Security of "Nine" MongoDB management

To ensure a secure MongoDB runtime environment, DBAs need to implement some control to ensure that users or applications simply access the data they need. These measures include, but are not limited to:

• Authentication mechanism
• Role-based access control
• Encryption
• Audit

First, the authentication mechanism

Authentication is the process of verifying the identity of a client user. When access control is turned on, MongoDB requires all clients to authenticate themselves to determine their access rights. Although authentication and authorization are similar, authentication is different from authorization, authentication is proof of identity, authorization is the resource and operation that determines their access.

1. Users

In order to authenticate the client, you have to add a corresponding user to MongoDB.

• User Management interface: the Db.createuser () method creates a user who can assign a role to a user after the addition is complete, and the first user must be an administrator to manage other users. You can also update the existing user, you must modify the password and permissions.
• Authentication database: When you add a user, you add the user to a specified database, and the database is an authentication database for that user. A user can have access to multiple databases, by assigning role permissions.
• Authenticated Users: In order to authenticate users, you can pass the Db.author () method.
• Shard Cluster User: Create a user for a shard cluster, which can be done through a MONGOs instance, and MongoDB stores the user information in the config server's admin library. However, some operations need to be directly connected to the Shard host, when these users are not, need to create shard local administrative users to the Shard host

2. Authentication mechanism

1) scram-sha-1

2) MONGODB-CR

3)

Second, role-based access control

MongoDB default is no open access control, you can turn on the--auth parameter restart Mongod service. Once turned on, the user connection Mongod must specify a user name and password.

1. Built-in role

MongoDB provides many built-in roles for different levels of access to database resources. Built-in database user role and database Administrator role exist in each database

1) Database User role

Each database contains the following roles:

• READ: Provides reading permissions, in addition to non-system collections
• ReadWrite: Providing read and write access

2) Database Administrator role

Each database contains the following roles:

• DbAdmin: Provides permissions for schema-related operations, indexing, gathering statistics, and cannot assign roles.
• Dbowner: This role includes permissions for ReadWrite, DbAdmin, and useradmin roles
• Useradmin: Provides permissions to modify and create roles and users. Because the role can assign permissions, including themselves, it indirectly provides Superuser permissions.

3) Cluster Management role

• Clusteradmin: Provides the highest permissions for cluster management, including Clustermanager, Clustermonitor, and hostmanager roles. There is also permission to delete the database
• Clustermanager: Permission to access config and local database
• Clustermonitor: Provides read-only permissions for monitoring tools
• Hostmanager: Provides permissions to monitor and manage hosts

4) Backup and restore roles

• Backup: In addition to the System.profile collection, this role provides sufficient permissions to back up all collections using tools such as MongoDB Cloud Manager, Ops Manager, Mongodump, and so on.
• Restore: Permissions to recover data

5) All database permissions

• Readanydatabase: Provides permission to read all databases
• Readwriteanydatabase: With ReadWrite, the scope is all databases.
• Useradminanydatabase: Same useradmin, scope is all database
• Dbadminanydatabase: With dbadmin, scope all databases

6) Super Character

• Root: Provide all permissions

7) Internal role

• __system: Provides permissions to maintain database objects and is generally not assigned to users.

2. Custom Roles

MongoDB provides many built-in roles, and of course you can create your own if you don't meet your needs

You can use the Db.createrole () method to create a role that is stored in the System.roles collection of the admin library.

3. Collection-level access control

Collection-level access control allows DBAs to assign permissions to users based on certain collections, that is, users can access only certain collections.

"Access level Control instance: stand-alone environment"

Step One: Create an administrator user before the access level is enabled, ( if not, once you have access control turned on, you can enter MONGOs, but do not have any additions or deletions to change permissions ):

Use Admindb.createuser (  {    "myuseradmin",    pwd " abc123 " ,     " Useradminanydatabase " " Admin "  } ]  })

Step Two: Restart the Mongod service with the --auth parameter (that is, turn on access level control)

Mongod--dbpath=/data/27019/db--fork--logpath=/data/27019 27019 --auth

Step three: Log in with an administrator and create a regular user

[[Email protected]27019]# MONGO--port27019-U"Myuseradmin"-P"abc123"--authenticationdatabase"Admin"#使用管理员登录use Testdb.createuser ( #在test库中创建所属用户testUser, although the user belongs to the test library, but through role assignment, it can also have operational rights to other databases {User:"TestUser",      pwd:"12345678", roles: [{role:"Read"Db:"Children"}, #对children库有只读权限 {role:"ReadWrite"Db:"Test"}, #对test库有读写权限{role:"ReadWrite"Db:"hashtest"} #对HashTest库有读写权限]})
#使用新用户testUser登录测试 [[Email protected]27019]# MONGO--port27019-U"TestUser"-P"12345678"MongoDB Shell version:3.2.0Connecting to:127.0.0.1:27019/Test> Db.user.insert ({"_id":1,"name":"Darren"}) #向test库中插入数据, you can successfully writeresult ({"ninserted":1 })>Use children #向children库中插入数据, failed because only read permissions switched to DB children> Db.user.insert ({"_id":1,"name":"Darren"}) Writeresult ({"Writeerror" : {        "Code": -,        "errmsg":"Not authorized on children to execute command {insert: \ "User\", documents: [{_id:1.0, name: \ "Darren\"}], Order Ed:true}"    }})
> Use Hashtest
Switched to DB Hashtest
> Db.user.insert ({"_id": 1, "name": "Darren"}) #向HashTest库中插入数据, success.
Writeresult ({"ninserted": 1})

Summary: MongoDB a database needs to belong to a user, when an identical user needs to access multiple databases, do not need to establish the same user in each database, can establish a special management user's library, through role assignment to achieve this purpose, easier to maintain and manage.

Third, encryption

1. Transmission encryption

You can use TLS/SSL to encrypt MongoDB network traffic, which ensures that network traffic is only read by the client that needs it.

2. Static encryption

There are two main ways to encrypt static data: Application layer encryption and storage layer encryption. You can use it together or independently. New encryption options are introduced for the Wiredtiger storage engine in V3.2, which allows you to encrypt data files so that only the part with the decryption key can decrypt and read the data.

Security of "Nine" MongoDB management