Mongodb Security Settings: Logon Setting and logon IP settings

Source: Internet
Author: User
Tags mongodb server

When MongoDB is first set up, it has no protection at all: you can log on to MongoDB without any login step. Using it for development in that state is very dangerous, so in this article I will show how to set up accounts and passwords in MongoDB so that password authentication is required before you can log on, and then how to restrict the IP address used for logging on.

Official tutorial: http://www.mongodb.org/display/DOCS/Security+and+Authentication

MongoDB account and password settings

In MongoDB, account and password settings are somewhat different from those of other databases, and it took me a long time to figure them out at first. In MongoDB, you must first set up a highest-privilege administrator account for the entire MongoDB server. Once it is set, logging on to MongoDB requires authentication before data can be accessed. After that, you set up user accounts for the individual databases. If you have not set the highest-privilege account, setting accounts for other databases has no effect: a user can access the data after connecting without authenticating.

Please refer to the following demonstration. The highest-privilege account here means a user added to the admin database. This account can access all the databases of the whole Mongo server and is not subject to the restrictions of per-database users. If this account is not set, the authentication function is not in effect.

If you have not set the highest-privilege account, entering show dbs directly displays the current databases:

After setting the highest-privilege account, a warning message is displayed if you have not logged in. At this point, you can set a user account for a specific database:

However, if you have not set the highest-privilege account and directly add a user for a specific database, it has no effect:

From the above demonstration, we can see one thing. When you set a user for the admin database, the system assumes that you want to use the authentication function, that is, you must log in first to access data. But if you have not set a user for the admin database, the system assumes that you do not need the authentication function. In that case, even if you add users for other databases, it means nothing, because the authentication function is not in effect; even if a database has a user set, its data can be accessed directly.

In short, the configuration steps are: "set a user for the admin database -> log in -> set users for the other databases".

※ Before following the tutorial below, start your mongod with the --auth parameter added after it. This parameter enables the authentication function; without it, mongod starts without authentication, and even if you have set accounts and passwords they will not take effect.

mongod --auth

Yan Xiaoming:

1. After connecting to the mongod server, switch to the admin database

mongo

use admin

2. Add the highest-privilege account

db.addUser('username', 'passwd', 'readonly')

Description:

The db.addUser command adds a user. The first parameter, username, is the account name; the second parameter, passwd, is the password; the third parameter, readonly, determines whether this user's permission is read-only. If it is set to 1, the user is read-only. If it is set to 0, the user is not read-only, that is, it can write data.

In addition, note that the account name is case-sensitive, and that the account name and password must be enclosed in single quotes as strings.

Example:

db.addUser('root', '000000', 1)   // account root, password 000000, permission read-only (reads allowed, writes not allowed)

3. Next, you can add users for other databases. For example, add a "root_test" user for the test database.

But before creating a user for another database, you must first log in as a user with permission (not ReadOnly). At this point only the highest-privilege account exists, so log in with the highest-privilege account to create users for the other databases.

use admin   // To log in with the highest-privilege account, you must switch to the admin database first.

db.auth('root', '123')

use test   // Switch to the test db

db.addUser('root_test', '000000')

Description: db.auth is the login command. The first parameter is the account name, and the second parameter is the password.

※ Note that in MongoDB, added users are "not global". That is to say, if you have added a root user in the testA database, you can also add a root user in testB. It also means that to log in with the highest-privilege account you must first switch to the admin database, because the highest-privilege account belongs to the admin database: only a user set in the admin database has the highest privilege.

4. In this way, with the authentication function in use, users are configured for the other databases. Whichever database you want to use, switch to that database first, and then log in.

5. If you want to remove a user from a database, first switch to that database and then delete the user. For example, to remove root_test from the test db (you need to be logged in to modify the data):

use test

db.removeUser('root_test')

If you want to see the existing users, you can enter db.system.users.find()

This is because all user data is stored in the system.users collection.

Summary: to recap the operations above, for MongoDB to have authentication protection you must first add a highest-privilege account, and an account created in the admin database is the highest-privilege account. After this account is created, remember to log in with it first, and then add users for the other databases. In addition, MongoDB accounts are not global. Database A's accounts belong to A and database B's accounts belong to B, so when logging in or working with accounts you must check that you are in the correct database. For example, A and B both have a root account. If I want to delete the root account of database A, I need to use A first, and then db.removeUser('root') can be used; otherwise I may act on the account of the wrong database. Or, if I want to log in as root on database B, I first need to switch to database B and log in there. If I enter db.auth() while in database A, what I log in to is actually the account of database A, which cannot access the data of database B!

The first time you create a user for a database (a non-admin db), you need to log in as the admin database user (that is, the highest-privilege account); after logging in, you can add the database's first user. Once the database has its first user, you can log in directly with that user and then create further users without having to log in with the highest-privilege account. This is because when you create a user for the first time, no user in that database has access permission, only the highest-privilege account does, and addUser actually writes data into a collection of the specified database. Therefore, you must first log in with the highest-privilege account to obtain write permission before adding the user.
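
The account rules summarized above, as a small executable model (an added example, not MongoDB code and not from the original article). ModelServer, ModelSession and the sample passwords are hypothetical, and the model follows the rules as this article states them: authentication is enforced only once the admin database has a user, db.auth checks the current database only, and an admin login reaches every database.

```javascript
// Simplified model of the per-database account rules described in this article.
// Hypothetical names; this is not MongoDB's implementation.
class ModelServer {
  constructor() { this.users = {}; }   // dbName -> { username: { pwd, readOnly } }
  addUser(db, name, pwd, readOnly = false) {
    this.users[db] = this.users[db] || {};
    this.users[db][name] = { pwd, readOnly };
  }
  // Authentication only takes effect once the admin database has a user.
  enforced() { return Object.keys(this.users.admin || {}).length > 0; }
}

class ModelSession {
  constructor(server) { this.server = server; this.current = 'test'; this.logins = {}; }
  use(db) { this.current = db; }
  // Like db.auth: looks the user up in the *current* database only.
  auth(name, pwd) {
    const user = (this.server.users[this.current] || {})[name];
    if (!user || user.pwd !== pwd) return false;
    this.logins[this.current] = user;
    return true;
  }
  // Access level on the current database: 'none', 'read' or 'write'.
  access() {
    if (!this.server.enforced()) return 'write';
    const user = this.logins.admin || this.logins[this.current];
    if (!user) return 'none';
    return user.readOnly ? 'read' : 'write';
  }
}

// Constructed scenario: two databases that each have their own "root".
function demo() {
  const out = [];
  const server = new ModelServer();
  server.addUser('testA', 'root', 'a-pass');       // no admin user yet
  const anon = new ModelSession(server); anon.use('testA');
  out.push(anon.access());                         // user on testA alone has no effect
  server.addUser('admin', 'root', 'admin-pass');   // authentication now enforced
  server.addUser('testB', 'root', 'b-pass');       // same name, separate account
  out.push(anon.access());                         // unauthenticated session is locked out
  const s = new ModelSession(server); s.use('testA');
  out.push(s.auth('root', 'b-pass'));              // testB's password fails on testA
  out.push(s.auth('root', 'a-pass'));              // testA's own account works
  s.use('testB'); out.push(s.access());            // testA login does not cover testB
  s.use('admin'); s.auth('root', 'admin-pass');
  s.use('testB'); out.push(s.access());            // admin login reaches every database
  return out;
}
```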

Logon IP settings

In MongoDB, you can set a login whitelist, that is, only the specified IP address can connect to the mongod server.

The configuration is very simple: you only need to add the bind_ip parameter when starting mongod. For example, to restrict logins to the local machine only, start mongod with the command:

mongod --bind_ip 127.0.0.1

However, we are still studying whether multiple IP addresses can be specified. Currently, only one IP address can be specified as a white list...
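
A check for the two startup options covered in this article, written as an added example (not from the original article or from MongoDB). auditMongodArgs, the finding names and the sample command lines in the comments are constructed for illustration.

```javascript
// Audits a mongod command line for --auth and --bind_ip.
// --bind_ip takes the local address(es) mongod listens on; mongod accepts a
// comma-separated list. Finding names are hypothetical labels for this example.
const LOOPBACK = new Set(['127.0.0.1', 'localhost', '::1']);

function auditMongodArgs(commandLine) {
  const args = commandLine.trim().split(/\s+/).slice(1);   // drop "mongod"
  let auth = false;
  let bindIps = null;                                       // null = option not given
  for (let i = 0; i < args.length; i++) {
    const eq = args[i].indexOf('=');                        // supports --bind_ip=1.2.3.4
    const flag = eq === -1 ? args[i] : args[i].slice(0, eq);
    if (flag === '--auth') auth = true;
    if (flag === '--bind_ip') {
      const value = eq === -1 ? args[++i] : args[i].slice(eq + 1);
      bindIps = (value || '').split(',').filter(Boolean);
    }
  }
  const findings = [];
  if (!auth) findings.push('auth-disabled');
  if (bindIps === null) {
    // Listening addresses then depend on the installed version's default.
    findings.push('bind_ip-not-set');
  } else if (bindIps.length === 0) {
    findings.push('bind_ip-empty');
  } else if (bindIps.includes('0.0.0.0')) {
    findings.push('bind_ip-all-interfaces');
  }
  // Worst case: a non-loopback listener with no authentication in front of it.
  const remote = bindIps !== null && bindIps.some(ip => !LOOPBACK.has(ip));
  if (!auth && remote) findings.push('unauthenticated-network-exposure');
  return findings;
}

// Constructed sample command lines and the findings they produce:
//   mongod                                   -> auth-disabled, bind_ip-not-set
//   mongod --auth --bind_ip 127.0.0.1        -> (none)
//   mongod --bind_ip 127.0.0.1,10.0.0.5      -> auth-disabled, unauthenticated-network-exposure
```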

Original article address: Mongodb Security Settings: zookeeper settings, logon IP settings, thanks to the original author for sharing.
