MongoDB certificate ownership and file permissions

If you set up MongoDB certificates by following the official documentation, Configure mongod and mongos for TLS/SSL, you may run into errors like the following:

{"t":{"$date":"2020-11-30T08:02:19.406+00:00"},"s":"E",  "c":"NETWORK",  "id":23248,   "ctx":"main","msg":"Cannot read certificate file","attr":{"keyFile":"/etc/ssl/testserver1.pem","error":"error:0200100D:system library:fopen:Permission denied"}}
{"t":{"$date":"2020-11-30T08:02:19.406+00:00"},"s":"F",  "c":"CONTROL",  "id":20574,   "ctx":"main","msg":"Error during global initialization","attr":{"error":{"code":140,"codeName":"InvalidSSLConfiguration","errmsg":"Can not set up PEM key file."}}}

or

{"t":{"$date":"2020-11-30T08:01:14.545+00:00"},"s":"I",  "c":"ACCESS",   "id":20254,   "ctx":"main","msg":"Read security file failed","attr":{"error":{"code":30,"codeName":"InvalidPath","errmsg":"permissions on / are too open"}}}

Hard to please: one moment it has no permission to read the certificate, the next the permissions are too open. So what permissions does the certificate actually need? The official documentation does not include a tip explaining these details; presumably it assumes the reader is already very familiar with PKI and certificate handling.

The user that runs mongod is mongodb, so it looks like the certificate permissions need to be: readable by the user mongodb, but not modifiable.

Option 1

  • chown mongodb:mongodb [xxx.pem]
  • chmod 400 [xxx.pem]

If the certificate file cannot be read by the user mongodb (for example, the file is owned by root with mode 600), the error is Permission denied.

If the file is owned by mongodb but has permissions more open than 400, the error is permissions on / are too open.

After the change, the certificate files look like this:

-r-------- 1 mongodb mongodb 4.4K Nov 30 18:11 test-ca.pem
-r-------- 1 mongodb mongodb 5.4K Nov 30 17:19 test-server1.pem
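To check the ownership and mode that option 1 requires before restarting mongod, here is an added shell helper; it is an example written for this page, not code from the page or from MongoDB's own tooling. check_pem_perms reports whether a PEM file is owned by the service user with mode exactly 400 and names the mongod error the current state would produce; fix_pem_perms applies the chown/chmod from option 1. It assumes GNU coreutils stat (Linux); the service user defaults to mongodb, and the path in the usage comment is the one from the log line above.

```shell
#!/bin/sh
# Added example: verify and apply the ownership/mode that option 1 requires
# for a mongod PEM file. Assumes GNU coreutils `stat` (Linux). The service
# user defaults to "mongodb"; pass another user (and group) when testing.

# check_pem_perms FILE [USER]
# Returns 0 when FILE is owned by USER with mode exactly 400, 1 otherwise,
# 2 when FILE does not exist. Prints a diagnosis on stderr naming the
# mongod error the current state would produce.
check_pem_perms() {
    file="$1"
    want_user="${2:-mongodb}"

    if [ ! -f "$file" ]; then
        echo "$file: no such file" >&2
        return 2
    fi

    owner=$(stat -c '%U' "$file")
    mode=$(stat -c '%a' "$file")

    # Normalise to the last three octal digits: stat prints "0" for mode 000
    # and a fourth leading digit when setuid/setgid/sticky bits are set.
    perms=$(printf '%03d' "$mode")
    perms=${perms#"${perms%???}"}
    owner_digit=${perms%??}
    group_other=${perms#?}

    if [ "$owner" != "$want_user" ]; then
        echo "$file: owned by $owner, not $want_user; mongod running as $want_user gets 'Permission denied' unless group/other can read it" >&2
        return 1
    fi
    case "$owner_digit" in
        4) ;;  # owner read-only: the bit pattern option 1 asks for
        5|6|7)
            echo "$file: mode $perms lets the owner modify the file; expected 400" >&2
            return 1 ;;
        *)
            echo "$file: mode $perms is not readable by its owner; mongod gets 'Permission denied'" >&2
            return 1 ;;
    esac
    if [ "$group_other" != "00" ]; then
        echo "$file: mode $perms is more open than 400; mongod reports 'permissions on $file are too open'" >&2
        return 1
    fi
    echo "$file: ok (owner $owner, mode $perms)"
    return 0
}

# fix_pem_perms FILE [USER [GROUP]]
# Applies option 1: chown USER:GROUP and chmod 400. Changing the owner to
# another account needs root.
fix_pem_perms() {
    file="$1"
    want_user="${2:-mongodb}"
    want_group="${3:-$want_user}"
    chown "$want_user:$want_group" "$file" && chmod 400 "$file"
}

# Check every PEM file given on the command line, e.g.
#   sh check_pem_perms.sh /etc/ssl/testserver1.pem
for pem in "$@"; do
    check_pem_perms "$pem"
done
```

Run it once against each PEM path named in mongod's configuration after copying the certificates into place; a non-zero exit and the printed diagnosis tell you which of the two errors from the log lines above you would see on startup.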

Option 2

  • chmod 644 [xxx.pem]