#昊鼎王五:mongodb用户安全认证详解
#1.基础知识:
##1.1.前提:
本文基于:《昊鼎王五:如何配置mongodb集群的用户认证方式及创建访问权限用户?》
https://blog.csdn.net/haoding205/article/details/82257010
##1.2.验证原理扩展介绍
mongodb支持针对连接的用户验证,使用参数auth打开验证功能:
[root@mongodb2 ~]# mongod -h |grep aut
--keyFile arg private key for cluster authentication
--noauth run without security
authentication. Alternatives are
--auth run with security
--autoresync automatically resync if slave data is
为用户创建或者使用内建的指定角色,然后将角色赋予给用户授权,遵循的原则是最小权限原则.mongodb不能直接将权限赋予给用户.
在打开auth之前需至少添加一个管理员用户,然后在添加其它的额外用户,否则mongodb将使用一个本地认证,以便让你可以创建一个管理员账户.
mongodb认证方式有多种,如password认证,kerberos认证,ldap认证等等,这里主要讲的是密码认证,也是用的最多的.
#2.管理用户和角色
##2.1.创建一个管理员用户
在开启验证之前必须创建一个管理员用户,管理员用户拥有userAdminAnyDatabase角色.此角色拥有管理用户的权限,注意此角色并不是最大权限的角色.
我们使用db.createUser()来创建用户,下面例子我们创建一个管理员用户root,密码root:
>use admin
db.createUser(
{
user: "root",
pwd: "root",
roles: [ { role: "userAdminAnyDatabase", db: "admin" } ]
}
)
Successfully added user: {
"user" : "root",
"roles" : [
{
"role" : "userAdminAnyDatabase",
"db" : "admin"
}
]
}
mongos>
使用root来登录mongodb:
[root@mongodb3 ~]# mongo --port 37017 -u root -p root --authenticationDatabase admin
userAdminAnyDatabase角色拥有如下权限:
changeCustomData
changePassword
createRole
createUser
dropRole
dropUser
grantRole
revokeRole
viewRole
viewUser
##2.2.创建一个超级管理员用户
一些角色提供了间接的或者直接的超级管理员权限.如果一个用户拥有下面三个角色那么可以称之为超级管理员权限
下列角色提供了在任何数据库中分配任何用户权限的能力,这就意味着他们可以分配给自己任何数据库任何权限:
1.dbOwner role, when scoped to the admin database
2.userAdmin role, when scoped to the admin database
3.userAdminAnyDatabase role
例如我们创建一个suq用户,拥有三个角色:
db.createUser(
{
user: "suq",
pwd: "suq",
roles: [
{ role: "dbOwner", db: "admin" },
{ role: "userAdmin", db: "admin" },
{ role: "userAdminAnyDatabase", db: "admin" }
]
}
)
mongodb还直接提供了一个超级管理员角色root,例如我们创建一个admin用户为超级管理员:
use admin
db.createUser(
{
user: "admin",
pwd: "admin",
roles: [ { role: "root",db:"admin" }]
}
)
当你使用admin登录mongodb的时候会有提示,不建议用超级管理员登录:
[root@mongodb3 ~]# mongo --port 37017 -u admin -p admin --authenticationDatabase admin
MongoDB shell version: 3.2.6
connecting to: 127.0.0.1:37017/test
Server has startup warnings:
2016-06-24T18:41:47.116+0800 I CONTROL [initandlisten] ** WARNING: You are running this process as the root user, which is not recommended.
2016-06-24T18:41:47.116+0800 I CONTROL [initandlisten]
切换用户使用db.auth()方法:
> db.auth("admin","admin")
##2.3.创建角色
角色用来授予给用户来控制用户使用mongodb的资源.mongdb提供了一套内置的角色,管理员可以直接使用这些角色来控制访问mongodb.然而如果这些内置的角色无法满足你的需求,你可以在单独的数据库里创建新的角色.
除了在admin数据库里创建的角色外,创建的的角色只能拥有此数据库内的权限.
在admin数据库内创建的角色,可以继承admin库,其他库,或者集群资源.也就是说在其它库里创建的角色只拥有此库的一些权限.
使用db.createRole()来创建角色.
创建角色你必须有如下两个条件:
1.在数据库有createRole权限
2.你需要有授予指定权限的权限
内建角色userAdmin 和 userAdminAnyDatabase满足上述要求.因此一般以此管理员登录用户来执行.
createRole()的语法如下:
{
role: "",
privileges: [
{ resource: { }, actions: [ "", ... ] },
...
