mongodb:用户认证
mongodb 安装后默认不启用认证,也就是说在本地可以通过 mongo 命令不输入用户名密码,
直接登陆到数据库,下面介绍下启用 mongodb 用户认证,详细如下:
启用 mongodb 认证只需要在启动 mongod 服务时配置 auth 参数成 'true'即可可 ,在配置
参数前先添加超级用户。
一 启用认证
--1.1 增加管理用户
> use admin;
switched to db admin
> db.adduser('root','123456');
{
"user" : "root",
"readonly" : false,
"pwd" : "34e5772aa66b703a319641d42a47d696",
"_id" : objectid("50ad456a0b12589bdc45cf92")
}
> db.system.users.find();
{ "_id" : objectid("50ad6ecda579c47efacf811b"), "user" : "root", "readonly" : false, "pwd" : "34e5772aa66b703a319641d42a47d696" }
备注:在 admin 库中增加的用户为超级用户,权限最大,可以访问所有库。
--1.2 增加普通用户
> use skytf;
switched to db skytf
> db.adduser('skytf','skytf');
"user" : "skytf",
"pwd" : "8c438fc9e2031577cea03806db0ee137",
"_id" : objectid("50ad45dd0b12589bdc45cf93")
{ "_id" : objectid("50ad6ef3a579c47efacf811c"), "user" : "skytf", "readonly" : false, "pwd" : "8c438fc9e2031577cea03806db0ee137" }
--1.3 配置 auth 参数
vim /database/mongodb/data/mongodb_27017.conf,增加 " auth = true ” 参数
fork = true
bind_ip = 127.0.0.1
port = 27017
quiet = true
dbpath = /database/mongodb/data/
logpath = /var/applog/mongo_log/mongo.log
logappend = true
journal = true
auth = true
备注:增加 “auth = true” 配置。
--1.4 重启 mongodb
[mongo@redhatb data]$ ps -ef | grep mongo
root 10887 10859 0 04:47 pts/0 00:00:00 su - mongo
mongo 10889 10887 0 04:47 pts/0 00:00:00 -bash
root 10984 10964 0 04:53 pts/1 00:00:00 su - mongo
mongo 10986 10984 0 04:53 pts/1 00:00:00 -bash
mongo 12749 1 0 07:54 ? 00:00:01 mongod -f /database/mongodb/data/mongodb_27017.conf
mongo 13035 10986 13 08:21 pts/1 00:00:00 ps -ef
mongo 13036 10986 0 08:21 pts/1 00:00:00 grep mongo
[mongo@redhatb data]$ kill 12749
[mongo@redhatb data]$ mongod -f /database/mongodb/data/mongodb_27017.conf
forked process: 13042
all output going to: /var/applog/mongo_log/mongo.log
--1.5 测试 skytf 帐号
[mongo@redhatb data]$ mongo 127.0.0.1/skytf -u skytf -p
mongodb shell version: 2.2.1
enter password:
connecting to: 127.0.0.1/skytf
error: { errmsg: "auth fails", ok: 0.0 }
thu nov 22 08:23:11 uncaught exception: login failed
exception: login failed
> show collections;
system.indexes
system.users
test_1
test_2
test_3
test_4
things
things_1
> db.test_5.find();
{ "_id" : objectid("50ad7177d114dcf18a8bb220"), "id" : 1 }
> show dbs;
thu nov 22 08:24:03 uncaught exception: listdatabases failed:{ "errmsg" : "need to login", "ok" : 0 }
> use test;
switched to db test
thu nov 22 09:01:32 uncaught exception: error: {
"$err" : "unauthorized db:test ns:test.system.namespaces lock type:0 client:127.0.0.1",
"code" : 10057
备注:从上看出, skytf 用户的认证已生效,并且能查看数据库 skytf 里的集合,但不能执行 “show dbs”
命令;并且能连接数据库 test ,但没有权限执行“show collections” 命令。
二 切换用户
--2.1 在普通库中切换成 root 用户
> db.auth('root','123456');db.auth('root','123456');
备注:在普通库中切换成超级用户失败,超级用户需要在 admin 库中切换才能生效。
--2.2 在 admin 库中切换成 root 用户
> db.auth('root','123456');
1
备注:在 admin 库中切换成超级用户成功。
三 新增只读帐号
--3.1 增加只读帐号
> db.adduser('skytf_select','skytf_select',true);
"user" : "skytf_select",
"readonly" : true,
"pwd" : "e344f93a69f20ca9f3dfbc40da4a3082",
"_id" : objectid("50ad71c7d114dcf18a8bb221")
> db.system.users.find();db.system.users.find();
{ "_id" : objectid("50ad71c7d114dcf18a8bb221"), "user" : "skytf_select", "readonly" : true, "pwd" : "e344f93a69f20ca9f3dfbc40da4a3082" }
备注:只需在 adduser 命令中增加第三个参数,并指定为“true” ,即可创建只读帐号。
--3.2 测试
[mongo@redhatb data]$ mongo 127.0.0.1/skytf -u skytf_select -p
test_5
{ "_id" : objectid("50ad724ed114dcf18a8bb222"), "id" : 2 }
