Example Analysis of MongoDB Security and identity Authentication

2025-04-02 Update. From: SLTechnology News&Howtos (shulou), Database section.


Shulou(Shulou.com)05/31 Report--

This article walks through MongoDB security and identity authentication with examples. It is meant to be easy to follow and well organized; I hope it helps resolve your doubts about the topic.

Overview

MongoDB security mainly involves the following four aspects:

1. Physical isolation

No matter how well a system is designed, flaws will appear in its implementation. If insecure users can be physically isolated from the MongoDB database, so that they cannot connect to it by any means, that is the most secure protection. Usually, however, this is not realistic; at most, some important data may be kept in a physically isolated machine room.

2. Network isolation

Many companies' development machines sit on an intranet. Even if the database has a vulnerability, there is no opportunity to exploit it from the outside, because the intranet cannot be reached at all.

3. Firewall isolation

You can configure an IP whitelist on the firewall so that only certain IP addresses may reach the database, which increases the security of MongoDB to a certain extent.

4. User name and password authentication

Compared with the three methods above, username and password authentication is the most common MongoDB security measure. If the password is simple, or the connection is not encrypted, the user name and password may be obtained by a third party, endangering the MongoDB database.

Authority authentication

MongoDB stores all user information in the system.users collection of the admin database, including user names, password credentials, and the databases the users belong to. MongoDB does not enable access control by default: anyone who can reach the server can connect to mongod without authenticating. To enable security authentication, set the configuration-file parameter authorization (security.authorization), which corresponds to the --auth command-line option.

Then restart mongod. The log file shows that access control has been turned on.

However, you can still connect to the database without a user name and password. This is because no user has been created yet. Once a user exists and access control is on, connecting without a user name and password will no longer be possible.
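As an added example (not from the article), the configuration-file form of the setting described above: in mongod's YAML config the authorization parameter sits under the security section and is equivalent to starting mongod with --auth. The net.bindIp line is an added assumption that ties in with the network-isolation advice earlier in the article; the article itself does not mention it.

```yaml
# Added example, not from the article: mongod.conf fragment that turns on access control.
# security.authorization: enabled is the config-file form of the --auth command-line option.
security:
  authorization: enabled

# Assumed hardening (not from the article): listen only on localhost so that the
# network and firewall isolation described above is not undone by the daemon itself.
net:
  bindIp: 127.0.0.1
  port: 27017
```

After editing the file, restart mongod and confirm in its log that access control is enabled before creating the first user.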

Role management

Before doing user management, you should first understand role management.

MongoDB supports role-based access control (RBAC) to manage access to MongoDB systems. A user can be granted one or more roles, which determine the user's access to database resources and operations. Outside of those permissions, the user cannot access the system.

The database role is set in the roles parameter when creating a user. Roles are divided into built-in roles and custom roles.

[built-in role]

MongoDB's built-in roles fall into the following categories:

1. Database user role

read: allows users to read the specified database
readWrite: allows users to read and write to the specified database

2. Database administrator role

dbAdmin: allows users to create and drop collections, view statistics, or access system.profile, but grants no role or user management permissions
userAdmin: provides the ability to create and modify roles and users in the current database
dbOwner: provides the ability to perform any administrative operation on the database. This role combines the privileges granted by the readWrite, dbAdmin, and userAdmin roles.

3. Cluster management role

clusterAdmin: provides the greatest cluster-management access. It combines the privileges of the clusterManager, clusterMonitor, and hostManager roles and additionally provides the dropDatabase action.
clusterManager: provides management and monitoring actions on the cluster, including access to the config and local databases, which are used by sharding and replication respectively.
clusterMonitor: provides read-only access for monitoring tools, such as the MongoDB Cloud Manager and Ops Manager monitoring agents.
hostManager: provides the ability to monitor and manage servers.

4. Backup recovery role

backup: provides the ability to back up data, whether with the MongoDB Cloud Manager backup agent, the Ops Manager backup agent, or mongodump
restore: provides the ability to restore data with mongorestore

5. All database roles

readAnyDatabase: available only in the admin database; gives the user read permission on all databases
readWriteAnyDatabase: available only in the admin database; gives the user read and write permission on all databases
userAdminAnyDatabase: available only in the admin database; gives the user userAdmin permission on all databases
dbAdminAnyDatabase: available only in the admin database; gives the user dbAdmin permission on all databases

6. Superuser role

root: provides access to all the resources of readWriteAnyDatabase, dbAdminAnyDatabase, userAdminAnyDatabase, clusterAdmin, restore, and backup

7. Internal role

__system: provides privileges for any operation on any object in the database

[custom role]

In addition to the built-in roles, MongoDB supports custom roles created with the db.createRole() method.

[note] Roles can only be created in the admin database; otherwise creation will fail.

role: name of the custom role

privileges: the permitted operations, each given as a resource and a list of actions

roles: inherited roles. If there are no inherited roles, set this to an empty array

use admin
db.createRole(
  {
    role: "myClusterwideAdmin",
    privileges: [
      { resource: { cluster: true }, actions: ["addShard"] },
      { resource: { db: "config", collection: "" }, actions: ["find", "update", "insert", "remove"] },
      { resource: { db: "users", collection: "usersCollection" }, actions: ["update", "insert", "remove"] },
      { resource: { db: "", collection: "" }, actions: ["find"] }
    ],
    roles: [
      { role: "read", db: "admin" }
    ]
  },
  { w: "majority", wtimeout: 5000 }
)

User management

[create user]

Use the db.createUser() method to create a user. Its parameters are:

user: user name

pwd: password

customData: free-form description of the user (optional)

roles: [{role: the role granted to the user, db: the database the role applies to}]

db.createUser({user: "...", pwd: "...", customData: "...", roles: [{role: "...", db: "..."}]})

1. Create an administrator user

MongoDB has no default administrator account, so add one first. Switch to the admin database; the account added there is the administrator account.

In the admin database, add a user and give it the userAdminAnyDatabase role:

use admin
db.createUser({user: "admin", pwd: "123456", roles: [{role: "userAdminAnyDatabase", db: "admin"}]})

2. Log in to the database again and verify the permissions

If the db.auth() method returns 0, authentication failed; a return value of 1 means authentication succeeded.

use admin
db.auth("admin", "123456")

3. Add ordinary users

Once authenticated as the user administrator, you can use db.createUser() to create additional users, assigning them MongoDB built-in roles or user-defined roles.

[note] Authentication must be done in the admin database; otherwise it will not succeed.

Writing data with this user fails, because the user only has read permission.

4. Create a super user

[view users]

use admin
db.system.users.find()

[delete user]

db.dropUser("<username>")

[add user permissions]

Use db.grantRolesToUser() to add roles to an existing user. For example, to add write permission on the db1 database to the read-only user x:

use db1
db.grantRolesToUser("x", [{role: "readWrite", db: "db1"}])
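To make the role model concrete, here is an added example (not from the article, and not MongoDB's own code) that models how a user's roles expand into privileges and how a request is checked against them. It covers the built-in role categories and the custom role myClusterwideAdmin from the role-management section, and it replays the user-management steps above: the admin user with userAdminAnyDatabase, the read-only user x whose write fails, and the grant of readWrite on db1 that fixes it. The action lists are abbreviated, the "AnyDatabase" roles are assumed to be granted on admin, and the users and collections are constructed; it is a teaching model, not MongoDB's real privilege tables.

```javascript
// Added example (not from the article): a simplified offline model of MongoDB
// role-based access control. Action lists are abbreviated and constructed.

// { db: "", collection: "" } is MongoDB's convention for "every collection in
// every database"; a db with collection "" means "every collection in that db".
const ANY = { db: "", collection: "" };
const onDb = (db, actions) => ({ resource: { db, collection: "" }, actions });
const onCluster = actions => ({ resource: { cluster: true }, actions });

const READ = ["find", "listCollections"];
const WRITE = ["insert", "update", "remove"];
const DBADMIN = ["collStats", "createCollection", "dropCollection"];
const USERADMIN = ["createUser", "createRole", "grantRole", "changePassword"];

// Built-in roles, modelled as functions of the database they are granted on.
const BUILTIN = {
  read: db => [onDb(db, READ)],
  readWrite: db => [onDb(db, [...READ, ...WRITE])],
  dbAdmin: db => [onDb(db, DBADMIN)],
  userAdmin: db => [onDb(db, USERADMIN)],
  dbOwner: db => [...BUILTIN.readWrite(db), ...BUILTIN.dbAdmin(db), ...BUILTIN.userAdmin(db)],
  clusterMonitor: () => [onCluster(["serverStatus", "listShards"])],
  hostManager: () => [onCluster(["shutdown", "killop"])],
  clusterManager: () => [onCluster(["addShard", "replSetConfigure"])],
  clusterAdmin: () => [...BUILTIN.clusterManager(), ...BUILTIN.clusterMonitor(),
                       ...BUILTIN.hostManager(), onCluster(["dropDatabase"])],
  backup: () => [{ resource: ANY, actions: READ }, onCluster(["listDatabases"])],
  restore: () => [{ resource: ANY, actions: [...WRITE, "createCollection"] }],
  readAnyDatabase: () => [{ resource: ANY, actions: READ }],
  readWriteAnyDatabase: () => [{ resource: ANY, actions: [...READ, ...WRITE] }],
  dbAdminAnyDatabase: () => [{ resource: ANY, actions: DBADMIN }],
  userAdminAnyDatabase: () => [{ resource: ANY, actions: USERADMIN }],
  root: () => [...BUILTIN.readWriteAnyDatabase(), ...BUILTIN.dbAdminAnyDatabase(),
               ...BUILTIN.userAdminAnyDatabase(), ...BUILTIN.clusterAdmin(),
               ...BUILTIN.backup(), ...BUILTIN.restore()],
};

// Custom roles as db.createRole() would store them: the article's
// myClusterwideAdmin, which also inherits the built-in read role on admin.
const CUSTOM_ROLES = {
  myClusterwideAdmin: {
    privileges: [
      onCluster(["addShard"]),
      onDb("config", ["find", "update", "insert", "remove"]),
      { resource: { db: "users", collection: "usersCollection" }, actions: WRITE },
      { resource: ANY, actions: ["find"] },
    ],
    roles: [{ role: "read", db: "admin" }],
  },
};

// Recursively expand role references into a flat privilege list. `seen` stops
// an inheritance cycle (or a role granted twice) from looping forever.
function expand(roleRefs, customRoles = {}, seen = new Set()) {
  const privs = [];
  for (const { role, db } of roleRefs) {
    const key = `${db}.${role}`;
    if (seen.has(key)) continue;
    seen.add(key);
    if (BUILTIN[role]) privs.push(...BUILTIN[role](db));
    else if (customRoles[role]) {
      privs.push(...customRoles[role].privileges);
      privs.push(...expand(customRoles[role].roles, customRoles, seen));
    } else throw new Error(`unknown role ${role}@${db}`);
  }
  return privs;
}

// Does a granted resource cover the requested one? Empty db/collection are wildcards.
function covers(granted, wanted) {
  if (granted.cluster || wanted.cluster) return Boolean(granted.cluster && wanted.cluster);
  return (granted.db === "" || granted.db === wanted.db) &&
         (granted.collection === "" || granted.collection === wanted.collection);
}

function can(userRoles, resource, action, customRoles = {}) {
  return expand(userRoles, customRoles)
    .some(p => covers(p.resource, resource) && p.actions.includes(action));
}

// Replays the article's user-management steps with constructed users.
function walkthrough() {
  const admin = [{ role: "userAdminAnyDatabase", db: "admin" }]; // the "admin" user
  const x = [{ role: "read", db: "db1" }];                        // ordinary user x
  const cw = [{ role: "myClusterwideAdmin", db: "admin" }];
  const orders = { db: "db1", collection: "orders" };             // constructed collection
  const r = {
    adminCanCreateUsers: can(admin, { db: "db1", collection: "" }, "createUser"),
    adminCanReadData: can(admin, orders, "find"),   // userAdmin* grants no data access
    xCanRead: can(x, orders, "find"),
    xCanWriteBefore: can(x, orders, "insert"),      // the article's failed write
  };
  x.push({ role: "readWrite", db: "db1" });         // db.grantRolesToUser("x", ...)
  r.xCanWriteAfter = can(x, orders, "insert");
  r.xCanWriteOtherDb = can(x, { db: "db2", collection: "orders" }, "insert");
  r.cwCanAddShard = can(cw, { cluster: true }, "addShard", CUSTOM_ROLES);
  r.cwCanFindAnywhere = can(cw, orders, "find", CUSTOM_ROLES);
  r.cwCanRemoveOtherColl = can(cw, { db: "users", collection: "other" }, "remove", CUSTOM_ROLES);
  r.rootCanShutdown = can([{ role: "root", db: "admin" }], { cluster: true }, "shutdown");
  return r;
}

console.log(walkthrough());
```

Two points the walkthrough makes visible: the admin user created with userAdminAnyDatabase can manage users everywhere but cannot read a single document, and a grant of readWrite on db1 does not leak into db2. The custom role shows why privilege resources matter: its remove action is scoped to users.usersCollection, so the same action on another collection in that database is refused.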

[change password]

db.changeUserPassword("<username>", "<newPassword>")

The above is the whole of the article "Example Analysis of MongoDB Security and Identity Authentication". Thank you for reading; I hope it has given you a working understanding of the topic.
