We need a user with the minimum privileges that can only lock a mongo instance with db.fsyncLock() and db.unlock(), so that we can take a consistent snapshot of the disk image. I currently created the following role:
{
    "role" : "local_lock",
    "db" : "admin",
    "isBuiltin" : false,
    "roles" : [ ],
    "inheritedRoles" : [ ],
    "privileges" : [
        {
            "resource" : {
                "cluster" : true
            },
            "actions" : [
                "logRotate",
                "resync",
                "unlock"
            ]
        }
    ],
    "inheritedPrivileges" : [
        {
            "resource" : {
                "cluster" : true
            },
            "actions" : [
                "logRotate",
                "resync",
                "unlock"
            ]
        }
    ]
}
But when I try to lock with this user, I get the following:
> db.fsyncLock()
{
    "ok" : 0,
    "errmsg" : "not authorized on admin to execute command { fsync: 1.0, lock: true }",
    "code" : 13,
    "codeName" : "Unauthorized"
}
>
What other privileges are needed? The Mongo version is as follows:
MongoDB shell version v3.4.7
MongoDB server version: 3.4.7
Answer 0 (score: 1)
I believe I was assigning the role to the user; the following does work:
[
    {
        "role" : "local_lock",
        "db" : "admin",
        "isBuiltin" : false,
        "roles" : [ ],
        "inheritedRoles" : [ ],
        "privileges" : [
            {
                "resource" : {
                    "cluster" : true
                },
                "actions" : [
                    "fsync",
                    "unlock"
                ]
            }
        ],
        "inheritedPrivileges" : [
            {
                "resource" : {
                    "cluster" : true
                },
                "actions" : [
                    "fsync",
                    "unlock"
                ]
            }
        ]
    }
]
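As an added example (not part of the question or this answer), the following script builds the least-privilege role document for the lock and audits an existing role document, in the shape returned by db.getRole(name, {showPrivileges: true}), for the two cluster actions the lock needs: db.fsyncLock() sends { fsync: 1, lock: true } and requires the "fsync" action, and db.fsyncUnlock() requires the "unlock" action. The role name, the authenticationRestrictions clause (MongoDB 3.6 and later, so not available on the 3.4.7 server in the question) and the sample role documents are constructed here; the audit runs offline with plain Node.js.

```javascript
// Added example, not from the original question or answer. Builds a
// least-privilege fsyncLock role document and audits role documents for it.

// fsyncLock() needs "fsync", fsyncUnlock() needs "unlock"; both are
// cluster-level actions (resource { cluster: true }).
const LOCK_ACTIONS = ["fsync", "unlock"];

// Document to pass to db.createRole() in the mongo shell. The
// authenticationRestrictions clause (3.6+) pins the role to loopback
// clients so the lock can only be taken from the host itself.
// Role name is an assumption for illustration.
function minimalLockRoleSpec(roleName = "local_lock") {
  return {
    role: roleName,
    privileges: [{ resource: { cluster: true }, actions: [...LOCK_ACTIONS] }],
    roles: [],
    authenticationRestrictions: [{ clientSource: ["127.0.0.1", "::1"] }],
  };
}

// Every cluster-level action a role grants, directly or via inherited roles.
function clusterActions(roleDoc) {
  const privs = [
    ...(roleDoc.privileges || []),
    ...(roleDoc.inheritedPrivileges || []),
  ];
  const actions = new Set();
  for (const p of privs) {
    if (p.resource && p.resource.cluster === true) {
      for (const a of p.actions) actions.add(a);
    }
  }
  return actions;
}

// Lock actions the role lacks, plus anything it grants beyond the two the
// lock needs (the least-privilege check).
function auditLockRole(roleDoc) {
  const granted = clusterActions(roleDoc);
  return {
    missing: LOCK_ACTIONS.filter((a) => !granted.has(a)),
    extra: [...granted].filter((a) => !LOCK_ACTIONS.includes(a)).sort(),
  };
}

// Constructed sample mirroring the role in the question: no "fsync", so
// db.fsyncLock() is rejected with code 13 Unauthorized.
const QUESTION_ROLE = {
  role: "local_lock",
  db: "admin",
  privileges: [
    { resource: { cluster: true }, actions: ["logRotate", "resync", "unlock"] },
  ],
  inheritedPrivileges: [
    { resource: { cluster: true }, actions: ["logRotate", "resync", "unlock"] },
  ],
};

console.log(auditLockRole(QUESTION_ROLE));
// → { missing: [ 'fsync' ], extra: [ 'logRotate', 'resync' ] }
console.log(auditLockRole(minimalLockRoleSpec()));
// → { missing: [], extra: [] }
```

The audit reads both privileges and inheritedPrivileges, so it also catches a role that picks up "fsync" indirectly (for example by inheriting hostManager) and would therefore carry far more than the lock needs.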
Answer 1 (score: 0)
Answer 2 (score: 0)
This is what I do on a sharded cluster (mongodb v3.6). I want to back up from a separate replica in each shard's replica set. To do that, I log in to the replica, connect to the local mongod, lock the database against writes and start the file copy. Afterwards, I unlock the database. So:
shard_01_r2:PRIMARY> db.createRole(
    {
        "role": "local_backup_with_locks",
        "roles": [
            "backup"
        ],
        "privileges": [
            {
                "resource": {
                    "cluster": true
                },
                "actions": [
                    "fsync",
                    "unlock",
                    "enableProfiler",
                    "replSetGetStatus"
                ]
            }
        ],
        "authenticationRestrictions": [
            {
                "clientSource": [
                    "127.0.0.1",
                    "::1"
                ]
            }
        ]
    }
)
shard_01_r2:PRIMARY> db.createUser(
    {
        user: "dtci_backup",
        pwd: "XXX",
        roles: [ { role: "local_backup_with_locks", db: "admin" } ]
    }
)
mongos
Create this user "globally" for backing up the config servers. Since there is no need to add fsynclock/unlock here, we can assign only the backup role:
mongos> db.createUser(
    {
        user: "dtci_backup",
        pwd: "XXX",
        roles: [ { role: "backup", db: "admin" } ]
    }
)
That's it! Now you can connect locally to any replica in each shard and back up from it without affecting the other replicas/cluster.
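The lock/copy/unlock sequence in this answer has one failure mode worth guarding against: if the file copy throws, the mongod stays locked against writes until someone runs db.fsyncUnlock(). The following is an added example, not code from the answer, of a shell-style backup step that takes the lock, runs a copy callback and always releases the lock, unlocking repeatedly because fsyncLock() calls nest (MongoDB 3.2 and later) and fsyncUnlock() reports the remaining lockCount. The `conn` argument is assumed to behave like the shell's `db` handle (fsyncLock()/fsyncUnlock() returning { ok, lockCount, errmsg }); the FakeMongo class below is a constructed stand-in so the logic can be exercised offline, including the Unauthorized path from the question.

```javascript
// Added example, not part of the original answer. Lock-protected backup
// step with guaranteed unlock; `conn` is assumed to look like the shell's
// `db` handle.

function lockedBackup(conn, copyFiles) {
  const lockRes = conn.fsyncLock();
  if (lockRes.ok !== 1) {
    // e.g. code 13 Unauthorized when the role lacks the "fsync" action
    throw new Error("fsyncLock failed: " + (lockRes.errmsg || JSON.stringify(lockRes)));
  }
  let copyError = null;
  try {
    copyFiles(); // rsync/cp of the dbpath, run while writes are blocked
  } catch (e) {
    copyError = e;
  } finally {
    // Always release the lock. Locks nest, so unlock until lockCount is 0.
    // An unlock failure is raised even if the copy also failed: a mongod
    // left locked is the more serious problem.
    let unlockRes;
    do {
      unlockRes = conn.fsyncUnlock();
      if (unlockRes.ok !== 1) {
        throw new Error("fsyncUnlock failed: " + unlockRes.errmsg);
      }
    } while (Number(unlockRes.lockCount) > 0);
  }
  if (copyError) throw copyError;
  return { locked: true, unlocked: true };
}

// Constructed stand-in for the shell's db handle: tracks lockCount the way
// a mongod does and honours a role's cluster action list, so the
// Unauthorized response from the question can be reproduced offline.
class FakeMongo {
  constructor(actions) {
    this.actions = new Set(actions);
    this.lockCount = 0;
  }
  fsyncLock() {
    if (!this.actions.has("fsync")) {
      return {
        ok: 0, code: 13, codeName: "Unauthorized",
        errmsg: "not authorized on admin to execute command { fsync: 1.0, lock: true }",
      };
    }
    this.lockCount += 1;
    return { ok: 1, lockCount: this.lockCount };
  }
  fsyncUnlock() {
    if (!this.actions.has("unlock")) {
      return { ok: 0, code: 13, codeName: "Unauthorized", errmsg: "not authorized on admin" };
    }
    if (this.lockCount === 0) {
      return { ok: 0, errmsg: "fsyncUnlock called when not locked" };
    }
    this.lockCount -= 1;
    return { ok: 1, lockCount: this.lockCount };
  }
}

// Demo run: a copy that fails still leaves the server unlocked.
const demo = new FakeMongo(["fsync", "unlock"]);
try {
  lockedBackup(demo, () => { throw new Error("disk full"); });
} catch (e) {
  console.log("copy failed:", e.message, "lockCount now", demo.lockCount); // lockCount now 0
}
```

In the real shell, `conn` is simply `db` on the locally connected replica, and copyFiles() is wherever the file copy is kicked off; checking `db.currentOp().fsyncLock` after the step is a cheap confirmation that nothing was left locked.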