2025-03-28 Update From: SLTechnology News&Howtos
Shulou (Shulou.com) 06/01 Report
MongoDB rights management
Version: MongoDB 3.0
When it comes to database security, the problem is usually approached from the following points, from the strongest control to the weakest:
1. Physical isolation (the safest option)
2. Network isolation
3. Firewall isolation
4. Username and password authentication
Let's look at MongoDB's username and password authentication.
Authentication is the mechanism that establishes the identity of a client. By default MongoDB does not enable authentication, so it has to be turned on after deployment. The common ways to enable it are:
1. auth (enabled at startup with --auth, or with auth=true in the configuration file)
2. keyFile
Authentication is enabled either on the command line (mongod --auth) or through the configuration file. auth is a Boolean: adding auth=true to the old-style configuration file (or security.authorization: enabled in the YAML configuration file that 3.0 also accepts) turns it on. So what is a keyFile for?
The difference between auth and keyFile:
auth: authentication of clients against a single instance
keyFile: internal authentication between the members of a replica set or sharded cluster
A replica set is a single unit, and its members have to verify each other's identity when they communicate; without a keyFile a node has no way to trust the other nodes. The keyFile is the shared secret that cluster members use to prove their identity to each other. Note that starting mongod with a keyFile also enables client authentication (--keyFile implies --auth). The keyFile can be created with the openssl command:
[root@localhost ~]# openssl rand -base64 111 > .keyFile
[root@localhost ~]# cat .keyFile
EG8ABQZU9C87lPRKFVbClBYhxTw8Hyv91NkOoqLBF3eRfnAUxPCTcevB82fYM+Zo+tPOjnsPiVZrCZmAsG26ZFrB/SHhTj/E+F3QARFWKnm4DJNBhzLnjZOKtoao61BMcRAye0H7HG0geMQtbGBX
Do not create users before the keyFile is in place: if you do, the user creation may be rolled back when the members are restarted with the keyFile configuration. Create the keyFile first, enable authentication, and only then create users.
Notes on the keyFile:
1. Content: characters from the base64 set [a-zA-Z0-9+/] (whitespace is ignored)
2. Length: between 6 and 1024 characters (the example above is 148 characters; the MongoDB documentation's openssl rand -base64 756 gives 1008)
3. Permissions: chmod 600 .keyFile (mongod refuses to start with a keyFile that is group- or world-readable)
Now let's go through it step by step.
Create a user
Syntax:
db.createUser(
  {
    user: "<name>",                                      // string
    pwd: "<password>",                                   // string
    roles: [ { role: "<role>", db: "<database>" }, ... ] // array of role documents (or role-name strings)
  }
)
To create the root user we first enabled auth, but the database has no users yet. MongoDB's localhost exception covers this case: while no user exists, a connection from localhost may create the first user without authenticating. The exception is controlled by the server parameter enableLocalhostAuthBypass, which is on by default, so it only needs to be passed explicitly (setParameter enableLocalhostAuthBypass=1) if it was turned off. Once the first user exists the exception no longer applies, so the first user you create should be the administrator.
The root user is a global user and must be created in the admin database only.
> db.createUser({user:'admin', pwd:'123123', roles:[{role:'root', db:'admin'}]})
Successfully added user: {
    "user" : "admin",
    "roles" : [
        {
            "role" : "root",
            "db" : "admin"
        }
    ]
}
[root@localhost ~]# mongo localhost:27017
MongoDB shell version: 3.0.12
connecting to: localhost:27017/test
> show dbs
admin  0.078GB
local  0.078GB
> use admin
switched to db admin
> show users
{
    "_id" : "admin.admin",
    "user" : "admin",
    "db" : "admin",          # the database the user was created in
    "roles" : [
        {
            "role" : "root",
            "db" : "admin"   # the database the role is defined in (its scope)
        }
    ]
}
> db.auth('admin', '123123')   # authenticate
1                              # 1 means authentication succeeded (0 means it failed)
Delete a user:
1. db.dropUser("<name>") deletes one user from the current database
2. db.dropAllUsers() deletes all users in the current database
Change a user's password:
db.changeUserPassword("<name>", "<newPassword>"), run against the database in which the user was created
Roles:
What is a role: a collection of privileges (actions) on a set of resources.