> db.test_5.save({id:3});
unauthorized
备注:以只读帐号 skytf_select 登陆库 skytf,有权限执行查询操作,没有权限执行插入操作;
四 附 命令参考
--4.1 db.adduser
parameters:
username (string) – specifies a new username.
password (string) – specifies the corresponding password.
readonly (boolean) – optional. restrict a user to read-privileges only. defaults to false.
use this function to create new database users, by specifying a username and password as arguments
to the command. if you want to restrict the user to have only read-only privileges, supply a true third
argument; however, this defaults to false。
--4.2 db.auth
username (string) – specifies an existing username with access privileges for this database.
allows a user to authenticate to the database from within the shell. alternatively use mongo
--username and --password to specify authentication credentials.
五 参考
http://docs.mongodb.org/manual/tutorial/control-access-to-mongodb-with-authentication/
http://docs.mongodb.org/manual/administration/security/
http://blog.163.com/dazuiba_008/blog/static/36334981201110311534143/
-----以上是单个mongodb的用户认证,下面是集群的
7、登录mongos添加用户:
use admin
db.adduser("<user>","<password>")
db.adduser("<user>","<password>",true) //添加只读用户
8、关闭三台机器的全部mongod,mongos:
sudo killall mongod
sudo killall mongos
9、生成keyfile:(每个进程的key file都保持一致)
openssl rand -base64 753 >keyfile
将生成的keyfile 拷贝到mongod/mongos 进程对应的文件夹
并执行语句更改权限:sudo chmod 600 keyfile
使用--keyfile参数指定前面生成的keyfile文件,重启三台机器全部mongod,mongos进程
在servera上:mongod --replset s1 --port 27020 --dbpath=/data/mongo/s1_1/db --logpath=/data/mongo/s1_1/log/mongo.log --logappend --fork --keyfile /data/mongo/s1_1/keyfile
在serverb上:mongod --replset s1 --port 27020 --dbpath=/data/mongo/s1_2/db --logpath=/data/mongo/s1_2/log/mongo.log --logappend --fork --keyfile /data/mongo/s1_2/keyfile
在serverc上:mongod --replset s1 --port 27020 --dbpath=/data/mongo/s1_3/db --logpath=/data/mongo/s1_3/log/mongo.log --logappend --fork --keyfile /data/mongo/s1_3/keyfile
在servera上:mongod --replset s2 --port 27021 --dbpath=/data/mongo/s2_1/db --logpath=/data/mongo/s2_1/log/mongo.log --logappend --fork --keyfile /data/mongo/s2_1/keyfile
在serverb上:mongod --replset s2 --port 27021 --dbpath=/data/mongo/s2_2/db --logpath=/data/mongo/s2_2/log/mongo.log --logappend --fork --keyfile /data/mongo/s2_2/keyfile
在serverc上:mongod --replset s2 --port 27021 --dbpath=/data/mongo/s2_3/db --logpath=/data/mongo/s2_3/log/mongo.log --logappend --fork --keyfile /data/mongo/s2_3/keyfile
在servera上:mongod -fork --configsvr --dbpath /data/mongo/config/db --port 27018 --logpath /data/mongo/config/log/mongo.log --fork --keyfile /data/mongo/config/keyfile
在serverb上:mongod -fork --configsvr --dbpath /data/mongo/config/db --port 27018 --logpath /data/mongo/config/log/mongo.log --fork --keyfile /data/mongo/config/keyfile
在serverc上:mongod -fork --configsvr --dbpath /data/mongo/config/db --port 27018 --logpath /data/mongo/config/log/mongo.log --fork --keyfile /data/mongo/config/keyfile
在servera上:mongos -fork --logpath /data/mongo/route/log/mongo.log --configdb servera:27018,serverb:27018,serverc:27018 --port 27017 --keyfile /data/mongo/route/keyfile
在serverb上:mongos -fork --logpath /data/mongo/route/log/mongo.log --configdb servera:27018,serverb:27018,serverc:27018 --port 27017 --keyfile /data/mongo/route/keyfile
在serverc上:mongos -fork --logpath /data/mongo/route/log/mongo.log --configdb servera:27018,serverb:27018,serverc:27018 --port 27017 --keyfile /data/mongo/route/keyfile
完毕!
