MongoDB has been in production use here for some time, but the data store was never placed behind access control (MongoDB applies no access restrictions by default). A recent article on Cool Shell (https://coolshell.cn/?s = from +mongodb+ "Ransom event" + See Security issue &from=timeline&isappinstalled=0) described how MongoDB instances running without authentication had their data stolen by attackers who then demanded a Bitcoin ransom. With data security in mind, I spent some time studying this. The version I am using is MongoDB 3.4.2, verified on Linux; I ran the same steps on Windows 8 in a similar way.
As with other databases, permissions are managed in much the same way.
The difference is that MongoDB users are tied to a database: each user is created in, and authenticates against, a specific database. Whether that user can operate on other databases depends on the roles granted, not on which database holds the user. A user created in admin with a role such as root or readWriteAnyDatabase can work across all databases; a user holding only readWrite on one database cannot touch the others.
MongoDB stores all user information in the system.users collection of the admin database: the user name, the password credentials (stored as SCRAM-SHA-1 salted hashes, not plaintext), the database the user belongs to, and the roles assigned.
MongoDB does not enable authentication by default: anyone who can reach the server port can connect to mongod with full access. To enable authentication, start mongod with the --auth command-line parameter or set security.authorization: enabled in the configuration file. Until that is done, keep the instance bound to localhost (net.bindIp) or behind a firewall; the instances hit in the ransom events were reachable from the network with no authentication at all.
Below are the steps to turn on permission authentication.
One: create the users in unauthenticated mode
1. First start mongod in unauthenticated mode (that is, without the --auth parameter) and log in to create a system administrator user
2. Enter the bin directory of the MongoDB installation
3. Log in with the client (the mongo shell)
4. Switch to the admin database
5. Create a user in the admin database
6. View the users
Use the db.system.users.find() command to view the user we just created.
Finally, kill the mongod process and restart it in authenticated mode.
Two: start in authenticated mode
1. Add the --auth parameter and start mongod
2. Log in and switch to the admin database
3. List the databases again; you will find you have no permission
Now authenticate with db.auth('Hehaitao', 'Hehaitao'). (Using the user name as the password is only for this demonstration; once authentication is on, the instance is exactly as safe as this credential, so use a long, unique password in practice.)
You will see that the value returned is 1, which means authentication succeeded; then we run the command to list the databases again
and find that they can now be viewed.
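The two phases above, scripted end to end, as an added example (this is not code from the original post). It assumes MongoDB 3.4 with mongod and mongo on PATH, a data directory of /var/lib/mongodb, and the post's user name "hehaitao"; the password, paths and config file location are placeholders. The auth_enforced function is the step the post performs by hand when it lists databases before calling db.auth() and finds "no permission", except that it checks the refusal programmatically.

```shell
#!/bin/sh
# Added example, not code from the original post. It scripts the two phases
# above for MongoDB 3.4: create the first admin while mongod runs without
# --auth, then restart with authorization enabled and verify enforcement.
# Assumptions (hypothetical): mongod and mongo are on PATH, data lives in
# /var/lib/mongodb, the admin user is "hehaitao"; the password is a placeholder.

ADMIN_USER="hehaitao"
ADMIN_PASS="replace-with-a-long-random-password"   # never reuse the user name
DBPATH="/var/lib/mongodb"
CONF="/tmp/mongod-auth.conf"

# Mongo-shell JavaScript that creates the first administrator in the admin db.
# "root" includes listDatabases, so "show dbs" works after db.auth(); for a
# user-management-only account use userAdminAnyDatabase instead.
# User and password must not contain double quotes or backslashes.
create_admin_js() {
  printf 'db.getSiblingDB("admin").createUser({user: "%s", pwd: "%s", roles: [{role: "root", db: "admin"}]});' "$1" "$2"
}

# mongod.conf equivalent to the --auth flag. bindIp keeps mongod off the
# network, so the unauthenticated bootstrap window is reachable only locally.
hardened_conf() {
  cat <<EOF
storage:
  dbPath: $DBPATH
net:
  bindIp: 127.0.0.1
  port: 27017
security:
  authorization: enabled
EOF
}

# Returns 0 when an unauthenticated listDatabases is rejected, i.e. auth is
# really enforced; returns 1 if the server answered (auth still off) or is down.
auth_enforced() {
  out=$(mongo --quiet --host 127.0.0.1 admin \
        --eval 'printjson(db.adminCommand({listDatabases: 1}))' 2>&1) || true
  case "$out" in
    *"not authorized"*|*"requires authentication"*) return 0 ;;
    *) return 1 ;;
  esac
}

# Returns 0 when db.auth() succeeds for the given user (the shell prints 1).
auth_works() {
  res=$(mongo --quiet --host 127.0.0.1 admin \
        --eval "print(db.auth(\"$1\", \"$2\"))" 2>&1) || true
  [ "$res" = "1" ]
}

# The full procedure; only run on a host where you mean to bootstrap mongod.
bootstrap() {
  # Phase one: no --auth, bound to localhost only, create the admin, inspect it.
  mongod --dbpath "$DBPATH" --bind_ip 127.0.0.1 --fork --logpath /tmp/mongod-noauth.log
  sleep 2
  mongo --quiet --host 127.0.0.1 admin --eval "$(create_admin_js "$ADMIN_USER" "$ADMIN_PASS")"
  mongo --quiet --host 127.0.0.1 admin \
        --eval 'printjson(db.system.users.find({}, {user: 1, db: 1, roles: 1}).toArray())'
  mongod --dbpath "$DBPATH" --shutdown
  sleep 2
  # Phase two: restart with authorization enabled and verify both directions.
  hardened_conf > "$CONF"
  mongod --config "$CONF" --fork --logpath /tmp/mongod-auth.log
  sleep 2
  auth_enforced && echo "unauthenticated access is rejected"
  auth_works "$ADMIN_USER" "$ADMIN_PASS" && echo "admin login succeeds"
}

if [ "${RUN_MONGO_BOOTSTRAP:-0}" = "1" ]; then
  bootstrap
fi
```

Run it as RUN_MONGO_BOOTSTRAP=1 sh bootstrap.sh on the database host; without that variable the script only defines the functions, so create_admin_js and hardened_conf can be inspected safely. The config file does the same job as --auth on the command line, and the bindIp setting is what keeps the brief unauthenticated window from being exposed the way the ransomed instances were.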
References:
See security issues from the MongoDB "ransom event" (Cool Shell)
MongoDB authority authentication
MongoDB: enabling access authentication