DOCS-8616: no-downtime security sharded cluster #2834
Conversation
| post: | | ||
|
|
||
| At the end of this section, the config server replica set should be up and | ||
| running fully enforcing authentication. |
There was a problem hiding this comment.
Not sure how to parse this. Is this:
.. should be up and running, fully enforcing authentication (which describes a state)
- or -
running fully enforcing authentication (where authentication is the direct object of running).
There was a problem hiding this comment.
The former, I think. Done.
|
|
||
| db.getSiblingDB("admin").shutdownServer() | ||
|
|
||
| You can then start the :program:`mongos` specifying the updated |
There was a problem hiding this comment.
sentence seems to have gotten garbled.
| configuration file, specifying the path to the config file using | ||
| :option:`--config`.. This configuration file no longer contains the | ||
| :setting:`security.transitionToAuth` setting, but retains the | ||
| :setting:`security.keyFile` setting. |
There was a problem hiding this comment.
This sentence strikes me as odd since in step one, you made me remove it. and then in step two, you mention the state of the file.
There was a problem hiding this comment.
I wasn't sure if users might get confused as to the state of the file. I've no problem removing it, and addressing if users do get confused.
| .. note:: | ||
|
|
||
| MongoDB deployments running on :abbr:`Windows (Microsoft Windows)` use | ||
| the ``.cfg`` file extension instead of ``.conf``. |
There was a problem hiding this comment.
If we're going all Windows, why not also state that mongos is mongos.exe
| pre: | | ||
|
|
||
| Copy the existing {{program}} configuration file and name the copy to | ||
| distinguish it, for example, by adding ``-secure`` to the filename. You will |
There was a problem hiding this comment.
This sentence could be tightened.
| - Path to the keyfile. | ||
|
|
||
| If using a different internal authentication mechanism, specify that | ||
| mechanism instead of :setting:`security.keyFile`. |
There was a problem hiding this comment.
Should it be specify the settings appropriate for the mechanism ?
There was a problem hiding this comment.
That does sound better. Done.
|
|
||
| .. example:: | ||
|
|
||
| The following operation creates the user ``joe`` on the ``analytics`` |
There was a problem hiding this comment.
This operation doesn't do that at all.
There was a problem hiding this comment.
Ah, yes I modified the example but missed the description. Thanks
| @@ -0,0 +1,297 @@ | |||
| ========================================================================== | |||
| Enable mandatory user authentication in a sharded cluster without downtime | |||
| ========================================================================== | |||
There was a problem hiding this comment.
We tend to use title capitalization for pages.
Also, How is mandatory user authentication different from just user authentication
There was a problem hiding this comment.
This was a suggestion from Andy - I'm guessing that 'mandatory' is a stronger implication. I don't object in removing it, but I don't think it takes away from anything either.
| authentication <inter-process-auth>` among the sharded cluster | ||
| :program:`mongod` and :program:`mongos` components. | ||
|
|
||
| This tutorial describes a correct procedure for using |
|
|
||
| Perform these steps for each :program:`mongod` in the config server replica | ||
| set, one member at a time. Work on the :term:`secondary` or | ||
| :term:`arbiter` members *first*, and the :term:`primary` *last*. |
There was a problem hiding this comment.
config server rs cannot have arbiters.
|
|
||
| Perform these steps on one shard replica set at a time, and one member in the | ||
| shard replica set at a time. Work on the :term:`secondary` or :term:`arbiter` | ||
| members *first*, and the :term:`primary` *last*. |
There was a problem hiding this comment.
Unless explicitly requested to mention the arbiters, I might remove the arbiter members.
It sounds like you can have multiple arbiters.
|
@kay-kim back to you! |
| :option:`--config`.. This configuration file no longer contains the | ||
| :setting:`security.transitionToAuth` setting, but retains the | ||
| :setting:`security.keyFile` setting. | ||
| You can then restart the :program:`mongos specifying the path to the updated |
There was a problem hiding this comment.
missing a backtick after the mongos
| Copy the keyfile to each server hosting the {{deployment}} members. For | ||
| simplicity in configuration and maintenance, save the keyfile to a | ||
| consistent location for each server, such as the file path specified in | ||
| the {{programs}} :setting:`storage.dbPath` setting. |
There was a problem hiding this comment.
