forked from mongodb/docs

.. _deploy-repl-set-with-keyfile:
.. _deploy-repl-set-with-auth:

==============================================
Deploy Replica Set With Keyfile Access Control
==============================================

.. default-domain:: mongodb

.. contents:: On this page
   :local:
   :backlinks: none
   :depth: 1
   :class: singlecol

Overview
--------

Enforcing access control on a :term:`replica set` requires configuring:

- Security between members of the replica set using
  :doc:`Internal Authentication</core/security-internal-authentication>`, and

- Security between connecting clients and the replica set using
  :doc:`/core/authorization`.

For this tutorial, each member of the replica set uses the same internal
authentication mechanism and settings.

Enforcing internal authentication also enforces user access control. To
connect to the replica set, clients like the :program:`mongo` shell need to
use a :doc:`user account</core/authorization>`. See
:ref:`security-repSetDeploy-access-control`.

Cloud Manager and Ops Manager
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

If you are currently using or are planning to use Cloud Manager or
Ops Manager, consider using the built-in features for
deploying a replica set with access control enforced.

See ``Deploy Replica Set`` in the
:mms-docs:`Cloud Manager manual</tutorial/deploy-replica-set>` or in the
:opsmgr:`Ops Manager manual</tutorial/deploy-replica-set>`.

See ``Access Control for MongoDB Deployments`` in the
:mms-docs:`Cloud Manager manual</nav/security-enable-authentication>` or in the
:opsmgr:`Ops Manager manual</nav/security-enable-authentication>`.

Considerations
--------------

Operating System
~~~~~~~~~~~~~~~~

This tutorial primarily refers to the :program:`mongod` process.
Windows users should use the :program:`mongod.exe` program instead.

Keyfile Security
~~~~~~~~~~~~~~~~

Keyfiles are bare-minimum forms of security and are best suited for testing or
development environments. For production environments we recommend using
:doc:`x.509 certificates</core/security-x.509>`.

.. _security-repSetDeploy-access-control:

Access Control
~~~~~~~~~~~~~~

.. include:: /includes/internal-authentication-tutorials-access-control-consideration.rst

.. _security-replica-deploy-with-access-control:

Deploy New Replica Set with Keyfile Access Control
--------------------------------------------------

.. include:: /includes/steps/deploy-replica-set-with-auth.rst
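
The following is an added example, not part of the MongoDB documentation: a pre-flight check to run on each member before :program:`mongod` loads the shared keyfile. It assumes the constraints :program:`mongod` places on keyfiles (6 to 1024 base64 characters after whitespace is stripped, and on UNIX no group or world permissions); ``make_keyfile`` and ``check_keyfile`` are hypothetical helper names.

```shell
#!/bin/sh
# Added example: helper names and file paths are hypothetical.

# Create a keyfile of random base64 text that only its owner can read.
make_keyfile() {
    path=$1
    ( umask 077
      # 756 random bytes encode to 1008 base64 characters, under the 1024 limit.
      head -c 756 /dev/urandom | base64 > "$path" ) || return 1
    chmod 400 "$path"
}

# Return 0 if the keyfile looks acceptable; otherwise print a reason and return 1.
check_keyfile() {
    path=$1
    [ -f "$path" ] || { echo "missing: $path"; return 1; }

    # Mode string looks like -r--------; characters 5-10 are the group and other bits.
    perms=$(ls -ld "$path" | cut -c5-10)
    [ "$perms" = "------" ] || { echo "group/world access: $path"; return 1; }

    # Assumption: whitespace is stripped before the key length is counted.
    body=$(tr -d ' \t\r\n' < "$path")
    len=${#body}
    { [ "$len" -ge 6 ] && [ "$len" -le 1024 ]; } ||
        { echo "bad length $len: $path"; return 1; }

    # Only characters from the base64 set are accepted.
    case $body in
        *[!A-Za-z0-9+/=]*) echo "non-base64 character: $path"; return 1 ;;
    esac
    echo "ok: $path"
}
```

Every member must hold an identical copy of the file, so run the check after copying it to each host rather than only where it was generated.
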

x.509 Internal Authentication
-----------------------------

For details on using x.509 for internal authentication, see
:doc:`/tutorial/configure-x509-member-authentication`.

To upgrade from keyfile internal authentication to x.509 internal
authentication, see
:doc:`/tutorial/upgrade-keyfile-to-x509`.