I have been using percona-xtradb cluster in a prod env for the last 5 years and it has been a really great experience.
Going ahead, I have deployed percona-mongodb in my prod recently; I started off with a 3 node master-slave replication cluster set-up.
Now I need to add password authentication to the cluster. I did not set that up at the time of deployment since I am very new to nosql/mongo, but now I need to add a password across all my nodes.
What is the safest way to do that without downtime?
Yes, you can add authentication to the Replicaset with no or very minimal downtime. Before doing any changes, make sure you create a user having “root” (administrator) or “userAdminAnyDatabase” (maintain users only) privileges. See here for how to create a user. You will also need to create users to connect from the application and for other operations like backup, monitoring tools, etc. eventually. When you enable authentication, you will need to enable internal authentication between members of the replicaSet as well. You can refer to this URL for the process - https://docs.mongodb.com/manual/tutorial/enforce-keyfile-access-control-in-existing-replica-set-without-downtime/
The final configuration to enable authentication along with internal authentication in a replicaSet is as follows:
```yaml
security:
  authorization: enabled
  keyFile: <path-to-keyfile>
replication:
  replSetName: <replicaSetName>
```
Here you enable the variable transitionToAuth: true for a period (the steps are mentioned in the doc given above for enforcing the keyfile), which allows the mongod to accept/create authenticated or non-authenticated connections from MongoDB 3.4. Simply, user access control is not forced till this is enabled. You can turn this off once the keyFile + users are in place properly and you are ready to force user access control. To disable it, refer to the steps mentioned in the same doc.
I did all these.
I am able to start the cluster and all nodes.
But the thing is, even after enabling authentication, I can still log in without a password.
I am able to log in with a password as well, but login without a password is not being restricted.
Hi, the idea is that after you validate that authenticated connections work fine, you remove transitionToAuth: true and restart (you can do it in a rolling fashion; check the link provided above). This will disable the password-less logins.
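The answer above describes the rollout (create users, distribute a keyfile, run with transitionToAuth, then remove it) and the follow-up shows what happens while a node is still in the transition phase. As an added example, not code from this thread, Percona or MongoDB, the Python below classifies each member's mongod.conf into those phases and checks the keyfile constraints mongod enforces (mode 0400 or 0600, 6 to 1024 base64 characters). The config snippets, node names and the /etc/mongod/keyfile path are constructed for the example.

```python
"""Audit each replica-set member's mongod.conf during a keyfile auth rollout and
sanity-check the keyfile. Added example, not code from the thread, Percona or
MongoDB; configs and node names below are constructed samples."""
import base64
import os
import secrets
import stat
import string
import tempfile

BASE64_CHARS = set(string.ascii_letters + string.digits + "+/=")

# Constructed samples for the three rollout states from the linked tutorial.
NO_AUTH = "replication:\n  replSetName: rs0\n"
TRANSITION = """security:
  keyFile: /etc/mongod/keyfile
  transitionToAuth: true   # unauthenticated clients still accepted
replication:
  replSetName: rs0
"""
ENFORCED = """security:
  keyFile: /etc/mongod/keyfile
  authorization: enabled
replication:
  replSetName: rs0
"""


def parse_conf(text):
    """Parse the `section:` / `  key: value` subset of mongod.conf (no PyYAML needed)."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        key, _, value = line.strip().partition(":")
        key, value = key.strip(), value.strip()
        if not raw[:1].isspace():                  # top-level key
            section = key
            conf[section] = value if value else {}
        elif section is not None and isinstance(conf[section], dict):
            conf[section][key] = value
    return conf


def auth_phase(conf):
    """'no-auth', 'transition' or 'enforced'. security.keyFile implies access
    control, but while transitionToAuth is true the mongod still accepts
    unauthenticated clients (the passwordless login the poster observed)."""
    sec = conf.get("security")
    sec = sec if isinstance(sec, dict) else {}
    if not sec.get("keyFile"):
        return "no-auth"
    if sec.get("transitionToAuth", "").lower() == "true":
        return "transition"
    return "enforced"


def audit_replica_set(node_configs):
    """{node: mongod.conf text} -> {node: phase}; any non-'enforced' node
    still lets clients in without credentials."""
    return {node: auth_phase(parse_conf(text)) for node, text in node_configs.items()}


def generate_keyfile(path):
    """Write a 1008-char base64 key (same size as `openssl rand -base64 756`), mode 0400."""
    key = base64.b64encode(secrets.token_bytes(756)).decode()
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o400)
    with os.fdopen(fd, "w") as f:
        f.write(key + "\n")
    return path


def check_keyfile(path):
    """Problems mongod rejects a keyfile for: group/world-readable mode,
    length outside 6..1024 characters, characters outside the base64 set."""
    problems = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & 0o077:
        problems.append(f"permissions too open: {oct(mode)} (use 0400 or 0600)")
    with open(path) as f:
        key = "".join(f.read().split())            # mongod ignores whitespace
    if not 6 <= len(key) <= 1024:
        problems.append(f"key length {len(key)} outside 6..1024")
    if set(key) - BASE64_CHARS:
        problems.append("non-base64 characters in key")
    return problems


def keyfile_self_test():
    """Generate a key in a temp dir, check it, then loosen its mode and recheck."""
    with tempfile.TemporaryDirectory() as d:
        path = generate_keyfile(os.path.join(d, "keyfile"))
        clean = check_keyfile(path)
        os.chmod(path, 0o644)                      # the classic mistake: world-readable key
        return clean, check_keyfile(path)


if __name__ == "__main__":
    print(audit_replica_set({"node1": ENFORCED, "node2": TRANSITION, "node3": NO_AUTH}))
    print(keyfile_self_test())
```

Run it against the real mongod.conf of every member: any node reported as transition or no-auth is one where a client can still connect without credentials, which is the symptom described in the follow-up. The parser only handles the flat two-level layout shown here; use PyYAML for a richer configuration file.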