一..验证介绍

mongodb支持针对连接的用户验证,使用参数auth打开验证功能:

[root@mongodb2 ~]# mongod -h |grep aut --keyFile arg private key for cluster authentication --noauth run without security authentication. Alternatives are  --auth run with security --autoresync automatically resync if slave data is

最好的策略是为每个人或者每个应用分配唯一的用户.为用户创建或者使用内建的指定角色,然后将角色赋予给用户授权,遵循的原则是最小权限原则.mongodb不能直接将权限赋予给用户.在打开auth之前需至少添加一个管理员用户,然后在添加其它的额外用户,否则mongodb将使用一个本地认证,以便让你可以创建一个管理员账户. mongodb认证方式有多种,如password认证,kerberos认证,ldap认证等等,这里主要讲的是密码认证,也是用的最多的.

二.管理用户和角色

1.创建一个管理员用户

在开启验证之前必须创建一个管理员用户,管理员用户拥有userAdminAnyDatabase角色.此角色拥有管理用户的权限,注意此角色并不是最大权限的角色. 我们使用db.createUser()来创建用户,下面例子我们创建一个管理员用户root,密码root:

>use admin
?db.createUser(
 {
 user: "root",
 pwd: "root",
 roles: [ { role: "userAdminAnyDatabase", db: "admin" } ]
 }
)
Successfully added user: {"user" : "root","roles" : [{"role" : "userAdminAnyDatabase","db" : "admin"}]}mongos>

使用root来登录mongodb:

[root@mongodb3 ~]# mongo --port 37017 -u root -p root --authenticationDatabase admin

userAdminAnyDatabase角色拥有如下权限:

changeCustomDatachangePasswordcreateRolecreateUserdropRoledropUsergrantRolerevokeRoleviewRoleviewUser

2.创建一个超级管理员用户

一些角色提供了间接的或者直接的超级管理员权限.如果一个用户拥有下面三个角色那么可以称之为超级管理员权限下列角色提供了在任何数据库中分配任何用户权限的能力,这就意味着他们可以分配给自己任何数据库任何权限:
1.dbOwner role, when scoped to the admin database2.userAdmin role, when scoped to the admin database3.userAdminAnyDatabase role 例如我们创建一个suq用户,拥有三个角色:

db.createUser( { user: "suq", pwd: "suq", roles: [ { role: "dbOwner", db: "admin" }, { role: "userAdmin", db: "admin" }, { role: "userAdminAnyDatabase", db: "admin" } ] })

mongodb还直接提供了一个超级管理员角色root,例如我们创建一个admin用户为超级管理员:

use admindb.createUser( { user: "admin", pwd: "admin", roles: [ { role: "root",db:"admin" }]  })

当你使用admin登录mongodb的时候会有提示,不建议用超级管理员登录:

[root@mongodb3 ~]# mongo --port 37017 -u admin -p admin --authenticationDatabase adminMongoDB shell version: 3.2.6connecting to: 127.0.0.1:37017/testServer has startup warnings: 2016-06-24T18:41:47.116+0800 I CONTROL [initandlisten] ** WARNING: You are running this process as the root user, which is not recommended.2016-06-24T18:41:47.116+0800 I CONTROL [initandlisten]

切换用户使用db.auth()方法:

> db.auth("admin","admin")

3.创建角色

角色用来授予给用户来控制用户使用mongodb的资源.mongdb提供了一套内置的角色,管理员可以直接使用这些角色来控制访问mongodb.然而如果这些内置的角色无法满足你的需求,你可以在单独的数据库里创建新的角色. 除了在admin数据库里创建的角色外,创建的的角色只能拥有此数据库内的权限. 在admin数据库内创建的角色,可以继承admin库,其他库,或者集群资源.也就是说在其它库里创建的角色只拥有此库的一些权限. 使用db.createRole()来创建角色. 创建角色你必须有如下两个条件: 1.在数据库有createRole权限 2.你需要有授予指定权限的权限内建角色userAdmin 和 userAdminAnyDatabase满足上述要求.因此一般以此管理员登录用户来执行.
createRole()的语法如下:

