Operation of user name and password for MongoDB Rights Management

Source: Internet
Author: User
Tags: auth

Enabling authentication in MongoDB

By default MongoDB accepts direct connections without any authentication. If the host is reachable from the public network and nobody pays attention to whether the MongoDB port (default 27017) is open, the database becomes a security risk: this misconfiguration can be exploited to break into the database.

An environment susceptible to intrusion
    • MongoDB is started with the default mongod command
    • The machine is reachable from the public network
    • The MongoDB port is open to the public network
Security risks
    • Private data in the database is leaked
    • The database is wiped
    • The database runs slowly
Solution

1. Prohibit public network access to the MongoDB port

1.1 Network configuration

Because network configurations differ from one setup to another, this has to be done according to your actual environment, so no detailed steps are given here. In general, access can be blocked in the following places.

    • Turn off port forwarding on the router
    • Block access with the iptables firewall
1.2 Verify that the port can be accessed

On a machine outside your network, run the following from the command line:

telnet your.machine.open.ip 27017
2. Enable authentication

2.1 Create the admin user account

Database version used here: MongoDB 3.4

Start the database with mongod
In a new terminal:

mongod --port 27017 --dbpath /data/db1

By default no extra parameters are needed; if you normally start mongod with custom parameters, add them here as well, and likewise in the later steps.

In another terminal, run the following commands:

mongo --port 27017
use admin
db.createUser(
  {
    user: "adminUser",
    pwd: "adminPass",
    roles: [ { role: "userAdminAnyDatabase", db: "admin" } ]
  }
)

The administrator was created successfully; there is now a user administrator:
User name: adminUser
Password: adminPass
Then disconnect from MongoDB and shut the database down:
press <C-c> in both terminals

2.2 Logging in with MongoDB user authentication

Start MongoDB with access control enabled
In a new terminal:

mongod --auth --port 27017 --dbpath /data/db1

There are now two ways to authenticate a user.
First way (MySQL-like)
Specify the user name, password and authentication database when the client connects:

mongo --port 27017 -u "adminUser" -p "adminPass" --authenticationDatabase "admin"

Second way
Connect the client first, then authenticate:

mongo --port 27017
use admin
db.auth("adminUser", "adminPass")   // output 1 means authentication succeeded
2.3 Creating a normal user

The process is the same as creating the administrator account; only the roles differ:

use foo
db.createUser(
  {
    user: "simpleUser",
    pwd: "simplePass",
    roles: [ { role: "readWrite", db: "foo" }, { role: "read", db: "bar" } ]
  }
)

Now we have a normal user:
User name: simpleUser
Password: simplePass
Permissions: read and write on database foo, read on database bar.

NOTE
"use foo" means the user is created in the foo database, so authentication must also be performed against the foo database; in other words, the user's credentials are stored with the database it was created in. For example, although simpleUser above has read permission on the bar database, it must first authenticate in foo; trying to authenticate directly in bar will result in an authentication failure.

use foo
db.auth("simpleUser", "simplePass")
use bar
show collections

It is also important to note that if the admin database has no users at all, then even with authentication enabled and users created in other databases, the default (unauthenticated) connection will still have super privileges.

2.4 Built-in roles
    • read: allows the user to read the specified database
    • readWrite: allows the user to read and write the specified database
    • dbAdmin: allows the user to perform administrative tasks in the specified database, such as creating and dropping indexes, viewing statistics, or accessing system.profile
    • userAdmin: allows the user to write to the system.users collection, i.e. to create, delete and manage users in the specified database
    • clusterAdmin: only available in the admin database; gives the user administrative privileges over all sharding and replica set related functions
    • readAnyDatabase: only available in the admin database; gives the user read access to all databases
    • readWriteAnyDatabase: only available in the admin database; gives the user read and write access to all databases
    • userAdminAnyDatabase: only available in the admin database; gives the user userAdmin permissions on all databases
    • dbAdminAnyDatabase: only available in the admin database; gives the user dbAdmin permissions on all databases
    • root: only available in the admin database; the super account with full privileges
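As an added example (not code from the original article), the following model shows how the roles given to db.createUser() in sections 2.3 and 2.4 decide what a user may do on a given database, and which database the user has to authenticate against. The action names per role are a simplification chosen for this example, not MongoDB's real privilege list.

```javascript
// Simplified action sets for the db-scoped built-in roles of section 2.4
// (constructed for this example; MongoDB's real privilege lists are longer).
const ROLE_ACTIONS = {
  read: ["find"],
  readWrite: ["find", "insert", "update", "remove"],
  dbAdmin: ["createIndex", "dropIndex", "collStats"],
  userAdmin: ["createUser", "dropUser"],
  clusterAdmin: ["addShard", "replSetReconfig"],
};
// The *AnyDatabase roles are only valid in admin and apply to every database.
const ANY_DB = {
  readAnyDatabase: "read",
  readWriteAnyDatabase: "readWrite",
  userAdminAnyDatabase: "userAdmin",
  dbAdminAnyDatabase: "dbAdmin",
};

// user: the document passed to db.createUser(), plus "db", the database the
// user was created in. Returns the set of actions allowed on targetDb.
function allowedActions(user, targetDb) {
  const actions = new Set();
  for (const r of user.roles) {
    if (r.role === "root" && r.db === "admin") {
      Object.values(ROLE_ACTIONS).flat().forEach((a) => actions.add(a));
    } else if (ANY_DB[r.role] && r.db === "admin") {
      ROLE_ACTIONS[ANY_DB[r.role]].forEach((a) => actions.add(a));
    } else if (ROLE_ACTIONS[r.role] && r.db === targetDb) {
      // A db-scoped role grants nothing on any other database.
      ROLE_ACTIONS[r.role].forEach((a) => actions.add(a));
    }
  }
  return actions;
}

function can(user, targetDb, action) {
  return allowedActions(user, targetDb).has(action);
}

// Section 2.3: db.auth() only succeeds in the database the user was created in.
function authDbOk(user, dbWhereAuthCalled) {
  return user.db === dbWhereAuthCalled;
}

// The two users from the article, as plain objects constructed here.
const adminUser = { db: "admin", user: "adminUser",
  roles: [{ role: "userAdminAnyDatabase", db: "admin" }] };
const simpleUser = { db: "foo", user: "simpleUser",
  roles: [{ role: "readWrite", db: "foo" }, { role: "read", db: "bar" }] };
```

Note that adminUser, holding only userAdminAnyDatabase, can manage users everywhere but cannot read data in foo; that is the least-privilege split the article's setup produces.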
2.5 Access in URI form

In production, connect to the database using the URI form:

mongodb://your.db.ip.address:27017/foo

With user name and password authentication added:

mongodb://simpleUser:simplePass@your.db.ip.address:27017/foo
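As an added example (not from the original article), the functions below build the URI form of section 2.5 and parse it back. They go slightly beyond the article: credentials are percent-encoded so a password containing ":" or "@" does not break the URI, and the standard authSource option is supported for the case in section 2.3 where the user lives in a different database than the one being used. The host and password values are constructed for the example.

```javascript
// Build mongodb://user:pwd@host:port/db[?authSource=...] from its parts.
function buildMongoUri({ user, pwd, host, port = 27017, db, authSource }) {
  // Percent-encode credentials: a raw "@" in the password would otherwise be
  // read as the start of the host part, and ":" would split the password.
  const cred = `${encodeURIComponent(user)}:${encodeURIComponent(pwd)}@`;
  // authSource is a standard connection-string option (assumed here as the
  // way to name the user's own database when the path points elsewhere).
  const opts = authSource ? `?authSource=${encodeURIComponent(authSource)}` : "";
  return `mongodb://${cred}${host}:${port}/${db}${opts}`;
}

// Parse the URI back into its parts and work out the authentication database.
function parseMongoUri(uri) {
  const u = new URL(uri); // WHATWG URL parses the authority of mongodb:// too
  const db = u.pathname.replace(/^\//, "");
  return {
    user: decodeURIComponent(u.username),
    pwd: decodeURIComponent(u.password),
    host: u.hostname,
    port: u.port ? Number(u.port) : 27017,
    db,
    // Section 2.3: the user must authenticate in the database it was created
    // in. That is authSource when given, otherwise the database in the path.
    authDb: u.searchParams.get("authSource") || db || "admin",
  };
}
```

Because the password is embedded in the URI, keep such strings out of logs, shell history and source control.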
