MongoDB 3.6 user white list (reprint)


MongoDB 3.6 Authentication IP Restrictions 

Foreword

Reading this title, you may have had the same reaction I did: MongoDB has finally added what I consider one of the more important modules for a security-minded database, the IP whitelist.

As everyone knows, MySQL, Oracle, SQL Server and the other well-known databases have all done considerable work on security:

- IP whitelist
- Permissions distinguished by database and by table
- Separate assignment of rights such as insert, delete, update, select, transaction and ADMIN

Oracle even provides roles that logically combine different privileges, and MySQL has made corresponding adjustments in this respect as well.

Looking back at MongoDB: it started with the simplest username + password, later introduced the concepts of Built-in Roles, Custom Roles and Privileges, and now in the upcoming 3.6 the default bind_ip has been changed to localhost, a change clearly influenced by the Bitcoin incidents.

In 3.6 the newly added authenticationRestrictions is what fills the IP whitelist gap.

So let us look at how this feature, which is very attractive to me, is actually implemented.

Reasoning

First, take a look at the official MongoDB documentation: https://docs.mongodb.com/master/reference/method/db.createUser/#authentication-restrictions

Field Name | Value | Description
clientSource | Array of IP addresses and/or CIDR ranges | If present, when authenticating a user, the server verifies that the client's IP address is either in the given list or belongs to a CIDR range in the list. If the client's IP address is not present, the server does not authenticate the user.
serverAddress | Array of IP addresses and/or CIDR ranges | A list of IP addresses or CIDR ranges to which the client can connect. If present, the server will verify that the client's connection was accepted via an IP address in the given list. If the connection was accepted via an unrecognized IP address, the server does not authenticate the user.

In simple terms, clientSource whitelists the client's IP address, and serverAddress whitelists the IP address on the server side.

The question is this: the client IP is easy to understand, it is simply the address the connection comes from, and we all agree on that. But what about the server IP? What does it mean? Here the server IP refers to the host address the client specifies when connecting, for example mongo --host=192.168.56.101; serverAddress must then contain 192.168.56.101. And what does "contain" mean here? As with MySQL, you can open a whole B or C class segment rather than a single address; only the syntax differs slightly: MySQL writes 192.168.56.*, MongoDB writes 192.168.56.0/24. If you are using a driver it is the same: the IP given in the host parameter is what is matched.

So let us go through it in practice.

Demonstration

1. Create the application account miracle

use admin

// administrative superuser
db.createUser(
  {
    user: "root",
    pwd: "root",
    roles: [ { role: "root", db: "admin" } ]
  }
)

// application account, restricted to one client IP and one server address
db.createUser(
  {
    user: "miracle",
    pwd: "young",
    roles: [ { role: "readWrite", db: "young" } ],
    authenticationRestrictions: [ {
      clientSource: ["192.168.31.246"],
      serverAddress: ["192.168.31.246"]
    } ]
  }
)

2. Restart the database with authentication enabled

3. Log in as miracle and verify

4. Reconnect in the format that meets the requirements (specifying the host address)

5. The reason step 4 fails is that 3.6 defaults to bind_ip = localhost; I overlooked this at the beginning and it cost me a long time. Restart the database with --bind_ip_all.

6. Reconnect
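As an added illustration (not part of the original post), the following Python models the check described in the documentation table above and reproduces the step 4/5 failure: with bind_ip = localhost the connection is accepted on 127.0.0.1, which is not in serverAddress. The restriction data mirrors the miracle user; the MySQL wildcard converter and treating several restriction documents as alternatives are my assumptions, not something the page states.

```python
import ipaddress

# Constructed to mirror the miracle user created in step 1.
MIRACLE_RESTRICTIONS = [
    {"clientSource": ["192.168.31.246"], "serverAddress": ["192.168.31.246"]},
]


def mysql_wildcard_to_cidr(pattern: str) -> str:
    """Turn a MySQL-style host pattern ('192.168.56.%' or '192.168.56.*')
    into the CIDR form MongoDB expects ('192.168.56.0/24'). Assumption:
    only whole trailing octets are wildcarded."""
    octets = pattern.split(".")
    fixed = [o for o in octets if o not in ("%", "*")]
    if len(fixed) == 4:
        return f"{pattern}/32"            # a single host
    prefix = len(fixed) * 8
    base = ".".join(fixed + ["0"] * (4 - len(fixed)))
    return str(ipaddress.ip_network(f"{base}/{prefix}"))


def _in_list(addr: str, entries) -> bool:
    """True if addr equals a listed IP or falls inside a listed CIDR range."""
    ip = ipaddress.ip_address(addr)
    return any(ip in ipaddress.ip_network(e, strict=False) for e in entries)


def restriction_allows(restriction: dict, client_ip: str, server_ip: str) -> bool:
    """One authenticationRestrictions document: every key present must match.
    client_ip is where the connection comes from; server_ip is the local
    address on which the server accepted it (what --host pointed at)."""
    if "clientSource" in restriction and not _in_list(client_ip, restriction["clientSource"]):
        return False
    if "serverAddress" in restriction and not _in_list(server_ip, restriction["serverAddress"]):
        return False
    return True


def user_allowed(restrictions, client_ip: str, server_ip: str) -> bool:
    """Assumption: with several documents, satisfying any one is enough."""
    if not restrictions:
        return True                        # no restrictions configured
    return any(restriction_allows(r, client_ip, server_ip) for r in restrictions)


if __name__ == "__main__":
    # Step 4/5: bind_ip = localhost means the server accepted on 127.0.0.1.
    print("step 4 (bind_ip localhost):", user_allowed(MIRACLE_RESTRICTIONS, "192.168.31.246", "127.0.0.1"))
    print("step 6 (--bind_ip_all):   ", user_allowed(MIRACLE_RESTRICTIONS, "192.168.31.246", "192.168.31.246"))
```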


Summary

At this point MongoDB's IP whitelist feature has been verified. I hope it helps developers control permissions more securely in real-world maintenance.

Shanghai chubby [MiracleYoung], original address: https://segmentfault.com/u/shanghaixiaopang/articles


Origin: www.cnblogs.com/xibuhaohao/p/12607010.html