MongoDB 添加认证

提示

• 添加认证会创建两个用户，分别为 admin 库的 root 用户 及 所有业务库的 hap 用户

• 下列步骤以 root 密码为 hTkfDMYJ7ZLs，hap 密码为 tC9S86SFWxga 示例，实际配置中务必对 root 与 hap 密码修改

  • 为确保兼容性，自定义密码时避免使用 "$"、"&"、"!" 或 "@" 等特殊字符，这些字符可能会干扰正则表达式解析，请改用连字符 "-" 或下划线 "_"

• 操作前建议提前数据备份

• 微服务版本需要大于 v3.7.0 以上才可以进行此操作

• 如果启用了聚合表功能，请参考对应文档完成创建聚合表数据库与对应角色和用户，以及调整副本集相关参数

1. 微服务版本>=5.1.0

   先通过 docker ps 命令找到 hap-sc 容器

   然后通过 docker exec -it $(docker ps | grep hap-sc | awk '{print $1}') bash 命令进入 hap-sc 容器

   在 hap-sc 容器中，执行 mongo 命令登录到 mongo shll 中

   微服务版本<5.1.0

   进入 hap-community 容器，登陆 mongo

   docker exec -it $(docker ps | grep hap-community | awk '{print $1}') mongo

2. 在 mongo shell 中创建 admin 库的 root 用户 及 所有业务库的 hap 用户

   use admin
   db.createUser({user:"root",pwd:"hTkfDMYJ7ZLs",roles:[{role:"root",db:"admin"}]})
   use MDLicense
   db.createUser({user:"hap",pwd:"tC9S86SFWxga",roles:[{role:"readWrite",db:"MDLicense"}]})
   use ClientLicense
   db.createUser({user:"hap",pwd:"tC9S86SFWxga",roles:[{role:"readWrite",db:"ClientLicense"}]})
   use commonbase
   db.createUser({user:"hap",pwd:"tC9S86SFWxga",roles:[{role:"readWrite",db:"commonbase"}]})
   use MDAlert
   db.createUser({user:"hap",pwd:"tC9S86SFWxga",roles:[{role:"readWrite",db:"MDAlert"}]})
   use mdactionlog
   db.createUser({user:"hap",pwd:"tC9S86SFWxga",roles:[{role:"readWrite",db:"mdactionlog"}]})
   use mdapproles
   db.createUser({user:"hap",pwd:"tC9S86SFWxga",roles:[{role:"readWrite",db:"mdapproles"}]})
   use mdapprove
   db.createUser({user:"hap",pwd:"tC9S86SFWxga",roles:[{role:"readWrite",db:"mdapprove"}]})
   use mdapps
   db.createUser({user:"hap",pwd:"tC9S86SFWxga",roles:[{role:"readWrite",db:"mdapps"}]})
   use mdattachment
   db.createUser({user:"hap",pwd:"tC9S86SFWxga",roles:[{role:"readWrite",db:"mdattachment"}]})
   use mdcalendar
   db.createUser({user:"hap",pwd:"tC9S86SFWxga",roles:[{role:"readWrite",db:"mdcalendar"}]})
   use mdcategory
   db.createUser({user:"hap",pwd:"tC9S86SFWxga",roles:[{role:"readWrite",db:"mdcategory"}]})
   use MDChatTop
   db.createUser({user:"hap",pwd:"tC9S86SFWxga",roles:[{role:"readWrite",db:"MDChatTop"}]})
   use mdcheck
   db.createUser({user:"hap",pwd:"tC9S86SFWxga",roles:[{role:"readWrite",db:"mdcheck"}]})
   use mddossier
   db.createUser({user:"hap",pwd:"tC9S86SFWxga",roles:[{role:"readWrite",db:"mddossier"}]})
   use mdemail
   db.createUser({user:"hap",pwd:"tC9S86SFWxga",roles:[{role:"readWrite",db:"mdemail"}]})
   use mdform
   db.createUser({user:"hap",pwd:"tC9S86SFWxga",roles:[{role:"readWrite",db:"mdform"}]})
   use MDGroup
   db.createUser({user:"hap",pwd:"tC9S86SFWxga",roles:[{role:"readWrite",db:"MDGroup"}]})
   use mdgroups
   db.createUser({user:"hap",pwd:"tC9S86SFWxga",roles:[{role:"readWrite",db:"mdgroups"}]})
   use MDHistory
   db.createUser({user:"hap",pwd:"tC9S86SFWxga",roles:[{role:"readWrite",db:"MDHistory"}]})
   use mdIdentification
