MongoDB Security: Create a 1th, 2nd, 3rd user

Windows 10 Home Chinese version, MongoDB3.6.3,

Objective

When you start a MongoDB server based on a blank folder (holding data) using the Mongod command, if you do not use the--auth option, any client can connect to the MONGODB server without authentication .

For example, after the MongoDB server is started, enter the MONGO command at the terminal of this computer to connect to the MongoDB service.

No authentication, no security, after the release of the MongoDB server, this is never allowed!

Therefore, when you start the MongoDB server with the Mongod command, you need to add the--auth option to increase the security authentication feature.

Attention

MongoDB does not add users by default, based on ease of use considerations;

It is also possible to turn on the--auth option when there are no users by default, because MongoDB provides a localhost exception feature that allows the user to create a user administrator in the admin database Administrator), This user is also the 1th user created by the next SectionTo.

Description

MongoDB's security system supports the following three authentication mechanisms:

-Scram (default)

-MongoDB Challenge and Response (MONGODB-CR) ( discarded at 3.6)

-Certificate identification (Certificate authentication, lonely unfamiliar, not ready to learn in a short time)

Create a 1th User: must

The 1th user must be a user administrator whose role is Useradmin or useradminanydatabase, a user who can manage users in the following ways:

-Create User

-Grant (Grant) or cancel (revoke) a role to the user

-Create or modify custom roles

In summary, creating the first user to use the Useradmin or useradminanydatabase role is right!

Orphan operation (Mongod configuration parameters please refer to their help information):

Use the Mongod command to start the MongoDB server in an empty folder: The--auth option is used

Mongod--dbpath d:\p\mdb018--logpath d:\p\mdb018\log--logappend --auth --directoryperdb

Create a role-based useradminanydatabase, user admin for the admin database :

-Write the script in notepad++ first (JavaScript?). ), as follows:

1 Db.createuser (2  {3     User: "admin",4     pwd: " 111111 ",5     roles: [{role:" Useradminanydatabase ", DB:" admin " }]6   }7 )

-Use the MONGO command to connect to the MONGODB server and switch to the admin database

-Copy the previous script to the command line and execute: Add user admin successfully, use db.auth (' admin ', ' 111111 ') to verify, return 1, Success!

-Check user admin and its role information: Using Db.getuser (...) and Db.getrole (...) Command

Disconnect, use the option--authenticationdatabase "admin" Login: After the connection is established, DB is not admin, still test (inconsistent with the expected!). ), it is unclear what is going on!

Anyway, the 1th user was established, the role was useradminanydatabase, and the official said that, in addition to local and config , users of this role could perform operations on other databases that their roles allowed-simply, user management.

Create a 2nd User: built-in role

MongoDB 3.6 has a total of 7 categories of 17 built-in roles, where database User Roles, database administration Roles are roles for all databases, and other categories of roles are unique to the admin database.

Currently there are only built-in databases in the MongoDB server, then add a database named test0709-using use, then scripting, creating User admin0709, password 111111, using the built-in role ReadWrite, DbAdmin, the script is as follows:

1 Db.createuser (  2  {  3     User: "admin0709",  4     pwd: " 111111 ",  5    roles: [  6         {role:" ReadWrite ", DB:" test0709 " } ,  7         {role: "DbAdmin", DB: "test0709" }  8    ]  9   })

Script copy to terminal execution: User added success!

Test:

-Switch to admin, use admin0709 authentication;

-Switch back to test0709, using admin0709 authentication;

-View databases, collections, user information;

-User admin0709 has been added to the database test0709, but the database test0709 is not seen in show DBS, why? So, after disconnecting, connecting to the MongoDB server again, is there a database test0709 and user admin0709 on it? Test!

The results show that the show DBS cannot see the database, but the user admin0709 information is still there.

One of the roles of-admin0709 is ReadWrite, then the test adds, deletes the document--in the new dataset fruit;

-dbadmin roles have the ability to create collections, you can use the Db.createcollection (name, options) function to create collections;

A. General collection

B. Fixed size collection (capped)

-Other tests

...

Note: User admin0709 cannot perform show dbs! under test0709

Description, solitary on these operations are not skilled enough, need more practice is AH!

Create a 3rd User: custom Role

In addition to the built-in roles, MongoDB also provides mechanisms to build roles to meet a wide variety of needs, using the Db.createrole () function.

The Db.createrole () function syntax is as follows:

Db.createrole (role, Writeconcern)

Parameters role, Wrieconcern are documents, this article only focus on the role document, the following is the official example: specific information, please refer to the official website

Create a new role Myrole: You can add a document--insert action in the collection in the previous test0709 database.

Similarly, the script that will add the role ( what is the script's writing rule?). Where's frustration? ) is written to a text file and then copied to the terminal execution-this role can be added with admin (admin0709 does not have this permission):

The role Myrole added successfully, now, based on this role add user insertuser (or Admin user), the script is as follows:

1 Db.createuser (2    {3         User: "Insertuser",4         pwd: " 111111 ",5        roles: [6             {role:" Myrole ", DB:" test0709 " }  7        ]8    }9 )

An error occurred while copying to the terminal, unable to establish user Insertuser because the previously established role could not be found myrole! Do I need to do a flush-like operation? But the afternoon to add another role did not find an exception Ah!

Unexpectedly shut down the terminal, again into the terminal, at this time into the database test0709, check and found the role myrole, and successfully added the user insertuser:

Why is this so?! The log information of the MongoDB server is checked, and the related failure actions are not found, how to find the cause of the problem at this time? Which tools are available?

Test Insertuser User: Insert document in fruit Data set, success! However, you cannot use Insertuser users to view the documentation for the fruit dataset because it does not have the Find permission! Switch to admin0709 View results, add success!

Postscript

Finally finished, today the fourth article, are very basic, but really hard!

Before looking at the Rookie tutorial (Runoob), but because there is no actual operation, the results have all forgotten, after this time, much better, but, there are many need to practice!

Update ah, delete Ah ... Various! Both the role and the user!

Incredibly can directly save Chinese, very good, to less now not for the character set bother, then, and Web applications to combine it? I'll see you in two days!

That's it!

You can create the first user, you can create a role, the user can be created, then, the basic security of a single example MongoDB should be guaranteed! Do not worry about being destroyed by the bad guys in the public network! There is no Bitcoin orphan! None of the one out of 10,000 pieces!

In a doubt, can you create roles and users for databases, datasets, and databases before creating a database? This problem stems from the previous role creation of the test0709, which can show DBS not seeing the database.

There are some problems, one solution, this time solved a lot of problems, back, should be more! (This blue is not clear, editor's Problem bar)

MongoDB Security: Create a 1th, 2nd, 3rd user