Double checking that this recommendation of storage.dbPath has been vetted by someone.
There was a problem hiding this comment.
Ah, I can't say that for certain.
I'll check with spencer
There was a problem hiding this comment.
@spencerjackson Can you chime in?
There was a problem hiding this comment.
remove ", such as the file path ... "
| to the sharded cluster. If your cluster has only one :program:`mongos`, this | ||
| step results in downtime while the :program:`mongos` is offline. | ||
|
|
||
| Connect to the :program:`mongos` and use the :method:`db.shutdownServer()` |
There was a problem hiding this comment.
lines 58-60 repeat lines 50-52
| You can then start the :program:`mongos` with the new configuration | ||
| file, specifying the path to the config file using :option:`--config`. | ||
| Restart :program:`mongos` with the new configuration file, specifying the | ||
| path to the config file using :option:`--config`. |
There was a problem hiding this comment.
Why is the following code block in an example block whereas the shutdown isn't?
There was a problem hiding this comment.
My logic was to use example blocks for when I want to set up a scenario or context for a code example, as opposed to the code block here which needs no context (IMHO).
There was a problem hiding this comment.
I agree that's a nice distinction, but unfortunately, I don't think we're doing that consistently. Take a look at https://docs-mongodbcom-staging.corp.mongodb.com/rkumar/DOCS-8616/tutorial/enforce-keyfile-access-control-in-existing-sharded-cluster-no-downtime.html#create-the-adminstrator-user vs https://docs-mongodbcom-staging.corp.mongodb.com/rkumar/DOCS-8616/tutorial/enforce-keyfile-access-control-in-existing-sharded-cluster-no-downtime.html#optional-create-users-for-client-applications-to-authenticate-with
Other than naming the user in the example sentences, how is the user "admin" that much different than user "joe"?
Even in here, how is it in context if we're specifying the conf file name but not the path? It's a bit general and specific all jumbled up.
| @@ -59,15 +60,15 @@ pre: | | |||
| down the primary and trigger an election. You can use the | |||
| :method:`rs.status()` method to ensure the replica set elected a new primary. | |||
|
|
|||
| Once you step down the primary, you can then shut it down using the | |||
| Once you step down the primary, you shut it down using the | |||
There was a problem hiding this comment.
Because of the way they're organized, lines 58 - 61 seems to go with the code-block at line 54 while this paragraph would be post stepDown.
Instead, you might want to forestall someone accidentally shutting down the primary at lines 58-61 by prefacing with something like:
If upgrading the secondary, ...
If upgrading the primary,
| @@ -269,7 +269,7 @@ sharded cluster without the :setting:`security.transitionToAuth` setting. | |||
| Repeat these steps for each shard replica set in the sharded cluster. | |||
|
|
|||
| Perform these steps on one shard replica set at a time, and one member in the | |||
| shard replica set at a time. Work on the :term:`secondary` or :term:`arbiter` | |||
| shard replica set at a time. Work on the :term:`secondary` | |||
| @@ -244,8 +244,8 @@ sharded cluster, you must restart each :program:`mongod` instance without | |||
| the :setting:`security.transitionToAuth` setting. | |||
|
|
|||
| Perform these steps for each :program:`mongod` in the config server replica | |||
| set, one member at a time. Work on the :term:`secondary` or | |||
| :term:`arbiter` members *first*, and the :term:`primary` *last*. | |||
| set, one member at a time. Work on the :term:`secondary` or members *first*, | |||
There was a problem hiding this comment.
Work on -> Start with
remove 'or members' to I think just the 'members'.
|
@kay-kim back to you! |
|
|
||
| .. important:: | ||
|
|
||
| MongoDB 3.2 and earlier do not support a no-downtime upgrade to enforce |
There was a problem hiding this comment.