],
roles: [
{ role: "", db: "" } | "",
...
]
}
其中:
role是创建的role的名字.
resource是你想授权所对应的对象,例如resource: { db: "users", collection: "usersCollection" }表示你想把users.userscollection的资源授予给此角色.这里是官网对resource的介绍:https://docs.mongodb.com/manual/reference/resource-document/#resource-document
actions是你想授予的动作,例如actions: [ "update", "insert", "remove" ],这里有官网对action的介绍:https://docs.mongodb.com/manual/reference/privilege-actions/#security-user-actions
roles是表示你想把某个角色授予给此角色.
下面一个实例:
use admin
db.createRole(
{
role: "myClusterwideAdmin",
privileges: [
{ resource: { cluster: true }, actions: [ "addShard" ] },
{ resource: { db: "config", collection: "" }, actions: [ "find", "update", "insert", "remove" ] },
{ resource: { db: "users", collection: "usersCollection" }, actions: [ "update", "insert", "remove" ] },
{ resource: { db: "", collection: "" }, actions: [ "find" ] }
],
roles: [
{ role: "read", db: "admin" }
]
},
{ w: "majority" , wtimeout: 5000 }
)
下面介绍几个创建角色的例子:
创建一个角色管理当前操作
这个角色可以kill任何操作.以上面的root用户登录mongod:
[root@mongodb3 ~]# mongo --port 37017 -u root -p root --authenticationDatabase admin
use admin
db.createRole(
{
role: "manageOpRole",
privileges:
[
{
resource: { cluster: true },
actions: [ "killop", "inprog" ]
},
{
resource: { db: "", collection: "" },
actions: [ "killCursors" ]
}
],
roles: []
}
)
创建一个角色可以运行mongostat
use admin
db.createRole(
{
role: "mongostatRole",
privileges: [
{
resource: { cluster: true },
actions: [ "serverStatus" ]
}
],
roles: []
}
)
##2.4.查看角色权限
使用db.getRole()方法来获得角色的权限:
> db.getRole("mongostatRole")
{
"role" : "mongostatRole",
"db" : "admin",
"isBuiltin" : false,
"roles" : [ ],
"inheritedRoles" : [ ]
}
查看详细的角色:
> db.getRole("mongostatRole",{showPrivileges: true})
{
"role" : "mongostatRole",
"db" : "admin",
"isBuiltin" : false,
"roles" : [ ],
"inheritedRoles" : [ ],
"privileges" : [
{
"resource" : {
"cluster" : true
},
"actions" : [
"serverStatus"
]
}
],
"inheritedPrivileges" : [
{
"resource" : {
"cluster" : true
},
"actions" : [
"serverStatus"
]
}
]
}
还可以使用db.getRoles()查看所有的非内建的角色:
> db.getRoles()
[
{
"role" : "manageOpRole",
"db" : "admin",
"isBuiltin" : false,
"roles" : [ ],
"inheritedRoles" : [ ]
},
{
"role" : "mongostatRole",
"db" : "admin",
"isBuiltin" : false,
"roles" : [ ],
"inheritedRoles" : [ ]
}
]
> db.getRoles({showPrivileges: true})
[
{
"role" : "manageOpRole",
"db" : "admin",
"isBuiltin" : false,
"roles" : [ ],
"inheritedRoles" : [ ],
"privileges" : [
{
"resource" : {
"cluster" : true
},
"actions" : [
"inprog",
"killop"
]
},
{
"resource" : {
"db" : "",
"collection" : ""
},
"actions" : [
"killCursors"
]
}
],
"inheritedPrivileges" : [
{
"resource" : {
"cluster" : true
},
"actions" : [
"inprog",
"killop"
]
},
{
"resource" : {
"db" : "",
"collection" : ""
},
"actions" : [
"killCursors"
]
}
]
},
{
"role" : "mongostatRole",
"db" : "admin",
"isBuiltin" : false,
"roles" : [ ],
"inheritedRoles" : [ ],
"privileges" : [
{
"resource" : {
"cluster" : true
},
"actions" : [
"serverStatus"
]
}
],
"inheritedPrivileges" : [
{
"resource" : {
"cluster" : true
},
"actions" : [
"serverStatus"
]
}
]
}
]
##2.5.查看用户角色
使用db.getUser()方法来查看用户的所赋予的角色:
> db.getUser("suq")
{
"_id" : "admin.suq",
"user" : "suq",
"db" : "admin",
"roles" : [
{
"role" : "dbOwner",
"db" : "admin"
},
{
"role" : "userAdmin",
"db" : "admin"
},
{
"role" : "userAdminAnyDatabase",
"db" : "admin"
}
]
}
还可以使用db.getUsers()获取全部的用户信息:
> db.getUsers()
