MongoDB Study Notes (7)-Access Control

Source: Internet
Author: User
In the official manual, the MongoDB service is started without any parameters. Once a client connects, it can perform any operation on the database, and the database can be accessed remotely. We therefore recommend setting no parameters only during the development phase. In a production environment you need to consider security carefully, and there are several ways to improve MongoDB database security: bind the MongoDB service to an intranet IP address, set the listening port, and require a username and password to log on.

Bind an IP address to access the MongoDB Service

MongoDB can be restricted so that it is reachable only through a specific IP address. You only need to add the bind_ip parameter at startup, as shown below; the MongoDB service can then be accessed only through the IP address 192.168.1.103 on the server.

[root@localhost bin]# ./mongod --bind_ip 192.168.1.103

 

Set listening port

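The official default listening port is 27017. For security reasons, this listening port is generally changed to avoid malicious connection attempts. A non-default port only avoids attempts aimed at 27017, so it is used together with the other settings in this article, not instead of them. The example below changes the listening port of the server to 28018: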

[root@localhost bin]# ./mongod --bind_ip 192.168.1.103 --port 28018

 

Log On with the user name and password

By default, MongoDB does not verify a user name and password. Once MongoDB is started, any client can connect to it directly and has root permissions on all databases. You can therefore specify a parameter at startup to block unauthenticated client access and connections.

To enable the system login verification module, you only need to specify the auth parameter at startup, as shown below:

[root@localhost bin]# ./mongod --auth
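
The three startup settings covered so far (bind_ip, port, auth) can be checked together on a given mongod command line. The following shell function is an added example, not part of the original notes; audit_mongod_args and its finding messages are hypothetical names, and it assumes the settings are passed on the command line as in the commands above.

```sh
#!/bin/sh
# Added example (not from the article): audit one mongod command line for the
# three settings covered above. Prints one finding per line, nothing if clean.
# Assumptions: flags come from the command line only (no config file), and a
# mongod without bind_ip listens on every interface, as in the 1.8.1 setup here.
audit_mongod_args() {
    bind_ip="" port=27017 auth=no   # values in effect when a flag is absent
    set -f                          # no filename expansion while splitting
    set -- $1                       # split the command line into words
    set +f
    while [ $# -gt 0 ]; do
        case "$1" in
            --bind_ip)   bind_ip="${2:-}"; [ $# -gt 1 ] && shift ;;
            --bind_ip=*) bind_ip="${1#*=}" ;;
            --port)      port="${2:-}"; [ $# -gt 1 ] && shift ;;
            --port=*)    port="${1#*=}" ;;
            --auth)      auth=yes ;;
        esac
        shift
    done
    case "$bind_ip" in
        ""|*0.0.0.0*) echo "bind_ip: listening on all interfaces" ;;
    esac
    if [ "$port" = 27017 ]; then
        echo "port: default 27017 still in use"
    fi
    if [ "$auth" != yes ]; then
        echo "auth: login verification is off"
    fi
    return 0
}

# Constructed sample input: the command lines shown in this article, in order.
while IFS= read -r line; do
    printf '== %s\n' "$line"
    audit_mongod_args "$line" | sed 's/^/   /'
done <<'EOF'
./mongod
./mongod --bind_ip 192.168.1.103
./mongod --bind_ip 192.168.1.103 --port 28018
./mongod --bind_ip 192.168.1.103 --port 28018 --auth
EOF
```

Only the last sample line, which combines all three settings, produces no findings.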

 

Create a system root account

Add a new user root in the admin database:

[root@localhost bin]# ./mongo

MongoDB shell version: 1.8.1
connecting to: test
> db.addUser("root", "111")
{
    "user" : "root",
    "readOnly" : false,
    "pwd" : "e54950178e2fa777b1d174e9b450b6ab"
}
> db.auth("root", "111")

Connect from the local client and specify the user. The result is as follows:

[root@localhost bin]# ./mongo -u root -p

MongoDB shell version: 1.8.1
enter password:
connecting to: test
> show collections;
system.indexes
system.users

Create a user with the specified permission

MongoDB also supports setting users for a specific database. For example, we set a read-only user user_reader for the test database:

[root@localhost bin]# ./mongo -u root -p

MongoDB shell version: 1.8.1
enter password:
connecting to: test
> show collections;
system.indexes
system.users
> use test
switched to db test
> db.addUser("user_reader", "user_pwd", true)
{
    "user" : "user_reader",
    "readOnly" : true,
    "pwd" : "0809760bb61ee027199e513c5ecdedc6"
}
