We have a MongoDB (v3.2.8) replicaSet with the following configuration:
replication:
  replSetName: replica
security:
  keyFile: mongo.key
Our replicaSet status (rs.status()) currently looks like this:
{
"set" : "replica",
"date" : ISODate("2016-11-11T15:43:29.164Z"),
"myState" : 1,
...
"members" : [
{
"_id" : 4,
"name" : "mongo_1:27017",
"health" : 1,
"state" : 1,
"stateStr" : "PRIMARY",
"uptime" : 155,
...
"self" : true
}
{
"_id" : 5,
"name" : "mongo_2:27017",
"health" : 1,
"state" : 1,
"stateStr" : "SECONDARY",
"uptime" : 145,
...
"self" : false
},
{
"_id" : 6,
"name" : "mongo_3:27017",
"health" : 1,
"state" : 1,
"stateStr" : "SECONDARY",
"uptime" : 150,
...
"self" : false
}
],
"ok" : 1
}
For authentication, we have the following user (db.getUsers()) in the admin database:
[
{
"_id" : "admin.user",
"user" : "user",
"db" : "admin",
"roles" : [
{
"role" : "clusterManager",
"db" : "admin"
},
{
"role" : "userAdminAnyDatabase",
"db" : "admin"
},
{
"role" : "clusterAdmin",
"db" : "admin"
},
{
"role" : "backup",
"db" : "admin"
},
{
"role" : "dbOwner",
"db" : "db_users"
},
{
"role" : "clusterMonitor",
"db" : "admin"
},
{
"role" : "restore",
"db" : "admin"
}
]
}
]
When we try to connect from our Rails application, we get authentication errors in the log files of the secondary members:
I ACCESS [conn221] authenticate db: admin
{ authenticate: 1, user: "user", nonce: "xxx", key: "xxx" }
I ACCESS [conn221] Failed to authenticate user@admin with mechanism
MONGODB-CR: AuthenticationFailed: MONGODB-CR credentials missing in
the user document
I ACCESS [conn221] Unauthorized: not authorized on db_users
to execute command { aggregate: "mongo_users", pipeline: [...],
cursor: {}, allowDiskUse: true }
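When the secondary members are removed from the replica set, every read/write query works fine on the primary MongoDB server. Also note that the command mongo db_users -u user --password password --authenticationDatabase admin works fine locally on all three members. Our Rails application uses the 'mongoid' gem (v5.1.1) as the MongoDB client, with the following settings in mongoid.yml.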
production:
  clients:
    default:
      database: db_users
      hosts:
        - mongo_1:27017
        - mongo_2:27017
        - mongo_2:27017
      options:
        user: 'user'
        password: 'password'
        auth_source: admin
        safe: true
        wait_queue_timeout: 300
        read:
          mode: :secondary_preferred
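We are also facing a similar authentication issue when trying to connect using mongo_engine on our Flask backend, with the difference that it fails to authenticate once the security option is enabled in mongoid.conf. We would like to know whether we have set up the user roles correctly in the admin database, whether anyone has run into a similar issue when setting up a replicaSet configuration, and what possible solutions to our problem might be.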
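Added example, not part of the original post: a small Ruby triage script that reads mongod ACCESS log lines like the ones quoted above, records which mechanism each failed authentication used, and links later "Unauthorized" commands on the same connection to it. The function name, the constants and the sample log are assumptions made for illustration; the first three sample lines are the post's excerpt rejoined onto single lines and the fourth is constructed.

```ruby
# Constructed sample input. Real mongod 3.2 lines also start with a timestamp,
# which the unanchored patterns below tolerate.
SAMPLE_LOG = <<~LOG
  I ACCESS [conn221] authenticate db: admin { authenticate: 1, user: "user", nonce: "xxx", key: "xxx" }
  I ACCESS [conn221] Failed to authenticate user@admin with mechanism MONGODB-CR: AuthenticationFailed: MONGODB-CR credentials missing in the user document
  I ACCESS [conn221] Unauthorized: not authorized on db_users to execute command { aggregate: "mongo_users", pipeline: [...], cursor: {}, allowDiskUse: true }
  I ACCESS [conn305] Failed to authenticate user@admin with mechanism SCRAM-SHA-1: AuthenticationFailed: SCRAM-SHA-1 authentication failed, storedKey mismatch
LOG

FAILED = /\[(?<conn>conn\d+)\] Failed to authenticate (?<user>[^@\s]+)@(?<db>\S+) with mechanism (?<mech>[A-Z0-9-]+): (?<code>\w+): (?<reason>.*)$/
UNAUTHORIZED = /\[(?<conn>conn\d+)\] Unauthorized: not authorized on (?<db>\S+) to execute command \{ (?<cmd>\w+):/
NO_CREDS = "credentials missing in the user document"

# Returns one hash per failed authentication, in log order.
def triage_auth_log(text)
  failures = []
  by_conn = {}
  text.each_line do |raw|
    line = raw.chomp
    if (m = FAILED.match(line))
      # The server says the user document holds no credentials for the
      # mechanism the client asked for; any other reason is kept as-is.
      kind = m[:reason].include?(NO_CREDS) ? :no_credentials_for_mechanism : :other_failure
      entry = { conn: m[:conn], user: m[:user], db: m[:db], mechanism: m[:mech],
                kind: kind, reason: m[:reason], denied_commands: [] }
      failures << entry
      by_conn[m[:conn]] = entry
    elsif (m = UNAUTHORIZED.match(line)) && by_conn[m[:conn]]
      # Command rejected on a connection whose authentication had failed.
      by_conn[m[:conn]][:denied_commands] << "#{m[:db]}.#{m[:cmd]}"
    end
  end
  failures
end

if __FILE__ == $0
  triage_auth_log(SAMPLE_LOG).each do |f|
    puts "#{f[:conn]} #{f[:user]}@#{f[:db]} #{f[:mechanism]} #{f[:kind]} denied=#{f[:denied_commands].join(',')}"
  end
end
```

Running the same function over the logs of each replica set member shows which members are being asked for which mechanism.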