What roles does MongoDB have? There are two kinds:
1. Built-in roles
Database user roles: read, readWrite
Database administration: dbAdmin, dbOwner, userAdmin
Cluster administration: clusterAdmin, clusterManager, clusterMonitor, hostManager
Backup and restore: backup, restore
All-database roles: readAnyDatabase, readWriteAnyDatabase, userAdminAnyDatabase, dbAdminAnyDatabase
Superuser: root
2. Custom roles
Syntax:
use admin
db.createRole(
  {
    role: "<name>",                                          // role name
    privileges: [
      { resource: { db: "<database>", collection: "<collection>" },
        actions: [ "<action>", ... ] }                       // actions are fine-grained; each one corresponds to specific commands
    ],
    roles: [ { role: "<role>", db: "<database>" }, ... ]     // roles this role inherits from (optional)
  }
)
Create a role:
> use ycj
> db
ycj
> db.createRole({role:'testycj', privileges:[{resource:{db:'ycj', collection:''}, actions:['find','insert','remove']}], roles:[{role:'read', db:'test'}]})
Error: Roles on the 'ycj' database cannot be granted roles from other databases
(A role stored in a database other than admin may only inherit roles from that same database and may only hold privileges on that database's resources; roles stored in admin may inherit roles from any database.)
So switch to the admin database with > use admin and run the same db.createRole(...) there; this time it succeeds, because a role stored in admin is allowed to inherit read from test. Note that the role now lives in admin, not in ycj.
> show users   # users of the current database
{
    "_id" : "admin.admin",
    "user" : "admin",
    "db" : "admin",
    "roles" : [
        {
            "role" : "root",
            "db" : "admin"
        }
    ]
}
View the roles defined in the admin database:
> show roles
{
    "role" : "readWriteAnyDatabase",
    "db" : "admin",
    "isBuiltin" : true,
    "roles" : [ ],
    "inheritedRoles" : [ ]
}
...
{
    "role" : "testycj",
    "db" : "admin",
    "isBuiltin" : false,
    "roles" : [
        {
            "role" : "read",
            "db" : "test"
        }
    ],
    "inheritedRoles" : [
        {
            "role" : "read",
            "db" : "test"
        }
    ]
}
{
    "role" : "userAdmin",
    "db" : "admin",
    "isBuiltin" : true,
    "roles" : [ ],
    "inheritedRoles" : [ ]
}
The admin database now lists our custom role testycj next to the built-in ones. The listing also shows that root is itself a composite of other built-in roles (in 3.0: readWriteAnyDatabase, dbAdminAnyDatabase, userAdminAnyDatabase and clusterAdmin). Because we created testycj in admin, the role's definition is stored there, so it has to be referenced as {role:'testycj', db:'admin'} when it is granted to a user, even though the privileges it carries apply to the ycj database.
> db.runCommand({usersInfo:'admin', showPrivileges:1})   # everything about this user, privileges included
{
    "users" : [
        {
            "_id" : "admin.admin",
            "user" : "admin",
            "db" : "admin",              # the database the user was created in
            "roles" : [
                {
                    "role" : "root",
                    "db" : "admin"
                }
            ],
            "inheritedRoles" : [         # roles inherited through the granted roles
                {
                    "role" : "root",
                    "db" : "admin"
                }
            ],
            "inheritedPrivileges" : [
                {
                    "resource" : {
                        "cluster" : true   # privileges on the cluster resource
                    },
                    "actions" : [          # the actions granted on that resource
                        "addShard",
                        "appendOplogNote",
                        "applicationMessage",
                        "authSchemaUpgrade",
                        "cleanupOrphaned",
                        "connPoolStats",
...
Next, create a user that holds the testycj role:
> use admin
> db.createUser({user:'ycj', pwd:'123', roles:[{role:'testycj', db:'admin'}]})
> db.auth('ycj', '123')
1
Now open two remote terminal sessions, A and B, to test it:
A: ycj
B: admin