From 33f70867e9b15cdb93ec4ab2f5bbc5fff9260d63 Mon Sep 17 00:00:00 2001 From: Bob Grabar Date: Mon, 20 Aug 2012 18:34:36 -0400 Subject: [PATCH 1/4] DOCS-393 added info about arbiters and encryption --- source/core/replication.txt | 10 ++++++++++ source/faq/replica-sets.txt | 16 ++++++++++++++++ 2 files changed, 26 insertions(+) diff --git a/source/core/replication.txt b/source/core/replication.txt index 0c918be3169..8ad1ac8ff18 100644 --- a/source/core/replication.txt +++ b/source/core/replication.txt @@ -164,6 +164,16 @@ participate in :term:`elections `. Do not run arbiter processes on a system that is an active :term:`primary` or :term:`secondary` of its replica set. +You must run arbiters only on secure networks. While arbiters do not +hold database content, they do hold replica-set configuration data, +which always should be protected. Arbiters use encryption only when +creating a connection with another replica-set member. All other +communications are unencrypted. + +.. warning:: + + Never run an arbiter on a non-secure network. + .. index:: replica set members; non-voting .. _replica-set-non-voting-members: diff --git a/source/faq/replica-sets.txt b/source/faq/replica-sets.txt index bd064843476..d2d518029e1 100644 --- a/source/faq/replica-sets.txt +++ b/source/faq/replica-sets.txt 
@@ -181,6 +181,22 @@ primary. .. seealso:: :doc:`/administration/replication-architectures` +Do arbiters use encrypted communication? +---------------------------------------- + +Arbiters use encryption only when creating a connection with another +replica-set member. All other communications are unencrypted. + +The following rules govern arbiter communications: + +- An arbiter is authenticated when a connection is created between it + and another member of the replica set. The arbiter is then trusted + until the connection ends. + +- Replica set configuration data and voting are unencrypted. + +You must always run arbiters on secure networks. + Which members of a replica set vote in elections? ------------------------------------------------- From 0a44904228c5c5dec8402f9471d8c49d8cba1905 Mon Sep 17 00:00:00 2001 From: Bob Grabar Date: Tue, 21 Aug 2012 18:03:48 -0400 Subject: [PATCH 2/4] small edit --- source/core/replication.txt | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/source/core/replication.txt b/source/core/replication.txt index 8ad1ac8ff18..21cfa1e7cde 100644 --- a/source/core/replication.txt +++ b/source/core/replication.txt @@ -170,9 +170,7 @@ which always should be protected. Arbiters use encryption only when creating a connection with another replica-set member. All other communications are unencrypted. -.. warning:: - - Never run an arbiter on a non-secure network. +You should always run arbiters on secure networks. .. index:: replica set members; non-voting .. _replica-set-non-voting-members: From b99ee21fd4f651a0a1707cc054d587bcd0d6c59a Mon Sep 17 00:00:00 2001 From: Bob Grabar Date: Thu, 23 Aug 2012 09:22:42 -0400 Subject: [PATCH 3/4] edits --- source/core/replication.txt | 26 +++++++++++++++++++++----- 1 file changed, 21 insertions(+), 5 deletions(-) diff --git a/source/core/replication.txt b/source/core/replication.txt index 21cfa1e7cde..5ef3a22be88 100644 --- a/source/core/replication.txt +++ b/source/core/replication.txt 
@@ -164,11 +164,27 @@ participate in :term:`elections `. Do not run arbiter processes on a system that is an active :term:`primary` or :term:`secondary` of its replica set. -You must run arbiters only on secure networks. While arbiters do not -hold database content, they do hold replica-set configuration data, -which always should be protected. Arbiters use encryption only when -creating a connection with another replica-set member. All other -communications are unencrypted. +Arbiters make the following communications: + +- Exchange keyfiles with replica set. Arbiters + replica set servers exchange keyfiles, which are the equivalent of a + password for the __system "user". + +- The arbiter is authenticated when a connection is created between it + and another member of the replica set, and is then trusted until the + connection ends. + +- Only the authentication step is encrypted. Replica set configuration + data and voting are unencrypted. + +- Data other than the authentication step are not encrypted. + + + + + + + You should always run arbiters on secure networks. From 048778d4bd556fb3c36328ddc61e2666c9179697 Mon Sep 17 00:00:00 2001 From: Bob Grabar Date: Thu, 23 Aug 2012 18:29:40 -0400 Subject: [PATCH 4/4] DOCS-393 added info on arbiter communications --- source/core/replication.txt | 32 ++++++++++++-------------------- source/faq/replica-sets.txt | 24 +++++++++++++----------- 2 files changed, 25 insertions(+), 31 deletions(-) diff --git a/source/core/replication.txt b/source/core/replication.txt index 5ef3a22be88..cee2e304ff0 100644 --- a/source/core/replication.txt +++ b/source/core/replication.txt 
@@ -164,29 +164,20 @@ participate in :term:`elections `. Do not run arbiter processes on a system that is an active :term:`primary` or :term:`secondary` of its replica set. -Arbiters make the following communications: +Arbiters never receive the contents of any collection but do have the +following interactions with the ret of the replica set: -- Exchange keyfiles with replica set. Arbiters - replica set servers exchange keyfiles, which are the equivalent of a - password for the __system "user". - -- The arbiter is authenticated when a connection is created between it - and another member of the replica set, and is then trusted until the - connection ends. +- Credential exchanges, which are used to authenticate the arbiter with + the replica set. All MongoDB processes within a replica set use + keyfiles. These exchanges are encrypted. - Only the authentication step is encrypted. Replica set configuration - data and voting are unencrypted. - -- Data other than the authentication step are not encrypted. - - - - - - - + data and voting are not encrypted. -You should always run arbiters on secure networks. +If your MongoDB deployment uses SSL, then all communications between +arbiters and the other members of the replica set are secure. See the +documentation for :doc:`/administration/ssl` for more information. Run +all arbiters on secure networks, as with all MongoDB components. .. index:: replica set members; non-voting .. _replica-set-non-voting-members: @@ -332,7 +323,8 @@ apply or decide to ignore the rollback data. The best strategy for avoiding all rollbacks is to ensure :ref:`write propagation ` to all or some of the -nodes in the set. Using these kinds of policies prevents situations +nodes in the set. Using /bin/bash: Using: command not found +these kinds of policies prevents situations that might create rollbacks. .. warning:: diff --git a/source/faq/replica-sets.txt b/source/faq/replica-sets.txt index d2d518029e1..b9cbfe53cb2 100644 
--- a/source/faq/replica-sets.txt +++ b/source/faq/replica-sets.txt @@ -181,21 +181,23 @@ primary. .. seealso:: :doc:`/administration/replication-architectures` -Do arbiters use encrypted communication? ----------------------------------------- - -Arbiters use encryption only when creating a connection with another -replica-set member. All other communications are unencrypted. +What information do arbiters exchange with replica sets? +-------------------------------------------------------- -The following rules govern arbiter communications: +Arbiters never receive the contents of a collection but do exchange the +following data with the rest of the replica set: -- An arbiter is authenticated when a connection is created between it - and another member of the replica set. The arbiter is then trusted - until the connection ends. +- Credentials used to authenticate the arbiter with the replica set. All + MongoDB processes within a replica set use keyfiles. These exchanges + are encrypted. -- Replica set configuration data and voting are unencrypted. +- Replica set configuration data and voting data. This information is + not encrypted. Only credential exchanges are encrypted. -You must always run arbiters on secure networks. +If your MongoDB deployment uses SSL, then all communications between +arbiters and the other members of the replica set are secure. See the +documentation for :doc:`/administration/ssl` for more information. Run +all arbiters on secure networks, as with all MongoDB components. Which members of a replica set vote in elections? -------------------------------------------------
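
Review bot: In PATCH 1/4, the source/core/replication.txt hunk states the same requirement twice, first as "You must run arbiters only on secure networks" and again in the warning "Never run an arbiter on a non-secure network", and neither says what counts as a secure network. Keep one statement and define the term or link to where it is defined. "Arbiters use encryption only when creating a connection" is also ambiguous about what is actually encrypted; the FAQ hunk in the same patch is clearer with "An arbiter is authenticated when a connection is created".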
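
Review bot: In PATCH 2/4, the replacement line "You should always run arbiters on secure networks" in source/core/replication.txt now disagrees in strength with "You must always run arbiters on secure networks", which PATCH 1/4 added to source/faq/replica-sets.txt and which this patch leaves untouched. Pick "must" or "should" and use it in both files. The subject "small edit" also gives no hint that a warning directive was removed; say so in the commit message.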
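
Review bot: In PATCH 3/4, the added list in source/core/replication.txt makes the same point in two bullets, "Only the authentication step is encrypted" and "Data other than the authentication step are not encrypted"; drop the second. The first bullet reads "Arbiters replica set servers exchange keyfiles", which appears to be missing "and", and the hunk adds a run of empty lines before "You should always run arbiters on secure networks" that should be removed.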
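
Review bot: In PATCH 4/4, the first source/core/replication.txt hunk (@@ -164,29 +164,20) has a typo in the added intro line: "ret of the replica set" should be "rest of the replica set". The same hunk keeps the context bullet "Only the authentication step is encrypted" directly after the new bullet ending "These exchanges are encrypted", so the encryption point is made twice; fold the two together the way the FAQ hunk in this patch does.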
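
Review bot: In PATCH 4/4, the second source/core/replication.txt hunk (@@ -332,7 +323,8) pastes shell error output into the rollback paragraph: the added line reads "nodes in the set. Using /bin/bash: Using: command not found". Restore the original line "nodes in the set. Using these kinds of policies prevents situations" so the error text does not ship in the rendered documentation; nothing else in this hunk relates to DOCS-393.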
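
Review bot: In PATCH 4/4, the source/faq/replica-sets.txt hunk says configuration and voting data are "not encrypted" and then, one paragraph later, that with SSL all communications between arbiters and other members "are secure", which reads as a contradiction. Qualify the bullet (for example, not encrypted unless the deployment uses SSL) and say "encrypted" rather than "secure" in the SSL paragraph, since encryption is the property the list is describing. The same wording appears in the replication.txt hunk of this patch and needs the same change.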