   db.createUser({user:"hap",pwd:"tC9S86SFWxga",roles:[{role:"readWrite",db:"mdIdentification"}]})
   use mdinbox
   db.createUser({user:"hap",pwd:"tC9S86SFWxga",roles:[{role:"readWrite",db:"mdinbox"}]})
   use mdkc
   db.createUser({user:"hap",pwd:"tC9S86SFWxga",roles:[{role:"readWrite",db:"mdkc"}]})
   use mdmap
   db.createUser({user:"hap",pwd:"tC9S86SFWxga",roles:[{role:"readWrite",db:"mdmap"}]})
   use mdmobileaddress
   db.createUser({user:"hap",pwd:"tC9S86SFWxga",roles:[{role:"readWrite",db:"mdmobileaddress"}]})
   use MDNotification
   db.createUser({user:"hap",pwd:"tC9S86SFWxga",roles:[{role:"readWrite",db:"MDNotification"}]})
   use mdpost
   db.createUser({user:"hap",pwd:"tC9S86SFWxga",roles:[{role:"readWrite",db:"mdpost"}]})
   use mdreportdata
   db.createUser({user:"hap",pwd:"tC9S86SFWxga",roles:[{role:"readWrite",db:"mdreportdata"}]})
   use mdroles
   db.createUser({user:"hap",pwd:"tC9S86SFWxga",roles:[{role:"readWrite",db:"mdroles"}]})
   use mdsearch
   db.createUser({user:"hap",pwd:"tC9S86SFWxga",roles:[{role:"readWrite",db:"mdsearch"}]})
   use mdservicedata
   db.createUser({user:"hap",pwd:"tC9S86SFWxga",roles:[{role:"readWrite",db:"mdservicedata"}]})
   use mdsms
   db.createUser({user:"hap",pwd:"tC9S86SFWxga",roles:[{role:"readWrite",db:"mdsms"}]})
   use MDSso
   db.createUser({user:"hap",pwd:"tC9S86SFWxga",roles:[{role:"readWrite",db:"MDSso"}]})
   use mdtag
   db.createUser({user:"hap",pwd:"tC9S86SFWxga",roles:[{role:"readWrite",db:"mdtag"}]})
   use mdtransfer
   db.createUser({user:"hap",pwd:"tC9S86SFWxga",roles:[{role:"readWrite",db:"mdtransfer"}]})
   use MDUser
   db.createUser({user:"hap",pwd:"tC9S86SFWxga",roles:[{role:"readWrite",db:"MDUser"}]})
   use mdworkflow
   db.createUser({user:"hap",pwd:"tC9S86SFWxga",roles:[{role:"readWrite",db:"mdworkflow"}]})
   use mdworksheet
   db.createUser({user:"hap",pwd:"tC9S86SFWxga",roles:[{role:"readWrite",db:"mdworksheet"}]})
   use mdworkweixin
   db.createUser({user:"hap",pwd:"tC9S86SFWxga",roles:[{role:"readWrite",db:"mdworkweixin"}]})
   use mdwsrows
   db.createUser({user:"hap",pwd:"tC9S86SFWxga",roles:[{role:"readWrite",db:"mdwsrows"}]})
   use pushlog
   db.createUser({user:"hap",pwd:"tC9S86SFWxga",roles:[{role:"readWrite",db:"pushlog"}]})
   use taskcenter
   db.createUser({user:"hap",pwd:"tC9S86SFWxga",roles:[{role:"readWrite",db:"taskcenter"}]})
   use mdintegration
   db.createUser({user: "hap",pwd: "tC9S86SFWxga",roles: [{role: "readWrite",db: "mdintegration"}]})
   use mdworksheetlog
   db.createUser({user: "hap",pwd: "tC9S86SFWxga",roles: [{role: "readWrite",db: "mdworksheetlog"}]})
   use mdworksheetsearch
   db.createUser({user: "hap",pwd: "tC9S86SFWxga",roles: [{role: "readWrite",db: "mdworksheetsearch"}]})
   use mddatapipeline
   db.createUser({user: "hap",pwd: "tC9S86SFWxga",roles: [{role: "readWrite",db: "mddatapipeline"}]})
   use mdwfplugin 
   db.createUser({user: "hap",pwd: "tC9S86SFWxga",roles: [{role: "readWrite",db: "mdwfplugin"}]})

