MongoDB Study Notes, Part 2: MongoDB User Authentication


First, be aware that a default MongoDB installation has no authentication enabled at all, which means anyone who can connect to the server can get into the database and read it. You can of course block access with a firewall, but without that protection an exposed database is extremely dangerous.


MongoDB security falls into several areas, chiefly: authentication, role-based access control (authorization), auditing, encryption, and deployment and environment security (the network and system access environment).


I. Authentication

The command to authenticate with a username is:

mongo --port 27017 -u manager -p 12345678 --authenticationDatabase admin

(MongoDB handles user information a little differently from MySQL: MySQL keeps it centrally in the user table of the mysql database, whereas MongoDB can store user credentials in different databases, so when authenticating you must name the authentication database with --authenticationDatabase.)

In PHP, authenticate with the following format; if no database (mydb) is given after the host, the admin database is used by default:

$connection = new Mongo("mongodb://admin:[email protected]/");

Create a system-level admin user and assign it the root role, which can manage all databases and perform any operation:

Note: the documents created for a user should normally be stored in the admin database so they are managed centrally, but they can also be stored in another database: run use dbname first to operate on that database, then run the createUser command, and the user data ends up in the "dbname" database.


use admin

db.createUser(
    {
      user: "superuser",
      pwd: "12345678",
      roles: [ "root" ]
    })


Or create an administrator user for a specific database:

use admin
db.createUser(
    {
      user: "tracking",
      pwd: "track",
      roles: [
         { role: "readWrite", db: "user_data_tracking" },
         { role: "dbAdmin", db: "user_data_tracking" }
      ]
    }
)

You can also create a user whose role is dedicated to managing users:

use admin

db.createUser(
  {
    user: "siteUserAdmin",
    pwd: "password",
    roles:
    [
      {
        role: "userAdminAnyDatabase",
        db: "admin"
      }
    ]
  })


Difference between userAdminAnyDatabase and userAdmin

userAdminAnyDatabase Provides the same access to user administration operations as userAdmin, except it applies to all databases in the cluster.

use products

db.createUser(
  {
    user: "recordsUserAdmin",
    pwd: "password",
    roles:
    [
      {
        role: "userAdmin",
        db: "records"
      }
    ]
  })

After logging in you can view a user's privileges with this command:

db.runCommand(
  {
    usersInfo:"manager",
    showPrivileges:true
  })

Create a read-only user:

use reporting

db.createUser(
    {
      user: "reportsUser",
      pwd: "12345678",
      roles: [
         { role: "read", db: "reporting" },
         { role: "read", db: "products" },
         { role: "read", db: "sales" }
      ]
    })


After a user is created you can grant it additional roles:

use admin
db.grantRolesToUser(
  "accountAdmin01",
  [
    {
      role: "readWrite", db: "products"
    },
    {
      role: "readAnyDatabase", db:"admin"
    }
  ])


View a user's roles:

> use admin
> db.getUser("tracking")
{
    "_id" : "admin.tracking",
    "user" : "tracking",
    "db" : "admin",
    "roles" : [
        {
            "role" : "readWrite",
            "db" : "user_data_tracking"
        },
        {
            "role" : "dbAdmin",
            "db" : "user_data_tracking"
        }
    ]
}
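A least-privilege review of the documents that db.getUser() / usersInfo return, as an added example (not code from the original post). The sample users are constructed to mirror the post's own examples; the lists of "broad" and "user-managing" roles are MongoDB built-in role names.

```javascript
// Added example: audit user documents (shape of db.getUser() output) and flag
// role assignments that exceed least privilege.

// Built-in roles that reach every database in the deployment.
const BROAD_ROLES = new Set([
  "root", "userAdminAnyDatabase", "readWriteAnyDatabase",
  "readAnyDatabase", "dbAdminAnyDatabase", "clusterAdmin"
]);

// Built-in roles whose holder can create or modify users (an escalation path).
const USER_ADMIN_ROLES = new Set(["userAdmin", "userAdminAnyDatabase", "root"]);

function auditUsers(users) {
  const findings = [];
  for (const u of users) {
    // Users stored outside admin must be authenticated against that database
    // (--authenticationDatabase); such accounts are easy to miss in reviews.
    if (u.db !== "admin") {
      findings.push({ user: u._id, issue: "stored-outside-admin" });
    }
    for (const r of u.roles) {
      if (BROAD_ROLES.has(r.role)) {
        findings.push({ user: u._id, issue: "cluster-wide-role", role: r.role });
      }
      if (USER_ADMIN_ROLES.has(r.role)) {
        findings.push({ user: u._id, issue: "can-manage-users", role: r.role, db: r.db });
      }
    }
  }
  return findings;
}

// Constructed sample data shaped like the post's getUser output.
const SAMPLE_USERS = [
  { _id: "admin.tracking", user: "tracking", db: "admin",
    roles: [ { role: "readWrite", db: "user_data_tracking" },
             { role: "dbAdmin", db: "user_data_tracking" } ] },
  { _id: "admin.superuser", user: "superuser", db: "admin",
    roles: [ { role: "root", db: "admin" } ] },
  { _id: "products.recordsUserAdmin", user: "recordsUserAdmin", db: "products",
    roles: [ { role: "userAdmin", db: "records" } ] }
];

console.log(auditUsers(SAMPLE_USERS));
```

The tracking user produces no findings; superuser is flagged twice for root, and recordsUserAdmin once for living in the products database and once for userAdmin.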

Create a role:

use admin
db.createRole(
  {
    role: "myClusterwideAdmin",
    privileges:
    [
      { resource: { cluster: true }, actions: [ "addShard" ] },
      { resource: { db: "config", collection: "" }, actions: [ "find", "update", "insert" ] },
      { resource: { db: "users", collection: "usersCollection" }, actions: [ "update" ] },
      { resource: { db: "", collection: "" }, actions: [ "find" ] }
    ],
    roles:
    [
      { role: "read", db: "admin" }
    ],
    writeConcern: { w: "majority" , wtimeout: 5000 }
  })

This statement defines the privileges of the myClusterwideAdmin role as an array of resource/actions pairs; the roles field states that it also inherits the read role on the admin database.
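An added example (not part of the original post) that applies MongoDB's resource-document matching rules to the privilege list above, answering "does this role allow <action> on <db>.<collection>?". ROLE_PRIVILEGES is copied from the myClusterwideAdmin definition; the namespaces queried are constructed. It makes the broad fourth privilege visible: find on every non-system collection in every database.

```javascript
// Added example: privilege checker for createRole() privilege lists.

// Resource matching: "" in db or collection means "all", and the "all" forms
// exclude system.* collections. { cluster: true } matches only cluster-level
// operations, which we represent with db === null.
function resourceMatches(res, db, coll) {
  if (res.anyResource === true) return true;
  if (res.cluster === true) return db === null;
  if (db === null) return false;
  if (res.db !== "" && res.db !== db) return false;
  if (res.collection === "") return !coll.startsWith("system.");
  return res.collection === coll;
}

// True if some privilege covers the namespace and lists the action.
function isAllowed(privileges, db, coll, action) {
  return privileges.some(p =>
    resourceMatches(p.resource, db, coll) && p.actions.includes(action));
}

// Copied from the post's myClusterwideAdmin role.
const ROLE_PRIVILEGES = [
  { resource: { cluster: true }, actions: [ "addShard" ] },
  { resource: { db: "config", collection: "" }, actions: [ "find", "update", "insert" ] },
  { resource: { db: "users", collection: "usersCollection" }, actions: [ "update" ] },
  { resource: { db: "", collection: "" }, actions: [ "find" ] }
];

// Constructed checks a reviewer would run against this role.
const CHECKS = [
  ["sales", "orders", "find"],             // granted by db:"" collection:""
  ["sales", "orders", "insert"],           // no write privilege outside config
  ["config", "shards", "insert"],          // all collections in config
  ["config", "system.indexes", "find"],    // system.* not covered by ""
  ["users", "other", "update"],            // only usersCollection is writable
  [null, null, "addShard"]                 // cluster resource
];
for (const [db, coll, action] of CHECKS) {
  console.log(db, coll, action, isAllowed(ROLE_PRIVILEGES, db, coll, action));
}
```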


After creating it, you can view the role's information like this:

> db.runCommand( { rolesInfo: 1, showPrivileges: 1 } )
{
    "roles" : [
        {
            "role" : "bruceAdmin",
            "db" : "admin",
            "isBuiltin" : false,
            "roles" : [
                {
                    "role" : "read",
                    "db" : "admin"
                }
            ],
            "inheritedRoles" : [
                {
                    "role" : "read",
                    "db" : "admin"
                }
            ],
            "privileges" : [
                {
                    "resource" : {
                        "cluster" : true
                    },
                    "actions" : [
                        "addShard"
                    ]
                },
                {
                    "resource" : {
                        "db" : "config",
                        "collection" : ""
                    },
                    "actions" : [
                        "find",
                        "insert",
                        "update"
                    ]
                },
                {
                    "resource" : {
                        "db" : "users",
                        "collection" : "usersCollection"
                    },
                    "actions" : [
                        "update"
                    ]
                },
                {
                    "resource" : {
                        "db" : "",
                        "collection" : ""
                    },
                    "actions" : [
                        "find"
                    ]
                }
            ],
            "inheritedPrivileges" : [
                {
                    "resource" : {
                        "cluster" : true
                    },
                    "actions" : [
                        "addShard"
                    ]
                },
                {
                    "resource" : {
                        "db" : "config",
                        "collection" : ""
                    },
                    "actions" : [
                        "find",
                        "insert",
                        "update"
                    ]
                },
                {
                    "resource" : {
                        "db" : "users",
                        "collection" : "usersCollection"
                    },
                    "actions" : [
                        "update"
                    ]
                },
                {
                    "resource" : {
                        "db" : "",
                        "collection" : ""
                    },
                    "actions" : [
                        "find"
                    ]
                },
                {
                    "resource" : {
                        "db" : "admin",
                        "collection" : ""
                    },
                    "actions" : [
                        "collStats",
                        "dbHash",
                        "dbStats",
                        "find",
                        "killCursors",
                        "planCacheRead"
                    ]
                },
                {
                    "resource" : {
                        "db" : "admin",
                        "collection" : "system.indexes"
                    },
                    "actions" : [
                        "collStats",
                        "dbHash",
                        "dbStats",
                        "find",
                        "killCursors",
                        "planCacheRead"
                    ]
                },
                {
                    "resource" : {
                        "db" : "admin",
                        "collection" : "system.js"
                    },
                    "actions" : [
                        "collStats",
                        "dbHash",
                        "dbStats",
                        "find",
                        "killCursors",
                        "planCacheRead"
                    ]
                },
                {
                    "resource" : {
                        "db" : "admin",
                        "collection" : "system.namespaces"
                    },
                    "actions" : [
                        "collStats",
                        "dbHash",
                        "dbStats",
                        "find",
                        "killCursors",
                        "planCacheRead"
                    ]
                }
            ]
        }
    ],
    "ok" : 1
}


Modifying roles

Revoking:

The official docs give this explanation of when a revocation takes effect:

Access revocations apply as soon as the user tries to run a command. On a mongos revocations are instant on the mongos on which the command ran, but there is up to a 10-minute delay before the user cache is updated on the other mongos instances in the cluster. The following example operation removes the readWrite role on the accounts database from the accountUser01 user's existing roles:

use accounts
db.revokeRolesFromUser(
    "accountUser01",
    [
      { role: "readWrite", db: "accounts" }
    ])

This mentions mongos, which belongs to the distributed (sharded) deployment model; I haven't used it yet, so I'll set it aside for now.


Granting roles was covered above.


Changing a password:

db.changeUserPassword("reporting", "SOh3TbYhxuLiW8ypJPxmt1oOfL")


Custom data can also be attached to a user:

db.runCommand(
    { updateUser: "manager",
      pwd: "KNlZmiaNUp0B",
      customData: { title: "Senior Manager" }
    })


That's as far as I'll go with authentication for now; being familiar with these commands should be enough. On to the next topic >>>
