MongoDB security authentication

By default MongoDB does not enable authentication. Permissions are granted per database, as either read-write or read-only. Mongod's authentication setup has a couple of pitfalls, and there are two cases. On a single server you just add the --auth parameter when starting mongod. In a replica set or sharded cluster you must specify the keyFile parameter; the members authenticate to each other with that key file, and in this case --auth is implicitly enabled, so every access to MongoDB must be authenticated.
Notes on permission checks. Permission checks in MongoDB are performed at the database level:
1. A user created in the admin database with a global role (for example root) can access every database.
2. A user created in a non-admin database is local to that database and only has rights there.
3. A user created in a non-admin database can also be granted roles on other databases, and then has the corresponding rights on those databases as well.
4. Avoid the characters < > & " ' : @ in passwords. MongoDB itself accepts them, but they break shell quoting, and : and @ are the delimiters of the user:password@host part of a connection URI, so a password containing them must be percent-encoded in the URI or the URI is parsed wrongly.

Example of creating a root user in the admin database:

    > use admin
    > db.createUser({user: "wenzhong", pwd: "[email protected]", roles: ["root"]}, {w: 1, wtimeout: 10000})
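Added example (not code from the original post) showing how to keep such characters in a password without breaking the connection URI: a small POSIX sh percent-encoder and a helper that assembles a mongodb:// URI from its parts. The user names and passwords in it are constructed; the encoding is only needed in the URI, MongoDB stores the password as given.

```shell
#!/bin/sh
# Percent-encode a string per RFC 3986 so it can be placed in the
# user:password@host part of a mongodb:// URI. Added example; the sample
# credentials below are constructed, not from the original post.

uri_encode() {
    # Dump the bytes as hex, one per line, then decide per byte.
    printf '%s' "$1" | od -An -v -tx1 | tr -s ' \n' '\n' |
    while read -r hex; do
        [ -n "$hex" ] || continue
        case "$hex" in
            # unreserved set: A-Z a-z 0-9 - . _ ~ pass through unchanged
            3[0-9]|4[1-9a-f]|5[0-9a]|6[1-9a-f]|7[0-9a]|2d|2e|5f|7e)
                printf "\\$(printf '%03o' "0x$hex")" ;;
            # everything else (including : @ / % & < > " ' and space) becomes %XX
            *)
                printf '%%%s' "$(printf '%s' "$hex" | tr 'a-f' 'A-F')" ;;
        esac
    done
}

# mongo_uri USER PASSWORD HOST[:PORT] AUTHDB
# Builds the URI with the credential parts encoded, so a password containing
# ':' or '@' no longer shifts the host or database boundaries.
mongo_uri() {
    printf 'mongodb://%s:%s@%s/%s\n' "$(uri_encode "$1")" "$(uri_encode "$2")" "$3" "$4"
}

# Demo: run as "sh script.sh demo" to see a password with ':' and '@' encoded.
if [ "${1:-}" = "demo" ]; then
    mongo_uri 'wenzhong' 'p@ss:w0rd' 'localhost:27017' 'admin'
fi
```

With the demo password the helper prints mongodb://wenzhong:p%40ss%3Aw0rd@localhost:27017/admin; the driver decodes the password before authenticating, so the stored password can keep its special characters.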
First, single-server mode

Add an admin user. A user in the admin database is a global user and can read and write every database.

    # ./mongo
    > use admin
    > db.addUser("root", "www.ttlsa.com")
    > db.auth("root", "www.ttlsa.com")

Create a normal user, at the database level:

    > use database_name
    > db.addUser('guest', 'www.ttlsa.com')          read/write
    > db.addUser('guest', 'www.ttlsa.com', true)    read-only

View users:

    > db.system.users.find()

Delete a user:

    > db.removeUser(username)
or
    > db.system.users.remove({user: username})

Add the following parameter to the configuration file, then restart the mongod instance:

    auth = true

Note that db.addUser() and db.removeUser() are the legacy shell helpers (deprecated in 2.6 and removed in MongoDB 3.0); on current servers use db.createUser() and db.dropUser(), as in the replica set section below. "www.ttlsa.com" is only the example password and must be replaced with a real one.
Second, replica set and sharded cluster mode

2.1 Key file rules
1. Communication between the cluster's servers is authenticated with the key file.
2. The key file contents must be identical on every member.
3. The key file must be readable only by the user mongod runs as (mode 600 or 400).
4. Every cluster member must be started with the --keyFile parameter.
5. Every client must authenticate before operating on the database.
6. The key must be between 6 and 1024 characters long; otherwise mongod reports an error and will not start.
7. Whitespace in the file is ignored.
8. The key may contain only base64 characters; the = padding character in particular is rejected and mongod will not start. Generating the key with openssl rand -base64 N where N is a multiple of 3 yields no padding, which is why the byte count used below is a multiple of 3.
2.2 Steps
1. On the primary, create the superuser account in the admin database:

    replset:PRIMARY> use admin
    replset:PRIMARY> db.createUser({user: "wenzhong", pwd: "[email protected]", roles: ["root"]}, {w: 1, wtimeout: 10000})

2. Generate the key file on the primary (it must be mode 600, otherwise mongod reports an error):

    shell> openssl rand -base64 666 > /opt/mongo/conf/mongoreplset_keyfile
    shell> chown mongod.mongod /opt/mongo/conf/mongoreplset_keyfile
    shell> chmod 600 /opt/mongo/conf/mongoreplset_keyfile

3. Copy the resulting key file to the other member servers, keeping the same owner and mode.
4. Modify the configuration file on every member:

    keyFile = /opt/mongo/conf/mongoreplset_keyfile

5. Restart the mongod service (primary, then secondaries). On the primary, step down first so that a secondary takes over, then shut it down:

    replset:PRIMARY> use admin
    replset:PRIMARY> rs.stepDown()
    replset:SECONDARY> db.shutdownServer()

   Start it again the same way it is started at boot; on this host that is the command in /etc/rc.local:

    # cat /etc/rc.local
    sudo runuser -c "/usr/local/mongo/bin/mongod -f /opt/mongo/conf/mongo.conf" mongod

   Then restart the secondary members in turn. The usual rolling order is to restart the secondaries one at a time first and the stepped-down primary last, so that only one member is ever down at a time.
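The key file rules and generation steps above, collected into a script that generates a key file and checks an existing one against those rules before it is copied to the other members. This is an added example, not code from the original post; the default byte count and the paths are hypothetical, and the rejection of = encodes the page's rule that padding makes mongod refuse to start.

```shell
#!/bin/sh
# Generate a MongoDB replica-set/sharded-cluster key file and verify it
# against the key file rules above. Added example; paths are hypothetical.

# generate_keyfile PATH [NBYTES]
# NBYTES defaults to 756 and should be a multiple of 3 so base64 emits no
# '=' padding. The file is created with mode 600 from the start (umask in a
# subshell), so there is no window in which it is readable by others.
generate_keyfile() {
    keyfile="$1"
    nbytes="${2:-756}"
    (
        umask 077
        if command -v openssl >/dev/null 2>&1; then
            openssl rand -base64 "$nbytes" > "$keyfile"
        else
            head -c "$nbytes" /dev/urandom | base64 > "$keyfile"
        fi
    )
    chmod 600 "$keyfile"
}

# check_keyfile PATH
# Returns 0 if the file satisfies every rule, 1 (with the reason on stderr)
# otherwise. Run it on every member after copying the key around.
check_keyfile() {
    keyfile="$1"
    [ -f "$keyfile" ] || { echo "no such key file: $keyfile" >&2; return 1; }

    # Rule 3: readable only by the owner (GNU stat first, BSD stat fallback).
    mode=$(stat -c '%a' "$keyfile" 2>/dev/null || stat -f '%Lp' "$keyfile")
    case "$mode" in
        600|400) ;;
        *) echo "key file mode is $mode, expected 600 or 400" >&2; return 1 ;;
    esac

    # Rule 7: mongod ignores whitespace, so strip it before checking anything.
    key=$(tr -d ' \t\r\n' < "$keyfile")

    # Rule 6: 6..1024 characters after whitespace removal.
    len=${#key}
    if [ "$len" -lt 6 ] || [ "$len" -gt 1024 ]; then
        echo "key length is $len, must be between 6 and 1024" >&2
        return 1
    fi

    # Rule 8: base64 alphabet only; '=' padding is rejected (the page's rule).
    case "$key" in
        *[!A-Za-z0-9+/]*) echo "key contains a character outside A-Za-z0-9+/" >&2; return 1 ;;
    esac
    return 0
}

# keyfile_fingerprint PATH
# Rule 2 requires identical key material on every member. Comparing this
# hash across members verifies that without passing the key itself around.
keyfile_fingerprint() {
    tr -d ' \t\r\n' < "$1" |
        { command -v sha256sum >/dev/null 2>&1 && sha256sum || shasum -a 256; } |
        cut -d' ' -f1
}
```

Typical use on the primary is generate_keyfile /opt/mongo/conf/mongoreplset_keyfile followed by check_keyfile on the same path; after copying, run check_keyfile and keyfile_fingerprint on each member and compare the hashes. The fingerprint strips whitespace first, so a copy that was re-wrapped in transit still matches as long as the key characters are the same, which is exactly what mongod compares.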