3. 修改 docker-compose.yaml 文件，添加环境变量与端口映射

   docker-compose.yaml 文件默认路径：/data/hap/script/docker-compose.yaml

   微服务版本>=5.1.0

   在 app 服务下新增环境变量 ENV_MONGODB_DAEMON_ARGS 与 ENV_MONGODB_URI

   ENV_MONGODB_DAEMON_ARGS: "--auth"
   ENV_MONGODB_URI: "mongodb://hap:tC9S86SFWxga@sc:27017"

   在 sc 服务下新增端口映射，将容器内的 27017 端口映射出 (如果外部不需要访问 mongodb 则无需添加此端口映射)

   - 27017:27017

   docker-compose.yaml 配置文件修改示例

   version: '3'
   
   services:
     app:
       image: nocoly/hap-community:6.0.2
       environment:
         ENV_ADDRESS_MAIN: "https://hap.domain.com"
         ENV_APP_VERSION: "6.0.2"
         ENV_API_TOKEN: "******"
         ENV_MONGODB_DAEMON_ARGS: "--auth"    # 新增变量
         ENV_MONGODB_URI: "mongodb://hap:tC9S86SFWxga@sc:27017"  # 新增变量，注意修改为实际的 hap 用户密码。
       ports:
         - 8880:8880 
       volumes:
         - ./volume/data/:/data/
         - ../data:/data/hap/data
   
     sc:
       image: nocoly/hap-sc:3.0.0
       environment:
         <<: *app-environment
       ports:
         - 27017:27017 # 新增 mongodb 端口映射，如果外部不需要访问 mongodb，则无需添加此端口映射
       volumes:
         - ./volume/data/:/data/

   微服务版本<5.1.0

   在 app 服务下新增环境变量 ENV_MONGODB_DAEMON_ARGS 与 ENV_MONGODB_URI

   ENV_MONGODB_DAEMON_ARGS: "--auth"
   ENV_MONGODB_URI: "mongodb://hap:tC9S86SFWxga@127.0.0.1:27017"

   在 app 服务下新增端口映射，将容器内的 27017 端口映射出 (如果外部不需要访问 mongodb 则无需添加此端口映射)

   - 27017:27017

   docker-compose.yaml 配置文件修改示例

   version: '3'
   
   services:
     app:
       image: nocoly/hap-community:6.0.2
       environment:
         ENV_ADDRESS_MAIN: "https://hap.domain.com"
         ENV_APP_VERSION: "6.0.2"
         ENV_API_TOKEN: "******"
         ENV_MONGODB_DAEMON_ARGS: "--auth"    # 新增变量
         ENV_MONGODB_URI: "mongodb://hap:tC9S86SFWxga@127.0.0.1:27017"  # 新增变量，注意修改为实际的 hap 用户密码。
       ports:
         - 8880:8880
         - 27017:27017 # 新增 mongodb 端口映射，如果外部不需要访问 mongodb，则无需添加此端口映射 
       volumes:
         - ./volume/data/:/data/
         - ../data:/data/hap/data

4. 在安装管理器所在目录下重启微服务生效配置

   bash service.sh restartall