------------------------
安全与认证
如果开启了安全性检查,则只有数据库认证用户才能执行读或写操作。
mongodb会将普通的数据作为admin数据库处理,admin数据库中的用户被视为超级用户。
认证之后,管理员可以读写所有数据库,执行特定的管理命令,如listdatabase和shutdown
mongos> use admin
mongos> db.adduser("root","abc")
"user" : "root",
"readonly" : false,
"pwd" : "9ebcc685b65db596c75fd6128803440f",
"_id" : objectid("54213c293a41399ef4a3d60e")
use test
mongos> db.adduser("test_user","def");
"user" : "test_user",
"pwd" : "2d7ad5ae62d41e5253c32831a63079b1",
"_id" : objectid("54213c5f3a41399ef4a3d60f")
mongos> db.adduser("read_only","ghi",true);
"user" : "read_only",
"readonly" : true,
"pwd" : "67e8e24078ad4a487c54cb16527af13a",
"_id" : objectid("54213c7d3a41399ef4a3d610")
mongos> db.system.users.find();
{ "_id" : objectid("54213c293a41399ef4a3d60e"), "user" : "root", "readonly" : false, "pwd" : "9ebcc685b65db596c75fd6128803440f" }
{ "_id" : objectid("54213c5f3a41399ef4a3d60f"), "user" : "test_user", "readonly" : false, "pwd" : "2d7ad5ae62d41e5253c32831a63079b1" }
{ "_id" : objectid("54213c7d3a41399ef4a3d610"), "user" : "read_only", "readonly" : true, "pwd" : "67e8e24078ad4a487c54cb16527af13a" }
上面添加了管理员root,在test数据库添加了两个普通账号,其中一个有只读权限,不能对数据库写入
调用adduser必须有相应数据库的写权限。
adduser不仅能添加用户,还能修改用户口令或者只读窗台。
重启服务器,加入--auth命令行选项,开启安全检查。跟刚刚一样的,需要
[root@viptest2 ~]# openssl rand
usage: rand [options] num
where options are
-out file - write to file
-engine e - use engine e, possibly a hardware device.
