Create a MongoDB user

Enabling authentication in MongoDB

By default MongoDB accepts connections without any authentication. If the machine is reachable from the public network and nobody pays attention to the MongoDB port (27017 by default) being open, the database becomes a security risk: anyone who finds the port can connect and take over the database.

Environment vulnerable to intrusion

  • MongoDB is started with the default mongod command (no authentication)
  • The machine is reachable from the public network
  • The MongoDB port is exposed to the public Internet

Security risks

  • Leakage of private data
  • The database being emptied (data deleted)
  • The database running slowly

Solution

1. Block public access to the MongoDB port

1.1 Network configuration

Network configuration varies, so it has to be set up according to your actual environment and is not described in detail here. In general, access can be blocked in the following ways:

  • Remove any port forwarding for the port in the router
  • Block access with an iptables firewall rule

1.2 Verify whether the port is reachable

From a machine outside your network, run on the command line:

    telnet your.machine.open.ip 27017

If the connection is refused or times out, the port is not reachable from outside; if telnet connects, the port is still exposed.

2. Enable authentication

2.1 Create an administrator account

Database version used here: MongoDB 3.4

Start mongod in a new terminal:

mongod --port 27017 --dbpath /data/db1

If you use the default port and data path, these parameters can be omitted; if you use custom values, add them accordingly (the same applies below).

From another terminal, run the following commands:

    mongo --port 27017

    use admin

    db.createUser(
      {
        user: "adminUser",
        pwd: "adminPass",
        roles: [ { role: "userAdminAnyDatabase", db: "admin" } ]
      }
    )

The administrator was created successfully; we now have a user administrator:
username: adminUser
password: adminPass
Then disconnect from MongoDB and shut the database down by pressing Ctrl-C in both terminals.

2.2 Logging in with MongoDB user authentication

Start MongoDB with access control enabled, in a new terminal:

mongod --auth --port 27017 --dbpath /data/db1

There are two ways to authenticate a user.
First (similar to MySQL): specify the user name, password and authentication database when the client connects:

mongo --port 27017 -u "adminUser" -p "adminPass" --authenticationDatabase "admin"

Second: connect the client first, then authenticate:

    mongo --port 27017

    use admin
    db.auth("adminUser", "adminPass")

    // output 1 means authentication succeeded

2.3 Create a regular user

The process is the same as creating the administrator account, only the roles differ:

    use foo

    db.createUser(
      {
        user: "simpleUser",
        pwd: "simplePass",
        roles: [ { role: "readWrite", db: "foo" },
                 { role: "read", db: "bar" } ]
      }
    )

Now we have a regular user:
username: simpleUser
password: simplePass
permissions: read and write on database foo, read-only on database bar.

Note
use foo means the user is created in the foo database, so you must authenticate against the database that holds the user's record. For example, although simpleUser above has read access to the bar database, it must first authenticate against foo; switching to bar and authenticating there directly will fail.

    use foo
    db.auth( "simpleUser", "simplePass")

    use bar
    show collections

Another point to note: if the admin database has no users at all, then even if users have been created in other databases and authentication is enabled, the default connection will still have full privileges.
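Steps 2.1 to 2.3 can be turned into a single script for the mongo shell. The script below is an added example and is not from the original post: it creates the same administrator and application user idempotently (safe to re-run), shows the point made in the note above by authenticating against the database that holds the user record, and audits a user's roles so that an unexpected privilege grant is noticed. The user names and passwords are the post's placeholders; the function names and the `authDb` field are assumptions of this example.

```javascript
// Added example: an idempotent bootstrap script for the mongo shell (3.x),
// not from the original post. Run it against an instance started WITHOUT
// --auth, e.g.:  mongo --port 27017 bootstrap-auth.js
// The credentials below are placeholders from the post; in practice read
// them from a secrets store rather than committing them.

// Create a user only if it does not already exist, so re-running is safe.
function ensureUser(targetDb, spec) {
  if (targetDb.getUser(spec.user) !== null) {
    return { user: spec.user, created: false };
  }
  targetDb.createUser({ user: spec.user, pwd: spec.pwd, roles: spec.roles });
  return { user: spec.user, created: true };
}

// Steps 2.1 and 2.3: an administrator in "admin", an application user in its own database.
function bootstrapUsers(adminDb, adminSpec, appSpec) {
  var results = [];
  results.push(ensureUser(adminDb, {
    user: adminSpec.user,
    pwd: adminSpec.pwd,
    roles: [{ role: "userAdminAnyDatabase", db: "admin" }]
  }));
  // The application user is created in appSpec.authDb (e.g. "foo"), not in admin.
  results.push(ensureUser(adminDb.getSiblingDB(appSpec.authDb), {
    user: appSpec.user,
    pwd: appSpec.pwd,
    roles: appSpec.roles
  }));
  return results;
}

// The note in 2.3: authenticate against the database that holds the user record,
// even when the data you want lives elsewhere. Returns the auth result (1 = ok).
function authenticateAs(anyDb, authDb, user, pwd) {
  return anyDb.getSiblingDB(authDb).auth(user, pwd);
}

// Check that a user has exactly the expected roles; run it after a bootstrap
// or periodically so that a quietly added "root" role is detected.
function hasExactRoles(targetDb, user, expectedRoles) {
  var info = targetDb.getUser(user);
  if (info === null) return false;
  var actual = info.roles.map(function (r) { return r.role + "@" + r.db; }).sort();
  var expected = expectedRoles.map(function (r) { return r.role + "@" + r.db; }).sort();
  return actual.join(",") === expected.join(",");
}

// Entry point when run inside the mongo shell, where `db` is a global.
if (typeof db !== "undefined") {
  var report = bootstrapUsers(db.getSiblingDB("admin"),
    { user: "adminUser", pwd: "adminPass" },
    { user: "simpleUser", pwd: "simplePass", authDb: "foo",
      roles: [{ role: "readWrite", db: "foo" }, { role: "read", db: "bar" }] });
  printjson(report);
}
```

After running it, restart mongod with --auth as in 2.2; the role audit can then be run as the administrator to confirm that simpleUser still has only readWrite on foo and read on bar.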

2.4 Built-in roles

  • read: allows the user to read the specified database
  • readWrite: allows the user to read and write the specified database
  • dbAdmin: allows the user to perform administrative tasks on the specified database, such as creating and dropping indexes, viewing statistics or accessing system.profile
  • userAdmin: allows the user to write to system.users, i.e. to create, delete and manage users in the specified database
  • clusterAdmin: only available in the admin database; gives the user all privileges related to sharding and replica sets
  • readAnyDatabase: only available in the admin database; gives the user read access to all databases
  • readWriteAnyDatabase: only available in the admin database; gives the user read and write access to all databases
  • userAdminAnyDatabase: only available in the admin database; gives the user userAdmin privileges on all databases
  • dbAdminAnyDatabase: only available in the admin database; gives the user dbAdmin privileges on all databases
  • root: only available in the admin database; the superuser account with full privileges

2.5 Connecting with a URI

In production the database is commonly connected to using a URI of the form:

    mongodb://your.db.ip.address:27017/foo

With the user name and password added for authentication:

mongodb://simpleUser:simplePass@your.db.ip.address:27017/foo
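Two things the URI form makes easy to get wrong: a password containing "@", ":" or "/" must be percent-encoded or the URI is parsed incorrectly, and a URI with the password embedded must not be written to logs as-is. The helpers below are an added example in plain JavaScript (Node.js or the mongo shell), not part of the original post; the host name is the post's placeholder, the passwords with special characters are constructed, and the function names are assumptions of this example. The authSource query parameter is a standard MongoDB URI option for the case where the user record lives in a different database (as with simpleUser in foo reading from bar).

```javascript
// Added example (not from the original post): building and redacting
// MongoDB connection URIs. Host name is the post's placeholder.

// Build a URI, percent-encoding user and password so that characters such as
// "@", ":" or "/" in a password cannot break the URI or be read as a host name.
function buildMongoUri(opts) {
  var uri = "mongodb://";
  if (opts.user) {
    uri += encodeURIComponent(opts.user) + ":" + encodeURIComponent(opts.pwd) + "@";
  }
  uri += opts.host + ":" + (opts.port || 27017) + "/" + opts.db;
  // The user from section 2.3 lives in "foo"; when the target database differs
  // from the one holding the user record, name that database with authSource.
  if (opts.authSource && opts.authSource !== opts.db) {
    uri += "?authSource=" + encodeURIComponent(opts.authSource);
  }
  return uri;
}

// Replace the password with a fixed marker before a URI goes into logs,
// error messages or configuration dumps. URIs without credentials are unchanged.
function redactMongoUri(uri) {
  return uri.replace(/^(mongodb(?:\+srv)?:\/\/[^:\/@]+:)[^@]*(@)/, "$1***$2");
}
```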


Original article: https://blog.csdn.net/qq_32502511/article/details/80619277
Reposted from: https://blog.csdn.net/singgel/article/details/79407774

Origin: www.cnblogs.com/redhat0019/p/10948300.html