MongoDB副本集keyFile认证文件必须满足的条件有哪些?

KeyFile需要每个副本集服务启动时加载，在操作库时需要用户名和密码，而且KeyFile文件的内容必须一致。

KeyFile文件必须满足以下条件:
(1).至少6个字符，小于1024字节。
(2).认证的时候不考虑文件中的空白字符。
(3). 连接副本集成员的KeyFile和启动mongos进程的 KeyFile文件内容必须一致。
(4).必须是base64编码，但不能有等号。
(5).文件权限必须是 600(chmod 600),不能分配任何权限给group成员和其他成员。

image.png

openssl rand -base64 756 >  <path-to-keyfile>
chmod 400  <path-to-keyfile>

image.png

Generate a Key File

Overview

This section describes how to generate a key file to store authentication information. After generating a key file, specify the key file using the keyFile option when starting a mongod or mongos instance.

A key’s length must be between 6 and 1024 characters and may only contain characters in the base64 set. The key file must not have group or world permissions on UNIX systems. Key file permissions are not checked on Windows systems.

1、Create a key file.

Create the key file your deployment will use to authenticate servers to each other.

To generate pseudo-random data to use for a keyfile, issue the following openssl command:

openssl rand -base64 741 > mongodb-keyfile

chmod 600 mongodb-keyfile

chown mongod.mongod mongodb-keyfile

You may generate a key file using any method you choose. Always ensure that the password stored in the key file is both long and contains a high amount of entropy. Using openssl in this manner helps generate such a key.

2、Specify the key file when starting a MongoDB instance.

Specify the path to the key file with the keyFile option.

参考

mongodb Key File文件生成
https://www.fengnayun.com/news/content/45669.html

MongoDB副本集keyFile认证文件必须满足的条件有哪些
https://www.yisu.com/zixun/255740.html

Deploy Replica Set With Keyfile Authentication
https://www.mongodb.com/docs/manual/tutorial/deploy-replica-set-with-keyfile-access-control/

MongoDB 安全加固实战
https://zhuanlan.zhihu.com/p/618560183