-rand file:file:... - seed prng from files
-base64 - base64 encode output
-hex - hex encode output
[root@viptest2 ~]# openssl rand -base64 753
wypee/+hqzz+sljuttupyklsjrgws0sh7yz1qxsa9erbsriyhrsakvckn7ngu/bs
b0d1qkybgz3a+jxuglu+n7d319akwqkx+6sbff1ks4kwl6biax9ouruqmgb6huty
e6ep4kfqpt2zke6sqy8rg7cuouhs/cqsrgpu7af5cfslxmbged284wkae+wh7yls
qvznzcoijr2mrb68p0r4bgivynryrq49tgdxmiqmxcxkxnnyvpg8mjzwtjatazr6
/lvsfdwqk+vdc0b97mfedpesqilna6eav8xqn9aycajh+bqantysala0wxsqdv8q
yut9emntjm6f5l3z8pk7ezktsolxnjaex2jvlfwpynth4nhhkqv9kzjxd6lgx7wn
ifnqil3pvyxdbgde9pbmgeh0+sgak8jhp386h4gu5mkx/behdv8tl60ku+carj0c
xehny8iqer1c9e5n1d6it9jqdidsgfkwoygb7l937htjdvqg9ektxggm39y04obv
fpb87qzfovhoobb/ttbv5tl64rmjbln0bhh0kdmbvivft3gftyya92+1qxaaxc4k
3ge0fdkoocxw0lmqdjpe7n6zn8hbzc20ezxj4yqcmy1kfhrjs1x6zmk1xi2nooiy
mygqevkrkwybbwh83wsslhmtbgvfzgo8rnt+ru/r3bafxkrrm1dx1cvw5g9+qg8i
7avjdyzpheqlr71gfjzc+psribd+pklkzjjye8fjm9vxo/zzgcshasrr+a3rhlb8
j92amlbiu8nzww54gcs8lzc0uforhauxnhcay7k8yxhxqr/+3hqvah8ozywrzfdg
gxmo0fok8hsmuahmn9u3tiamboh6mhohygefjf8o7g6ip0tkqxwwdqluuqwjznzu
llwk8na4b7gnohlrt7lwbyluum1ptckf7rtvuarkvlme6fsrripc5rl8k25ed67h
nsz7ppp2xlmhvc27cbcw5a9gux3r
在testdb中创建一个普通用户
mongos> use testdb
switched to db testdb
mongos> db.adduser('putong','putong');
"user" : "putong",
"pwd" : "9bef249456e43c9b819a4ff08f66c744",
"_id" : objectid("542142ea2f4e2dc152cf19c0")
{ "_id" : objectid("542142ea2f4e2dc152cf19c0"), "user" : "putong", "readonly" : false, "pwd" : "9bef249456e43c9b819a4ff08f66c744" }
[root@testvip1 ~]# openssl rand -base64 753 >keyfile1
[root@testvip1 ~]# chmod 600 keyfile1
[root@testvip1 ~]# scp keyfile1 192.168.12.107:/root
keyfile1 100% 1020 1.0kb/s 00:00
[root@testvip1 ~]# mongod --dbpath=/mongo1 --port 27017 --rest --keyfile=/root/keyfile1 --分配和config每个都这么启动
[root@viptest2 ~]# mongos --port 27021 --configdb=192.168.12.107:27018 --keyfile=/root/keyfile1 --mongos这么启动
使用mongo 192.168.12.107:27021/admin 登录进来后,可以看到,权限已经变更,需要认证才能进行操作。
> db.usr.find().limit(10);
error: { "$err" : "not authorized for query on testdb.usr", "code" : 16549 }
[root@viptest2 ~]# mongo 192.168.12.107:27021/admin -u root -p 使用用户root 密码abc进来
mongodb shell version: 2.4.6
connecting to: 192.168.12.107:27021/admin
mongos>
use testdb
> db.auth('putong','putong');
address
blog
games
people
testa
usr
> use admin
> show dbs
tue sep 23 18:19:10.744 listdatabases failed:{
"note" : "not authorized for command: listdatabases on database admin",
"ok" : 0,
"errmsg" : "unauthorized"
} at src/mongo/shell/mongo.js:46
> db.auth('root','abc');
---只有在admin中定义的用户,才能在admin中认证通过,在testdb中都不行
备注:在普通库中切换成超级用户失败,超级用户需要在 admin 库中切换才能生效
mongos> db.adduser('putong','putong',true); --这里是进的admin,是超级用户,将putong用户改成readonly
"_id" : objectid("542142ea2f4e2dc152cf19c0"),
"pwd" : "9bef249456e43c9b819a4ff08f66c744"
只读用户的登录
[root@viptest2 ~]# mongo 192.168.12.107:27021/testdb -u putong -p
connecting to: 192.168.12.107:27021/testdb
>
> db.testa.insert({"name":"haha"});
not authorized for insert on testdb.testa --putong用户只有只读权限
------------------------------------------------
![ACS基本配置-权限等级管理[图]](data:image/gif;base64,R0lGODlhAQABAIAAAP///wAAACwAAAAAAQABAAACAkQBADs=)