Can we tighten this important note and start with a positive? Something like (spitballing -- you can polish)
The following procedure applies to sharded clusters using MongoDB 3.4 or later.
Earlier versions of MongoDB do not support no-downtime upgrade. For sharded clusters using earlier versions of MongoDB, see :doc:/tutorial/enforce-keyfile-access-control-in-existing-sharded-cluster.
| tutorial for a procedure for enforcing access control in a sharded cluster | ||
| running MongoDB 3.2 or prior. | ||
|
|
||
| To secure against unauthorized access, enforce :ref:`authentication |
There was a problem hiding this comment.
Since this tutorial is already 20 pages long, let's be economical with some of these. Something like (feel free to play with)
To secure against unauthorized access, enforce authentication. A sharded cluster can enforce user authentication as well as internal authentication of its components. The following tutorial describes a procedure to transition an existing sharded cluster to enforce authentication.
| contents of this document. | ||
|
|
||
| Considerations | ||
| ~~~~~~~~~~~~~~ |
There was a problem hiding this comment.
This should use the ______ underscore instead of ~~~~~
| Minimum number of ``mongos`` instances | ||
| ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | ||
|
|
||
| This tutorial requires restarting each :program:`mongos` in the cluster. If |
There was a problem hiding this comment.
Not sure, and feel free to ignore, but I wonder if we should start with the thing we want people to pay attention to:
Ensure your sharded cluster has at least two mongos instances available. This tutorial requires restarting each mongos in the cluster. If your cluster has only one mongos instance, this results in downtime ....
| The contents of the :ref:`keyfile <internal-auth-keyfile>` serves as | ||
| the shared password for the members of the {{deployment}}. The | ||
| content of the keyfile must be the same for all members of the | ||
| With :ref:`keyfile <internal-auth-keyfile>` authentication, the |
There was a problem hiding this comment.
With keyfile internal authentication, each ...
(only because people might not be familiar with keyfile authentication. each because your {{components}} is mongod or mongos.
|
|
||
| .. include:: /includes/steps/enable-authentication-in-shardcluster-nodowntime-uac.rst | ||
|
|
||
| Restart Each ``mongos`` Instance with ``transitionToAuth`` set to ``true`` |
There was a problem hiding this comment.
Transition mongos to use auth (clearly not those words) but something like it.
| cluster are running with :setting:`security.transitionToAuth` and | ||
| :setting:`security.keyFile` internal authentication. | ||
|
|
||
| Restart Each Config Server Replica Set Member with ``transitionToAuth`` set to ``true`` |
There was a problem hiding this comment.
Transition the config server replica set to auth (just with better words)
| server replica set is running with :setting:`security.transitionToAuth` and | ||
| :setting:`security.keyFile` internal authentication. | ||
|
|
||
| Restart Each Member of Each Shard Replica Set with ``transitionToAuth`` set to ``true`` |
There was a problem hiding this comment.
Trnasition Each shard replica set to auth (reword)
| performing queries or cluster-level maintenance operations. | ||
|
|
||
| Procedure | ||
| +++++++++ |
There was a problem hiding this comment.
If I see Procedure, I could skip over all the words above to just get to the procedure that has steps.
If we change this section title, then this subheading could be the
Restart shards with auth (or whatever)
| .. include:: /includes/steps/enable-authentication-in-shardcluster-nodowntime-transition-shards.rst | ||
|
|
||
| At this point in the tutorial, every component of the sharded cluster is | ||
| running with :option:`--transitionToAuth` and :setting:`security.keyFile` |
There was a problem hiding this comment.
well, they're all running with :setting:security.transitionToAuth since in all our steps we updated the config file.
Staged: https://docs-mongodbcom-staging.corp.mongodb.com/rkumar/DOCS-8616/tutorial/enforce-keyfile-access-control-in-existing-sharded-cluster-no-downtime.html
This change is