Objective
Looking at the title, you may already have guessed it: MongoDB has finally opened up what I consider one of the more important modules for database security, the IP whitelist.
As we all know, MySQL, Oracle, SQL Server and the other well-known databases have built considerable protection into their security models:
IP whitelists
Permission separation at the database and table level
Separate grants for insert/delete, transaction, admin and other rights
Oracle even provides logical roles to bundle different permissions, and MySQL has made comparable adjustments in this area.
Looking back at MongoDB, it started with the simplest username + password scheme, then introduced built-in roles, custom roles, privileges and related concepts, and in the forthcoming 3.6 the default bind_ip is clearly being changed to localhost, a change also prompted by the bitcoin ransom case.
Also new in 3.6 is authenticationRestrictions, which fills the gap left by the missing IP whitelist.
So let's take a look at how this very attractive feature works.
Reasoning
First, let's take a look at MongoDB's official documentation. https://docs.mongodb.com/master/reference/method/db.createUser/#authentication-restrictions
| Field Name | Value | Description |
| --- | --- | --- |
| clientSource | Array of IP addresses and/or CIDR ranges | If present, when authenticating a user, the server verifies that the client's IP address is either in the given list or belongs to a CIDR range in the list. If the client's IP address is not present, the server does not authenticate the user. |
| serverAddress | Array of IP addresses and/or CIDR ranges | A list of IP addresses or CIDR ranges to which the client can connect. If present, the server verifies that the client's connection is accepted via an IP address in the given list. If the connection is accepted via an unrecognized IP address, the server does not authenticate the user. |
Simply put, clientSource whitelists the client's IP and serverAddress whitelists the server's IP.
Here is the question. The client IP is easy to understand: it is simply the address the connection comes from, the same as in other databases. But what is the server IP? It refers to the host address the client specifies when connecting, for example mongo --host=192.168.56.101; serverAddress must then include 192.168.56.101. What does "include" mean? As in MySQL, you can also open a whole class B or class C segment to cover multiple addresses; the notation is just slightly different: MySQL writes 192.168.56.*, MongoDB writes 192.168.56.0/24. If you connect through a driver it works the same way: specify the corresponding IP in the host parameter.
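As an added illustration (not code from the original post or from MongoDB), the check below mirrors how one clientSource/serverAddress restriction document is evaluated for a single connection, treating a missing field as "no constraint", and converts a MySQL-style host wildcard into the CIDR notation MongoDB expects. The sample addresses are constructed and the function names are my own.

```python
import ipaddress

# Constructed sample: the restriction document used for the miracle account
# later in this post, written as a plain dict.
RESTRICTION = {
    "clientSource": ["192.168.31.246"],
    "serverAddress": ["192.168.31.246"],
}


def _matches(addr, entries):
    """True if addr is one of the entries or falls inside one of the CIDRs.
    A bare address like 192.168.31.246 becomes a /32 network."""
    ip = ipaddress.ip_address(addr)
    return any(ip in ipaddress.ip_network(e, strict=False) for e in entries)


def allowed(restriction, client_ip, server_ip):
    """Evaluate one authenticationRestrictions document for a connection.
    clientSource is checked against the peer address, serverAddress against
    the local address the client connected to. A field that is absent
    imposes no constraint; an empty list never matches."""
    for field, addr in (("clientSource", client_ip), ("serverAddress", server_ip)):
        entries = restriction.get(field)
        if entries is not None and not _matches(addr, entries):
            return False
    return True


def wildcard_to_cidr(pattern):
    """Translate a MySQL-style host pattern such as 192.168.56.* into the
    CIDR form MongoDB uses (192.168.56.0/24). Only trailing wildcards are
    meaningful, so anything else is rejected."""
    octets = pattern.split(".")
    if len(octets) != 4:
        raise ValueError("expected four dotted octets: %r" % pattern)
    fixed = [o for o in octets if o != "*"]
    if octets[:len(fixed)] != fixed:        # a '*' must not precede a fixed octet
        raise ValueError("wildcards must be trailing: %r" % pattern)
    for o in fixed:
        if not 0 <= int(o) <= 255:
            raise ValueError("octet out of range: %r" % pattern)
    address = ".".join(fixed + ["0"] * (4 - len(fixed)))
    return "%s/%d" % (address, 8 * len(fixed))


if __name__ == "__main__":
    # The client connects through the LAN address: accepted.
    print(allowed(RESTRICTION, "192.168.31.246", "192.168.31.246"))
    # Same client, but it connected to 127.0.0.1: serverAddress does not match.
    print(allowed(RESTRICTION, "192.168.31.246", "127.0.0.1"))
    print(wildcard_to_cidr("192.168.56.*"))
```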
So let's move on to the next part.
Demonstration
1. Create an application account, miracle
use admin
db.createUser({user: "root", pwd: "root", roles: [{role: "root", db: "admin"}]})
// the target database name is not legible in the original; "miracle" is assumed from step 3
db.createUser({user: "miracle", pwd: "Young", roles: [{role: "readWrite", db: "miracle"}], authenticationRestrictions: [{clientSource: ["192.168.31.246"], serverAddress: ["192.168.31.246"]}]})
2. Restart the database to enable authorization
3. Enter the Miracle database and verify
4. Reconnect to the database in the required format
5. The error in step 4 occurs because MongoDB 3.6 enables bind_ip=localhost by default; I overlooked this at first and it cost me quite some time. Restart the database with --bind_ip_all
6. Reconnect
Summary
At this point, verification of the MongoDB IP whitelist feature is complete; I hope it helps everyone control developers' access more securely in day-to-day operations.
I am Shanghai Chubby [Miracleyoung], focused on DevOps for MongoDB, MySQL, Redis and other open source databases; I embrace open source and accept fees.
Shanghai Chubby [Miracleyoung] Original address: Https://segmentfault.com/u/shanghaixiaopang/articles
Comments from the experts are welcome.
Shanghai Chubby [Miracleyoung] posts every Friday; please look forward to it.
If Xia Yuhe is still waiting for me at Daming Lake, there will be no new post.
MongoDB 3.6 Authentication IP Restrictions