MongoDB 3.0.x user authorization configuration (standalone environment)

Source: Internet
Author: User

By default, the MongoDB database has no permission control. Anyone who can connect to the open port can access it with root-level permissions, which is extremely insecure in a production environment. Therefore, users must be set up for authorization control.

  • User authorization module configuration in a standalone environment:

MongoDB Community edition has two options that control user access:

--auth: Add --auth to the mongod startup options to enable the authorization module when MongoDB starts. PS: once the auth module is enabled, the local machine can still log on to the database, but it has no permission to add, delete, modify, or query data. Therefore, create a super user before starting the auth module.

--keyFile <file>: Used for authorization between the members of a sharded cluster and replica set. On a single machine you only need --auth. In a cluster (sharded + replica set) environment, this parameter must be used.

security.authorization: Starting from MongoDB 2.6, the mongod/mongos startup configuration file supports a YAML format. This setting has the same effect as --auth, and it is the form used in the rest of this article.

security.keyFile: Same format as security.authorization; it has the same effect as --keyFile.

  • First, verify access when the authentication module is not configured:

    [root@fo169 bin]# ./mongo
    MongoDB shell version: 3.0.7
    connecting to: test
    Server has startup warnings:
    2015-10-29T15:12:14.257+0800 I CONTROL  [initandlisten] ** WARNING: You are running this process as the root user, which is not recommended.
    2015-10-29T15:12:14.257+0800 I CONTROL  [initandlisten]
    > show dbs
    local  0.000GB

Without the authentication module configured, you can perform any operation after logging on to the database.

  • Configure the authentication module and restart the service:

Write a startup configuration file, mongodb.conf (the security section at the end of the file, highlighted in red in the original, enables the auth module):

    [root@fo169 bin]# cat mongodb.conf
    systemLog:
       destination: file
       path: "/data/auth/log/mongod.log"
       logAppend: true
    storage:
       journal:
          enabled: true
       dbPath: "/data/auth/db"
       directoryPerDB: true
       engine: wiredTiger
       wiredTiger:
          engineConfig:
             cacheSizeGB: 4
             directoryForIndexes: true
             journalCompressor: zlib
          collectionConfig:
             blockCompressor: zlib
          indexConfig:
             prefixCompression: true
    net:
       port: 27017
    processManagement:
       fork: true
    security:
       authorization: enabled

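As an added example (not part of the original article): a small Node.js check that reads a mongod configuration file, in either the YAML format or the older key = value format mentioned above, and reports whether access control is switched on. The function names and the sample configs are assumptions constructed for illustration; ARTICLE_CONF is an excerpt of the file shown above.

```javascript
// Added example, not from the original article: report whether a mongod
// config file enables access control. Sample configs below are constructed.
function parseMongodConf(text) {
  const settings = {};   // flattened keys, e.g. "security.authorization"
  const stack = [];      // enclosing YAML mappings as {indent, key}
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.replace(/(^|\s)#.*$/, "");        // strip comments
    if (!line.trim()) continue;
    const legacy = line.match(/^\s*([A-Za-z]+)\s*=\s*(.*?)\s*$/);
    if (legacy) { settings[legacy[1]] = legacy[2]; continue; }
    const m = line.match(/^(\s*)([A-Za-z]+):\s*(.*?)\s*$/);
    if (!m) continue;
    const indent = m[1].length;
    while (stack.length && stack[stack.length - 1].indent >= indent) stack.pop();
    const path = [...stack.map(s => s.key), m[2]].join(".");
    if (m[3] === "") stack.push({ indent, key: m[2] });   // a nested section
    else settings[path] = m[3].replace(/^["']|["']$/g, "");
  }
  return settings;
}

function accessControl(text) {
  const s = parseMongodConf(text);
  const via = [];
  if (s["security.authorization"] === "enabled") via.push("security.authorization");
  if (s["security.keyFile"]) via.push("security.keyFile"); // keyFile implies auth
  if (/^true$/i.test(s.auth || "")) via.push("auth");      // pre-2.6 format
  if (s.keyFile) via.push("keyFile");
  return { enforced: via.length > 0, via };
}

const ARTICLE_CONF = `
net:
   port: 27017
processManagement:
   fork: true
security:
   authorization: enabled
`;
const COMMENTED_OUT = `
net:
   port: 27017
#security:
#   authorization: enabled
`;
const LEGACY = "port = 27017\nauth = true\n";

for (const [name, conf] of Object.entries({ ARTICLE_CONF, COMMENTED_OUT, LEGACY }))
  console.log(name, JSON.stringify(accessControl(conf)));
```

A security section that is present but commented out, as in COMMENTED_OUT, is reported as not enforced, as is an authorization key indented under the wrong section.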
  • Create an authorized user (super administrator):

Since v3.0, MongoDB has a built-in root role that combines the permissions of four roles: readWriteAnyDatabase, dbAdminAnyDatabase, userAdminAnyDatabase, and clusterAdmin. It is similar to the Oracle sysdba role, except that the username of the MongoDB super administrator can be chosen freely:

    [root@fo169 bin]# ./mongo
    MongoDB shell version: 3.0.7
    connecting to: test
    Server has startup warnings:
    2015-10-30T16:24:36.127+0800 I CONTROL  [initandlisten] ** WARNING: You are running this process as the root user, which is not recommended.
    2015-10-30T16:24:36.127+0800 I CONTROL  [initandlisten]
    > use admin
    switched to db admin
    > db.createUser(
    ...    {
    ...      user: "ljaiadmin",
    ...      pwd: "123456",
    ...      roles: [ { role: "root", db: "admin" } ]
    ...    }
    ... )
    Successfully added user: {
            "user" : "ljaiadmin",
            "roles" : [
                    {
                            "role" : "root",
                            "db" : "admin"
                    }
            ]
    }

This creates the super administrator user ljaiadmin. A global user or super user must be created in the admin database of MongoDB (the user can also be created in other databases, but the role does not take effect there). After the mongod process is restarted, verify the permissions:

    [root@fo169 bin]# ./mongo
    MongoDB shell version: 3.0.7
    connecting to: test
    > show dbs
    # Note: the system reports that the listDatabases command is not authorized to be executed.
    2015-10-30T16:41:31.131+0800 E QUERY    Error: listDatabases failed:{"ok": 0, "errmsg": "not authorized on admin to execute command {listDatabases: 1.0}", "code": 13}
        at Error (<anonymous>)
        at Mongo.getDBs (src/mongo/shell/mongo.js:47:15)
        at shellHelper.show (src/mongo/shell/utils.js:630:33)
        at shellHelper (src/mongo/shell/utils.js:524:36)
        at (shellhelp2):1:1 at src/mongo/shell/mongo.js:47
    > use admin
    switched to db admin
    > db.auth('ljaiadmin', '123456')
    # Note: switch to the admin database and authenticate as the administrator.
    1
    > show dbs
    # Note: after verification is complete, read and write operations can be performed.
    admin    0.000GB
    local    0.000GB
    test100  0.000GB
    test2    0.000GB
    > use test2
    switched to db test2
    > show tables
    test
    test2
    > db.test2.find()
    {"_id": ObjectId("5632cf0000207909a76446af7"), "name": "1"}
    > db.test2.drop()
    true
    > db.dropDatabase()
    {"dropped": "test2", "ok": 1}
    > show dbs
    admin    0.000GB
    local    0.000GB
    test100  0.000GB
    > use test100
    switched to db test100
    > db.test111.insert({"test": "test"})
    WriteResult({"nInserted": 1})
    > db.test111.find()
    {"_id": ObjectId("56332db373f771b3d95638bb"), "test": "test"}
    > use admin
    switched to db admin
    > show users
    {"_id": "admin.ljaiadmin", "user": "ljaiadmin", "db": "admin", "roles": [{"role": "root", "db": "admin"}]}
    >

  • Create a common user

Take the rwtest123 user, who can read and write the test123 database, as an example:

    > use test123
    switched to db test123
    > db.createUser(
    ...    {
    ...      user: "rwtest123",
    ...      pwd: "123456",
    ...      roles: [ { role: "readWrite", db: "test123" } ]
    ...    }
    ... )
    Successfully added user: {"user": "rwtest123", "roles": [{"role": "readWrite", "db": "test123"}]}

    # The created rwtest123 user can perform addition, deletion, modification, and query operations in the test123 database, but other operations won't work
    > db.auth('rwtest123', '123456')
    switched to db test123
    > db.test123.insert({"test": "test"})
    WriteResult({"nInserted": 1})
    > db.test123.find()
    {"_id": ObjectId("563332ebc8a59ae4fe96bbf5"), "test": "test"}
    > db.test123.drop()
    true
    > use test100
    switched to db test100
    > db.test100.find()
    Error: error: {"$err": "not authorized for query on test100.test100", "code": 13}
    >

  • Configuration reference:

MongoDB offers a large number of user permission controls. The system has built-in roles, and you can also define roles and permissions yourself. Assign permissions based on your business needs:

Description of built-in roles (the built-in roles generally meet the needs of a production environment):

https://docs.mongodb.org/manual/core/security-built-in-roles/

Description of user-defined roles:

https://docs.mongodb.org/manual/core/security-user-defined-roles/

Description of user management methods:

https://docs.mongodb.org/manual/reference/method/#user-management-methods