{ role: "<name>", privileges: [ { resource: { <resource> }, actions: [ "<action>", ... ] }, ... ], roles: [ { role: "<role>", db: "<database>" } | "<role>", ... ]}

其中: role是创建的role的名字. resource是你想授权所对应的对象,例如resource: { db: "users", collection: "usersCollection" }表示你想把users.userscollection的资源授予给此角色.这里是官网对resource的介绍:https://docs.mongodb.com/manual/reference/resource-document/#resource-document actions是你想授予的动作,例如actions: [ "update", "insert", "remove" ],这里有官网对action的介绍:https://docs.mongodb.com/manual/reference/privilege-actions/#security-user-actions roles是表示你想把某个角色授予给此角色. 下面一个实例:

use admindb.createRole( { role: "myClusterwideAdmin", privileges: [ { resource: { cluster: true }, actions: [ "addShard" ] }, { resource: { db: "config", collection: "" }, actions: [ "find", "update", "insert", "remove" ] }, { resource: { db: "users", collection: "usersCollection" }, actions: [ "update", "insert", "remove" ] }, { resource: { db: "", collection: "" }, actions: [ "find" ] } ], roles: [ { role: "read", db: "admin" } ] }, { w: "majority" , wtimeout: 5000 })

下面介绍几个创建角色的例子: 创建一个角色管理当前操作
这个角色可以kill任何操作.以上面的root用户登录mongod:

[root@mongodb3 ~]# mongo --port 37017 -u root -p root --authenticationDatabase adminuse admindb.createRole( { role: "manageOpRole", privileges:     [ {         resource: { cluster: true },         actions: [ "killop", "inprog" ]         }, {         resource: { db: "", collection: "" },         actions: [ "killCursors" ]         } ], roles: [] })

创建一个角色可以运行mongostat

use admindb.createRole( { role: "mongostatRole", privileges: [ {        resource: { cluster: true },         actions: [ "serverStatus" ]         } ], roles: [] })

4.查看角色权限

使用db.getRole()方法来获得角色的权限:

> db.getRole("mongostatRole"){"role" : "mongostatRole","db" : "admin","isBuiltin" : false,"roles" : [ ],"inheritedRoles" : [ ]}

查看详细的角色:

> db.getRole("mongostatRole",{showPrivileges: true}){"role" : "mongostatRole","db" : "admin","isBuiltin" : false,"roles" : [ ],"inheritedRoles" : [ ],"privileges" : [{"resource" : {"cluster" : true},"actions" : ["serverStatus"]}],"inheritedPrivileges" : [{"resource" : {"cluster" : true},"actions" : ["serverStatus"]}]}

还可以使用db.getRoles()查看所有的非内建的角色:

> db.getRoles()[{"role" : "manageOpRole","db" : "admin","isBuiltin" : false,"roles" : [ ],"inheritedRoles" : [ ]},{"role" : "mongostatRole","db" : "admin","isBuiltin" : false,"roles" : [ ],"inheritedRoles" : [ ]}]

> db.getRoles({showPrivileges: true})[{"role" : "manageOpRole","db" : "admin","isBuiltin" : false,"roles" : [ ],"inheritedRoles" : [ ],"privileges" : [{"resource" : {"cluster" : true},"actions" : ["inprog","killop"]},{"resource" : {"db" : "","collection" : ""},"actions" : ["killCursors"]}],"inheritedPrivileges" : [{"resource" : {"cluster" : true},"actions" : ["inprog","killop"]},{"resource" : {"db" : "","collection" : ""},"actions" : ["killCursors"]}]},{"role" : "mongostatRole","db" : "admin","isBuiltin" : false,"roles" : [ ],"inheritedRoles" : [ ],"privileges" : [{"resource" : {"cluster" : true},"actions" : ["serverStatus"]}],"inheritedPrivileges" : [{"resource" : {"cluster" : true},"actions" : ["serverStatus"]}]}]

5.查看用户角色

使用db.getUser()方法来查看用户的所赋予的角色:

> db.getUser("suq"){"_id" : "admin.suq","user" : "suq","db" : "admin","roles" : [{"role" : "dbOwner","db" : "admin"},{"role" : "userAdmin","db" : "admin"},{"role" : "userAdminAnyDatabase","db" : "admin"}]}

