MongoDB Learning: Security and authentication

Source: Internet
Author: User

By default MongoDB runs without authentication: there are no accounts, and anyone who can connect to the service can perform any operation on any database. MongoDB's own position is that the safest way to run it is inside a trusted environment, where only trusted machines can reach it. Network isolation is not a substitute for access control, though, so user authentication at login should also be required.

Create a new database user with the db.createUser() method; it returns a "user already exists" error if the user exists. Syntax:
db.createUser(user, writeConcern)
user: a document holding the authentication and access information for the new user;
writeConcern (optional): a document describing the write concern, i.e. the level of acknowledgement MongoDB must obtain for the write that creates the user.

· The user document has the following form:
{
  user: "<name>",
  pwd: "<password>",
  customData: { <any information> },
  roles: [
    { role: "<role>", db: "<database>" } | "<role>",
    ...
  ]
}

User document field description:
user: the name of the new user;
pwd: the user's password (the server stores only a salted SCRAM verifier, never the password itself);
customData: any content, for example the user's full name;
roles: the roles granted to the user; an empty array creates a user with no roles.
In the roles field you can specify built-in roles and user-defined roles. A bare string such as "read" grants the role on the database the user is being created in, while { role: "read", db: "maple" } grants it on a specific database.

The built-in roles fall into several groups:

1. Database user roles: read, readWrite;

2. Database administration roles: dbAdmin, dbOwner, userAdmin;

3. Cluster administration roles: clusterAdmin, clusterManager, clusterMonitor, hostManager;

4. Backup and restore roles: backup, restore;

5. All-database roles: readAnyDatabase, readWriteAnyDatabase, userAdminAnyDatabase, dbAdminAnyDatabase;

6. Superuser role: root

Several other roles provide superuser access directly or indirectly: dbOwner and userAdmin when granted on the admin database, and userAdminAnyDatabase on any database. A holder of any of these can grant any role, including root, to any user, including themselves.

7. Internal role: __system

PS: see the built-in roles section of the MongoDB documentation for the exact privilege actions each role grants.

When adding users, note the following three points:

· 1) Be sure to switch to the database the user belongs to before creating it; otherwise, at authentication time, you will be told that the user cannot be found.

· 2) Be sure to authenticate against that same database (the user's authentication database); otherwise authentication fails.

· 3) Not everyone should be able to operate on the admin database; be cautious about the rights you assign to a user.
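Point 3 is easy to violate by accident, because the roles listed above that are superuser-equivalent depend on which database they are granted on. The following is an added example, not code from the original page: a small audit that takes the documents db.system.users.find() returns and flags every user whose roles amount to superuser access. The rule encoded is the one from the built-in role descriptions (root, __system and userAdminAnyDatabase wherever granted; dbOwner and userAdmin only when granted on admin); the sample user documents are constructed and omit the credential blobs.

```javascript
// Added example, not from the original page: audit system.users documents
// and flag users whose roles amount to superuser access.
// Rule assumed from MongoDB's built-in role descriptions:
//   - root, __system, userAdminAnyDatabase: superuser-equivalent on any db
//   - dbOwner, userAdmin: superuser-equivalent only when granted on "admin"
const SUPERUSER_ON_ANY_DB = new Set(["root", "userAdminAnyDatabase", "__system"]);
const SUPERUSER_ON_ADMIN_DB = new Set(["dbOwner", "userAdmin"]);

// A roles entry is either "role" (applies to the db the user was created in)
// or { role, db }; anything else is malformed and should not be ignored.
function normalizeRole(entry, userDb) {
  if (typeof entry === "string") return { role: entry, db: userDb };
  if (entry && typeof entry.role === "string" && typeof entry.db === "string") {
    return { role: entry.role, db: entry.db };
  }
  throw new TypeError(`malformed roles entry: ${JSON.stringify(entry)}`);
}

function isSuperuserEquivalent({ role, db }) {
  return SUPERUSER_ON_ANY_DB.has(role) || (db === "admin" && SUPERUSER_ON_ADMIN_DB.has(role));
}

// One finding per user: which effective roles (role@db) make it a superuser.
function auditUsers(users) {
  return users.map((u) => {
    const roles = (u.roles || []).map((r) => normalizeRole(r, u.db));
    const flagged = roles.filter(isSuperuserEquivalent).map((r) => `${r.role}@${r.db}`);
    return { id: u._id, db: u.db, superuser: flagged.length > 0, flagged };
  });
}

// Convenience: just the _id values of the users that need a second look.
function superusers(users) {
  return auditUsers(users).filter((f) => f.superuser).map((f) => f.id);
}

// Constructed sample in the shape of the page's system.users output
// (credential blobs omitted; they play no part in the role check).
const SAMPLE_USERS = [
  { _id: "admin.root", user: "root", db: "admin", roles: [{ role: "root", db: "admin" }] },
  { _id: "admin.test", user: "test", db: "admin", roles: [{ role: "read", db: "admin" }] },
  { _id: "admin.ops", user: "ops", db: "admin", roles: ["userAdmin"] }, // string form, on admin
  { _id: "maple.app", user: "app", db: "maple", roles: ["dbOwner", { role: "userAdmin", db: "maple" }] },
  { _id: "maple.audit", user: "audit", db: "maple", roles: [{ role: "userAdminAnyDatabase", db: "admin" }] },
];

console.log(auditUsers(SAMPLE_USERS));
```

Run it against a real dump by replacing SAMPLE_USERS with the output of db.getSiblingDB("admin").system.users.find().toArray() taken by an administrator; the string-form role on admin.ops and the dbOwner on the maple database show why the db a role is granted on matters as much as the role name.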

Add a user with all permissions:

> db.createUser({ user: "root", pwd: "root", roles: ["root"] })

Successfully added user: { "user" : "root", "roles" : [ "root" ] }

(The password "root" is used here only for illustration; a superuser account should get a long random password.)

Add a user with read-only permission:

> db.createUser({ user: "test", pwd: "test", roles: [ { role: "read", db: "admin" } ] })
Successfully added user: {
	"user" : "test",
	"roles" : [
		{
			"role" : "read",
			"db" : "admin"
		}
	]
}
>

View all user documents. Note that the documents for all users are stored in the admin database (the admin.system.users collection), so they can only be listed there:

> db.system.users.find()
{ "_id" : "admin.root", "user" : "root", "db" : "admin", "credentials" : { "SCRAM-SHA-1" : { "iterationCount" : 10000, "salt" : "bpohthbxxgaf9xtuqzhirg==", "storedKey" : "/bttbcshqqked8opncgogsy1tvk=", "serverKey" : "rmkh2z/fxpbc+ubex4vmugapwlu=" } }, "roles" : [ { "role" : "root", "db" : "admin" } ] }
{ "_id" : "admin.test", "user" : "test", "db" : "admin", "credentials" : { "SCRAM-SHA-1" : { "iterationCount" : 10000, "salt" : "8t74rwlbnhj56cdx89hucw==", "storedKey" : "pbu0g4ia4f9lsxfmedm0ztxzry4=", "serverKey" : "yitp35i5wul1s6e2yapslqdvmze=" } }, "roles" : [ { "role" : "read", "db" : "admin" } ] }

After adding the users, restart the server with authentication enabled: mongod --auth (or set security.authorization: enabled in the mongod configuration file). Authentication complements, rather than replaces, the network restriction mentioned at the start: also bind mongod to trusted interfaces (net.bindIp) instead of exposing it on every address.

Now, if we connect without a user name and password, accessing the database gives the following error, which says we are not authorized to run the command:

> show dbs
2018-01-01T20:50:42.735+0800 E QUERY    [thread1] Error: listDatabases failed:{
	"ok" : 0,
	"errmsg" : "not authorized on admin to execute command { listDatabases: 1.0 }",
	"code" : 13,
	"codeName" : "Unauthorized"
} :

There are two ways to sign in with a user name and password.

The first way: specify the user name, password and authentication database when the client connects, much as with MySQL:

# mongo -u "root" -p "root" --authenticationDatabase "admin"

(Give -p without a value to be prompted for the password instead of leaving it in shell history and process listings.)

Now the databases can be listed successfully:

> show dbs
admin  0.000GB
local  0.000GB
maple  0.000GB

The second way: connect first, then authenticate:

> use admin
switched to db admin
> db.auth("test", "test")
1

A return value of 1 means authentication succeeded; 0 means it failed.

However, querying the user collection as the test user gives the following error:

> db.system.users.find()
Error: error: {
	"ok" : 0,
	"errmsg" : "not authorized on admin to execute command { find: \"system.users\", filter: {} }",
	"code" : 13,
	"codeName" : "Unauthorized"
}

The reason is that when we created the test user its only permission was read. If a privileged user (such as root; the read-only test user cannot change its own roles) grants it userAdminAnyDatabase, it can read and modify all user information. Note that db.updateUser() replaces the whole roles array rather than adding to it (db.grantRolesToUser() adds), and that userAdminAnyDatabase is effectively superuser access, since its holder can grant any role, including root, to any user:

> db.updateUser("test", { roles: [ { role: "userAdminAnyDatabase", db: "admin" } ] })
> db.system.users.find()
{ "_id" : "admin.root", "user" : "root", "db" : "admin", "credentials" : { "SCRAM-SHA-1" : { "iterationCount" : 10000, "salt" : "bpohthbxxgaf9xtuqzhirg==", "storedKey" : "/bttbcshqqked8opncgogsy1tvk=", "serverKey" : "rmkh2z/fxpbc+ubex4vmugapwlu=" } }, "roles" : [ { "role" : "root", "db" : "admin" } ] }
{ "_id" : "admin.test", "user" : "test", "db" : "admin", "credentials" : { "SCRAM-SHA-1" : { "iterationCount" : 10000, "salt" : "8t74rwlbnhj56cdx89hucw==", "storedKey" : "pbu0g4ia4f9lsxfmedm0ztxzry4=", "serverKey" : "yitp35i5wul1s6e2yapslqdvmze=" } }, "roles" : [ { "role" : "userAdminAnyDatabase", "db" : "admin" } ] }

If you want to delete a user, use db.dropUser():

> db.dropUser("test")
true
> db.auth("root", "root")
1
> db.system.users.find()
{ "_id" : "admin.root", "user" : "root", "db" : "admin", "credentials" : { "SCRAM-SHA-1" : { "iterationCount" : 10000, "salt" : "bpohthbxxgaf9xtuqzhirg==", "storedKey" : "/bttbcshqqked8opncgogsy1tvk=", "serverKey" : "rmkh2z/fxpbc+ubex4vmugapwlu=" } }, "roles" : [ { "role" : "root", "db" : "admin" } ] }

Now let's look at operations on an ordinary database. First create a user test in the maple database with read permission only:

> use maple
switched to db maple
> db.createUser({ user: "test", pwd: "test", roles: [ { role: "read", db: "maple" } ] })
Successfully added user: {
	"user" : "test",
	"roles" : [
		{
			"role" : "read",
			"db" : "maple"
		}
	]
}
> db.auth("test", "test")
1

After the user is created, log out, log back in as test and insert a document into the maple collection. The insert fails with "not authorized on maple to execute command", because the test user's permission is read only, with no right to write:

> use maple
switched to db maple
> db.auth("test", "test")
1
> db.maple.insert({ "name": "abc" })
WriteResult({
	"writeError" : {
		"code" : 13,
		"errmsg" : "not authorized on maple to execute command { insert: \"maple\", documents: [ { _id: ObjectId('5a4a3bbc7e7e6dd2b17893d9'), name: \"abc\" } ], ordered: true }"
	}
})

Change the user's role to readWrite (as a user with user-administration rights on maple; the read-only test user cannot change its own roles) and the document can be inserted. The first insert below fails with a syntax error, because it uses a comma instead of a colon between key and value; the second succeeds:

> db.updateUser("test", { roles: [ { role: "readWrite", db: "maple" } ] })
> show collections
fixedcollection
maple
student_infor
> db.maple.insert({ "name", "123" })
2018-01-01T21:49:57.536+0800 E QUERY    [thread1] SyntaxError: missing : after property id @(shell):1:23
> db.maple.insert({ "name": "123" })
WriteResult({ "nInserted" : 1 })
