MongoDB security authentication
Introduction
MongoDB has no accounts by default and can be connected to directly without authentication. In real projects, however, authentication and authorization must be enforced; otherwise the consequences can be disastrous.
Authentication-related operations
Docker creates MongoDB container in auth mode
docker run -itd --name mongo5 -p 27017:27017 mongo:xxx --auth
backup data
mongodump -h 127.0.0.1:27017 -d mydb -o /usr/local
Restoring data (after user authentication)
mongorestore -h localhost -u root -p 123456 --db mydb /dump/mydb --authenticationDatabase admin
Knowledge of role-based access control
Users are assigned roles, and each role is scoped to a database
Note: roles are fixed and cannot be changed in MongoDB
use admin;
db.createUser(
  {
    user: "账号",   // account name
    pwd: "密码",    // password
    roles: [
      { role: "角色", db: "数据库" },   // role name and the database it applies to
      { role: "角色", db: "数据库" }    // a user may hold several roles
    ]
  }
)
User commands
Change password
db.changeUserPassword('账号', '密码');
Add roles
db.grantRolesToUser('用户名', [{ role: '角色名', db: '数据库名' }])
Delete a user
db.dropUser("用户名")
Authenticate a user (returns 1 when authentication succeeds)
db.auth("账号", "密码")
Built-in roles
root: super account with full authority
read: allows the user to read the specified database
readWrite: allows the user to read and write the specified database
dbAdmin: can read any database and clean up, modify, compress, obtain statistics, perform checks, etc.
userAdmin: can create, delete and manage users in the specified database
readAnyDatabase: can read data in any database, except the config and local databases
readWriteAnyDatabase: can read and write data in any database, except the config and local databases
userAdminAnyDatabase: can create and modify users in any database, except the config and local databases
dbAdminAnyDatabase: can read any database and clean up, modify, compress, obtain statistics, perform checks and other operations, except the config and local databases
backup: permission to back up data
restore: permission to restore from backup data
The default role groups in MongoDB
Database user roles: read, readWrite
Database administration roles: dbAdmin, userAdmin
All-database roles: readAnyDatabase, readWriteAnyDatabase, userAdminAnyDatabase, dbAdminAnyDatabase
Backup and restore roles: backup, restore
Superuser role: root
Administrator
Create the administrator
Before security checks are enabled on the MongoDB server, at least one administrator account is required. Users in the admin database are regarded as administrators.
If the admin database contains no users, then even when users have been created in other databases and authentication is enabled, the default connection still has full permissions: CRUD can be performed without supplying an account and password, so the security authentication is effectively ineffective.
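The two conditions described above (accounts holding root or the AnyDatabase roles, and an admin database with no users at all) are what an operator most wants to check before trusting a deployment. The following is an added example, not code from the original post: a small audit that runs as plain JavaScript over documents shaped like admin.system.users entries ({ user, db, roles: [{ role, db }] }). The sample user list is constructed here; the names zhangsan and lisi come from the post, "reporter" is invented. Under mongosh or the legacy mongo shell (where the global db exists) the guarded call at the end feeds it real data, which requires a root or userAdminAnyDatabase login.

```javascript
// Added example (not from the original post): audit MongoDB users for
// (a) the "no user in admin" condition, under which the default connection
// keeps full permissions, and (b) accounts holding cross-database or
// super-user built-in roles.

// Built-in roles that reach beyond a single database. Every one of these is
// only definable on the admin database, so a grant on any other db is a mistake.
const HIGH_PRIVILEGE_ROLES = new Set([
  "root",
  "readAnyDatabase",
  "readWriteAnyDatabase",
  "userAdminAnyDatabase",
  "dbAdminAnyDatabase",
  "backup",
  "restore",
]);

// True when at least one user is defined in the admin database.
function hasAdminUser(users) {
  return users.some((u) => u.db === "admin");
}

// Returns an array of finding strings; an empty array means nothing to review.
function auditUsers(users) {
  const findings = [];
  if (!hasAdminUser(users)) {
    findings.push("no user defined in admin: authentication is not effectively enforced");
  }
  for (const u of users) {
    for (const r of u.roles || []) {
      if (!HIGH_PRIVILEGE_ROLES.has(r.role)) continue;
      const where = r.db === "admin" ? "" : ` (invalid: ${r.role} only exists on admin)`;
      findings.push(`${u.db}.${u.user}: holds ${r.role}@${r.db}${where}`);
    }
  }
  return findings;
}

// Constructed sample in the shape of admin.system.users documents.
const SAMPLE_USERS = [
  { user: "root", db: "admin", roles: [{ role: "root", db: "admin" }] },
  { user: "zhangsan", db: "mydb", roles: [{ role: "readWrite", db: "mydb" }] },
  { user: "lisi", db: "mydb", roles: [{ role: "read", db: "mydb" }] },
  { user: "reporter", db: "mydb", roles: [{ role: "readAnyDatabase", db: "admin" }] },
];

// Inside a MongoDB shell run the audit on real data; otherwise use the sample.
if (typeof db !== "undefined") {
  printjson(auditUsers(db.getSiblingDB("admin").getCollection("system.users").find().toArray()));
} else {
  console.log(auditUsers(SAMPLE_USERS));
}
```

On the sample the audit reports exactly two lines, root and reporter; removing the root entry adds the "no user defined in admin" finding, which is the situation the paragraph above warns about.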
Enter the container
docker exec -it mongo bash
enter terminal
mongo
Enter the admin database
use admin
Create an administrator account
db.createUser({ user: "root", pwd: "xx", roles: [{ role: "root", db: "admin" }] })
Verify that the user is added successfully
db.auth("root", "xx");
If it returns 1, it means success
Administrator login
The client administrator logs in as the root user; after passing security authentication, this account has full permissions on all databases.
Enter the container
docker exec -it mongo bash
enter terminal
mongo
log in as administrator
use admin
switched to db admin
db.auth("root","xx")
Ordinary users
Create ordinary users
Create the mydb database and two users: zhangsan with read and write permissions and lisi with read-only permissions, in order to test what these two accounts are allowed to do. First log in as the super administrator to test permissions:
> use mydb
switched to db mydb
> db.c1.insert({name:"testdb1"})
WriteResult({ "nInserted" : 1 })
> db.c2.insert({name:" testdb1"})
WriteResult({ "nInserted" : 1 })
> show tables
c1
c2
> db.c1.find()
{ "_id" : ObjectId("62a00e5c1eb2c6ab85dd5eec"), "name" : "testdb1" }
> db. c1.find({})
{ "_id" : ObjectId("62a00e5c1eb2c6ab85dd5eec"), "name" : "testdb1" }
> show dbs
admin 0.000GB
config 0.000GB
local 0.000GB
mydb 0.
Ordinary user login
Ordinary users log in in the same way, authenticating directly against the mydb database as shown below. The login succeeds, but compared with the administrator's session much is missing from the output afterwards: the show dbs and show tables commands fail for other databases, and a user cannot operate on a database they have not been authorized for, because of insufficient privileges. In short, a user can only operate within the databases and scope of their authority.
> db.auth("zhangsan","123456")
1
> show dbs
mydb 0.001GB
> show tables
c1
c2
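The post describes creating zhangsan (readWrite on mydb) and lisi (read on mydb) but does not show the createUser calls or a check that lisi's session really is read-only. The following is an added example, not code from the original post. The pure parts (building the createUser documents, probing whether a write is refused) run as plain JavaScript against constructed stand-ins; in a MongoDB shell, createOrdinaryUsers is called once from the root session and writeIsRefused from a separate session started as lisi. The password 123456 for zhangsan is the one used in the post; LISI_PASSWORD is a placeholder, and the error text "not authorized on mydb to execute command" (error code 13) is the form MongoDB uses for an authorization failure.

```javascript
// Added example (not from the original post): build least-privilege ordinary
// accounts and verify the read-only boundary from the user's own session.

// Per-database built-in roles appropriate for an ordinary user; cross-database
// roles are deliberately not accepted here.
const ORDINARY_ROLES = new Set(["read", "readWrite", "dbAdmin", "userAdmin"]);

// Build the argument for db.createUser(), rejecting anything outside the
// per-database roles so a typo like "readwrite" or a stray "root" cannot slip in.
function userSpec(name, pwd, role, dbName) {
  if (!ORDINARY_ROLES.has(role)) {
    throw new Error(`role ${role} is not a per-database role; refusing to build spec`);
  }
  if (typeof pwd !== "string" || pwd.length === 0) {
    throw new Error("password must be a non-empty string");
  }
  return { user: name, pwd: pwd, roles: [{ role: role, db: dbName }] };
}

// Probe whether a write is refused on a collection handle. MongoDB reports an
// authorization failure as error code 13 with a message starting
// "not authorized on <db> to execute command"; any other error is re-thrown
// so a network or syntax problem is not mistaken for a permission check.
function writeIsRefused(collection) {
  try {
    collection.insertOne({ name: "authz-probe" });
    return false;
  } catch (e) {
    if (e.code === 13 || /not authorized/i.test(String(e.message || e))) return true;
    throw e;
  }
}

const LISI_PASSWORD = "CHANGE-ME-placeholder"; // placeholder, not from the post
const ZHANGSAN = userSpec("zhangsan", "123456", "readWrite", "mydb");
const LISI = userSpec("lisi", LISI_PASSWORD, "read", "mydb");

// Create both accounts on a mydb handle; returns the user names created.
// In the shell, as root:  createOrdinaryUsers(db.getSiblingDB("mydb"))
function createOrdinaryUsers(mydb) {
  for (const spec of [ZHANGSAN, LISI]) mydb.createUser(spec);
  return [ZHANGSAN.user, LISI.user];
}

// In a second shell started as lisi, e.g.
//   mongosh -u lisi -p <password> --authenticationDatabase mydb
// run writeIsRefused(db.c1); it must return true, while db.c1.find() still works.
if (typeof db === "undefined") {
  console.log("specs built:", ZHANGSAN.user, LISI.user);
}
```

Keeping the authorization probe in the user's own session matters: checking from the root session only proves what root can do, not what lisi cannot.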