原文地址:http://brucetam.blog.51cto.com/1863614/1540119
首先要知道mongodb默认安装后是没有开启任何认证的,也就是说,所有能连接到服务器的人都能进入数据库查看数据。当然,你可以用防火墙来挡,但没有防火墙保护、数据库直接暴露出来是非常危险的。另外要注意:下面创建的用户只有在服务端开启了认证/授权(配置 security.authorization: enabled,或启动时加 --auth)之后才会被强制使用,否则客户端连接仍然不需要任何凭据。
mongodb关于安全分为几个方面,主要是:认证,基于角色的访问控制(授权),审计,加密,部署和环境的安全(涉及到网络跟系统的访问环境)。
一 关于认证
使用用户名认证指令为:
# NOTE(review): passing the password as the -p argument exposes it to other
# local users via the process list and leaves it in the shell history; giving
# -p with no value (the shell then prompts for it) avoids that.
mongo --port 27017 -u manager -p 12345678 --authenticationDatabase admin
(mongodb跟mysql管理用户信息处理有点不同,mysql会统一保存在mysql库的user表里,mongodb可以把用户认证信息放不同的数据库里,但认证的时候要指定认证的数据库--authenticationDatabase)
php里应该使用以下格式进行认证;连接串路径中不指定数据库(mydb)时,默认使用admin库进行认证:
// Credentials are embedded in the connection URI; the URI path carries no
// database name, so (per the note above) the admin database is used for
// authentication.
// NOTE(review): a hard-coded password in source is a common leak path (VCS,
// backups, error dumps) — load it from configuration/secret storage instead.
// `Mongo` is also the legacy driver class; confirm which driver version this
// code targets.
$connection = new Mongo("mongodb://admin:adminpass@127.0.0.1/");
创建系统级别的的admin用户,分配root角色,可以管理所有数据库,做任意的操作:
注意:创建用户产生的数据正常情况下应该保存在admin库统一管理,但也可以指定保存在其他数据库,先运行 use dbname,表示对dbname这个库操作,然后运行创建用户的命令之后,数据就保存在"dbname"数据库了
// Create a superuser in the admin database. The "root" role (see the prose
// above) can manage every database and perform any operation, so this account
// should be reserved for break-glass administration, not day-to-day use.
// NOTE(review): the password below is a tutorial placeholder — replace it with
// a strong, unique secret before running this on a real deployment.
use admin
db.createUser({
  user: "superuser",
  pwd: "12345678",
  roles: ["root"]
})
或者创建指定数据库的管理员用户:
// Create an application user whose document is stored in (and therefore
// authenticates against) the admin database, while its two roles are scoped
// to the single user_data_tracking database: readWrite for data access and
// dbAdmin for schema/index administration of that database only.
// NOTE(review): "track" is a placeholder password — use a strong secret.
use admin
db.createUser({
  user: "tracking",
  pwd: "track",
  roles: [
    { role: "readWrite", db: "user_data_tracking" },
    { role: "dbAdmin", db: "user_data_tracking" }
  ]
})
还可以创建专门管理用户的用户角色:
// Create a dedicated user-administration account. userAdminAnyDatabase lets
// it create users and grant roles in every database of the cluster.
// NOTE(review): because such an account can grant roles to itself, treat it
// as equivalent to a superuser when deciding who may hold its credentials.
// "password" is a placeholder — use a strong secret.
use admin
db.createUser({
  user: "siteUserAdmin",
  pwd: "password",
  roles: [
    { role: "userAdminAnyDatabase", db: "admin" }
  ]
})
userAdminAnyDatabase和userAdmin区别
userAdminAnyDatabase: Provides the same access to user administration operations as userAdmin, except it applies to all databases in the cluster. 需要注意的是,拥有 userAdmin / userAdminAnyDatabase 的账号可以给任意用户(包括自己)授予该范围内的任意角色,因此在权限评估上应当把它当作对应范围的超级管理员来对待。
// Create a user-administrator limited to one database. Note the split:
// the user document is stored in "products" (so the client must authenticate
// with --authenticationDatabase products), while the userAdmin role it holds
// applies to the "records" database.
// NOTE(review): userAdmin on a database can grant itself any role on that
// database; "password" is a placeholder — use a strong secret.
use products
db.createUser({
  user: "recordsUserAdmin",
  pwd: "password",
  roles: [
    { role: "userAdmin", db: "records" }
  ]
})
登录后可以查看用户权限,用此命令:
// Show the stored document for user "manager" in the current database.
// showPrivileges: true expands every role (including inherited ones) into the
// concrete resource/action privileges, which is what you want when auditing
// what an account can actually do rather than which role names it holds.
db.runCommand({
  usersInfo: "manager",
  showPrivileges: true
})
创建只读权限的用户:
// Create a read-only reporting user. The document is stored in "reporting"
// (its authentication database) and it is granted the built-in read role on
// three explicitly named databases — a good least-privilege pattern for
// dashboards and report jobs that never need to write.
// NOTE(review): "12345678" is a placeholder password — use a strong secret.
use reporting
db.createUser({
  user: "reportsUser",
  pwd: "12345678",
  roles: [
    { role: "read", db: "reporting" },
    { role: "read", db: "products" },
    { role: "read", db: "sales" }
  ]
})
创建完后可以分配角色:
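// Grant additional roles to an existing user. The user document lives in the
// admin database, so switch there first: the original listing had `use admin`
// and `db.grantRolesToUser(` fused onto one line, which is not a valid shell
// command sequence and will not perform the grant.
// NOTE(review): readAnyDatabase is a cluster-wide read grant, far broader
// than the per-database readWrite next to it — confirm that breadth is intended.
use admin
db.grantRolesToUser(
  "accountAdmin01",
  [
    { role: "readWrite", db: "products" },
    { role: "readAnyDatabase", db: "admin" }
  ]
)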
查看用户权限:
// Inspect the stored user document for "tracking" (roles and authentication
// database). In the output below, "_id" is "<authdb>.<user>" — "admin.tracking"
// — confirming the account authenticates against admin even though its roles
// are scoped to user_data_tracking.
> use admin
> db.getUser(
"tracking"
)
{
"_id"
:
"admin.tracking"
,
"user"
:
"tracking"
,
"db"
:
"admin"
,
"roles"
: [
{
"role"
:
"readWrite"
,
"db"
:
"user_data_tracking"
},
{
"role"
:
"dbAdmin"
,
"db"
:
"user_data_tracking"
}
]
}
创建角色:
// Define a custom role in the admin database. "privileges" lists explicit
// resource/action pairs; "roles" lists roles this one inherits from (here,
// read on admin). The writeConcern makes the command wait until the role
// document is acknowledged by a majority of replica-set members (5 s timeout).
// NOTE(review): per MongoDB's resource-document rules, an empty db and
// collection name matches any non-system collection in any database, so the
// last privilege is effectively cluster-wide read — confirm that is intended.
use admin
db.createRole({
  role: "myClusterwideAdmin",
  privileges: [
    // cluster-scoped action
    { resource: { cluster: true }, actions: ["addShard"] },
    // every non-system collection of the config database
    { resource: { db: "config", collection: "" }, actions: ["find", "update", "insert"] },
    // one specific collection
    { resource: { db: "users", collection: "usersCollection" }, actions: ["update"] },
    // any database, any non-system collection
    { resource: { db: "", collection: "" }, actions: ["find"] }
  ],
  roles: [
    { role: "read", db: "admin" }
  ],
  writeConcern: { w: "majority", wtimeout: 5000 }
})
这个语句定义了myClusterwideAdmin角色的权限:privileges 数组中的每一项都是"资源 + 操作"的组合;roles 数组则声明了此角色继承admin数据库的 read 角色。注意其中 db 和 collection 都为空字符串的那一项,表示对所有数据库的所有普通集合都授予 find,范围非常大,按最小权限原则应确认是否真的需要。
创建完可以这么查看所创建的角色信息(rolesInfo: 1 列出当前库的自定义角色,showPrivileges: 1 同时展开继承得到的权限 inheritedPrivileges)。注意下面的输出来自作者另一次演示,角色名是 bruceAdmin 而不是上面的 myClusterwideAdmin,但权限定义相同:
// List the user-defined roles of the current database. showPrivileges: 1
// returns both the directly declared "privileges" and the expanded
// "inheritedPrivileges" (see the output below), which is what an audit
// should look at: inherited grants are easy to overlook otherwise.
> db.runCommand( { rolesInfo: 1, showPrivileges: 1 } )
{
"roles"
: [
{
"role"
:
"bruceAdmin"
,
"db"
:
"admin"
,
"isBuiltin"
:
false
,
"roles"
: [
{
"role"
:
"read"
,
"db"
:
"admin"
}
],
"inheritedRoles"
: [
{
"role"
:
"read"
,
"db"
:
"admin"
}
],
"privileges"
: [
{
"resource"
: {
"cluster"
:
true
},
"actions"
: [
"addShard"
]
},
{
"resource"
: {
"db"
:
"config"
,
"collection"
:
""
},
"actions"
: [
"find"
,
"insert"
,
"update"
]
},
{
"resource"
: {
"db"
:
"users"
,
"collection"
:
"usersCollection"
},
"actions"
: [
"update"
]
},
{
"resource"
: {
"db"
:
""
,
"collection"
:
""
},
"actions"
: [
"find"
]
}
],
"inheritedPrivileges"
: [
{
"resource"
: {
"cluster"
:
true
},
"actions"
: [
"addShard"
]
},
{
"resource"
: {
"db"
:
"config"
,
"collection"
:
""
},
"actions"
: [
"find"
,
"insert"
,
"update"
]
},
{
"resource"
: {
"db"
:
"users"
,
"collection"
:
"usersCollection"
},
"actions"
: [
"update"
]
},
{
"resource"
: {
"db"
:
""
,
"collection"
:
""
},
"actions"
: [
"find"
]
},
{
"resource"
: {
"db"
:
"admin"
,
"collection"
:
""
},
"actions"
: [
"collStats"
,
"dbHash"
,
"dbStats"
,
"find"
,
"killCursors"
,
"planCacheRead"
]
},
{
"resource"
: {
"db"
:
"admin"
,
"collection"
:
"system.indexes"
},
"actions"
: [
"collStats"
,
"dbHash"
,
"dbStats"
,
"find"
,
"killCursors"
,
"planCacheRead"
]
},
{
"resource"
: {
"db"
:
"admin"
,
"collection"
:
"system.js"
},
"actions"
: [
"collStats"
,
"dbHash"
,
"dbStats"
,
"find"
,
"killCursors"
,
"planCacheRead"
]
},
{
"resource"
: {
"db"
:
"admin"
,
"collection"
:
"system.namespaces"
},
"actions"
: [
"collStats"
,
"dbHash"
,
"dbStats"
,
"find"
,
"killCursors"
,
"planCacheRead"
]
}
]
}
],
"ok"
: 1
}
修改角色
回收:
官网里有这么一个解释说回收后生效的时间
Access revocations apply as soon as the user tries to run a command. On a mongos, revocations are instant on the mongos on which the command ran, but there is up to a 10-minute delay before the user cache is updated on the other mongos instances in the cluster. The following example operation removes the readWrite role on the accounts database from the accountUser01 user's existing roles:
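// Revoke the readWrite role on "accounts" from accountUser01. The user
// document is stored in the accounts database, so switch there first: the
// original listing had `use accounts` and `db.revokeRolesFromUser(` fused onto
// one line, which is not a valid shell command sequence.
// Per the quoted documentation above, the revocation takes effect on the next
// command the user runs; on a sharded cluster other mongos instances may keep
// a cached view for up to 10 minutes.
use accounts
db.revokeRolesFromUser(
  "accountUser01",
  [
    { role: "readWrite", db: "accounts" }
  ]
)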
这里提到了mongos的知识,属于分布式的数据库部署方式,暂时还没用到,先搁着。
分配角色,在上面提到过了
修改密码:
// Change the password of user "reporting" in the current database.
// NOTE(review): typed interactively, the new password ends up in the shell's
// command history (~/.dbshell for the legacy mongo shell) — clear it or use a
// prompting helper when rotating real credentials.
db.changeUserPassword("reporting", "SOh3TbYhxuLiW8ypJPxmt1oOfL")
updateUser 命令还支持在修改密码的同时写入自定义数据(customData 字段,可以放职位、联系人等任意描述信息):
// Update user "manager" in the current database: this single command both
// sets a new password (pwd) and attaches free-form metadata (customData).
// Any field omitted here is left unchanged.
db.runCommand({
  updateUser: "manager",
  pwd: "KNlZmiaNUp0B",
  customData: { title: "Senior Manager" }
})