1.访问控制,从来源IP以及端口进行限制
2.用户权限划分,数据库内部进行权限划分,不让权限放大
1.访问控制
通过iptables控制访问来源IP,以及端口
vim /etc/sysconfig/iptables
加入以下规则:
#app servers
-A INPUT -m iprange --src-range 192.168.xxx.xxx -p tcp -m multiport --destination-ports xxxx -j ACCEPT
-A INPUT -m state --state NEW -p tcp -m multiport --destination-ports 5888 -j REJECT
mongo 192.168.101.115:5888/admin
MongoDB shell version: 3.2.8
connecting to: 192.168.101.115:5888/admin
2017-04-14T14:13:25.551+0800 W NETWORK [thread1] Failed to connect to 192.168.101.115:5888, reason: errno:111 Connection refused
2017-04-14T14:13:25.598+0800 E QUERY [thread1] Error: couldn't connect to server 192.168.101.115:5888, connection attempt failed :
connect@src/mongo/shell/mongo.js:231:14
打开访问端口和访问IP
修改
-A INPUT -m iprange --src-range 192.168.xxx.xxx -p tcp -m multiport --destination-ports 5888 -j ACCEPT
为
-A INPUT -m iprange --src-range 192.168.8.88 -p tcp -m multiport --destination-ports 5888 -j ACCEPT
重启iptables
service iptables restart
那么在192.168.8.88上就可以连接过来了
mongo 192.168.101.115:5888/admin
MongoDB shell version: 3.2.8
connecting to: 192.168.101.115:5888/admin
hank:PRIMARY>
2.用户权限划分
这里mongodb用role划分权限,然后把role赋予user
这里先介绍下role的概念,role实就是权限的集合,和其他数据库的role基本意思一样
比如系统自带的role,可以通过show roles;
具体解释https://docs.mongodb.com/manual/core/security-built-in-roles/
以下为具体分类:
Database User Roles:read,readWrite
Database Administration Roles:dbAdmin,dbOwner,userAdmin
Cluster Administration Roles:clusterAdmin,clusterManager,clusterMonitor,hostManager
Backup and Restoration Roles:backup,restore
All-Database Roles:readAnyDatabase,readWriteAnyDatabase,userAdminAnyDatabase,dbAdminAnyDatabase
Superuser Roles:root
Internal Role:__system
比如以下,一般数据库下有这些roles,admin下面的role会更多一些
hank:PRIMARY> show roles;
{
"role" : "dbAdmin",
"db" : "test",
"isBuiltin" : true,
"roles" : [ ],
"inheritedRoles" : [ ]
}
{
"role" : "dbOwner",
"db" : "test",
"isBuiltin" : true,
"roles" : [ ],
"inheritedRoles" : [ ]
}
{
"role" : "enableSharding",
"db" : "test",
"isBuiltin" : true,
"roles" : [ ],
"inheritedRoles" : [ ]
}
{
"role" : "read",
"db" : "test",
"isBuiltin" : true,
"roles" : [ ],
"inheritedRoles" : [ ]
}
{
"role" : "readWrite",
"db" : "test",
"isBuiltin" : true,
"roles" : [ ],
"inheritedRoles" : [ ]
}
{
"role" : "userAdmin",
"db" : "test",
"isBuiltin" : true,
"roles" : [ ],
"inheritedRoles" : [ ]
}
如果知道具体role的权限呢,利用以下命令可以看到,这里我选择了权限较小的enableSharding,其他权限大家可以自行查阅
hank:PRIMARY> db.getRole("enableSharding",{showPrivileges: true});
{
"role" : "enableSharding",
"db" : "local",
"isBuiltin" : true,
"roles" : [ ],
"inheritedRoles" : [ ],
"privileges" : [
{
"resource" : {
"db" : "",
"collection" : ""
},
"actions" : [
"enableSharding"
]
}
],
"inheritedPrivileges" : [
{
"resource" : {
"db" : "",
"collection" : ""
},
"actions" : [
"enableSharding"
]
}
]
}
切换至admin,用户创建一个role是root的用户hank,密码也是hank
db.createUser(
{
user:"hank",
pwd:"hank",
roles:
[
{
role:"root",
db:"admin"
}
]
}
);
本环境是replica sets,要启用验证,需要keyfile
生成keyfile,并把keyfile复制到各节点
openssl rand -base64 600 > mongodb_keyfile
chmod 600 mongodb_keyfile
添加至配置文件
keyFile = /home/mongo/mongodb_keyfile
重新启动mongodb即可
需要注意的是,之前在那个db下建立的用户,那么就需要在那个db下进行验证登陆
如以下验证失败
mongo 127.0.0.1:5888/test
MongoDB shell version: 3.2.8
connecting to: 127.0.0.1:5888/test
hank:PRIMARY> db.auth('hank','hank');
Error: Authentication failed.