[
{
"_id" : "admin.root",
"user" : "root",
"db" : "admin",
"roles" : [
{
"role" : "userAdminAnyDatabase",
"db" : "admin"
}
]
},
{
"_id" : "admin.admin",
"user" : "admin",
"db" : "admin",
"roles" : [
{
"role" : "root",
"db" : "admin"
}
]
},
{
"_id" : "admin.suq",
"user" : "suq",
"db" : "admin",
"roles" : [
{
"role" : "dbOwner",
"db" : "admin"
},
{
"role" : "userAdminAnyDatabase",
"db" : "admin"
}
]
}
]
##2.6.授予/收回角色权限
使用db.revokePrivilegesFromRole()和db.grantPrivilegesToRole()方法收回和赋予角色权限
db.revokePrivilegesFromRole(
"manageOpRole",
[
{ resource: {"cluster" : true}, actions: ["inprog","killop"] }
]
)
db.grantPrivilegesToRole(
"manageOpRole",
[
{
resource: {"cluster" : true},
actions: ["inprog","killop"]
}
]
)
##2.7.授予/收回用户角色
使用db.revokeRolesFromUser()来收回用户所赋予的角色
db.revokeRolesFromUser(
"suq",
[
{ role: "userAdmin", db: "admin" }
]
)
使用db.grantRolesToUser()来给用户授予角色:
db.grantRolesToUser(
“reportsUser”,
[
{ role: “userAdmin”, db: “admin” }
]
)
##2.8.修改用户密码
使用db.changeUserPassword()方法来给用户修改密码:
> db.system.users.find();
> use dbname;
> db.changeUserPassword("suq", "111111");
##2.9.删除用户
#方式1:
> db.system.users.find();
> use dbname;
> db.dropUser("suq");
#方式2:
> db.system.users.find();
> db.system.users.remove({"_id" : "xxx.yyy"});
WriteResult({ "nRemoved" : 1 })
#3.内置角色和内置权限
#内置的角色,查看官方文档:
https://docs.mongodb.com/manual/reference/built-in-roles
#4.用户和角色方法
详细参见官方文档:
https://docs.mongodb.com/manual/reference/method/#role-management
Role Management
Name Description
db.createRole()
Creates a role and specifies its privileges.
db.updateRole()
Updates a user-defined role.
db.dropRole()
Deletes a user-defined role.
db.dropAllRoles()
Deletes all user-defined roles associated with a database.
db.grantPrivilegesToRole()
Assigns privileges to a user-defined role.
db.revokePrivilegesFromRole()
Removes the specified privileges from a user-defined role.
db.grantRolesToRole()
Specifies roles from which a user-defined role inherits privileges.
db.revokeRolesFromRole()
Removes inherited roles from a role.
db.getRole()
Returns information for the specified role.
db.getRoles()
Returns information for all the user-defined roles in a database.
User Management
Name Description
db.auth()
Authenticates a user to a database.
db.createUser()
Creates a new user.
db.updateUser()
Updates user data.
db.changeUserPassword()
Changes an existing user’s password.
db.removeUser()
Deprecated. Removes a user from a database.
db.dropAllUsers()
Deletes all users associated with a database.
db.dropUser()
Removes a single user.
db.grantRolesToUser()
Grants a role and its privileges to a user.
db.revokeRolesFromUser()
Removes a role from a user.
db.getUser()
Returns information about the specified user.
db.getUsers()
Returns information about all users associated with a database.
#5.用户角色权限集合
mongodb的用户和角色信息存放在admin数据库下的system.users和system.roles集合中.
mongodb建议修改用户和角色使用上面的用户和角色的方法,不要直接修改集合的数据.
system.roles集合数据大致如下:
{
_id: ,
role: "",
db: "",
privileges:
[
{
resource: { },
actions: [ "", ... ]
},
...
],
roles:
[
{ role: "", db: "" },
...
]
}
system.users集合数据大致如下:
{
_id: ,
user: "",
db: "",
credentials: { },
roles: [
{ role: "", db: "" },
...
],
customData:
}
#具体的说明几乎和上面的一致,就不赘述了,有兴趣的话可以查看官方文档:
https://docs.mongodb.com/manual/reference/system-users-collection/
https://docs.mongodb.com/manual/reference/system-roles-collection/
好了,聪明如你,知道了mongodb用户安全认证详解,是不是很欢喜 _