MongoDB learning -- Security authentication of MongoDB on a single machine and in a cluster under Linux

1. Summary

MongoDB has no accounts by default: anyone can connect directly, and nothing is authenticated. In a real project permissions must be checked, otherwise the consequences are unimaginable. Since 2016 there have been a number of MongoDB hacker ransom incidents, and the weak point exposed by most MongoDB security problems is actually the user. First, users do not pay attention to the security of the database; second, users may never form the good habit of regular backups while operating it; finally, enterprises may lack experienced and skilled professionals. Security authentication for MongoDB is therefore a must.

2. User-related operations

2.1 Switch to the admin database and add a user

use admin
db.createUser(
  {
    user: "<account>",
    pwd: "<password>",
    roles: [
      { role: "<role>", db: "<database the role applies to>" },
      { role: "<role>", db: "<database the role applies to>" }
    ]
  }
)

user: the user name to create, such as admin, root or lagou
pwd: the user's login password
roles: the roles assigned to the user; different roles carry different permissions. The parameter is an array, so more than one role can be set
role: a role name. MongoDB ships with a set of predefined roles, each with its own permissions; the roles are explained in detail below
db: the database instance the role applies to, such as the admin, local, config and test databases that MongoDB 4.0.2 has by default

Example: create a root user

db.createUser(
  {
    user: "root",
    pwd: "123321",
    roles: [{ role: "root", db: "admin" }]
  }
)

2.2 Change Password

db.changeUserPassword( 'root' , 'rootNew' );

2.3 Add roles to a user

db.grantRolesToUser("<user name>", [{ role: "<role>", db: "<database name>" }])

2.4 Start mongod with the --auth option

./bin/mongod -f conf/mongo.conf --auth
(Alternatively, add the parameter auth=true to mongo.conf.)

2.5 Authenticate as a user

db.auth("<account>", "<password>")

2.6 Delete a user

db.dropUser("<user name>")

2.7 Roles

Database built-in roles

// General settings
read: allows the user to read the specified database
readWrite: allows the user to read and write the specified database

// Advanced settings: a user holding all of these is, in effect, not restricted by security authentication at all; the authority is too broad
dbAdmin: allows the user to perform administrative functions in the specified database, such as creating and dropping indexes, viewing statistics or accessing system.profile
userAdmin: allows the user to write to the system.users collection, so they can create, delete and manage users of the specified database
clusterAdmin: only available in the admin database; gives the user administrative rights over all sharding and replica-set related functions
readAnyDatabase: only available in the admin database; gives the user read rights on all databases
readWriteAnyDatabase: only available in the admin database; gives the user read and write access to all databases
userAdminAnyDatabase: only available in the admin database; gives the user userAdmin rights on all databases
dbAdminAnyDatabase: only available in the admin database; gives the user dbAdmin rights on all databases
root: only available in the admin database; the super account with super authority
dbOwner: database owner rights, i.e. the combination of readWrite, dbAdmin and userAdmin

The roles of different types of users

  Database user roles: read, readWrite
  Database administration roles: dbAdmin, dbOwner, userAdmin
  Cluster administration roles: clusterAdmin, clusterManager, clusterMonitor, hostManager
  Backup and restore roles: backup, restore
  All-database roles: readAnyDatabase, readWriteAnyDatabase, userAdminAnyDatabase, dbAdminAnyDatabase
  Superuser role: root
  Several roles also provide, directly or indirectly, superuser access to the system (dbOwner, userAdmin, userAdminAnyDatabase)

3. Single-machine security authentication

3.1 Create an administrator

Before the MongoDB server is started with security checks enabled, at least one administrator account is required. Users in the admin database are treated as administrators. If the admin database has no users at all, then even if users are created in other databases and authentication is enabled, the default connection still has full permissions: CRUD can be done without verifying an account and password, so the security authentication is effectively void.

  • Connect to MongoDB
./bin/mongo --port 57017
  • Switch to the admin database and add a user

> use admin
switched to db admin
> db
admin
> db.createUser(
... {
... user:"root",
... pwd:"123456",
... roles:[{role:"root",db:"admin"}]
... })
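As an added example that is not part of the original post, the following JavaScript (usable both in the mongo shell and in Node) audits user documents in the shape returned by db.getUsers() for the over-privileged roles listed in section 2.7 and for the empty-admin-database case described in 3.1. The SAMPLE_USERS data is constructed.

```javascript
// Added example, not part of the original post. Audits user documents in the
// shape returned by db.getUsers() (fields: user, db, roles: [{role, db}]).

// Held on the admin database, these roles are superuser or can grant it to
// themselves (the post's dbOwner / userAdmin / userAdminAnyDatabase remark).
const SUPERUSER_ON_ADMIN = new Set(["root", "dbOwner", "userAdmin", "userAdminAnyDatabase"]);
// Roles that reach every database or the whole cluster.
const BROAD_ROLES = new Set(["readAnyDatabase", "readWriteAnyDatabase", "dbAdminAnyDatabase", "clusterAdmin"]);

function auditUsers(users) {
  const findings = [];
  // Section 3.1: without a user in the admin database, enabling auth does not lock the server down.
  if (!users.some(u => u.db === "admin")) {
    findings.push({ user: null, issue: "no users in the admin database" });
  }
  for (const u of users) {
    const name = u.user + "@" + u.db;
    for (const r of u.roles) {
      if (r.db === "admin" && SUPERUSER_ON_ADMIN.has(r.role)) {
        findings.push({ user: name, issue: "superuser-equivalent role " + r.role + " on admin" });
      } else if (BROAD_ROLES.has(r.role)) {
        findings.push({ user: name, issue: "broad role " + r.role + " (all databases / cluster)" });
      } else if (r.role === "userAdmin" || r.role === "dbOwner") {
        findings.push({ user: name, issue: r.role + " on " + r.db + " can manage that database's users" });
      }
    }
  }
  return findings;
}

// Constructed sample: the post's root user, a least-privilege application user,
// and an operator who was given more than needed.
const SAMPLE_USERS = [
  { user: "root", db: "admin", roles: [{ role: "root", db: "admin" }] },
  { user: "app", db: "testdb", roles: [{ role: "readWrite", db: "testdb" }] },
  { user: "ops", db: "admin", roles: [
    { role: "readWriteAnyDatabase", db: "admin" },
    { role: "userAdmin", db: "testdb" },
  ] },
];

// print() exists in the mongo shell, console.log in Node; use whichever is available.
const out = typeof print === "function" ? print : console.log;
out(JSON.stringify(auditUsers(SAMPLE_USERS), null, 2));
```

In a live mongo shell, after `use admin`, paste the function and call `auditUsers(db.getUsers())` to audit the real deployment.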
  • Verification without authenticating (no access)

  • Authenticated access

3.2 Create a normal user

    testdb is a new database you create yourself; CRUD can be done on it without security authentication. The rest are the databases that ship with MongoDB 4.0.2.

Even after you create a user, CRUD can still be performed at will, because the server has not yet been restarted with authentication enabled.

  • Shut down the MongoDB server; it will then be started again with security authentication enabled

> use admin
switched to db admin
> db.shutdownServer()
server should be down...
4. Cluster security authentication

4.1 Before enabling security authentication, connect through the router (mongos) and create the administrator and ordinary users

  Create the users as in the single-machine authentication steps above.

4.2 Shut down all config nodes, shard nodes and routing nodes

Install psmisc:
yum install psmisc
After installation you can use the killall command to shut down several processes at once:
killall mongod

4.3 Generate the key file and restrict its permissions

openssl rand -base64 756 > data/mongodb/testKeyFile.file
chmod 600 data/mongodb/testKeyFile.file

4.4 Enable security authentication and specify the key file in the config-node cluster (17017~17019.conf) and in the shard-node clusters (37017-37019.conf, 47017-47019.conf)

In the shard_cluster folder, first create the directory for the key file (the path is relative, matching the keyFile setting below): mkdir -p data/mongodb

auth=true
keyFile=data/mongodb/testKeyFile.file

4.5 Set the key file in the routing node's configuration file (27017)

keyFile=data/mongodb/testKeyFile.file

4.6 Start all config nodes, shard nodes and the routing node; permission checks are performed through the router

You can put the following commands into a shell script startup.sh to start everything at once; make it executable with chmod +x startup.sh

./bin/mongod -f mongo_17017.conf
./bin/mongod -f mongo_17018.conf
./bin/mongod -f mongo_17019.conf
./bin/mongod -f shard/shard1/shard1_37017.conf
./bin/mongod -f shard/shard1/shard1_37018.conf
./bin/mongod -f shard/shard1/shard1_37019.conf
./bin/mongod -f shard/shard2/shard2_47017.conf
./bin/mongod -f shard/shard2/shard2_47018.conf
./bin/mongod -f shard/shard2/shard2_47019.conf
./bin/mongos -f route/route_27017.conf

4.7 Start the cluster

./startup.sh
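Before running ./startup.sh it is worth checking that every node's configuration actually carries what sections 4.3 to 4.6 describe. The following Node script is an added example, not part of the original post; it works on configuration text and key-file metadata passed in, so it runs offline, and the SAMPLE_* values are constructed.

```javascript
// Added example, not part of the original post: offline pre-flight checks for
// the cluster configuration built in steps 4.3 to 4.6.

// Parse the key=value lines used in the post's *.conf files.
function parseConf(text) {
  const conf = {};
  for (const raw of text.split("\n")) {
    const line = raw.trim();
    if (!line || line.startsWith("#")) continue;
    const eq = line.indexOf("=");
    if (eq > 0) conf[line.slice(0, eq).trim()] = line.slice(eq + 1).trim();
  }
  return conf;
}

// mongod/mongos refuse a key file that is group- or world-accessible, and the
// content must be 6..1024 characters from the base64 set (whitespace ignored).
// For a real file pass fs.statSync(p).mode and fs.readFileSync(p, "utf8").
function checkKeyFile(mode, content) {
  const problems = [];
  if (mode & 0o077) problems.push("key file permissions too open (expected 600)");
  const body = content.replace(/\s+/g, "");
  if (body.length < 6 || body.length > 1024 || !/^[A-Za-z0-9+/=]+$/.test(body)) {
    problems.push("key file content is not 6..1024 base64 characters");
  }
  return problems;
}

// Config servers and shards need auth=true plus keyFile; mongos (route_*.conf)
// takes only keyFile. Every node must reference the same key file.
function checkClusterConf(confs, keyPath) {
  const problems = [];
  for (const [name, text] of Object.entries(confs)) {
    const c = parseConf(text);
    if (!name.startsWith("route") && c.auth !== "true") problems.push(name + ": auth=true missing");
    if (c.keyFile !== keyPath) problems.push(name + ": keyFile missing or does not match " + keyPath);
  }
  return problems;
}

// Constructed sample: one shard config forgot the keyFile line.
const SAMPLE_KEY_PATH = "data/mongodb/testKeyFile.file";
const SAMPLE_CONFS = {
  "mongo_17017.conf": "port=17017\nauth=true\nkeyFile=" + SAMPLE_KEY_PATH + "\n",
  "shard1_37017.conf": "port=37017\nauth=true\n",
  "route_27017.conf": "port=27017\nkeyFile=" + SAMPLE_KEY_PATH + "\n",
};
console.log(checkClusterConf(SAMPLE_CONFS, SAMPLE_KEY_PATH));
console.log(checkKeyFile(0o100644, "c2VjcmV0a2V5"));
```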
Copyright notice
This article was written by [VIP 灬 cnblog]; when reposting, please include the original link. Thank you.
https://cdmana.com/2020/12/20201225150736479W.html