Objective
User rights management matters because granting only the permissions an application actually needs limits what an application vulnerability can do, and in particular keeps it from escalating into a full database dump (data leakage).
Authentication and authorization
Authentication
Authentication is identification: establishing who I am
Authorization
Authorization is about operations: establishing what I am allowed to do
Authentication mechanisms
MONGODB-CR
MongoDB's own legacy authentication mechanism: the user name and password are verified through a challenge-response exchange. SCRAM-SHA-1 is more secure and is the default in newer versions, so using MONGODB-CR is not recommended.
SCRAM-SHA-1
Added in version 3.0 and now the default MongoDB authentication mechanism; authenticates with a user name and password following the IETF standard RFC 5802.
x.509 certificates
Added in version 2.6; uses the public key certificate standard (x.509) defined by the International Telecommunication Union (ITU). Authentication requires an encrypted connection over TLS/SSL, which means the MongoDB service itself must be configured for TLS. The configuration is cumbersome, so it is not recommended >_<
(The process described here is inferred from publicly available material.)
LDAP
Enterprise Edition only
Kerberos
Enterprise Edition only
User Management
Add user
Users are managed from the mongo shell; user documents are stored in the system.users collection of the admin database.
Add a regular user
Switch to the database the user should be created in
use xxxx
Run the create command
db.createUser({user: "username", pwd: "password", roles: [{role: "read", db: "xxxx"}, {role: "readWrite", db: "test"}]})
Add a superuser
Switch to the admin database
use admin
Run the create command
db.createUser({user: "username", pwd: "password", roles: [{role: "root", db: "admin"}]})
Delete user
Switch to the database the user authenticates against
use xx
Run the delete command
db.dropUser("username")
Update user
Switch to the database the user authenticates against
use xx
Run the update command
The fields given overwrite the existing values
db.updateUser("username", {pwd: "new password", customData: {"title": "PHP Developer"}})
Update user password
use xx
db.changeUserPassword("username", "newPassword")
View user information
use admin
db.getUser("username")
Remove a role from a user
use xx
db.revokeRolesFromUser("username", [{role: "readWrite", db: "accounts"}])
Add a role to a user
use xx
db.grantRolesToUser("reportsUser", [{role: "read", db: "accounts"}])
Role management
Custom roles
Custom roles are stored in the system.roles collection of the admin database
Switch to the admin database
use admin
Run the create command
db.createRole({role: "manageOpRole", privileges: [{resource: {cluster: true}, actions: ["killop", "inprog"]}, {resource: {db: "", collection: ""}, actions: ["killCursors"]}], roles: []})
View role information
use admin
db.getRole("roleName", {showPrivileges: true})
Remove a role
use admin
db.dropRole("roleName")
System built-in user roles
Most built-in roles can be granted in any database; a few are available only in admin
Database user class
read
Query access to all non-system collections
readWrite
Query and modify access to all non-system collections
Database administration class
dbAdmin
Database administration tasks such as index management, schema management and statistics gathering; does not include user and role management
dbOwner
Combines database administration, read/write access, and user and role management
userAdmin
User and role management for the database
Cluster administration class
clusterAdmin
The broadest cluster administration privileges
clusterManager
Cluster management and monitoring
clusterMonitor
Read-only access for monitoring tools
hostManager
Monitoring and management of servers
Backup and restore class
backup
Permissions needed to back up data
restore
Permissions needed to restore data
All-database class
readAnyDatabase
Read access to all databases except local and config
readWriteAnyDatabase
Same as readAnyDatabase, plus write access
userAdminAnyDatabase
User and role management (the userAdmin role) across all databases
dbAdminAnyDatabase
Database administration (dbAdmin) privileges on all databases except local and config
Superuser class
root
All permissions on all databases
Internal role
__system
Permission to perform any operation on any object in the database; cannot be assigned to users. Extremely dangerous.
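Once users exist and roles are assigned as in the user management and built-in roles sections above, the practical question is which accounts hold more than they need. The following added example, not part of the original post, audits user documents in the shape returned by db.getUsers() / the usersInfo command (user, db, roles) together with the credentials field that admin.system.users carries; the sample users are constructed, and the MONGODB-CR value is a placeholder, not a real hash.

```javascript
// Least-privilege audit over MongoDB user documents. Added example, not code
// from the original post; SAMPLE_USERS are constructed, not real accounts.

// root and __system are superusers outright.
const SUPERUSER_ROLES = new Set(['root', '__system']);
// userAdmin or dbOwner granted on admin, and userAdminAnyDatabase, can grant
// any role (including root) to any user, so they are superusers in effect.
const ROLE_GRANTING_ROLES = new Set(['userAdmin', 'userAdminAnyDatabase', 'dbOwner']);

function auditUser(u) {
  const findings = [];
  const roles = u.roles || [];
  for (const { role, db } of roles) {
    if (SUPERUSER_ROLES.has(role)) {
      findings.push({ user: u.user, severity: 'high', reason: `holds superuser role ${role}` });
    } else if (ROLE_GRANTING_ROLES.has(role) && db === 'admin') {
      findings.push({ user: u.user, severity: 'high', reason: `${role}@admin can grant itself root` });
    }
  }
  // Credentials kept for the deprecated challenge-response mechanism.
  if (u.credentials && Object.prototype.hasOwnProperty.call(u.credentials, 'MONGODB-CR')) {
    findings.push({ user: u.user, severity: 'medium', reason: 'still has MONGODB-CR credentials; migrate to SCRAM-SHA-1' });
  }
  // Roles in databases other than the one the user authenticates against are
  // legitimate but easy to overlook when reviewing a single database.
  const foreign = roles.filter((r) => r.db !== u.db).map((r) => `${r.role}@${r.db}`);
  if (foreign.length > 0) {
    findings.push({ user: u.user, severity: 'info', reason: `roles outside authentication db ${u.db}: ${foreign.join(', ')}` });
  }
  return findings;
}

function auditUsers(users) {
  return users.flatMap(auditUser);
}

// Constructed sample, mirroring the createUser examples on this page.
const SAMPLE_USERS = [
  { user: 'appuser', db: 'app', roles: [{ role: 'readWrite', db: 'app' }] },
  { user: 'reports', db: 'app', roles: [{ role: 'read', db: 'app' }, { role: 'read', db: 'accounts' }] },
  { user: 'admin', db: 'admin', roles: [{ role: 'root', db: 'admin' }] },
  { user: 'legacy', db: 'admin', roles: [{ role: 'userAdminAnyDatabase', db: 'admin' }],
    credentials: { 'MONGODB-CR': '<constructed placeholder, not a real hash>' } },
];

for (const f of auditUsers(SAMPLE_USERS)) {
  console.log(`[${f.severity}] ${f.user}: ${f.reason}`);
}
```

To run it against a live deployment, replace SAMPLE_USERS with the output of db.getUsers() from each database (or usersInfo with showCredentials to see which mechanisms a user still carries). Treat the high findings as the list of accounts whose compromise equals compromise of the whole cluster, which is usually far more than one administrator expects.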
Resources
[1] Authentication
https://docs.mongodb.com/manual/core/authentication/
[2] OpenSSL certificate commands
http://blog.csdn.net/madding/article/details/26717963
[3] Wikipedia: X.509
https://en.wikipedia.org/wiki/X.509
[4] MongoDB security: x.509
https://docs.mongodb.com/manual/core/security-x.509/
[5] Using certificates to authenticate clients
https://docs.mongodb.com/manual/tutorial/configure-x509-client-authentication/
[6] Enterprise authentication mechanisms: LDAP and Kerberos
https://docs.mongodb.com/manual/core/authentication-mechanisms-enterprise/
[7] MongoDB: create users
https://docs.mongodb.com/manual/tutorial/create-users/
[8] Change a MongoDB user's password and custom data
https://docs.mongodb.com/manual/tutorial/change-own-password-and-custom-data/
[9] MongoDB arrays
http://www.cnblogs.com/ljhdo/p/5428037.html
[10] Manage MongoDB users and roles
https://docs.mongodb.com/manual/tutorial/manage-users-and-roles/
[11] Security: users
https://docs.mongodb.com/manual/core/security-users/
[12] Internal authentication
https://docs.mongodb.com/manual/core/security-internal-authentication/
[13] Built-in roles
https://docs.mongodb.com/manual/core/security-built-in-roles/
[14] Reference: built-in roles and built-in actions
https://docs.mongodb.com/manual/reference/built-in-roles/
[15] Introduction to the SCRAM-SHA-1 authentication mechanism
https://docs.mongodb.com/manual/core/security-scram-sha-1/#authentication-scram-sha-1
MongoDB User/Authentication/role/Rights Management