Mongodb 权限控制以及角色使用

1.访问控制,从来源IP以及端口进行限制
2.用户权限划分,数据库内部进行权限划分,不让权限放大

1.访问控制
通过iptables控制访问来源IP,以及端口
vim /etc/sysconfig/iptables
加入以下规则:
#app servers
-A INPUT -m iprange --src-range 192.168.xxx.xxx -p tcp -m multiport --destination-ports xxxx -j ACCEPT
-A INPUT -m state --state NEW -p tcp -m multiport --destination-ports 5888 -j REJECT

mongo 192.168.101.115:5888/admin
MongoDB shell version: 3.2.8
connecting to: 192.168.101.115:5888/admin
2017-04-14T14:13:25.551+0800 W NETWORK  [thread1] Failed to connect to 192.168.101.115:5888, reason: errno:111 Connection refused
2017-04-14T14:13:25.598+0800 E QUERY    [thread1] Error: couldn't connect to server 192.168.101.115:5888, connection attempt failed :
connect@src/mongo/shell/mongo.js:231:14

打开访问端口和访问IP
修改
-A INPUT -m iprange --src-range 192.168.xxx.xxx -p tcp -m multiport --destination-ports 5888 -j ACCEPT
-A INPUT -m iprange --src-range 192.168.8.88 -p tcp -m multiport --destination-ports 5888 -j ACCEPT

重启iptables
service  iptables restart

那么在192.168.8.88上就可以连接过来了
mongo 192.168.101.115:5888/admin
MongoDB shell version: 3.2.8
connecting to: 192.168.101.115:5888/admin
hank:PRIMARY>


2.用户权限划分
这里mongodb用role划分权限,然后把role赋予user
这里先介绍下role的概念,role实就是权限的集合,和其他数据库的role基本意思一样
比如系统自带的role,可以通过show roles;
具体解释https://docs.mongodb.com/manual/core/security-built-in-roles/

以下为具体分类:
Database User Roles:read,readWrite
Database Administration Roles:dbAdmin,dbOwner,userAdmin
Cluster Administration Roles:clusterAdmin,clusterManager,clusterMonitor,hostManager
Backup and Restoration Roles:backup,restore
All-Database Roles:readAnyDatabase,readWriteAnyDatabase,userAdminAnyDatabase,dbAdminAnyDatabase
Superuser Roles:root 
Internal Role:__system

比如以下,一般数据库下有这些roles,admin下面的role会更多一些
hank:PRIMARY> show roles;
{
        "role" : "dbAdmin",
        "db" : "test",
        "isBuiltin" : true,
        "roles" : [ ],
        "inheritedRoles" : [ ]
}
{
        "role" : "dbOwner",
        "db" : "test",
        "isBuiltin" : true,
        "roles" : [ ],
        "inheritedRoles" : [ ]
}
{
        "role" : "enableSharding",
        "db" : "test",
        "isBuiltin" : true,
        "roles" : [ ],
        "inheritedRoles" : [ ]
}
{
        "role" : "read",
        "db" : "test",
        "isBuiltin" : true,
        "roles" : [ ],
        "inheritedRoles" : [ ]
}
{
        "role" : "readWrite",
        "db" : "test",
        "isBuiltin" : true,
        "roles" : [ ],
        "inheritedRoles" : [ ]
}
{
        "role" : "userAdmin",
        "db" : "test",
        "isBuiltin" : true,
        "roles" : [ ],
        "inheritedRoles" : [ ]
}



如果知道具体role的权限呢,利用以下命令可以看到,这里我选择了权限较小的enableSharding,其他权限大家可以自行查阅
hank:PRIMARY> db.getRole("enableSharding",{showPrivileges: true});
{
        "role" : "enableSharding",
        "db" : "local",
        "isBuiltin" : true,
        "roles" : [ ],
        "inheritedRoles" : [ ],
        "privileges" : [
                {
                        "resource" : {
                                "db" : "",
                                "collection" : ""
                        },
                        "actions" : [
                                "enableSharding"
                        ]
                }
        ],
        "inheritedPrivileges" : [
                {
                        "resource" : {
                                "db" : "",
                                "collection" : ""
                        },
                        "actions" : [
                                "enableSharding"
                        ]
                }
        ]
}


切换至admin,用户创建一个role是root的用户hank,密码也是hank

db.createUser(
  {
        user:"hank",
        pwd:"hank",
       roles:
        [ 
           {
            role:"root",
            db:"admin"
            }
        ]
    }
);

