MongoDB permission settings

1. Default permission configuration

By default, mongod listens on 0.0.0.0, and any client can connect to port 27017 without authentication. The advantage is that a user can get started immediately without being distracted by a pile of configuration. The disadvantage is just as obvious: if MongoDB is deployed directly on a public-facing server, anyone can read and modify the database.

Also by default, mongod has no administrator account. So unless you add an administrator account in the admin database with the db.addUser() command and start mongod with the --auth parameter, anyone can execute every command on the database without authenticating, including deleting data and shutting the server down.

In addition, mongod listens on port 28017 by default, which is likewise bound to all IPs. This is the web monitoring interface that ships with mongod; from it you can obtain information such as the current connections, the log, the server status and the system it is running on. If you enable the --rest parameter, you can even query data directly through the web interface and execute mongod commands.

In fact, MongoDB itself has very detailed security configuration guidelines, so the developers clearly thought about this. However, they push the security work onto the user. This strategy favours ease of use; security has to stand aside.
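The defaults described in this section can be checked before a server goes live. The following Python script is an added example written for this article, not code from MongoDB or from the original post: it parses a 2.0-era mongod command line or "key = value" config file (--auth, --bind_ip, --port, --rest and --nohttpinterface are real 2.0 options; the sample command line is the one used in section 3 below, and the hardened config text is constructed) and reports every setting that leaves the server open.

```python
"""Audit a mongod 2.0-era startup configuration against the insecure defaults
described in the article: bind to all interfaces, no --auth, HTTP status
interface on port + 1000, and the --rest interface.  Example code added for
this article, not from MongoDB; the sample inputs are constructed."""

DEFAULT_PORT = 27017
# Switches that take no value in the 2.0 command-line syntax.
BOOL_FLAGS = {"auth", "noauth", "rest", "nohttpinterface", "fork", "journal", "nojournal"}


def parse_argv(argv):
    """mongod command line -> {option: value}; switches map to True."""
    opts = {}
    i = 1                          # argv[0] is the mongod binary itself
    while i < len(argv):
        tok = argv[i]
        if not tok.startswith("--"):
            raise ValueError("unexpected token %r" % tok)
        name = tok[2:]
        if "=" in name:            # --port=50107
            name, value = name.split("=", 1)
        elif name in BOOL_FLAGS:   # --auth
            value = True
        else:                      # --dbpath <path>
            i += 1
            if i >= len(argv):
                raise ValueError("option --%s expects a value" % name)
            value = argv[i]
        opts[name] = value
        i += 1
    return opts


def parse_config(text):
    """2.0 config file ('key = value', '#' comments) -> {option: value}."""
    opts = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        key, _, value = line.partition("=")
        value = value.strip()
        opts[key.strip()] = {"true": True, "false": False}.get(value.lower(), value)
    return opts


def effective_settings(argv=(), config_text=""):
    """Merge config file and command line; command-line options win."""
    opts = parse_config(config_text)
    opts.update(parse_argv(list(argv)) if argv else {})
    return opts


def audit(opts):
    """Return findings as (code, severity, message) tuples, in a fixed order."""
    findings = []
    port = int(opts.get("port", DEFAULT_PORT))
    bind_ips = [ip.strip() for ip in str(opts.get("bind_ip", "0.0.0.0")).split(",")]
    if any(ip in ("0.0.0.0", "::") for ip in bind_ips):
        findings.append(("BIND_ALL", "high",
                         "port %d is bound to all interfaces; set bind_ip" % port))
    if opts.get("auth") is not True or opts.get("noauth") is True:
        findings.append(("NO_AUTH", "high",
                         "authentication is off; create an admin user, then start with --auth"))
    if opts.get("nohttpinterface") is not True:
        findings.append(("HTTP_IFACE", "medium",
                         "HTTP status interface reachable on port %d; add --nohttpinterface"
                         % (port + 1000)))
        if opts.get("rest") is True:
            findings.append(("REST", "high",
                             "--rest lets the HTTP interface run queries and commands; remove it"))
    return findings


if __name__ == "__main__":
    # The command line from section 3 of the article: --auth is on, bind_ip is the default.
    section3_cmd = ["mongod", "--dbpath", r"d:\work\data\mongodb\db", "--auth"]
    for code, sev, msg in audit(effective_settings(section3_cmd)):
        print(sev.upper(), code, msg)
    # A constructed hardened config file: no findings.
    hardened = "bind_ip = 127.0.0.1\nauth = true\nnohttpinterface = true\nport = 50107\n"
    print(audit(effective_settings(config_text=hardened)))
```

Run against the section 3 command line, the audit still reports BIND_ALL and HTTP_IFACE: --auth alone does not stop the port and the status page from being reachable from every interface.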

2. MongoDB user types

MongoDB has two types of user: admin users and users of a specific database. Admin users have the highest privileges, while database users can only access their own database. When there are no users in MongoDB's admin database, that is, when MongoDB has no users at all, a client connecting through the localhost interface can still set up users even if --auth is turned on; otherwise the whole of MongoDB would be inaccessible. Once a user has been created, subsequent logins and operations must be authenticated rather than used directly.

MongoDB has an odd rule: even an admin user must authenticate under the admin database, not under any other database. After authenticating, the admin user can perform any operation in any database. A database-level user, of course, cannot operate in other databases after authenticating in its own. For example:

    > use test
    > db.auth("someAdminUser", "password")

The operation fails, indicating that the admin user has not been authenticated under the admin database.

3. Operation example

Start MongoDB and, in a cmd window, enter the bin directory of the database;

1. Enter the command show dbs. You will find two built-in databases, one named admin and one named local; this article only covers the admin database.

2. Enter the command use admin. You will find that the database contains a collection named system.users, a user table that stores the super administrators.

Remark: the database version used in this article is 2.0.1. There is no admin database by default; an admin database is created automatically after the second step. Likewise there is no system.users table by default; after running the third step, system.users and system.indexes are created automatically.

3. Enter the command db.addUser('root','root'). Here I add a super administrator user whose username is root and whose password is also root. Then exit the program (ctrl+c), restart the service, connect to MongoDB again and test whether you are prompted for a username and password.

4. Enter the command use admin

5. Enter the command show collections to view all the tables in the database. You will find that MongoDB does not prompt for a username and password. The reason, as mentioned at the start of the article, is that MongoDB has no access restrictions by default; we first need to configure it to require authentication.

6. Open a new cmd window and, in the bin directory of the MongoDB path, execute mongod --dbpath d:\work\data\mongodb\db --auth

7. Enter the command use admin

8. Enter the command show collections; the prompt is: "$err" : "unauthorized db:admin lock type:-1 client:127.0.0.1"

Clearly we are told there is no permission; use the username and password set above to access the collections.

9. Enter the command db.auth("root","root"). The output value is 1, meaning the user matched; if the username or password is wrong, the output is 0.

10. Enter the command show collections; the result is displayed successfully.

Continuing, you can access the existing databases but still have no permission on a newly created database. Continue as follows; first exit (ctrl+c) the service.

11. Enter the command mongo TestDB

12. Enter the command show collections; the prompt says no permission.

13. Enter the command db.auth("root", "root"). The output is 0, indicating a problem with the username or password. It was created just a moment ago, so how can it be wrong? The reason is that when we access a MongoDB database on its own and permission is required, the username and password are not those of the super administrator but of a user in that database's system.users table. Note that I am talking about separate access here; what about the case without separate access? I will come to that later. For the situation above, do the following:

14. Enter the command db.addUser('test','111111'). It still says there is no permission: the new database cannot be accessed as the super administrator, and there is no permission to create a user. But since a super administrator user has been set, it must have access to all databases:

15. Enter the command use admin

16. Enter the command db.auth("root", "root")

17. Enter the command use TestDB

18. Enter the command show collections, and the super administrator user can now access other databases. This is the case without separate access. In the operations above we first enter the admin database and then move to other databases. admin is the area where the highest-level user lives; for database operations we first go through the highest-level user, and only then can we create a user for each database.

19. Enter the command db.addUser('test','12345'). We add a user to the TestDB database; every time I access this database in the future I will use the user just created. Exit first (ctrl+c).

20. Enter the command mongo TestDB

21. Enter the command show collections; the prompt says no permission.

22. Enter the command db.auth('test','12345'). The output is 1: the user exists and authentication succeeded.

23. Enter the command show collections; the results are displayed successfully.
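The "unauthorized" error in step 8 and the failing db.auth() in step 13 are also recorded on the server side, which is where a defender would look for them. The Python script below is an added example, not part of the original article or of MongoDB: it scans mongod log lines for authorization failures and for connections from non-loopback clients, and raises alerts for remote clients that connect at all (the default bind_ip problem from section 1) or repeatedly fail authorization. The sample log lines are constructed for this example and shaped after the 2.0 log format; their "unauthorized db:... client:..." text follows the $err message quoted in step 8.

```python
"""Scan mongod (2.0-era) log lines for failed authorization and report which
clients tripped it and from where they connected.  Example code added for this
article; the sample lines are constructed and only shaped after the 2.0 log
format, so adjust the patterns to the real log before relying on them."""
import re
from collections import defaultdict
from ipaddress import ip_address

# "connection accepted from <ip>:<port> #<conn-id>"
CONN_RE = re.compile(r"connection accepted from ([\d.]+):\d+ #(\d+)")
# "[connN] assertion 10057 unauthorized db:<db> lock type:-1 client:<ip>"
UNAUTH_RE = re.compile(r"\[conn(\d+)\] .*unauthorized db:(\S+) .*client:([\d.]+)")
# "[connN] auth: couldn't find user <name>, <db>.system.users"  (step 13 above)
NOUSER_RE = re.compile(r"\[conn(\d+)\] auth: couldn't find user (\S+), (\S+)\.system\.users")

# Constructed sample log: one loopback client and one remote client.
SAMPLE_LOG = """\
Tue Nov 15 10:21:03 [initandlisten] connection accepted from 127.0.0.1:50112 #3
Tue Nov 15 10:21:05 [conn3] assertion 10057 unauthorized db:admin lock type:-1 client:127.0.0.1
Tue Nov 15 10:21:09 [initandlisten] connection accepted from 203.0.113.5:51234 #4
Tue Nov 15 10:21:10 [conn4] assertion 10057 unauthorized db:admin lock type:-1 client:203.0.113.5
Tue Nov 15 10:21:11 [conn4] assertion 10057 unauthorized db:TestDB lock type:-1 client:203.0.113.5
Tue Nov 15 10:21:12 [conn4] auth: couldn't find user root, TestDB.system.users
Tue Nov 15 10:21:12 [conn4] assertion 10057 unauthorized db:TestDB lock type:-1 client:203.0.113.5
Tue Nov 15 10:21:20 [initandlisten] connection accepted from 127.0.0.1:50118 #5
"""


def analyse(log_text, threshold=3):
    """Return per-client counters and a list of alert strings.

    Alerts: any non-loopback client that connected (the port should not be
    reachable from outside), and any non-loopback client that failed
    authorization `threshold` or more times across all databases."""
    conn_ip = {}                                     # conn id -> client ip
    unauth = defaultdict(lambda: defaultdict(int))   # ip -> db -> failure count
    nouser = defaultdict(list)                       # ip -> [(user, db), ...]
    remote_clients = set()

    for line in log_text.splitlines():
        m = CONN_RE.search(line)
        if m:
            ip, conn = m.groups()
            conn_ip[conn] = ip
            if not ip_address(ip).is_loopback:
                remote_clients.add(ip)
            continue
        m = UNAUTH_RE.search(line)
        if m:
            _conn, db, ip = m.groups()
            unauth[ip][db] += 1
            continue
        m = NOUSER_RE.search(line)
        if m:
            conn, user, db = m.groups()
            # The "no user" line carries no client ip; map it back via the conn id.
            nouser[conn_ip.get(conn, "?")].append((user, db))

    alerts = []
    for ip in sorted(remote_clients):
        alerts.append("remote client %s connected: bind_ip is not restricted" % ip)
    for ip, dbs in sorted(unauth.items()):
        total = sum(dbs.values())
        if total >= threshold and not ip_address(ip).is_loopback:
            alerts.append("%s failed authorization %d times on %s"
                          % (ip, total, ", ".join(sorted(dbs))))
    return {
        "unauthorized": {ip: dict(d) for ip, d in unauth.items()},
        "missing_users": dict(nouser),
        "alerts": alerts,
    }


if __name__ == "__main__":
    for alert in analyse(SAMPLE_LOG)["alerts"]:
        print("ALERT", alert)
```

On the constructed sample the loopback client's single failure is counted but not alerted, while the remote client produces two alerts: one for connecting at all, one for three failures spread over admin and TestDB.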

4. Various parameters for starting and stopping MongoDB

See: http://blog.csdn.net/pgwindwind/article/details/8005262

For example, to change MongoDB's default port, use the --port parameter like this:

Open cmd and, in the bin directory of the MongoDB path, execute mongod --port 50107 --dbpath d:\work\data\mongodb\db --auth

MongoDB is then accessed on port 50107.
