Enable Authentication in a Sharded Cluster
New in version 2.0: Support for authentication with sharded clusters.
Overview
When authentication is enabled on a sharded cluster every client that accesses the cluster must provide credentials. This includes MongoDB instances that access each other within the cluster.
To enable authentication on a sharded cluster, you must enable authentication individually on each component of the cluster. This means enabling authentication on each mongos and each mongod, including each config server, and all members of a shard's replica set.
Authentication requires an authentication mechanism and, in most cases, a keyfile. The content of the key file must be the same on all cluster members.
Consideration
It is not possible to convert an existing sharded cluster that does not enforce access control to require authentication without taking all components of the cluster offline for a short period of time.
Procedure
Create a key file.
Create the key file your deployment will use to authenticate servers to each other.
To generate pseudo-random data to use for a keyfile, issue the following openssl command:
You may generate a key file using any method you choose. Always ensure that the password stored in the key file is both long and contains a high amount of entropy. Using openssl in this manner helps generate such a key.
Enable authentication on each component in the cluster.
On each mongos and mongod in the cluster, including all config servers and shards, specify the key file using one of the following approaches:
Specify the key file in the configuration file.
In the configuration file, set the keyFile option to the key file's path and then start the component, as in the following example:
Specify the key file at runtime.
When starting the component, set the --keyFile option, which is an option for both mongos instances and mongod instances. Set the --keyFile to the key file's path. The keyFile setting implies the authorization setting, which means in most cases you do not need to set authorization explicitly.
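The following POSIX shell script is an added example and is not code from the MongoDB documentation or the MongoDB project. It covers the key file step and the configuration step above in one place: it generates a key file with `openssl rand -base64 741` (falling back to /dev/urandom if openssl is not installed), checks that the file is readable only by its owner and holds 6 to 1024 characters from the base64 alphabet (whitespace ignored), confirms that copies destined for other cluster members are identical, and writes a YAML config fragment that sets `security.keyFile` (and `security.authorization` explicitly, even though keyFile already implies it). The temporary working directory, the file names, and the YAML layout of the `security` section (the 2.6+ config format) are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the MongoDB docs: create, validate and distribute-check
# a cluster keyfile, then write a config fragment that references it.
# All paths used below are assumptions for demonstration only.
set -eu

# Generate 741 random bytes, base64-encoded (988 characters, under the 1024
# limit), into $1. umask 077 in a subshell means the file is never world-readable,
# not even between creation and the chmod.
make_keyfile() {
    keyfile=$1
    (
        umask 077
        if command -v openssl >/dev/null 2>&1; then
            openssl rand -base64 741 > "$keyfile"
        else
            # Fallback when openssl is absent: same amount of entropy from /dev/urandom.
            head -c 741 /dev/urandom | base64 > "$keyfile"
        fi
    )
    chmod 600 "$keyfile"
}

# Return 0 if the keyfile is usable: owner read/write only, and (ignoring
# whitespace) 6 to 1024 characters drawn from the base64 alphabet.
check_keyfile() {
    keyfile=$1
    [ -f "$keyfile" ] || { echo "missing: $keyfile" >&2; return 1; }
    mode=$(ls -l "$keyfile" | cut -c1-10)
    [ "$mode" = "-rw-------" ] || { echo "bad permissions ($mode): $keyfile" >&2; return 1; }
    body=$(tr -d ' \t\r\n' < "$keyfile")
    len=${#body}
    { [ "$len" -ge 6 ] && [ "$len" -le 1024 ]; } || { echo "bad length $len: $keyfile" >&2; return 1; }
    case "$body" in
        *[!A-Za-z0-9+/=]*) echo "non-base64 character in $keyfile" >&2; return 1 ;;
    esac
    return 0
}

# Return 0 only if every keyfile given is byte-for-byte identical to the first;
# every mongod and mongos in the cluster must share the same key content.
keyfiles_identical() {
    first=$1
    shift
    for f in "$@"; do
        cmp -s "$first" "$f" || { echo "differs from $first: $f" >&2; return 1; }
    done
    return 0
}

# Write a YAML security section naming the keyfile. authorization is listed
# explicitly for readability although keyFile already implies it.
write_security_config() {
    config=$1
    keyfile=$2
    cat > "$config" <<EOF
security:
  keyFile: $keyfile
  authorization: enabled
EOF
}

# Return 0 if a config file sets a non-empty keyFile; run this against every
# member's config before starting the cluster with access control on.
config_has_keyfile() {
    grep -Eq '^[[:space:]]*keyFile:[[:space:]]*[^[:space:]]' "$1"
}

# Stand-alone run in a throwaway directory (assumed path; use a real
# deployment path such as /srv/mongodb in practice).
work=$(mktemp -d)
make_keyfile "$work/mongodb-keyfile"
check_keyfile "$work/mongodb-keyfile"
cp -p "$work/mongodb-keyfile" "$work/keyfile-copy-for-shard1"
keyfiles_identical "$work/mongodb-keyfile" "$work/keyfile-copy-for-shard1"
write_security_config "$work/mongod.conf" "$work/mongodb-keyfile"
config_has_keyfile "$work/mongod.conf"
echo "keyfile and config written under $work"
echo "equivalent runtime flag: --keyFile $work/mongodb-keyfile"
rm -rf "$work"
```

The same `check_keyfile` and `keyfiles_identical` functions are the checks to run after copying the key file to each host: a member whose copy differs, or whose copy is readable by other local users, is the usual reason a freshly secured cluster fails to form or silently leaks its shared secret.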
Add users.
While connected to a mongos, add the first administrative user and then add subsequent users. See Create a User Administrator.