本环境是replica sets,要启用验证,需要keyfile
生成keyfile,并把keyfile复制到各节点
openssl rand -base64 600 > mongodb_keyfile
chmod 600 mongodb_keyfile
添加至配置文件
keyFile = /home/mongo/mongodb_keyfile
重新启动mongodb即可

需要注意的是,之前在那个db下建立的用户,那么就需要在那个db下进行验证登陆
如以下验证失败
mongo 127.0.0.1:5888/test
MongoDB shell version: 3.2.8
connecting to: 127.0.0.1:5888/test
hank:PRIMARY>  db.auth('hank','hank');
Error: Authentication failed.
0

必须切换至admin
hank:PRIMARY> use admin
switched to db admin
hank:PRIMARY>  db.auth('hank','hank');
1

切换到数据库建立普通操作用户,一般dbOwner角色即可,dbOwner包含了readWrite,dbAdmin,userAdmin的权限
use test
db.createUser(
  {
        user:"test",
        pwd:"test",
       roles:
        [ 
           {
            role:"dbOwner",
            db:"test"
            }
        ]
    }
);

如果需要具体到表的读写权限,可以建立相应role,然后赋予用户或者创建用户的时候指定role
use admin 

db.createRole(
   {
     role: "myadminuser",
     privileges: [
       { resource: { db: "test", collection: "tb1" }, actions: [ "find"] },
       { resource: { db: "hank", collection: "" }, actions: [ "find" ] }
     ],
     roles: [
       { role: "read", db: "admin" }
     ]
   },
   { w: "majority" , wtimeout: 5000 }
)

db.createUser(
   {
     user: "user1",
     pwd: "user1",
     roles: [ {role:"myadminuser",db:"test"}]
   }
)



具体例子:
建角色:
db.createRole(
   {
     role: "rotb1",
     privileges: [
       { resource: { db: "test", collection: "tb1" }, actions: [ "find"] },
       { resource: { db: "test", collection: "hank" }, actions: [ "remove"] }
     ],
     roles: []    
    }
)

这里roles:[]表示不继承任何role权限
建用户:
db.createUser(
   {
     user: "testuser",
     pwd: "user",
     roles:[{role:"rotb1",db:"test"}]
   }
)
或者建立用户后,再通过以下语句赋予权限
db.grantRolesToUser( "testuser", [ "rotb1" ] )

这里resource里面有几种情况:
{ db: "test", collection: "" }  表示拥有test数据库下所有非系统表的相关权限
{ db: "", collection: "tb1" }  表示拥有每个数据库下,表名为tb1的相关权限
{ db: "", collection: "" }     表示在所有数据库,非系统表的相关权限

测试权限:
mongo 127.0.0.1:5888/test
db.auth('testuser','user');
hank:PRIMARY> db.hank.find();
Error: error: {
        "ok" : 0,
        "errmsg" : "not authorized on test to execute command { find: \"hank\", filter: {} }",
        "code" : 13
}

hank:PRIMARY> db.tb1.insert({name:"hank"})
WriteResult({
        "writeError" : {
                "code" : 13,
                "errmsg" : "not authorized on test to execute command { insert: \"tb1\", documents: [ { _id: ObjectId('58f45d4dc98d40d1b53fbe6f'), name: \"hank\" } ], ordered: true }"
        }
})
可以见以上操作均失败

hank:PRIMARY> db.tb1.find();  //只有find权限
{ "_id" : ObjectId("58f4496d48b14a04810f5491"), "a" : "dazuiba" }
{ "_id" : ObjectId("58f44a5048b14a04810f5495"), "a" : "dazuiba" }
{ "_id" : ObjectId("58f44aa948b14a04810f5496"), "a" : "dazuiba" }
{ "_id" : ObjectId("58f45aaa48b14a04810f5497"), "a" : "hank" }
{ "_id" : ObjectId("58f45aac48b14a04810f5498"), "a" : "hank" }
{ "_id" : ObjectId("58f45aac48b14a04810f5499"), "a" : "hank" }
{ "_id" : ObjectId("58f45b8c48b14a04810f549a"), "a" : "hank" }
{ "_id" : ObjectId("58f45ba248b14a04810f549b"), "a" : "hank" }
hank:PRIMARY> db.hank.remove('');   //只有remove权限
WriteResult({ "nRemoved" : 4 })

可以通过show users,show roles查看相关用户以及角色



参考:
https://docs.mongodb.com/manual/reference/method/js-user-management/
https://docs.mongodb.com/manual/reference/method/js-role-management/

你可能感兴趣的:(#,mongodb)