Detailed explanation of MongoDB security authentication

Authentication

MongoDB security authentication

Introduction

By default MongoDB has no user accounts at all and accepts connections without any authentication. In a real deployment access control must be enabled and every client must authenticate, otherwise anyone who can reach the port can read, modify or drop the data.

Authentication related operations

Start the MongoDB container in Docker with access control enabled (the trailing --auth is passed through to mongod)

docker run -itd --name mongo5 -p 27017:27017 mongo:xxx --auth



Back up the data (before access control is enabled; once --auth is on, mongodump needs -u, -p and --authenticationDatabase in the same way as the restore command below)

mongodump -h 127.0.0.1:27017 -d mydb -o /usr/local



Restore the data (authenticating as the root user from the admin database). Giving the password after -p on the command line leaves it in the shell history and the process list; pass -p with no value and mongorestore prompts for it instead.

mongorestore -h localhost -u root -p 123456 --db mydb /dump/mydb --authenticationDatabase admin

Role-based access control

Users are assigned roles, and each role is scoped to one database

Note: the built-in roles are fixed and cannot be edited in MongoDB; custom roles can be defined with db.createRole()

use admin
db.createUser(
{
user: "<username>",
pwd: "<password>",
roles: [
{ role: "<role>", db: "<database>" },
{ role: "<role>", db: "<database>" }
]
}
)

The user is created in the current database (admin here), which becomes its authentication database: db.auth() for that user must later be run in the same database, even if its roles point at other databases.

User commands

Change a password

db.changeUserPassword('<username>', '<new password>')


Add roles

db.grantRolesToUser('<username>', [{ role: '<role>', db: '<database>' }])


Delete a user

db.dropUser("<username>")


Authenticate as a user (run in the user's authentication database; returns 1 on success, { ok: 1 } in mongosh)

db.auth("<username>", "<password>")

Built-in roles

root: superuser; combines readWriteAnyDatabase, dbAdminAnyDatabase, userAdminAnyDatabase, clusterAdmin, backup and restore
read: read data in the specified database
readWrite: read and write data in the specified database
dbAdmin: administrative tasks on the specified database (indexes, statistics, validation, compaction and similar); it does not include the read or readWrite privileges on user data, although it can drop collections and the database itself
userAdmin: create, delete and manage users and roles in the specified database (a userAdmin on admin can grant itself any role, so treat it as an administrator)
readAnyDatabase: read data in every database except config and local
readWriteAnyDatabase: read and write data in every database except config and local
userAdminAnyDatabase: create and manage users in every database except config and local
dbAdminAnyDatabase: the dbAdmin tasks on every database except config and local
backup: the privileges needed to back up data (used by mongodump)
restore: the privileges needed to restore data from a backup (used by mongorestore)

The four AnyDatabase roles and root exist only in the admin database, so a user holding them must be created there.

MongoDB groups the built-in roles as follows

Database user roles: read, readWrite
Database administration roles: dbAdmin, userAdmin
All-database roles (admin database only): readAnyDatabase, readWriteAnyDatabase, userAdminAnyDatabase, dbAdminAnyDatabase
Backup and restore roles: backup, restore
Superuser role: root

Administrator

Create the administrator

Before access control can be enforced, at least one administrator account must exist; users in the admin database are the administrators.
As long as no user has been created, starting mongod with --auth protects nothing yet: an unauthenticated connection from localhost is still accepted (the localhost exception, which exists precisely so that the first user can be created), so CRUD still works without any account or password and the security setting is effectively void. Create the administrator in admin before exposing the port to anyone else.
Enter the container (use the name given to docker run; it is mongo5 in the command at the top of this page)

docker exec -it mongo bash


Open the shell (in MongoDB 6.0 and later the bundled shell is mongosh instead of mongo)

mongo


Enter the admin database

use admin


Create an administrator account

db.createUser({ user: "root", pwd: "xx", roles: [{ role: "root", db: "admin" }] })


Verify that the user is added successfully

db.auth("root", "xx");


A return value of 1 (or { ok: 1 } in mongosh) means success

Administrator login

The client logs in as the root user. After passing authentication it holds all permissions on every database.
Enter the container

docker exec -it mongo bash


Open the shell (mongo, or mongosh in MongoDB 6.0 and later)

mongo


Log in as the administrator (db.auth must be run in admin, the database where root was created)

use admin

switched to db admin
db.auth("root","xx")

Ordinary users

Create ordinary users

Create the mydb database and two users in it: zhangsan with read and write access and lisi with read-only access, then test what each account can do. First, still logged in as the super administrator, populate mydb:

> use mydb
switched to db mydb
> db.c1.insert({name:"testdb1"})
WriteResult({ "nInserted" : 1 })
> db.c2.insert({name:" testdb1"})
WriteResult({ "nInserted" : 1 })
> show tables
c1
c2
> db.c1.find()
{ "_id" : ObjectId("62a00e5c1eb2c6ab85dd5eec"), "name" : "testdb1" }
> db.c1.find({})
{ "_id" : ObjectId("62a00e5c1eb2c6ab85dd5eec"), "name" : "testdb1" }
> show dbs
admin 0.000GB
config 0.000GB
local 0.000GB
mydb 0.

Ordinary user login

An ordinary user logs in the same way, but in the database it was created in (mydb here). The login succeeds, but the shell now shows far less: show dbs lists only mydb, because the other databases are hidden from a user that holds no role on them, and show tables lists only the collections of mydb. Switching to a database the user has no role on does not fail by itself, but every read or write there is rejected as unauthorized. In a word: a user can only operate inside the databases its roles cover.

> use mydb
switched to db mydb
> db.auth("zhangsan","123456")
1
> show dbs
mydb 0.001GB
> show tables
c1
c2
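The three accounts described in the administrator and ordinary-user sections above, as an added example that is not code from the original post: the createUser() documents for root (in admin), zhangsan (readWrite on mydb) and lisi (read on mydb), plus a small model of how MongoDB scopes its built-in roles, written here so the transcripts above (root can do everything, zhangsan only sees mydb) and lisi's read-only behaviour can be predicted offline. The role model is a simplification written for this page, not MongoDB's own authorization code, and the environment variable names MONGO_ROOT_PWD, ZHANGSAN_PWD and LISI_PWD are assumptions. The same file runs under node (pure functions only) and under mongosh with --file, where it also creates the users; mongosh exposes process.env, the legacy mongo shell does not.

```javascript
// Added example for this page, not MongoDB's or the post's own code.
// Bootstrap once, on the host where mongod listens (localhost exception):
//   MONGO_ROOT_PWD=... ZHANGSAN_PWD=... LISI_PWD=... mongosh --file users.js
// The environment variable names are assumptions made for this example.

// createUser() documents exactly as the post describes them: root in admin,
// zhangsan (readWrite) and lisi (read) in mydb, which is therefore their
// authentication database. Passwords arrive as arguments, never as literals.
function buildUserSpecs(rootPwd, zhangsanPwd, lisiPwd) {
  return {
    admin: [
      { user: "root", pwd: rootPwd, roles: [{ role: "root", db: "admin" }] },
    ],
    mydb: [
      { user: "zhangsan", pwd: zhangsanPwd, roles: [{ role: "readWrite", db: "mydb" }] },
      { user: "lisi", pwd: lisiPwd, roles: [{ role: "read", db: "mydb" }] },
    ],
  };
}

// Simplified action sets for the per-database built-in roles (a subset of
// the real privilege actions; backup and restore are left out of the model).
const ROLE_ACTIONS = {
  read: ["find", "listCollections"],
  readWrite: ["find", "listCollections", "insert", "update", "remove"],
  dbAdmin: ["collStats", "dbStats", "validate", "compact", "createIndex", "dropCollection"],
  userAdmin: ["createUser", "dropUser", "grantRole", "viewUser"],
};

// The *AnyDatabase roles exist only in admin and cover every database
// except config and local.
const ANY_DB_ROLES = {
  readAnyDatabase: "read",
  readWriteAnyDatabase: "readWrite",
  dbAdminAnyDatabase: "dbAdmin",
  userAdminAnyDatabase: "userAdmin",
};
const ANY_DB_EXCLUDED = new Set(["config", "local"]);

// Does a user holding `roles` (the array passed to createUser) get `action`
// on `targetDb`? A plain role is limited to the database it was granted on;
// root must be granted on admin and then covers everything.
function isAuthorized(roles, targetDb, action) {
  for (const { role, db: grantedDb } of roles) {
    if (role === "root" && grantedDb === "admin") return true;
    if (role in ROLE_ACTIONS) {
      if (grantedDb === targetDb && ROLE_ACTIONS[role].includes(action)) return true;
    } else if (role in ANY_DB_ROLES) {
      if (grantedDb === "admin" && !ANY_DB_EXCLUDED.has(targetDb) &&
          ROLE_ACTIONS[ANY_DB_ROLES[role]].includes(action)) return true;
    }
  }
  return false;
}

// What `show dbs` lists for such a user: only databases on which it holds
// some privilege, approximated here by probing one action per role family.
function visibleDatabases(roles, allDbs) {
  const probes = ["find", "collStats", "viewUser"];
  return allDbs.filter((d) => probes.some((a) => isAuthorized(roles, d, a)));
}

// Under mongosh `db` is defined; under node it is not, so the functions
// above can be exercised offline while the same file creates the users
// for real when run with mongosh --file.
if (typeof db !== "undefined") {
  const fromEnv = (name) => {
    const value = process.env[name]; // assumed variable names, see above
    if (!value) throw new Error(`environment variable ${name} is not set`);
    return value;
  };
  const specs = buildUserSpecs(fromEnv("MONGO_ROOT_PWD"), fromEnv("ZHANGSAN_PWD"), fromEnv("LISI_PWD"));
  for (const [dbName, users] of Object.entries(specs)) {
    for (const u of users) db.getSiblingDB(dbName).createUser(u);
  }
  // Same check the post uses: { ok: 1 } from mongosh (1 from the legacy shell).
  print(db.getSiblingDB("mydb").auth("lisi", fromEnv("LISI_PWD")));
}
```

Keeping the passwords in the environment rather than in the script or on the command line is what avoids the shell-history problem noted for mongorestore earlier; the model's isAuthorized() also makes explicit why zhangsan's `show dbs` lists only mydb and why granting readAnyDatabase on any database other than admin has no effect.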

Origin blog.csdn.net/m0_63040701/article/details/131688248