2025-04-03 Update From: SLTechnology News&Howtos
Shulou (Shulou.com) 05/31 Report
This article shares how authentication and authorization work in MongoDB. The editor thinks it is very practical and shares it here for learning; I hope you gain something from reading it.
I. Permission management in MongoDB
Understanding permission management: the main concepts and how they relate
Like most databases, MongoDB provides a permission management mechanism. To try it out, find an installed MongoDB instance; a single-node MongoDB is enough.
Open the mongo shell directly:
./bin/mongo --port=27017
Try the stats command to view the status of the appdb database:
MongoDB Enterprise > use appdb
MongoDB Enterprise > db.stats()
{"ok": 0, "errmsg": "not authorized on nscl to execute command {dbstats: 1.0, scale: undefined}", "code": 13}
The error means the current operation is not authorized. Authenticate with a user that was created in appdb beforehand:
> db.auth('appuser', 'yourpassword')
1
> db.stats()
{"db": "appdb", "collections": 0, "views": 0, "objects": 0, "avgObjSize": 0, "dataSize": 0, "storageSize": 0, "numExtents": 0, "indexes": 0, "indexSize": 0, "fileSize": 0, "ok": 1}
After authenticating, the stats operation is authorized.
The example above gives a first impression of database authentication; now let's look at the underlying concepts, which are collectively known as role-based access control.
[figure-role permission Control]
First, the entities in the figure:
Resource: a resource can be a database, a collection, or the cluster. Broadly, anything that can be operated on can be a resource.
Action: an action is an operation performed on a resource, such as reading a collection or reading a database; here "read" is the action.
Privilege: a privilege is the right to perform certain actions on a certain resource or class of resources; it has the same meaning as "permission".
Role: a role in the role system usually represents a level of authority, such as administrator, moderator or guest on a forum; in a system definition, a role is a set of privileges.
User: an entity that can log in to the system; a user can usually be assigned several roles.
In short, the diagram says: privileges define certain operations on certain resources; a role can hold several privileges; and a user can be assigned several roles and thereby gains the privileges of those roles over the corresponding resources.
In MongoDB, once authentication is enabled, every database operation must pass a permission check. The general flow is shown in the following figure.
[figure-mongo Authentication]
A MongoDB user belongs to a database, and the user must authenticate against the database it belongs to.
Once authenticated, every operation in the current session (connection) is checked against the privileges of the roles assigned to the user.
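The entity model from the figure (resource, action, privilege, role, user) and the per-operation check it implies, as an added Python example that is not part of the original article; the read and readWrite roles follow the description in section IV, but the exact action sets assigned to them are an assumption of this example.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Resource:
    """A database, or one collection in it ("" means the whole database)."""
    db: str
    collection: str = ""

@dataclass(frozen=True)
class Privilege:
    """A set of actions permitted on one resource."""
    resource: Resource
    actions: frozenset

@dataclass
class Role:
    """A named bundle of privileges."""
    name: str
    privileges: list

@dataclass
class User:
    """Belongs to one database (where it authenticates) and holds roles."""
    name: str
    db: str
    roles: list = field(default_factory=list)

def built_in_role(name: str, db: str) -> Role:
    """read and readWrite as described in section IV; the action names are
    real MongoDB privilege actions, the exact sets are an assumption here."""
    read = frozenset({"find", "listCollections", "listIndexes"})
    write = read | {"insert", "update", "remove", "createCollection"}
    return Role(name, [Privilege(Resource(db), {"read": read, "readWrite": write}[name])])

def is_authorized(user: User, action: str, target: Resource) -> bool:
    """Resolve user -> roles -> privileges. A database-level privilege covers
    every collection in that database and nothing in any other database."""
    for role in user.roles:
        for priv in role.privileges:
            same_db = priv.resource.db == target.db
            covers = priv.resource.collection in ("", target.collection)
            if same_db and covers and action in priv.actions:
                return True
    return False
```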
II. Authentication methods
This section covers the authentication methods MongoDB supports, that is, the mechanisms by which MongoDB identifies the accessing user and verifies that the credentials are valid.
SCRAM-SHA-1 is the default authentication mechanism. It is defined in the IETF standard RFC 5802 and is a "challenge-response" mechanism with good security properties. For background on challenge-response authentication, see Wikipedia.
MongoDB Challenge and Response (MONGODB-CR), the mechanism used previously, has been deprecated since 3.0.
X.509 certificate authentication: certificate-based authentication, which is used together with SSL/TLS encrypted connections.
LDAP proxy authentication: authentication delegated to an LDAP system; only supported in the Enterprise edition.
Kerberos authentication: authentication based on Kerberos; only supported in the Enterprise edition.
SCRAM-SHA-1 is the recommended authentication method, so it is worth walking through the figure above step by step:
Step interpretation
1. The client sends a SCRAM authentication request; the parameters include the user name and a client random string (nonce) that guards against replay attacks.
2. The server replies with a challenge: it first checks the user name, then returns a salt, an iteration count and a combined nonce (the client random string concatenated with a server random string).
3. The client responds with a proof and the combined nonce; the proof is derived from the random parameters supplied by the server and the client key, and is the XOR of the client signature and the client key.
4. The server combines its stored key with the random parameters, generates the signature with the same algorithm and verifies the client proof; if it passes, the server sends back its own signature computed in a similar way.
5. The client verifies the server signature.
As you can see, SCRAM authentication resembles the SSL/TLS handshake, but it is much simpler and therefore cheaper. Now the security properties:
Eavesdropping: only dynamically computed signatures are transmitted, so the password itself never crosses the wire.
Replay attacks: random nonces make the data differ on every exchange, so captured data cannot be replayed.
Server impersonation: authentication is mutual, that is, the client also verifies the server's identity; the server key is derived from the password, so a man in the middle cannot forge it.
Storage: passwords are not stored in clear text in the database but as the output of an irreversible (one-way) algorithm.
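The five steps above and the four security properties, carried through in working code: an added Python example that is not part of the original article and implements the generic RFC 5802 SCRAM-SHA-1 exchange (not MongoDB's own code). The server side holds only the salted credential record, never the password; the nonce values are generated fresh on every run.

```python
import base64
import hashlib
import hmac
import os

def _hmac(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, hashlib.sha1).digest()

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def make_credential(password: str, salt: bytes, iterations: int) -> dict:
    """Server-side record (RFC 5802 section 3): salt, iteration count,
    StoredKey = H(ClientKey) and ServerKey. The password itself is never kept."""
    salted = hashlib.pbkdf2_hmac("sha1", password.encode(), salt, iterations)
    client_key = _hmac(salted, b"Client Key")
    return {"salt": salt, "i": iterations,
            "stored_key": hashlib.sha1(client_key).digest(),
            "server_key": _hmac(salted, b"Server Key")}

def scram_exchange(user: str, password: str, cred: dict) -> dict:
    """Run the five steps from the text. The client side knows only the
    password; the server side knows only the record from make_credential."""
    c_nonce = base64.b64encode(os.urandom(18))        # step 1: fresh client nonce
    client_first_bare = b"n=" + user.encode() + b",r=" + c_nonce
    s_nonce = base64.b64encode(os.urandom(18))        # step 2: server challenge
    combined = c_nonce + s_nonce
    server_first = (b"r=" + combined + b",s=" + base64.b64encode(cred["salt"])
                    + b",i=" + str(cred["i"]).encode())
    client_final_bare = b"c=biws,r=" + combined       # step 3: client proof
    auth_msg = b",".join([client_first_bare, server_first, client_final_bare])
    salted = hashlib.pbkdf2_hmac("sha1", password.encode(), cred["salt"], cred["i"])
    client_key = _hmac(salted, b"Client Key")
    client_sig = _hmac(hashlib.sha1(client_key).digest(), auth_msg)
    proof = _xor(client_key, client_sig)              # ClientKey XOR ClientSignature
    # step 4: the server recomputes the signature from StoredKey, recovers
    # ClientKey from the proof and checks that it hashes back to StoredKey
    recovered = _xor(proof, _hmac(cred["stored_key"], auth_msg))
    if not hmac.compare_digest(hashlib.sha1(recovered).digest(), cred["stored_key"]):
        return {"client_ok": False, "server_ok": False}
    server_sig = _hmac(cred["server_key"], auth_msg)
    # step 5: the client checks the server signature with its own ServerKey
    expected = _hmac(_hmac(salted, b"Server Key"), auth_msg)
    return {"client_ok": True,
            "server_ok": hmac.compare_digest(server_sig, expected)}
```

Because the server never learns ClientKey in a usable form (it stores only its hash), a copy of the credential record is not enough to impersonate the client, which is the storage property the text describes.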
In addition, SCRAM-SHA-1 has the following advantages over MONGODB-CR:
A tunable work factor (iterationCount): the cost of the password hash can be adjusted.
Per-user random salts rather than a server-wide salt: each user gets an independent random salt.
A cryptographically stronger hash function (SHA-1 rather than MD5).
Authentication of the server to the client as well as the client to the server: mutual authentication is supported.
Interested in the implementation of SCRAM-SHA-1? Click here.
III. Internal authentication
Authentication between members of a replica set or sharded cluster
Internal authentication is the authentication used for access between nodes inside a MongoDB cluster, such as between primary and secondary members of a replica set, or between mongos and mongod in a sharded cluster. Two methods are currently supported:
Keyfile: a key file used with the SCRAM-SHA-1 mechanism. The file holds a shared key that every member of the cluster possesses. The key is between 6 and 1024 characters long and is Base64 encoded. How to use it?
X.509 certificate authentication, used over SSL/TLS encrypted connections. How to use it?
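Generating a keyfile that satisfies the constraints just described (6 to 1024 Base64 characters, readable only by the mongod user) and checking an existing one before it is deployed, as an added Python example that is not part of the original article; it assumes a Unix host where file mode bits are enforced, and the helper and file names are this example's own.

```python
import base64
import os
import stat
import re
import tempfile

# Constraint from the text: 6 to 1024 Base64 characters (whitespace is ignored)
KEY_CHARS = re.compile(r"^[A-Za-z0-9+/=]{6,1024}$")

def generate_keyfile(path: str, nbytes: int = 756) -> str:
    """Write a fresh random shared key, readable only by its owner.
    756 random bytes encode to 1008 Base64 characters, inside the limit."""
    key = base64.b64encode(os.urandom(nbytes)).decode()
    with open(path, "w") as fh:
        fh.write(key + "\n")
    os.chmod(path, stat.S_IRUSR)      # mode 0400 (assumes a Unix host)
    return key

def check_keyfile(path: str) -> list:
    """Return the problems a cluster member would hit with this key file:
    a key of the wrong length or character set, or a file that group/others
    can access (the key is a cluster-wide secret)."""
    problems = []
    with open(path) as fh:
        content = "".join(fh.read().split())   # drop all whitespace
    if not KEY_CHARS.match(content):
        problems.append("key must be 6-1024 Base64 characters")
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        problems.append("key file must not be accessible to group or others")
    return problems

def demo() -> dict:
    """Create a good key file and a deliberately bad one in a temp directory."""
    workdir = tempfile.mkdtemp()
    good = os.path.join(workdir, "mongo-good.key")
    key = generate_keyfile(good)
    bad = os.path.join(workdir, "mongo-bad.key")
    with open(bad, "w") as fh:
        fh.write("short\n")          # too short to be a valid key
    os.chmod(bad, 0o644)             # and world-readable
    return {"key_length": len(key),
            "good": check_keyfile(good), "bad": check_keyfile(bad)}
```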
IV. Database roles
The built-in roles of the MongoDB database
Database access
Role name: permissions
read: allows reading the specified database
readWrite: allows reading and writing the specified database
Database management
Role name: permissions
dbAdmin: allows administrative work on the specified database, such as creating and dropping indexes, viewing statistics, or accessing system.profile
userAdmin: allows managing users of the current database, such as creating users and granting them roles
dbOwner: database owner (the top role for one database); combines the dbAdmin, userAdmin and readWrite role permissions
Cluster management
Role name: permissions
clusterAdmin: top-level cluster administrator; combines the clusterManager, clusterMonitor and hostManager role permissions
clusterManager: cluster management role; allows management operations on sharded and replica set clusters, such as addShard and resync
clusterMonitor: cluster monitoring role; allows monitoring of sharded and replica set clusters, such as viewing serverStatus
hostManager: node management role; allows monitoring and managing individual nodes, such as the killOp and shutdown operations
Backup and recovery
Role name: permissions
backup: backup permissions; allows mongodump operations
restore: restore permissions; allows mongorestore operations
Database-wide roles
Role name: permissions
readAnyDatabase: allows reading all databases
readWriteAnyDatabase: allows reading and writing all databases
userAdminAnyDatabase: allows managing users of all databases
dbAdminAnyDatabase: allows administering all databases
Special roles
Role name: permissions
root: super administrator, has all permissions
__system: internal role, used for communication between cluster nodes
If you want more detail, see the official MongoDB documentation on built-in roles. User and role data normally live in the admin database of the current instance, where the system.users collection stores the user records. The exception is a sharded cluster: the application connects to a mongos node, and the authentication data is stored on the config servers. For this reason, separate administrative users are sometimes created on the shard's internal nodes to ease management of the sharded cluster.
V. Related operations
A brief list of common operations related to user permissions
Start with authorization enabled
./bin/mongod --auth
Authorization is disabled by default; it can also be enabled with the security.authorization setting in the configuration file.
Create an administrator user
use admin
db.createUser({user: 'admin', pwd: 'admin@2016', roles: [{role: 'clusterAdmin', db: 'admin'}, {role: 'userAdminAnyDatabase', db: 'admin'}]})
Create a user
use appdb
db.createUser({user: 'appuser', pwd: 'appuser@2016', roles: []})  // the roles field is required; start with no roles
Grant roles
use appdb
db.grantRolesToUser("appuser", [{role: 'readWrite', db: 'appdb'}])
Revoke roles
use appdb
db.revokeRolesFromUser("appuser", [{role: "read", db: "appdb"}])
More actions
VI. Frequently asked questions
Shell operation reports an error
use appdb
MongoDB Enterprise > db.stats()
{"ok": 0, "errmsg": "not authorized on appdb to execute command {dbstats: 1.0, scale: undefined}", "code": 13}
Reason: the current connection is not authenticated, or the user lacks permission for the operation. Solution: assign the appropriate roles to the user and authenticate, as follows:
db.auth('appuser', 'yourpassword')
Unable to run the eval operation
db.eval() is a global operation that executes arbitrary JavaScript on the server; running it requires the anyAction privilege on anyResource, which should not normally be granted to database users. The command is a security risk and is no longer recommended (it has been deprecated since MongoDB 3.0).
The above is how authentication and authorization work in MongoDB. The editor believes these are points we may encounter or use in daily work; I hope you learned something from this article. For more details, please follow the industry information channel.