MongoDB security and authentication study notes

Source: Internet
Author: User
Tags auth mongodb

Each MongoDB database can have many users. When authentication is enabled, only users who have authenticated against a database can operate on it. Admin users can perform read and write operations on any database. Users of other databases can only perform the operations their permissions allow.

Before enabling authentication, create several users:

Because newer versions of MongoDB introduce the concept of roles, calling db.addUser('XXX', 'XXX') directly prints a warning but still creates the user.


WARNING: The 'addUser' shell helper is DEPRECATED. Please use 'createUser' instead
Successfully added user: {"user": "test1", "roles": ["read"]}

Here we only cover the new way of creating users, createUser.

View roles


show roles

There are many roles in the system.

I have not yet fully understood the positioning of every role. Let's take a closer look.

Let's take a look at it. There are no users in the system.

Let's create two new users.

use admin
// Create a root user (superuser; authenticate in admin first, then it can operate on other databases)
db.createUser({user: 'root', pwd: 'xxxxxxxxxx', roles: [{role: 'root', db: 'admin'}]})
use test
// Create a test user that owns only the test database
db.createUser({user: 'test', pwd: 'xxxxxxxxxx', roles: [{role: 'dbOwner', db: 'test'}]})

use admin
// List the user documents stored in the admin database
db.system.users.find()


Restart MongoDB with the --auth option (note that --auth must also be added to the command that starts mongod automatically at boot).


pkill mongod
/usr/local/mongodb/bin/mongod --auth --dbpath=/data2/mongodbData/ --logpath=/data2/mongodbLogs --fork

# Modify the startup entry for mongod in /etc/rc.local and add --auth


Then connect with the mongo client.

Without authenticating, show tables returns nothing. Even after use admin, the collections in admin still cannot be seen.

If you log on with an admin user, the figure is as follows:

The user in the admin database is a global user.
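To review which accounts are global in that sense, the following added example (not code from the original notes) audits documents shaped like the output of db.system.users.find(). The function names auditUser and auditUsers and the sample users test1 (assumed to live in test), report and ops are constructed for illustration.

```javascript
// Built-in roles whose privileges span databases regardless of where granted.
const GLOBAL_ROLES = new Set(["root", "__system", "readAnyDatabase",
  "readWriteAnyDatabase", "dbAdminAnyDatabase", "userAdminAnyDatabase"]);
// On admin these allow granting any role to any user, so treat them as global.
const ADMIN_ESCALATION_ROLES = new Set(["dbOwner", "userAdmin"]);

// Classify one document shaped like a db.system.users.find() result.
function auditUser(doc) {
  const findings = [];
  let scope = "scoped";
  // addUser-style documents list roles as bare strings on the user's own db.
  const roles = (doc.roles || []).map(
    (r) => (typeof r === "string" ? { role: r, db: doc.db } : r));
  if (roles.length === 0) findings.push("no roles assigned");
  for (const { role, db } of roles) {
    if (GLOBAL_ROLES.has(role)) {
      scope = "global";
      findings.push(`${role}: applies across databases`);
    } else if (db === "admin" && ADMIN_ESCALATION_ROLES.has(role)) {
      scope = "global";
      findings.push(`${role} on admin: can grant itself any role`);
    } else if (db !== doc.db) {
      findings.push(`${role} on ${db}: granted outside auth db ${doc.db}`);
    }
  }
  return { user: `${doc.db}.${doc.user}`, scope, findings };
}

function auditUsers(docs) {
  return docs.map(auditUser);
}

// Constructed sample: root and test mirror the users created above; test1,
// report and ops are hypothetical accounts that exercise the other checks.
const SAMPLE_USERS = [
  { user: "root", db: "admin", roles: [{ role: "root", db: "admin" }] },
  { user: "test", db: "test", roles: [{ role: "dbOwner", db: "test" }] },
  { user: "test1", db: "test", roles: ["read"] },
  { user: "report", db: "test", roles: [{ role: "readWrite", db: "sales" }] },
  { user: "ops", db: "admin", roles: [{ role: "userAdmin", db: "admin" }] },
];

for (const r of auditUsers(SAMPLE_USERS)) {
  console.log(r.user, r.scope, r.findings.join("; ") || "ok");
}
```

In the mongo shell, after authenticating as a user allowed to read admin.system.users, the same functions can be fed db.getSiblingDB("admin").system.users.find().toArray() instead of the constructed sample.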

There are two ways to delete users. Note: both only apply to users of the current database.

Delete the root user in the admin database


use admin
db.dropUser("root", {w: "majority", wtimeout: 5000})

Delete all users in the admin database


use admin
db.dropAllUsers({w: "majority", wtimeout: 5000})

To sum up, I still feel confused about authorization in MongoDB. Maybe I am not very clear about the principles. I will write about it again later. Note that although the earlier addUser and deleteUser are still available in 2.6, they are not recommended. Therefore, the description in this article is based on createUser and dropUser.
