Mongodb 建立用户以及开启验证

2016年12月14日

搭建好mongodb 后我就可以启动mongodb了,此时的mongodb只能在本地登陆因为 bindIp:127.0.0.1

不过使用mongodb 怎么能不使用其强大的复制集的功能呢, 用到这个肯定不能只监控本地的,不然其他机器怎么访问呢

故而  bindIp: 需要改成  0.0.0.0 , 或者 在127.0.0.1 后面添加逗号本机IP ;但是这样任意知晓我们服务器的IP的,在我们没有更改mongodb 默认端口的或者破解猜到使用端口的情况下就可以直接链接到我们的mongodb 。所以我们需要做安全控制  分为两种方式 防火墙和mongodb 自带的验证

1 防火墙
添加允许的IP通过27017 端口
iptables -A INPUT -s 221.226.186.102 -p tcp -m tcp --dport 27017 -j ACCEPT
iptables -A INPUT -s 127.0.0.1 -p tcp -m tcp --dport 27017 -j ACCEPT
iptables -A INPUT -s 192.168.11.12 -p tcp -m tcp --dport 27017 -j ACCEPT
iptables -A INPUT -s 192.168.11.12 -p tcp -m tcp --dport 27017 -j ACCEPT
拒绝所有未经授权的IP通过27017 端口
iptables -A INPUT -p tcp -m tcp --dport 27017 -j DROP

2 mongodb security
在使用这个之前 先设定mongodb的用户
1)启动mongod或者集群

通过mongo shell创建首个用户:

此处需要注意,需要遵守“localhost exception”的限制,对于单点部署,需要使用mongod节点的mongo shell,对于replica set需要使用primary节点的shell,对于sharding cluster则需要使用mongos节点的shell。否则将无法添加首个用户。第一个user必须具有“创建其他user”的权限。

> use admin;
> db.createUser({user:"admin",pwd:"admin",roles:["userAdminAnyDatabase","clusterAdmin"]})

为了方便,也可以直接创建一个root权限的最高级用户:

> db.createUser({user:"root",pwd:"root",roles:["root"]})

2)认证:

创建一个user之后,我们再次访问其他数据库或者执行操作时,需要首先认证。

> use admin;
> db.auth("admin","admin");

2.使用keyFile进行授权连接replica sets

#随机生成keyFile或者手动写入,key的长度必须是6-1024的base64字符,unix下必须相同组权限,windows下不需要
语法: openssl rand[-out file] [-randfile(s)] [-base64] [-hex]num
openssl rand -base64 256 -out /var/lib/mongodb/keyfile
openssl rand -base64 256 > /var/lib/mongodb/keyfile
chmod 600 /var/lib/mongodb/keyfile
chown mongodb:mongodb /var/lib/mongodb/keyfile
在 mongo.conf 中添加设置
# mongod.conf, Percona Server for MongoDB
# for documentation of all options, see:
# http://docs.mongodb.org/manual/reference/configuration-options/

# Where and how to store data.
storage:
dbPath: /var/lib/mongodb
journal:
enabled: true
# engine: mmapv1
# engine: PerconaFT
# engine: rocksdb
# engine: wiredTiger
# engine: inMemory

# Storage engine various options
# More info for mmapv1: https://docs.mongodb.com/v3.2/reference/configuration-options/#storage-mmapv1-options
# mmapv1:
# preallocDataFiles: true
# nsSize: 16
# quota:
# enforced: false
# maxFilesPerDB: 8
# smallFiles: false

# More info for wiredTiger: https://docs.mongodb.com/v3.2/reference/configuration-options/#storage-wiredtiger-options
wiredTiger:
engineConfig:
cacheSizeGB: 1
statisticsLogDelaySecs: 0
journalCompressor: snappy
directoryForIndexes: false
collectionConfig:
blockCompressor: snappy
indexConfig:
prefixCompression: true

# More info for rocksdb: https://github.com/mongodb-partners/mongo-rocks/wiki#configuration
# rocksdb:
# cacheSizeGB: 1
# compression: snappy
# maxWriteMBPerSec: 1024
# crashSafeCounters: false
# counters: false
# singleDeleteIndex: false

# More info for inMemory: https://www.percona.com/doc/percona-server-for-mongodb/3.2/inmemory.html#configuring-percona-memory-engine
# inMemory:
# engineConfig:
# inMemorySizeGB: 1
# statisticsLogDelaySecs: 0

# More info for PerconaFT: https://www.percona.com/doc/percona-server-for-mongodb/3.2/perconaft.html#configuring-perconaft
# PerconaFT:
# engineOptions:
# cacheSize: 0
# cleanerIterations: 5
# cleanerPeriod: 2
# directio: false
# fsRedzone: 5
# journalCommitInterval: 100
# lockTimeout: 100
# locktreeMaxMemory: 0
# compressBuffersBeforeEviction: false
# numCachetableBucketMutexes: 1048576
# collectionOptions:
# pageSize: 4194304
# readPageSize: 65536
# compression: zlib
# fanout: 16
# indexOptions:
# pageSize: 4194304
# readPageSize: 65536
# compression: zlib
# fanout: 16

# Two options below can be used for wiredTiger and inMemory storage engines
#setParameter:
# wiredTigerConcurrentReadTransactions: 128
# wiredTigerConcurrentWriteTransactions: 128

# where to write logging data.
systemLog:
destination: file
logAppend: true
path: /var/log/mongodb/mongod.log

processManagement:
fork: true
pidFilePath: /var/run/mongod.pid

# network interfaces
net:
port: 27017
bindIp: 0.0.0.0
# ssl:
# mode: requireSSL
# PEMKeyFile: /etc/ssl/mongodb.pem

replication:
oplogSizeMB: 1024
#replSetName: "mongo_zzz"
#secondaryIndexPrefetch: "all"
## replSetName 用于复制集 初次启动设置用户是不要添加该选项

security:
authorization: enabled
clusterAuthMode: keyFile
keyFile: /var/lib/mongodb/keyfile

setParameter:
authenticationMechanisms: SCRAM-SHA-1
enableLocalhostAuthBypass: false

### 注意一定要添加验证方式 authenticationMechanisms: SCRAM-SHA-1 不然启动不了

#operationProfiling:

#replication:

#sharding:

## Enterprise-Only Options:

#auditLog:

#snmp:

 

参考

http://blog.csdn.net/boby16/article/details/51330074

 

没有评论

发表回复

您的邮箱地址不会被公开。 必填项已用 * 标注