0
必须切换至admin
hank:PRIMARY> use admin
switched to db admin
hank:PRIMARY> db.auth('hank','hank');
1
切换到数据库建立普通操作用户,一般dbOwner角色即可,dbOwner包含了readWrite,dbAdmin,userAdmin的权限
use test
db.createUser(
{
user:"test",
pwd:"test",
roles:
[
{
role:"dbOwner",
db:"test"
}
]
}
);
如果需要具体到表的读写权限,可以建立相应role,然后赋予用户或者创建用户的时候指定role
use admin
db.createRole(
{
role: "myadminuser",
privileges: [
{ resource: { db: "test", collection: "tb1" }, actions: [ "find"] },
{ resource: { db: "hank", collection: "" }, actions: [ "find" ] }
],
roles: [
{ role: "read", db: "admin" }
]
},
{ w: "majority" , wtimeout: 5000 }
)
db.createUser(
{
user: "user1",
pwd: "user1",
roles: [ {role:"myadminuser",db:"test"}]
}
)
具体例子:
建角色:
db.createRole(
{
role: "rotb1",
privileges: [
{ resource: { db: "test", collection: "tb1" }, actions: [ "find"] },
{ resource: { db: "test", collection: "hank" }, actions: [ "remove"] }
],
roles: []
}
)
这里roles:[]表示不继承任何role权限
建用户:
db.createUser(
{
user: "testuser",
pwd: "user",
roles:[{role:"rotb1",db:"test"}]
}
)
或者建立用户后,再通过以下语句赋予权限
db.grantRolesToUser( "testuser", [ "rotb1" ] )
这里resource里面有几种情况:
{ db: "test", collection: "" } 表示拥有test数据库下所有非系统表的相关权限
{ db: "", collection: "tb1" } 表示拥有每个数据库下,表名为tb1的相关权限
{ db: "", collection: "" } 表示在所有数据库,非系统表的相关权限
测试权限:
mongo 127.0.0.1:5888/test
db.auth('testuser','user');
hank:PRIMARY> db.hank.find();
Error: error: {
"ok" : 0,
"errmsg" : "not authorized on test to execute command { find: \"hank\", filter: {} }",
"code" : 13
}
hank:PRIMARY> db.tb1.insert({name:"hank"})
WriteResult({
"writeError" : {
"code" : 13,
"errmsg" : "not authorized on test to execute command { insert: \"tb1\", documents: [ { _id: ObjectId('58f45d4dc98d40d1b53fbe6f'), name: \"hank\" } ], ordered: true }"
}
})
可以见以上操作均失败
hank:PRIMARY> db.tb1.find(); //只有find权限
{ "_id" : ObjectId("58f4496d48b14a04810f5491"), "a" : "dazuiba" }
{ "_id" : ObjectId("58f44a5048b14a04810f5495"), "a" : "dazuiba" }
{ "_id" : ObjectId("58f44aa948b14a04810f5496"), "a" : "dazuiba" }
{ "_id" : ObjectId("58f45aaa48b14a04810f5497"), "a" : "hank" }
{ "_id" : ObjectId("58f45aac48b14a04810f5498"), "a" : "hank" }
{ "_id" : ObjectId("58f45aac48b14a04810f5499"), "a" : "hank" }
{ "_id" : ObjectId("58f45b8c48b14a04810f549a"), "a" : "hank" }
{ "_id" : ObjectId("58f45ba248b14a04810f549b"), "a" : "hank" }
hank:PRIMARY> db.hank.remove(''); //只有remove权限
WriteResult({ "nRemoved" : 4 })
可以通过show users,show roles查看相关用户以及角色
参考:
https://docs.mongodb.com/manual/reference/method/js-user-management/
https://docs.mongodb.com/manual/reference/method/js-role-management/