Foreword
This article covers MongoDB security in detail.
Overview
MongoDB security mainly involves the following four aspects:
1. Physical Isolation
No matter how well a system is designed, its implementation will always contain some loopholes. The safest protection is to physically isolate untrusted users from the MongoDB database, so that they cannot connect to it at all. Usually, however, this is unrealistic; some particularly important data may still be stored on a machine kept in a physically isolated room.
2. Network isolation
Many company development machines sit on an intranet. Even if the database has a vulnerability, it cannot be exploited from outside because the intranet is not reachable from the external network at all.
3. Firewall isolation
A firewall can be used to configure an IP whitelist so that only certain IP addresses may reach the database, which also increases the security of MongoDB to some extent.
4. User name and password authentication
Compared with the three approaches above, user name and password authentication is the most common MongoDB security measure. If the password is simple, or the connection is not made over an encrypted channel, the user name and password can easily be obtained by a third party, putting the MongoDB database at risk.
Permission authentication
MongoDB stores all user information in the system.users collection of the admin database, including the user name, password and database information. By default MongoDB does not enable permission authentication: anyone who can reach the server can connect to mongod. To enable security authentication, change the authorization parameter in the configuration file (or pass the equivalent auth start-up option).
Then restart mongod. The log file shows that permission authentication has been turned on.
However, you can still connect to the database without a user name and password. This is because no user has been created yet. Once users have been created and permission authentication is on, you will no longer be able to use the database without a user name and password.
Role management
Before managing users, you should first understand role management.
MongoDB uses role-based access control (RBAC) to manage access to the MongoDB system. A user can be granted one or more roles, which determine the user's access to database resources and operations. Outside of those permissions, the user cannot access the system.
The database role is set in the roles parameter when creating a user. Roles are divided into built-in roles and custom roles.
"Built-in roles"
MongoDB built-in roles include the following categories:
1. Database user roles
read: allows the user to read the specified database
readWrite: allows the user to read and write the specified database
2. Database administrator roles
dbAdmin: allows the user to create and drop collections, view statistics and access system.profile, but grants no role or user management permissions
userAdmin: provides the ability to create and modify roles and users in the current database
dbOwner: provides the ability to perform any administrative operation on the database. This role combines the privileges granted by the readWrite, dbAdmin and userAdmin roles.
3. Cluster management roles
clusterManager: provides management and monitoring operations on the cluster. A user with this role can access the config and local databases, which are used for sharding and replication respectively.
clusterMonitor: provides read-only access for monitoring tools, such as the MongoDB Cloud Manager and Ops Manager monitoring agents.
hostManager: provides the ability to monitor and manage servers.
4. Backup and recovery roles
backup: provides the capabilities required to back up data using the MongoDB Cloud Manager backup agent, the Ops Manager backup agent, or mongodump
restore: provides the capabilities required to restore data using mongorestore
5. All-database roles
6. Superuser role
root: provides access to all resources of the readWriteAnyDatabase, dbAdminAnyDatabase, userAdminAnyDatabase, clusterAdmin, restore and backup roles
7. Internal role
__system: provides privileges for any operation on any object in the database
"Custom roles"
In addition to the built-in roles, MongoDB also supports custom roles created with the db.createRole() method.
[note] The role can only be created in the admin database, otherwise it will fail.
role: name of the custom role
privileges: the permitted actions
roles: the inherited roles. If there is no inherited role, set it to an empty array.
use admin
db.createRole(
  { role: "myClusterwideAdmin",
    privileges: [
      { resource: { cluster: true }, actions: ["addShard"] },
      { resource: { db: "config", collection: "" }, actions: ["find", "update", "insert", "remove"] },
      { resource: { db: "users", collection: "usersCollection" }, actions: ["update", "insert", "remove"] },
      { resource: { db: "", collection: "" }, actions: ["find"] } ],
    roles: [ { role: "read", db: "admin" } ] },
  { w: "majority", wtimeout: 5000 }   // write concern; the original wtimeout value was lost, 5000 ms is a placeholder
)
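As an added example (not code from the article), the following JavaScript models how a custom role's effective privileges are composed from its own privileges plus those inherited through roles, and then answers whether an action on a resource is permitted. It assumes a simplified built-in read role (only its find action) and applies the resource-matching rules as the MongoDB documentation describes them; the role registered at the bottom is the article's myClusterwideAdmin.

```javascript
// Added example (not the article's code): a simplified model of how MongoDB
// composes a role's effective privileges (its own plus those inherited through
// `roles`). Built-in roles are approximated: `read` keeps only its `find` action.
const builtinRoles = {
  read: (db) => ({ privileges: [{ resource: { db, collection: "" }, actions: ["find"] }], roles: [] }),
};
const customRoles = new Map();
function createRole(db, spec) { customRoles.set(`${db}.${spec.role}`, spec); }

function lookupRole(db, name) {
  const custom = customRoles.get(`${db}.${name}`);
  if (custom) return custom;
  if (builtinRoles[name]) return builtinRoles[name](db); // built-ins are scoped to the granting db
  throw new Error(`unknown role ${db}.${name}`);
}

// Walk the inheritance graph; `seen` guards against cycles.
function effectivePrivileges(db, name, seen = new Set()) {
  const key = `${db}.${name}`;
  if (seen.has(key)) return [];
  seen.add(key);
  const role = lookupRole(db, name);
  return [...role.privileges, ...role.roles.flatMap((r) => effectivePrivileges(r.db, r.role, seen))];
}

// Documented resource rules: {cluster:true} is cluster-wide; db "" means any database;
// collection "" means every NON-system collection of the matching database(s).
function resourceMatches(res, target) {
  if (res.cluster || target.cluster) return res.cluster === true && target.cluster === true;
  const dbOk = res.db === "" || res.db === target.db;
  if (res.collection !== "") return dbOk && res.collection === target.collection;
  return dbOk && !target.collection.startsWith("system.");
}

function isAllowed(db, roleName, action, target) {
  return effectivePrivileges(db, roleName).some(
    (p) => p.actions.includes(action) && resourceMatches(p.resource, target));
}
// The article's custom role, registered in the admin database.
createRole("admin", {
  role: "myClusterwideAdmin",
  privileges: [
    { resource: { cluster: true }, actions: ["addShard"] },
    { resource: { db: "config", collection: "" }, actions: ["find", "update", "insert", "remove"] },
    { resource: { db: "users", collection: "usersCollection" }, actions: ["update", "insert", "remove"] },
    { resource: { db: "", collection: "" }, actions: ["find"] },
  ],
  roles: [{ role: "read", db: "admin" }],
});
```

With this model you can see that the role may find in any non-system collection (including through the inherited read role) but may only update, insert or remove in config and users.usersCollection, and that the blanket find grant never reaches admin.system.users.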
User management
"Create user"
Use the createUser command to create a user:
user: user name
pwd: password
customData: a description of the user (optional)
roles: [{ role: the role to grant, db: the database the role is scoped to }]
db.createUser({ user: "...", pwd: "...", customData: "...", roles: [ { role: "...", db: "..." } ] })
1. Create an administrator user
MongoDB has no default administrator account, so add one first. Switch to the admin database and add the account there.
In the admin database, add a user and give it the userAdminAnyDatabase role:
use admin
db.createUser({ user: "admin", pwd: "123456", roles: [ { role: "userAdminAnyDatabase", db: "admin" } ] })
2. Log in to the database again and verify the permissions
db.auth() returns 0 if authentication fails and 1 if it succeeds:
db.auth("admin", "123456")
3. Add ordinary users
Once authenticated as the user administrator, you can use db.createUser() to create additional users, assigning them MongoDB built-in roles or user-defined roles.
[note] Authentication must be done against the admin database, otherwise it fails.
Writing data then fails because the user only has the read role.
4. Create superusers
"View users"
db.system.users.find()   // run in the admin database
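As an added example (not code from the article), the following JavaScript audits documents shaped like the entries returned by db.system.users.find(): it flags accounts holding superuser or any-database roles, accounts whose roles are scoped to a database other than the one they were created in, and accounts with no roles. The sample user documents are constructed for this example.

```javascript
// Added example (not the article's code): an audit pass over documents shaped
// like the entries of admin.system.users (user, db, roles). It flags accounts
// holding superuser or any-database roles, accounts whose roles are scoped to
// a different database than the one they were created in, and role-less accounts.
const HIGH_PRIVILEGE_ROLES = new Set([
  "root", "__system", "userAdminAnyDatabase", "dbAdminAnyDatabase",
  "readWriteAnyDatabase", "readAnyDatabase", "clusterAdmin", "backup", "restore",
]);

function auditUsers(users) {
  const report = [];
  for (const u of users) {
    const findings = [];
    for (const r of u.roles) {
      if (HIGH_PRIVILEGE_ROLES.has(r.role)) findings.push(`holds ${r.role}@${r.db}`);
      if (r.db !== u.db) findings.push(`role ${r.role} is scoped to ${r.db}, not ${u.db}`);
    }
    if (u.roles.length === 0) findings.push("no roles at all; consider dropping the account");
    if (findings.length > 0) report.push({ user: `${u.user}@${u.db}`, findings });
  }
  return report;
}

// Constructed sample documents in the shape of admin.system.users output.
const sampleUsers = [
  { user: "admin", db: "admin", roles: [{ role: "userAdminAnyDatabase", db: "admin" }] },
  { user: "x", db: "db1", roles: [{ role: "read", db: "db1" }] },
  { user: "app", db: "db1", roles: [{ role: "readWrite", db: "db1" }, { role: "root", db: "admin" }] },
  { user: "legacy", db: "db2", roles: [] },
];
console.log(JSON.stringify(auditUsers(sampleUsers), null, 2));
```

Every flagged account should be confirmed as intentional; in the sample, the application account holding root is the one a reviewer would expect to be reduced to readWrite on its own database.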
"Delete user"
db.dropUser("<username>")
"Add user rights"
Grant write permission to the read-only user x in the db1 database:
db.grantRolesToUser("x", [ { role: "readWrite", db: "db1" } ])
"Change password"
db.changeUserPassword("<username>", "<newPassword>")