还可以使用db.getUsers()获取全部的用户信息:

> db.getUsers()[{"_id" : "admin.root","user" : "root","db" : "admin","roles" : [{"role" : "userAdminAnyDatabase","db" : "admin"}]},{"_id" : "admin.admin","user" : "admin","db" : "admin","roles" : [{"role" : "root","db" : "admin"}]},{"_id" : "admin.suq","user" : "suq","db" : "admin","roles" : [{"role" : "dbOwner","db" : "admin"},{"role" : "userAdminAnyDatabase","db" : "admin"}]}]

6.授予/收回角色权限

使用db.revokePrivilegesFromRole()和db.grantPrivilegesToRole()方法收回和赋予角色权限

db.revokePrivilegesFromRole( "manageOpRole", [ { resource: {"cluster" : true}, actions: ["inprog","killop"] } ])

db.grantPrivilegesToRole( "manageOpRole", [ {  resource: {"cluster" : true},  actions: ["inprog","killop"]  } ])

7.授予/收回用户角色

使用db.revokeRolesFromUser()来收回用户所赋予的角色

db.revokeRolesFromUser(
 "suq",
 [
 { role: "userAdmin", db: "admin" }
 ]
)

使用db.grantRolesToUser()来给用户授予角色:

db.grantRolesToUser( "reportsUser", [ { role: "userAdmin", db: "admin" } ])

8.修改用户密码

使用db.changeUserPassword()方法来给用户修改密码:

> db.changeUserPassword("suq", "111111")

三.内置角色和内置权限

内置的角色,查看官方文档: https://docs.mongodb.com/manual/reference/built-in-roles

四.用户和角色方法

详细参见官方文档: https://docs.mongodb.com/manual/reference/method/#role-management

Role Management

Name	Description
`db.createRole()`	Creates a role and specifies its privileges.
`db.updateRole()`	Updates a user-defined role.
`db.dropRole()`	Deletes a user-defined role.
`db.dropAllRoles()`	Deletes all user-defined roles associated with a database.
`db.grantPrivilegesToRole()`	Assigns privileges to a user-defined role.
`db.revokePrivilegesFromRole()`	Removes the specified privileges from a user-defined role.
`db.grantRolesToRole()`	Specifies roles from which a user-defined role inherits privileges.
`db.revokeRolesFromRole()`	Removes inherited roles from a role.
`db.getRole()`	Returns information for the specified role.
`db.getRoles()`	Returns information for all the user-defined roles in a database.

User Management

Name	Description
`db.auth()`	Authenticates a user to a database.
`db.createUser()`	Creates a new user.
`db.updateUser()`	Updates user data.
`db.changeUserPassword()`	Changes an existing user’s password.
`db.removeUser()`	Deprecated. Removes a user from a database.
`db.dropAllUsers()`	Deletes all users associated with a database.
`db.dropUser()`	Removes a single user.
`db.grantRolesToUser()`	Grants a role and its privileges to a user.
`db.revokeRolesFromUser()`	Removes a role from a user.
`db.getUser()`	Returns information about the specified user.
`db.getUsers()`	Returns information about all users associated with a database.

五.用户角色权限集合

mongodb的用户和角色信息存放在admin数据库下的system.users和system.roles集合中. mongodb建议修改用户和角色使用上面的用户和角色的方法,不要直接修改集合的数据. system.roles集合数据大致如下:

{ _id: <system-defined id>, role: "<role name>", db: "<database>", privileges: [ { resource: { <resource> }, actions: [ "<action>", ... ] }, ... ], roles: [ { role: "<role name>", db: "<database>" }, ... ]}

system.users集合数据大致如下:

{ _id: <system defined id>, user: "<name>", db: "<database>", credentials: { <authentication credentials> }, roles: [ { role: "<role name>", db: "<database>" }, ... ], customData: <custom information> }

具体的说明几乎和上面的一致,就不赘述了,有兴趣的话可以查看官方文档: https://docs.mongodb.com/manual/reference/system-users-collection/ https://docs.mongodb.com/manual/reference/system-roles-collection/

秒客网

mongodb用户安全认证详解