1. 修改配置文件以启用访问控制（密码登录）。mongod.conf 为 YAML 格式，authorization 必须缩进写在 security: 之下；修改后需重启 mongod 才生效。
[root@localhost ~]# sed -n "32,33p" /etc/mongod.conf
security:
  authorization: enabled
[root@localhost ~]# systemctl restart mongod
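2. 创建超级用户。启用认证后、尚未创建任何用户时，从本机（localhost）连接可以借助 localhost exception 在 admin 库创建第一个用户，所以下面未登录时 insert 被拒绝、createUser 却能成功；第一个用户创建后该例外即失效。pwd 也可以写成 passwordPrompt()（mongo shell 4.2 起支持），避免口令以明文出现在命令里。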
[root@localhost ~]# mongo
MongoDB shell version v4.2.1
connecting to: mongodb://127.0.0.1:27017/?compressors=disabled&gssapiServiceName=mongodb
Implicit session: session { "id" : UUID("8aa45dbf-8271-4a44-98f7-2d6e8f05ebff") }
MongoDB server version: 4.2.1
Welcome to the MongoDB shell.
For interactive help, type "help".
For more comprehensive documentation, see
http://docs.mongodb.org/
Questions? Try the support group
http://groups.google.com/group/mongodb-user
> show dbs;
> show tables;
Warning: unable to run listCollections, attempting to approximate collection names by parsing connectionStatus
> show dbs
> use test;
switched to db test
> db.test.insert({"a":1})
WriteCommandError({
"ok" : 0,
"errmsg" : "not authorized on test to execute command { insert: \"test\", ordered: true, lsid: { id: UUID(\"8aa45dbf-8271-4a44-98f7-2d6e8f05ebff\") }, $db: \"test\" }",
"code" : 13,
"codeName" : "Unauthorized"
})
> use admin
switched to db admin
> db.createUser({user:"superuser",pwd:"Hjian209",roles:[{role:"root",db:"admin"}]})
Successfully added user: {
"user" : "superuser",
"roles" : [
{
"role" : "root",
"db" : "admin"
}
]
}
> exit
bye
3. 测试超级用户的权限。在命令行的 -p 后直接写口令会留在 shell 历史记录中；只写 -p 而不带值时，mongo 会交互式提示输入口令。
[root@localhost ~]# mongo -u superuser -p Hjian209 --authenticationDatabase admin
MongoDB shell version v4.2.1
connecting to: mongodb://127.0.0.1:27017/?authSource=admin&compressors=disabled&gssapiServiceName=mongodb
Implicit session: session { "id" : UUID("5efc26c1-3a04-409c-b60f-bf0f5cdd4356") }
MongoDB server version: 4.2.1
> show dbs
admin 0.000GB
config 0.000GB
local 0.000GB
> use test
switched to db test
> db.test.insert({"a":1})
WriteResult({ "nInserted" : 1 })
> db.test.find()
{ "_id" : ObjectId("5f4909ee35eddd74a508fa9f"), "a" : 1 }
>
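4. 创建仅对指定库（acme）有读写权限的用户。用户本身建在 admin 库（登录时的认证库），readWrite 角色只作用于 acme，因此后面访问 test 库会返回 Unauthorized。示例口令 test 过弱，实际环境应使用强口令。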
[root@localhost ~]# mongo -u superuser -p Hjian209 --authenticationDatabase admin
MongoDB shell version v4.2.1
connecting to: mongodb://127.0.0.1:27017/?authSource=admin&compressors=disabled&gssapiServiceName=mongodb
Implicit session: session { "id" : UUID("5efc26c1-3a04-409c-b60f-bf0f5cdd4356") }
MongoDB server version: 4.2.1
> use admin
switched to db admin
> db.createUser({user:"test",pwd:"test",roles:[{role:"readWrite",db:"acme"}]})
Successfully added user: {
"user" : "test",
"roles" : [
{
"role" : "readWrite",
"db" : "acme"
}
]
}
[root@localhost ~]# mongo -u test -p test --authenticationDatabase admin
MongoDB shell version v4.2.1
connecting to: mongodb://127.0.0.1:27017/?authSource=admin&compressors=disabled&gssapiServiceName=mongodb
Implicit session: session { "id" : UUID("207b9736-b8ad-4394-9da9-4d4d1f3cbfb0") }
MongoDB server version: 4.2.1
> use acme
switched to db acme
> db.test.insert({"test":"A"})
WriteResult({ "nInserted" : 1 })
> db.test.find()
{ "_id" : ObjectId("5f490b19c51b3e964868b041"), "test" : "A" }
> use test
switched to db test
> show tables;
Warning: unable to run listCollections, attempting to approximate collection names by parsing connectionStatus
> show collections
Warning: unable to run listCollections, attempting to approximate collection names by parsing connectionStatus
> db.test.find()
Error: error: {
"ok" : 0,
"errmsg" : "not authorized on test to execute command { find: \"test\", filter: {}, lsid: { id: UUID(\"207b9736-b8ad-4394-9da9-4d4d1f3cbfb0\") }, $db: \"test\" }",
"code" : 13,
"codeName" : "Unauthorized"
}
> exit
bye
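5. 创建仅对指定库（acme）有只读权限的用户。下面的 createUser 需要先以 superuser 重新登录并执行 use admin（原文未显示这两步）；read 角色只允许查询，所以后面的 insert 会返回 Unauthorized。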
> db.createUser({user:"reader",pwd:"test",roles:[{role:"read",db:"acme"}]})
Successfully added user: {
"user" : "reader",
"roles" : [
{
"role" : "read",
"db" : "acme"
}
]
}
> exit
bye
[root@localhost ~]# mongo -u reader -p test --authenticationDatabase admin
MongoDB shell version v4.2.1
connecting to: mongodb://127.0.0.1:27017/?authSource=admin&compressors=disabled&gssapiServiceName=mongodb
Implicit session: session { "id" : UUID("c8357538-252f-4bb6-8e41-ce7014625d7e") }
MongoDB server version: 4.2.1
> use acme
switched to db acme
> show tables
test
> db.test.find()
{ "_id" : ObjectId("5f490b19c51b3e964868b041"), "test" : "A" }
> db.test.insert({"t":"BB"})
WriteCommandError({
"ok" : 0,
"errmsg" : "not authorized on acme to execute command { insert: \"test\", ordered: true, lsid: { id: UUID(\"c8357538-252f-4bb6-8e41-ce7014625d7e\") }, $db: \"acme\" }",
"code" : 13,
"codeName" : "Unauthorized"
})
>