MongoDB系列文章目录

• 史上最全MongoDB之初识篇
• 史上最全MongoDB之部署篇
• 史上最全MongoDB之Mongo Shell使用
• 史上最全MongoDB之安全认证

如果本文对你们的开发之路有所帮助，请帮忙点个赞，您的支持是我坚持写博客的动力
扫描文章底部二维码获取电子书和最新面试资料

前言

本系列课程将带着大家以面试题的方式 深入分布式专题之MongoDB。这篇文章带着大家深入MongoDB安全认证

MongoDB 的用户权限介绍

• MongoDB 2.4支持RABC模型，使用的是基于角色的访问控制(Role-Based Access Control,RBAC)来管理用户对实例的访问

RBAC(基于角色的访问控制)：英文名称Role-Based Access Control

MongoDB 角色

MongoDB 权限

MongoDB 的用户权限建议

• 默认情况，MongoDB 服务端启动没有启动用户 访问权限, 客户端连接MongoDB 服务端不需要安全认证，可以随意操作存在很大风险
• 生产环境 开启安全认证，通过命令行方式启动加上 --auth,或配置文件(mongod.conf)加上auth=true
• 生产环境建议修改默认端口（27017）
• MongoDB应部署在内网环境，bind_ip参数（默认为localhost），根据客户端ip修改,格式：bind_ip=1.1.1.1,2.2.2.2，禁止bind_ip使用0.0.0.0或bind_ip_all设置为true
• 客户端操作数据库，应该用dbOwner（数据库管理角色）的账号操作，禁止使用管理员角色(/权限高账号)操作数据库

操作用户角色命令

show roles 查看角色列表命令

概念

查看角色列表

命令应用

> show roles
{
	"role" : "dbAdmin",
	"db" : "test",
	"isBuiltin" : true,
	"roles" : [ ],
	"inheritedRoles" : [ ]
}
{
	"role" : "dbOwner",
	"db" : "test",
	"isBuiltin" : true,
	"roles" : [ ],
	"inheritedRoles" : [ ]
}
{
	"role" : "enableSharding",
	"db" : "test",
	"isBuiltin" : true,
	"roles" : [ ],
	"inheritedRoles" : [ ]
}
{
	"role" : "read",
	"db" : "test",
	"isBuiltin" : true,
	"roles" : [ ],
	"inheritedRoles" : [ ]
}
{
	"role" : "readWrite",
	"db" : "test",
	"isBuiltin" : true,
	"roles" : [ ],
	"inheritedRoles" : [ ]
}
{
	"role" : "userAdmin",
	"db" : "test",
	"isBuiltin" : true,
	"roles" : [ ],
	"inheritedRoles" : [ ]
}
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43

db.createUser(用户信息) 创建用户 命令

概念

创建用户

命令格式

db.createUser({user:“用户名”,pwd:“名称”,roles:[“角色”]})

命令应用

创建test库，并指定test库的管理员

> use test
switched to db test
> db.createUser({user:"test",pwd:"test",roles:['dbOwner']})
uncaught exception: ReferenceError: dn is not defined :
@(shell):1:1
> use test
switched to db test
> db.createUser({user:"test",pwd:"test",roles:['dbOwner']})
Successfully added user: { "user" : "test", "roles" : [ "dbOwner" ] }
> show users
{
	"_id" : "test.test",
	"userId" : UUID("d9be5de9-8c28-4b2b-8d88-530be7846b14"),
	"user" : "test",
	"db" : "test",
	"roles" : [
		{
			"role" : "dbOwner",
			"db" : "test"
		}
	],
	"mechanisms" : [
		"SCRAM-SHA-1",
		"SCRAM-SHA-256"
	]
}
> 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27

db.dropUser(用户名称) 删除用户 命令

概念

创建用户

命令格式

db.dropUser(“用户名”)

命令应用

db.dropUser(“test”)

> use test
switched to db test
> dn.createUser({user:"test",pwd:"test",roles:['dbOwner']})
uncaught exception: ReferenceError: dn is not defined :
@(shell):1:1
> use test
switched to db test
> db.createUser({user:"test",pwd:"test",roles:['dbOwner']})
Successfully added user: { "user" : "test", "roles" : [ "dbOwner" ] }
> show users
{
	"_id" : "test.test",
	"userId" : UUID("d9be5de9-8c28-4b2b-8d88-530be7846b14"),
	"user" : "test",
	"db" : "test",
	"roles" : [
		{
			"role" : "dbOwner",
			"db" : "test"
		}
	],
	"mechanisms" : [
		"SCRAM-SHA-1",
		"SCRAM-SHA-256"
	]
}
> 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27

db.grantRolesToUser(用户名称,[]) 授权用户权限 命令

概念

授权用户权限

命令格式

db.grantRolesToUser(“用户名”, [{
role: “角色code”,
db: “数据库名称”
},

…

])

命令应用

db.grantRolesToUser(“test”, [{
role: “dbAdmin”,
db: “test”
}
])

> use test
switched to db test
> db.createUser({user:"test",pwd:"test",roles:['dbOwner']})
Successfully added user: { "user" : "test", "roles" : [ "dbOwner" ] }
> db.grantRolesToUser("test", [{
... role: "dbAdmin",
... db: "test"
... }
... ])
> 
1
2
3
4
5
6
7
8
9
10

授权账号登录 命令

概念

授权账号登录

命令格式

mongo MONGO_HOST:PORT -u USER -p PWD --authenticationDatabase=DB

命令应用

mongo 127.0.0.1:27017 -u test -p test --authenticationDatabase=test

[root@localhost mongodb]# mongo 127.0.0.1:27017 -u test -p test --authenticationDatabase=test
MongoDB shell version v4.4.14
connecting to: mongodb://127.0.0.1:27017/test?authSource=test&compressors=disabled&gssapiServiceName=mongodb
Implicit session: session { "id" : UUID("bf4865d7-def1-4824-8240-d8687d820a2e") }
MongoDB server version: 4.4.14
---
The server generated these startup warnings when booting: 
        2022-06-29T02:07:49.470-07:00: Access control is not enabled for the database. Read and write access to data and configuration is unrestricted
        2022-06-29T02:07:49.471-07:00: You are running this process as the root user, which is not recommended
        2022-06-29T02:07:49.471-07:00: /sys/kernel/mm/transparent_hugepage/enabled is 'always'. We suggest setting it to 'never'
        2022-06-29T02:07:49.471-07:00: /sys/kernel/mm/transparent_hugepage/defrag is 'always'. We suggest setting it to 'never'
        2022-06-29T02:07:49.471-07:00: Soft rlimits too low
        2022-06-29T02:07:49.471-07:00:         currentValue: 1024
        2022-06-29T02:07:49.471-07:00:         recommendedMinimum: 64000
---
---
        Enable MongoDB's free cloud-based monitoring service, which will then receive and display
        metrics about your deployment (disk utilization, CPU, operation statistics, etc).

        The monitoring data will be available on a MongoDB website with a unique URL accessible to you
        and anyone you share the URL with. MongoDB may use this information to make product
        improvements and to suggest MongoDB products and deployment options to you.

        To enable free monitoring, run the following command: db.enableFreeMonitoring()
        To permanently disable this reminder, run the following command: db.disableFreeMonitoring()
---
> show dbs;
admin   0.000GB
config  0.000GB
local   0.000GB
> 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31

初次见面，也不知道送你们啥。干脆就送几百本电子书和最新面试资料，祝你们找到更好的工作，扫描下面二维码获取