I am needing to shard a database fairly soon, and am unclear on what the best practice is for enabling authentication on the mongos and config servers. I would like to have everything be secured with passwords.

- Should each config server have auth enabled? If so, then setup the same user across each? Just for the admin db? Or is there a need to create one for the config database?
- I am guessing you don't need to create any users while on the mongos, since it should inherit from the config and the shards themselves, is this correct?
- When adding a new shard, is it needed to go and setup the same users for each sharded database on the new shard?
Thanks!
Best Answer
I'll take these one at a time:

- Yes, basically every instance of mongod you run should have auth enabled (and keyfile, which implies auth).

- The admin database in a sharded environment will actually live on the config servers. Hence you will have a copy of the admin database on all three (they will be identical to each other). You should always be connecting to the config database through the mongos and you will not be creating other databases there, so no need to add specific users. The first shard you add, if it has existing databases, will be the primary shard for those databases (forever). That primary shard will contain the authentication records for those databases, even if you subsequently shard the collections across multiple shards. Any subsequent databases that are created after you shard may live on another shard, and their credentials will be stored there. Basic rule of thumb is: use mongos to manage your users in a sharded environment. Note: The above is true in MongoDB 2.4 and below. The planned changes in 2.6 will centralize all credentials to the config database in a sharded environment and remove some of the complexity. However, the rule of thumb is still applicable: use mongos.

- As the answer to the previous question implies, no, this is not necessary as long as you always connect via mongos (recommended - it knows what the primary shard is for each database and will route your auth request appropriately). There are some edge cases where you might need to have the users on all shards, in which case you would have to add (and maintain) them on each shard, but for general use it is not required.
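The three points above (keyfile plus auth on every mongod, a keyfile on mongos, users created only through mongos) laid out as files on disk, as an added example that is not part of the question or the answer. It is a plain POSIX shell script that generates a shared keyfile with the permissions mongod insists on, writes the launch commands for the config servers, shard members and mongos, and writes a mongo-shell script that creates the first admin user through mongos. Assumed, not from the page: the hostnames, ports and paths are constructed placeholders, the launch flags and comma-separated --configdb list are the pre-3.2 form, and db.createUser() is the 2.6+ call (2.4 used db.addUser()). Nothing here starts a database; it only produces the artifacts for inspection.

```shell
#!/bin/sh
# Added example, not code from the original Q&A. Lays out a sharded-cluster
# auth setup on disk: one shared keyfile, --auth on every mongod, keyfile on
# mongos, and user creation routed through mongos. All hosts/ports/paths are
# constructed placeholders.
set -eu

# Generate one keyfile shared by every mongod and mongos in the cluster.
# Prints the keyfile path.
gen_keyfile() {
    mkdir -p "$1"
    # 756 random bytes -> 1008 base64 chars, inside the 6..1024 char limit.
    head -c 756 /dev/urandom | base64 | tr -d '\n' > "$1/keyfile"
    chmod 600 "$1/keyfile"   # mongod rejects group/world-readable keyfiles
    echo "$1/keyfile"
}

# Write the launch commands for each role into $2 using keyfile $1.
# Every mongod gets --auth and --keyFile; mongos gets --keyFile only, since
# it authenticates to the cluster with the key and routes client auth itself.
write_launch_script() {
    {
        echo '#!/bin/sh'
        echo '# config servers (placeholder ports/paths): auth + shared keyfile'
        for port in 27019 27020 27021; do
            echo "mongod --configsvr --auth --keyFile $1 --port $port" \
                 "--dbpath /data/config$port --fork --logpath /var/log/mongo-config$port.log"
        done
        echo '# shard members: same keyfile, same --auth'
        for port in 27018 27028; do
            echo "mongod --shardsvr --auth --keyFile $1 --port $port" \
                 "--dbpath /data/shard$port --fork --logpath /var/log/mongo-shard$port.log"
        done
        echo '# mongos: keyfile only; clients create users and authenticate through it'
        echo "mongos --configdb cfg1.example.local:27019,cfg2.example.local:27020,cfg3.example.local:27021" \
             "--keyFile $1 --port 27017"
    } > "$2"
    chmod 700 "$2"
    echo "$2"
}

# Write the mongo-shell script that creates the first admin user. It is meant
# to be run against mongos (port 27017 above), never against a config server
# or shard directly, so the credentials land wherever the cluster keeps them.
write_user_script() {
    cat > "$1" <<'EOF'
// Run as:  mongo --port 27017 admin create_admin.js   (connects to mongos)
// db.createUser() is the 2.6+ call; 2.4 used db.addUser() with the same shape.
db.createUser({
  user: "clusterAdmin",
  pwd: "CHANGE-ME-placeholder",
  roles: ["userAdminAnyDatabase", "clusterAdmin"]
});
EOF
    echo "$1"
}

# Stand-alone run: write everything into MONGO_AUTH_DIR or a temp directory.
DEMO_DIR=${MONGO_AUTH_DIR:-$(mktemp -d)}
KEYFILE=$(gen_keyfile "$DEMO_DIR")
write_launch_script "$KEYFILE" "$DEMO_DIR/start-cluster.sh" >/dev/null
write_user_script "$DEMO_DIR/create_admin.js" >/dev/null
echo "wrote keyfile, start-cluster.sh and create_admin.js to $DEMO_DIR"
```

The generated start-cluster.sh is the check worth reading: every mongod line carries both --auth and the same --keyFile path, and the only place a user gets created is the mongos script. Keep the keyfile mode at 600 on every host you copy it to; a looser mode is the most common reason an otherwise correct keyfile setup fails to start.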