MongoDB Security Certification

Source: Internet
Author: User

By default, MongoDB does not enable authentication. Permissions are granted at the database level, either read-write or read-only. Mongod's authentication configuration is a little messy, and there are two cases. One is a single server: just add the --auth parameter when you start mongod. The other is a replica set or a shard cluster: the --keyFile parameter must be specified, and communication between the nodes is authenticated with that keyfile. In this case --auth is implicitly enabled, and every access to MongoDB must be authenticated.

Permission validation in MongoDB is at the database level:

1. A user created in the admin database is global and can access all databases.
2. A user created in a non-admin database is a local user and only has operation rights on that database.
3. If, when creating a user in a non-admin database, you specify rights on other databases, the user gets those rights as well.
4. The password cannot contain the characters < > & " ' : @

Example:

    > db.createUser({user: "wenzhong", pwd: "[email protected]", roles: ["root"]}, {w: 1, wtimeout: 10000});

First, single-server mode

Add an admin user. Users in the admin database are global users and can read and write all databases.

    shell> ./mongo
    > use admin
    > db.addUser("root", "www.ttlsa.com")
    > db.auth("root", "www.ttlsa.com")

Create a normal user at the database level:

    > use database_name
    > db.addUser('guest', 'www.ttlsa.com')         // read/write
    > db.addUser('guest', 'www.ttlsa.com', true)   // read-only

View users:

    > db.system.users.find()

Delete a user:

    > db.removeUser(username)

or

    > db.system.users.remove({user: username})

After adding the following parameter to the configuration file, restart the mongod instance:

    auth = true

Second, replica set and shard cluster mode

2.1 Keyfile rules

1. Communication between cluster servers is authenticated through the keyfile.
2. The keyfile contents of every instance must be identical.
3. The keyfile's permissions must allow only the current user to read it.
4. Cluster members must specify the --keyFile parameter.
5. Each client must authenticate before it can operate on the database.
6. The key length must be between 6 and 1024 characters; otherwise mongod reports an error and cannot start.
7. Any whitespace is ignored.
8. The number of random bytes is preferably a multiple of 3 (a multiple of 3 encodes to base64 without = padding).
9. The key cannot contain the illegal character =; otherwise mongod reports an error and cannot start.

2.2 Steps

1. First create the super account on the primary, in the admin database:

    replset:PRIMARY> use admin
    replset:PRIMARY> db.createUser({user: "wenzhong", pwd: "[email protected]", roles: ["root"]}, {w: 1, wtimeout: 10000});

2. Generate the keyfile on the primary server (note: it must have 600 permissions, otherwise mongod reports an error):

    shell> openssl rand -base64 666 > /opt/mongo/conf/mongoreplset_keyfile
    shell> chown mongod.mongod /opt/mongo/conf/mongoreplset_keyfile
    shell> chmod 600 /opt/mongo/conf/mongoreplset_keyfile

3. Copy the resulting keyfile to the other member servers.

4. Modify the configuration file:

    keyFile = /opt/mongo/conf/mongoreplset_keyfile

5. Restart the mongod service (primary first, then the secondaries). Step the primary down so it becomes a secondary, shut it down, and start it again with the command found in /etc/rc.local:

    replset:PRIMARY> use admin
    replset:PRIMARY> rs.stepDown()
    replset:SECONDARY> db.shutdownServer()
    shell> cat /etc/rc.local
    sudo runuser -c "/usr/local/mongo/bin/mongod -f /opt/mongo/conf/mongo.conf" mongod

Then restart the secondary members in turn.
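The following script is an added example and is not code from the original article. It turns the two settings discussed above into checks a defender can run: auth_enforced() reads an old ini-style mongod configuration file (the format the article uses) and reports whether authentication is in force, treating either "auth = true" (single server) or a "keyFile = <path>" line (cluster, which implies --auth) as enforced; make_keyfile() and check_keyfile() create a cluster keyfile and validate it against the keyfile rules listed above (6 to 1024 characters, base64 characters only, no = padding, whitespace ignored, mode 600). The configuration and keyfile paths passed to the functions are assumptions; the article's own keyfile path is /opt/mongo/conf/mongoreplset_keyfile.

```shell
#!/bin/sh
# Added example (not from the original article): audit helpers for the mongod
# authentication settings discussed above. Paths are caller-supplied assumptions.

# Return 0 when the ini-style config enforces authentication, 1 otherwise.
# "auth = true" (single server) or a non-empty "keyFile = ..." line (cluster,
# which implicitly enables --auth) both count as enforced.
auth_enforced() {
    conf="$1"
    [ -f "$conf" ] || return 1
    # Drop comments so a commented-out "# auth = true" is not mistaken for a setting
    cleaned=$(sed 's/#.*//' "$conf")
    if printf '%s\n' "$cleaned" | grep -Eq '^[[:space:]]*auth[[:space:]]*=[[:space:]]*true[[:space:]]*$'; then
        return 0
    fi
    if printf '%s\n' "$cleaned" | grep -Eq '^[[:space:]]*keyFile[[:space:]]*=[[:space:]]*[^[:space:]]+'; then
        return 0
    fi
    return 1
}

# Create a keyfile from 666 random bytes (a multiple of 3, so the base64 text
# has no '=' padding: 666 bytes -> 888 characters, within the 6..1024 limit).
make_keyfile() {
    path="$1"
    # umask 077 so the file is created with mode 600 rather than tightened afterwards
    umask_old=$(umask)
    umask 077
    if command -v openssl >/dev/null 2>&1; then
        openssl rand -base64 666 > "$path"          # same command the article uses
    else
        head -c 666 /dev/urandom | base64 > "$path" # fallback with identical output shape
    fi
    umask "$umask_old"
}

# Return 0 if the keyfile satisfies the rules above; a distinct non-zero code per violation.
check_keyfile() {
    path="$1"
    [ -f "$path" ] || { echo "missing keyfile: $path" >&2; return 1; }
    # mongod ignores whitespace, so strip it before measuring the key
    key=$(tr -d ' \t\r\n' < "$path")
    len=${#key}
    if [ "$len" -lt 6 ] || [ "$len" -gt 1024 ]; then
        echo "bad key length $len (must be 6..1024)" >&2
        return 2
    fi
    case "$key" in
        *=*) echo "key contains '=' padding" >&2; return 3 ;;
    esac
    # Only the base64 alphabet is permitted
    if printf '%s' "$key" | LC_ALL=C grep -q '[^A-Za-z0-9+/]'; then
        echo "key contains non-base64 characters" >&2
        return 4
    fi
    # GNU stat first, BSD/macOS stat as fallback
    mode=$(stat -c %a "$path" 2>/dev/null || stat -f %Lp "$path")
    if [ "$mode" != "600" ] && [ "$mode" != "400" ]; then
        echo "keyfile mode is $mode (must be 600)" >&2
        return 5
    fi
    return 0
}

# Stand-alone usage (assumed paths):
#   auth_enforced /etc/mongod.conf || echo "authentication is NOT enforced"
#   make_keyfile /opt/mongo/conf/mongoreplset_keyfile && check_keyfile /opt/mongo/conf/mongoreplset_keyfile
```

Because the value is matched exactly, a misspelling such as the "auth = ture" seen in some copies of this procedure is reported as not enforced, which is the outcome you want an audit to surface. The checker only understands the ini-style configuration shown in the article; a YAML mongod.conf keeps these settings under different keys and is out of scope here.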
