connect to the mongod.

    2. Use the rs.stepDown() method to step down the primary and trigger an election.

      rs.stepDown()

      You can use the rs.status() method to ensure the replica set has elected a new primary.

    3. Once you step down the primary and a new primary has been elected, shut down the old primary using the db.shutdownServer() method against the admin database.

      db.getSiblingDB("admin").shutdownServer()

    4. Restart the mongod with the new configuration file, specifying the path to the config file using --config. For example, if the new configuration file were named mongod-secure.conf:

      mongod --config <path>/mongod-secure.conf

      where <path> represents the system path to the folder containing the new configuration file.

At this point in the tutorial, every component of the sharded cluster is running with --transitionToAuth and security.keyFile internal authentication. The sharded cluster has at least one administrative user, and each shard replica set has a shard-local administrative user.

The remaining sections involve taking the sharded cluster out of the transition state to fully enforce authentication.

Restart Each mongos Instance without transitionToAuth

重要

At the end of this section, clients must specify authentication credentials to connect to the sharded cluster. Update clients to specify authentication credentials before completing this section to avoid loss of connectivity.

To complete the transition to fully enforcing authentication in the sharded cluster, you must restart each mongos instance without the security.transitionToAuth setting.

1

削除 transitionToAuth from the mongos configuration files.

Remove the security.transitionToAuth key and its value from the mongos configuration files created during this tutorial. Leave the security.keyFile setting added in the tutorial.

security:
   keyFile: <path-to-keyfile>
2

Restart the mongos with the updated configuration file.

注意

If your cluster has only one mongos, this step results in downtime while the mongos is offline.

Follow the procedure to restart mongos instance, one mongos at a time:

  1. Connect to the mongos to shutdown.

  2. Use the db.shutdownServer() method against the admin database to safely shut down the mongos.

    db.getSiblingDB("admin").shutdownServer()

  3. 再起動 mongos with the updated configuration file, specifying the path to the config file using --config. For example, if the updated configuration file were named mongos-secure.conf:

    mongos --config <path>/mongos-secure.conf

At the end of this section, all mongos instances enforce client authentication and security.keyFile internal authentication.

Restart Each Config Server Replica Set Member without transitionToAuth

重要

At the end of this step, clients must specify authentication credentials to connect to the config server replica set. Update clients to specify authentication credentials before completing this section to avoid loss of connectivity.

To complete the transition to fully enforcing authentication in the sharded cluster, you must restart each mongod instance without the security.transitionToAuth setting.

1

削除 transitionToAuth from the mongod configuration files.

Remove the security.transitionToAuth key and its value from the config server configuration files created during this tutorial. Leave the security.keyFile setting added in the tutorial.

security:
   keyFile: <path-to-keyfile>
2

One at a time, restart the mongod with the updated configuration file.

Restart the replica set, one member at a time, starting with the セカンダリ members.

  1. To restart the セカンダリ members one at a time,

    1. Connect to the mongod and use the db.shutdownServer() method against the admin database to safely shut down the mongod.

      db.getSiblingDB("admin").shutdownServer()

    2. Restart the mongod with the updated configuration file, specifying the path to the config file using --config. For example, if the new configuration file were named mongod-secure.conf:

      mongod --config <path>/mongod-secure.conf

      where <path> represents the system path to the folder containing the updated configuration file.

    Once this member is up, repeat for the next セカンダリ member.

  2. Once all the secondary members have restarted and are up, restart the primary:

    1. Connect to the mongod.

    2. Use the rs.stepDown() method to step down the primary and trigger an election.

      rs.stepDown()

      You can use the rs.status() method to ensure the replica set has elected a new primary.

    3. Once you step down the primary and a new primary has been elected, shut down the old primary using the db.shutdownServer() method against the admin database.

      db.getSiblingDB("admin").shutdownServer()

    4. Restart the mongod with the updated configuration file, specifying the path to the config file using --config. For example, if the new configuration file were named mongod-secure.conf:

      mongod --config <path>/mongod-secure.conf

      where <path> represents the system path to the folder containing the updated configuration file.

At the end of this section, all mongod instances in the config server replica set enforce client authentication and security.keyFile internal authentication.

Restart Each Member in Each Shard Replica Set without transitionToAuth

重要

At the end of this step, clients must specify authentication credentials to connect to the shard replica set. Update clients to specify authentication credentials before completing this section to avoid loss of connectivity.

To complete the transition to fully enforcing authentication in the sharded cluster, you must restart every member of every shard replica set in the sharded cluster without the security.transitionToAuth setting.

Transitioning one shard replica set at a time, repeat these steps for each shard replica set in the sharded cluster.

1

削除 transitionToAuth from the mongod configuration files.

Remove the security.transitionToAuth key and its value from the config server configuration files created during this tutorial. Leave the security.keyFile setting added in the tutorial.

security:
   keyFile: <path-to-keyfile>
2

One at a time, restart the mongod with the updated configuration file.

Restart the replica set, one member at a time, starting with the セカンダリ members.

  1. To restart the セカンダリ members one at a time,

    1. Connect to the mongod and use the db.shutdownServer() method against the admin database to safely shut down the mongod.

      db.getSiblingDB("admin").shutdownServer()

    2. Restart the mongod with the updated configuration file, specifying the path to the config file using --config. For example, if the new configuration file were named mongod-secure.conf:

      mongod --config <path>/mongod-secure.conf

      where <path> represents the system path to the folder containing the updated configuration file.

    Once this member is up, repeat for the next セカンダリ member.

  2. Once all the secondary members have restarted and are up, restart the primary:

    1. Connect to the mongod.

    2. Use the rs.stepDown() method to step down the primary and trigger an election.

      rs.stepDown()

      You can use the rs.status() method to ensure the replica set has elected a new primary.

    3. Once you step down the primary and a new primary has been elected, shut down the old primary using the db.shutdownServer() method against the admin database.

      db.getSiblingDB("admin").shutdownServer()

    4. Restart the mongod with the updated configuration file, specifying the path to the config file using --config. For example, if the new configuration file were named mongod-secure.conf:

      mongod --config <path>/mongod-secure.conf

      where <path> represents the system path to the folder containing the updated configuration file.

At the end of this section, all mongos and mongod instances in the sharded cluster enforce client authentication and security.keyFile internal authentication. Clients can only connect to the sharded cluster by using the configured client authentication mechanism. Additional components can only join the cluster by specifying the correct keyfile.

X.509 Certificate Internal Authentication

MongoDB supports X.509 certificate authentication for use with a secure TLS/SSL connection. Sharded cluster members and replica set members can use X.509 certificates to verify their membership to the cluster or the replica set instead of using キーファイル.

For details on using X.509 certificates for internal authentication, see 自己管理型MongoDBでのメンバーシップ認証に X.509 証明書を使用.

自己管理型MongoDB をキーファイル認証から X.509 認証にアップグレード describes how to upgrade a deployment's internal auth mechanism from keyfile-based authentication to X.509 certificate-based auth.

戻る

シャーディングされたクラスターの更新

次へ

レプリカセット キーのローテーション