MongoDB study notes, part 2: MongoDB user authentication


First, be aware that MongoDB has no authentication enabled after a default install. That means anyone who can connect to the server can get into the database and read it. You can of course block access with a firewall, but without that protection an exposed database is extremely dangerous.


MongoDB security has several aspects, mainly: authentication, role-based access control (authorization), auditing, encryption, and deployment and environment security (network and system access to the servers).


1. Authentication

The command to authenticate with a username is:

mongo --port 27017 -u manager -p 12345678 --authenticationDatabase admin

(MongoDB handles user account information a bit differently from MySQL. MySQL keeps everything in the user table of the mysql database, whereas MongoDB can store user credentials in different databases, so when authenticating you must name the database that holds the user with --authenticationDatabase.)

In PHP, authenticate with a connection URI of the following form; if no database (mydb) is given in the URI, the admin database is used by default:

$connection = new Mongo("mongodb://admin:<password>@<host>/"); // <password> and <host> are placeholders
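The same URI shape is used by every driver, and two things about it bite in practice: a password containing "@", ":" or "/" must be percent-encoded or the URI parser splits it in the wrong place, and the authentication database is selected with the authSource parameter, the URI equivalent of --authenticationDatabase. The following is an added example in JavaScript (the language of the mongo shell), not code from the original post or from any driver: buildMongoUri, redactMongoUri and parseMongoUri, and the sample credentials, are constructed here.

```javascript
// Added example: build, redact and parse a MongoDB connection URI.
// buildMongoUri / redactMongoUri / parseMongoUri and the sample values are
// constructed for this example; they are not a driver API.

// Build mongodb://user:pwd@host:port/?authSource=... with the credentials
// percent-encoded. Without encoding, a password containing '@', ':' or '/'
// is split at the wrong place by the URI parser (and by the redaction
// below), so encoding is a correctness requirement, not cosmetics.
function buildMongoUri({ user, pwd, host, port = 27017, authSource = "admin" }) {
  if (!user || !pwd || !host) {
    throw new Error("user, pwd and host are required");
  }
  const creds = `${encodeURIComponent(user)}:${encodeURIComponent(pwd)}`;
  // authSource plays the role of --authenticationDatabase on the mongo shell.
  return `mongodb://${creds}@${host}:${port}/?authSource=${encodeURIComponent(authSource)}`;
}

// Replace the password part of a URI with *** so the URI can be logged or
// shown in an error message without leaking the credential.
function redactMongoUri(uri) {
  // Matches "//user:password@" once; an encoded password cannot contain a
  // literal '@', so the match stops at the real delimiter.
  return uri.replace(/\/\/([^:/@]+):([^@]*)@/, "//$1:***@");
}

// Parse a URI built by buildMongoUri back into its parts, so a deployment
// script can check which authSource a given URI will actually use.
function parseMongoUri(uri) {
  const m = uri.match(/^mongodb:\/\/([^:/@]+):([^@]*)@([^:/]+):(\d+)\/\?(.*)$/);
  if (!m) throw new Error("unrecognised URI shape");
  const params = new URLSearchParams(m[5]);
  return {
    user: decodeURIComponent(m[1]),
    pwd: decodeURIComponent(m[2]),
    host: m[3],
    port: Number(m[4]),
    // With no database in the path and no authSource, admin is used.
    authSource: params.get("authSource") || "admin",
  };
}

// Constructed sample values (not real credentials).
const SAMPLE_URI = buildMongoUri({ user: "admin", pwd: "p@ss/w:rd", host: "localhost" });
console.log(redactMongoUri(SAMPLE_URI));
```

Log only the redacted form; the unredacted URI belongs in the driver call and nowhere else.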

Create a system-level admin user with the root role, which can manage every database and perform any operation:

Note: user documents are normally stored in the admin database so they can be managed centrally, but they can be stored in another database. Run use dbname first to switch to that database, then run the createUser command; the user document is then stored in the "dbname" database.


use admin

db.createUser(
    {
      user: "superuser",
      pwd: "12345678",
      roles: [ "root" ]
    })


Or create an administrator for a specific database:

use admin
db.createUser(
    {
      user: "tracking",
      pwd: "track",
      roles: [
         { role: "readWrite", db: "user_data_tracking" },
         { role: "dbAdmin", db: "user_data_tracking" }
      ]
    }
)

You can also create a user whose only job is managing users:

use admin

db.createUser(
  {
    user: "siteUserAdmin",
    pwd: "password",
    roles:
    [
      {
        role: "userAdminAnyDatabase",
        db: "admin"
      }
    ]
  })


The difference between userAdminAnyDatabase and userAdmin:

userAdminAnyDatabase Provides the same access to user administration operations as userAdmin, except it applies to all databases in the cluster.

use products

db.createUser(
  {
    user: "recordsUserAdmin",
    pwd: "password",
    roles:
    [
      {
        role: "userAdmin",
        db: "records"
      }
    ]
  })

After logging in, use this command to view a user's privileges:

db.runCommand(
  {
    usersInfo:"manager",
    showPrivileges:true
  })

Create a read-only user:

use reporting

db.createUser(
    {
      user: "reportsUser",
      pwd: "12345678",
      roles: [
         { role: "read", db: "reporting" },
         { role: "read", db: "products" },
         { role: "read", db: "sales" }
      ]
    })


Once a user exists, you can grant it further roles:

use admin
db.grantRolesToUser(
  "accountAdmin01",
  [
    {
      role: "readWrite", db: "products"
    },
    {
      role: "readAnyDatabase", db:"admin"
    }
  ])


View a user and the roles assigned to it:

> use admin
> db.getUser("tracking")
{
    "_id" : "admin.tracking",
    "user" : "tracking",
    "db" : "admin",
    "roles" : [
        {
            "role" : "readWrite",
            "db" : "user_data_tracking"
        },
        {
            "role" : "dbAdmin",
            "db" : "user_data_tracking"
        }
    ]
}
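The user documents returned by db.getUser and usersInfo have a fixed shape, which makes them easy to audit. The following is an added example, not from the original post: a JavaScript check that walks a usersInfo result and flags accounts holding cluster-wide roles (root, userAdminAnyDatabase and the like) or administrative roles granted on the admin database, where the user documents themselves live. The built-in role names are MongoDB's; the functions, the policy sets and the sample result are constructed here.

```javascript
// Added example: audit a usersInfo result for over-privileged accounts.
// The functions, the two policy sets and SAMPLE_USERS_INFO are constructed
// for this example; only the built-in role names are MongoDB's.

// Roles that grant control over every database or over the cluster itself.
const CLUSTER_WIDE_ROLES = new Set([
  "root", "userAdminAnyDatabase", "dbAdminAnyDatabase",
  "readWriteAnyDatabase", "readAnyDatabase", "clusterAdmin",
  "clusterManager", "hostManager", "backup", "restore",
]);

// Roles that are fine on an application database but amount to full
// control when granted on "admin", because user documents are stored there.
const ADMIN_DB_SENSITIVE_ROLES = new Set(["dbOwner", "dbAdmin", "userAdmin", "readWrite"]);

// Returns one finding per risky role assignment; an empty array means the
// user document is within policy.
function auditUser(userDoc) {
  const findings = [];
  for (const r of userDoc.roles || []) {
    if (CLUSTER_WIDE_ROLES.has(r.role)) {
      findings.push({ user: userDoc.user, db: userDoc.db, role: r.role, on: r.db,
                      reason: "cluster-wide role" });
    } else if (r.db === "admin" && ADMIN_DB_SENSITIVE_ROLES.has(r.role)) {
      findings.push({ user: userDoc.user, db: userDoc.db, role: r.role, on: r.db,
                      reason: "administrative role on the admin database" });
    }
  }
  return findings;
}

// Audit a whole usersInfo result (e.g. from
// db.runCommand({ usersInfo: { forAllDBs: true } })) and split the users
// into those that need review and those that are within policy.
function auditUsersInfo(result) {
  if (result.ok !== 1 || !Array.isArray(result.users)) {
    throw new Error("not a usersInfo result");
  }
  const flagged = [];
  const clean = [];
  for (const u of result.users) {
    const f = auditUser(u);
    if (f.length) flagged.push(...f);
    else clean.push(`${u.db}.${u.user}`);
  }
  return { flagged, clean };
}

// Constructed sample in the shape usersInfo returns, built from the users
// created earlier in the post.
const SAMPLE_USERS_INFO = {
  users: [
    { _id: "admin.superuser", user: "superuser", db: "admin",
      roles: [{ role: "root", db: "admin" }] },
    { _id: "admin.tracking", user: "tracking", db: "admin",
      roles: [{ role: "readWrite", db: "user_data_tracking" },
              { role: "dbAdmin", db: "user_data_tracking" }] },
    { _id: "admin.siteUserAdmin", user: "siteUserAdmin", db: "admin",
      roles: [{ role: "userAdminAnyDatabase", db: "admin" }] },
    { _id: "reporting.reportsUser", user: "reportsUser", db: "reporting",
      roles: [{ role: "read", db: "reporting" }, { role: "read", db: "products" }] },
  ],
  ok: 1,
};

console.log(JSON.stringify(auditUsersInfo(SAMPLE_USERS_INFO), null, 2));
```

A finding is not automatically a problem: the superuser account is meant to hold root. The point of the check is that every such account is known, listed, and reviewed, rather than discovered after the fact.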

Create a role:

use admin
db.createRole(
  {
    role: "myClusterwideAdmin",
    privileges:
    [
      { resource: { cluster: true }, actions: [ "addShard" ] },
      { resource: { db: "config", collection: "" }, actions: [ "find", "update", "insert" ] },
      { resource: { db: "users", collection: "usersCollection" }, actions: [ "update" ] },
      { resource: { db: "", collection: "" }, actions: [ "find" ] }
    ],
    roles:
    [
      { role: "read", db: "admin" }
    ],
    writeConcern: { w: "majority" , wtimeout: 5000 }
  })

This statement defines the privileges of the myClusterwideAdmin role as an array of resource/actions pairs; the roles field says the new role inherits the read role on the admin database.
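The rolesInfo output shown further down has two computed fields, inheritedRoles and inheritedPrivileges: the server walks the chain of inherited roles and merges their privileges with the role's own. The following is an added example in JavaScript, not code from the original post or from MongoDB, that performs the same expansion over a role table in the createRole/rolesInfo shape, with protection against cycles. The role table is constructed for this example; the cut-down "read" role uses only the actions on the admin database that appear in the rolesInfo output.

```javascript
// Added example: expand a role's inherited roles and privileges the way
// rolesInfo presents them. ROLE_TABLE and the functions are constructed
// for this example.

// Key a role by "db.role" so roles with the same name in different
// databases stay distinct.
const roleKey = (r) => `${r.db}.${r.role}`;

// roleTable maps "db.role" to { role, db, roles, privileges }, the shape
// createRole takes and rolesInfo returns. Returns every role reachable
// through the roles field, each once, excluding the start role itself.
function inheritedRoles(roleTable, start) {
  const seen = new Set();
  const order = [];
  const stack = [start];
  while (stack.length) {
    const r = stack.pop();
    const key = roleKey(r);
    if (seen.has(key)) continue;          // cycle / diamond protection
    seen.add(key);
    const def = roleTable.get(key);
    if (!def) throw new Error(`unknown role ${key}`);
    if (key !== roleKey(start)) order.push({ role: def.role, db: def.db });
    for (const parent of def.roles || []) stack.push(parent);
  }
  return order;
}

// Merge privileges on the same resource and union their actions; actions
// are sorted so the result is stable and comparable with server output.
function mergePrivileges(privs) {
  const byResource = new Map();
  for (const p of privs) {
    const k = JSON.stringify(p.resource);   // resource documents are small and flat
    const entry = byResource.get(k) || { resource: p.resource, actions: new Set() };
    p.actions.forEach((a) => entry.actions.add(a));
    byResource.set(k, entry);
  }
  return [...byResource.values()].map((e) => ({ resource: e.resource, actions: [...e.actions].sort() }));
}

// The role's own privileges plus those of every inherited role.
function inheritedPrivileges(roleTable, start) {
  const def = roleTable.get(roleKey(start));
  if (!def) throw new Error(`unknown role ${roleKey(start)}`);
  const fromParents = inheritedRoles(roleTable, start)
    .flatMap((r) => roleTable.get(roleKey(r)).privileges || []);
  return mergePrivileges([...(def.privileges || []), ...fromParents]);
}

// Constructed role table: the custom role from the post plus a cut-down
// built-in "read" role with the admin-database actions from the rolesInfo output.
const ROLE_TABLE = new Map([
  ["admin.read", { role: "read", db: "admin", roles: [], privileges: [
    { resource: { db: "admin", collection: "" },
      actions: ["collStats", "dbHash", "dbStats", "find", "killCursors", "planCacheRead"] },
  ] }],
  ["admin.myClusterwideAdmin", { role: "myClusterwideAdmin", db: "admin",
    roles: [{ role: "read", db: "admin" }],
    privileges: [
      { resource: { cluster: true }, actions: ["addShard"] },
      { resource: { db: "config", collection: "" }, actions: ["find", "update", "insert"] },
      { resource: { db: "users", collection: "usersCollection" }, actions: ["update"] },
      { resource: { db: "", collection: "" }, actions: ["find"] },
    ] }],
]);

console.log(JSON.stringify(inheritedPrivileges(ROLE_TABLE, { role: "myClusterwideAdmin", db: "admin" }), null, 2));
```

Reviewing a custom role means reviewing the merged list, not just the privileges written in the createRole call: a single inherited role can carry far more than the role's own definition suggests.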


After creating the role, you can view its definition like this:

> db.runCommand( { rolesInfo: 1, showPrivileges: 1 } )
{
    "roles" : [
        {
            "role" : "bruceAdmin",
            "db" : "admin",
            "isBuiltin" : false,
            "roles" : [
                {
                    "role" : "read",
                    "db" : "admin"
                }
            ],
            "inheritedRoles" : [
                {
                    "role" : "read",
                    "db" : "admin"
                }
            ],
            "privileges" : [
                {
                    "resource" : {
                        "cluster" : true
                    },
                    "actions" : [
                        "addShard"
                    ]
                },
                {
                    "resource" : {
                        "db" : "config",
                        "collection" : ""
                    },
                    "actions" : [
                        "find",
                        "insert",
                        "update"
                    ]
                },
                {
                    "resource" : {
                        "db" : "users",
                        "collection" : "usersCollection"
                    },
                    "actions" : [
                        "update"
                    ]
                },
                {
                    "resource" : {
                        "db" : "",
                        "collection" : ""
                    },
                    "actions" : [
                        "find"
                    ]
                }
            ],
            "inheritedPrivileges" : [
                {
                    "resource" : {
                        "cluster" : true
                    },
                    "actions" : [
                        "addShard"
                    ]
                },
                {
                    "resource" : {
                        "db" : "config",
                        "collection" : ""
                    },
                    "actions" : [
                        "find",
                        "insert",
                        "update"
                    ]
                },
                {
                    "resource" : {
                        "db" : "users",
                        "collection" : "usersCollection"
                    },
                    "actions" : [
                        "update"
                    ]
                },
                {
                    "resource" : {
                        "db" : "",
                        "collection" : ""
                    },
                    "actions" : [
                        "find"
                    ]
                },
                {
                    "resource" : {
                        "db" : "admin",
                        "collection" : ""
                    },
                    "actions" : [
                        "collStats",
                        "dbHash",
                        "dbStats",
                        "find",
                        "killCursors",
                        "planCacheRead"
                    ]
                },
                {
                    "resource" : {
                        "db" : "admin",
                        "collection" : "system.indexes"
                    },
                    "actions" : [
                        "collStats",
                        "dbHash",
                        "dbStats",
                        "find",
                        "killCursors",
                        "planCacheRead"
                    ]
                },
                {
                    "resource" : {
                        "db" : "admin",
                        "collection" : "system.js"
                    },
                    "actions" : [
                        "collStats",
                        "dbHash",
                        "dbStats",
                        "find",
                        "killCursors",
                        "planCacheRead"
                    ]
                },
                {
                    "resource" : {
                        "db" : "admin",
                        "collection" : "system.namespaces"
                    },
                    "actions" : [
                        "collStats",
                        "dbHash",
                        "dbStats",
                        "find",
                        "killCursors",
                        "planCacheRead"
                    ]
                }
            ]
        }
    ],
    "ok" : 1
}


Modifying roles

Revocation:

The official docs explain when a revocation takes effect:

Access revocations apply as soon as the user tries to run a command. On a mongos revocations are instant on the mongos on which the command ran, but there is up to a 10-minute delay before the user cache is updated on the other mongos instances in the cluster. The following example operation removes the readWrite role on the accounts database from the accountUser01 user's existing roles:

use accounts
db.revokeRolesFromUser(
    "accountUser01",
    [
      { role: "readWrite", db: "accounts" }
    ])

This mentions mongos, which belongs to the sharded (distributed) deployment mode. I haven't used it yet, so I'll set it aside for now.


Granting roles was covered above.


Change a password:

db.changeUserPassword("reporting", "SOh3TbYhxuLiW8ypJPxmt1oOfL")


Custom data can also be stored on a user document:

db.runCommand(
    { updateUser: "manager",
      pwd: "KNlZmiaNUp0B",
      customData: { title: "Senior Manager" }
    })


That's as far as I'll go with authentication for now; knowing these commands should be enough. On to the next step >>>
