15.MongoDB 单实例安全认证

 

1.创建用户和角色

对单实例的 MongoDB 服务开启安全认证,这里的单实例指的是未开启副本集或分片的 MongoDB 实例

// 切换到admin库
> use admin
> show collections
system.version
// 创建两个用户
> db.createUser({ user: "myroot", pwd: "123456", roles: ["root"]})
Successfully added user: { "user" : "myroot", "roles" : [ "root" ] }
> db.createUser({ user: "myadmin", pwd: "123456", roles: [{role: "userAdminAnyDatabase", db: "admin"}] })
Successfully added user: {
"user" : "myadmin",
"roles" : [
{
"role" : "userAdminAnyDatabase",
"db" : "admin"
}
]
}
> show collections
system.users
system.version
// 查看创建的两个用户信息
> db.system.users.find()
{ "_id" : "admin.myroot", "userId" : UUID("c8365246-4cf7-42f8-9314-ad1f631fd7ae"), "user" : "myroot", "db" : "admin", "credentials" : { "SCRAM-SHA-1" : { "iterationCount" : 10000, "salt" : "i17znsXFbvxDIAQUqrc/hQ==", "storedKey" : "IbJzJbI3A6LkDbMv2Jwjh20MZWI=", "serverKey" : "ruaTqiKVVI5Q7ynAEr2lELAJqE4=" }, "SCRAM-SHA-256" : { "iterationCount" : 15000, "salt" : "HMwHwCWCJ60MA8ZfStsTtcqVBAzw5v/T2E1Lvg==", "storedKey" : "4JWWSKh3OUK+w3xob1zoPaIOlwf/oNzQ2OYEds1LgPQ=", "serverKey" : "pLEtZfd1rPS+nonvTTxTIk9tpIbXlDmrCbyzidennMw=" } }, "roles" : [ { "role" : "root", "db" : "admin" } ] }
{ "_id" : "admin.myadmin", "userId" : UUID("c2381b0a-51ca-48b9-9c8d-388eea823f16"), "user" : "myadmin", "db" : "admin", "credentials" : { "SCRAM-SHA-1" : { "iterationCount" : 10000, "salt" : "XY9Cfm40eCBJeGCCME27iQ==", "storedKey" : "sZwkDmgynehLzYQGg0kM8eG02cw=", "serverKey" : "12bPEIwuAy8/PhCX6aHdtIcLpIs=" }, "SCRAM-SHA-256" : { "iterationCount" : 15000, "salt" : "eFKxqF7f9KAg1A6HjvL4LFNfIk7qAf+blela8A==", "storedKey" : "dpJdR44or0iTQtQkJ1mJcvOhzXrb57hhvBf/hFjOnJs=", "serverKey" : "BrNyBkx6fZhhMPAhUTwvAfv6fdFLLC6W4AJBD7hXa+k=" } }, "roles" : [ { "role" : "userAdminAnyDatabase", "db" : "admin" } ] }
// 删除用户
> db.dropUser("myadmin")
true
> db.system.users.find()
{ "_id" : "admin.myroot", "userId" : UUID("c8365246-4cf7-42f8-9314-ad1f631fd7ae"), "user" : "myroot", "db" : "admin", "credentials" : { "SCRAM-SHA-1" : { "iterationCount" : 10000, "salt" : "i17znsXFbvxDIAQUqrc/hQ==", "storedKey" : "IbJzJbI3A6LkDbMv2Jwjh20MZWI=", "serverKey" : "ruaTqiKVVI5Q7ynAEr2lELAJqE4=" }, "SCRAM-SHA-256" : { "iterationCount" : 15000, "salt" : "HMwHwCWCJ60MA8ZfStsTtcqVBAzw5v/T2E1Lvg==", "storedKey" : "4JWWSKh3OUK+w3xob1zoPaIOlwf/oNzQ2OYEds1LgPQ=", "serverKey" : "pLEtZfd1rPS+nonvTTxTIk9tpIbXlDmrCbyzidennMw=" } }, "roles" : [ { "role" : "root", "db" : "admin" } ] }
// 修改密码
> db.changeUserPassword("myroot", "123456")
> db.system.users.find()
{ "_id" : "admin.myroot", "userId" : UUID("c8365246-4cf7-42f8-9314-ad1f631fd7ae"), "user" : "myroot", "db" : "admin", "credentials" : { "SCRAM-SHA-1" : { "iterationCount" : 10000, "salt" : "Jkjum+zf3ZyqZmT0/UbJrg==", "storedKey" : "QVhBHcs29ZgHBb19okGUApJUgeY=", "serverKey" : "dSXKuwdM8TNv6VxmK6tnJEB1X+U=" }, "SCRAM-SHA-256" : { "iterationCount" : 15000, "salt" : "64JxM8Cnjzmgtu1tzwTpGxA02ATrjahOjnJv5w==", "storedKey" : "OzFFQ9Is5N+vv4VDISii4ckGI+DB51Rl4vrAg2uZDAw=", "serverKey" : "iZm3CQwFAtvVHHL1H5liczL/Uo7Z4mUXP3APOrphYx0=" } }, "roles" : [ { "role" : "root", "db" : "admin" } ] }
// 认证测试
> db.auth("myadmin", "asdf")
Error: Authentication failed.
0
> db.auth("myroot", "abc")
Error: Authentication failed.
0
> db.auth("myroot", "123456")
1
// 创建普通用户(只授予 articledb 库的 readWrite 角色)
> use articledb
switched to db articledb
> db.createUser({user: "denial", pwd: "123456", roles: [{role: "readWrite", db: "articledb"}]})
Successfully added user: {
"user" : "denial",
"roles" : [
{
"role" : "readWrite",
"db" : "articledb"
}
]
}
> db.auth("denial", "123456")
1

MongoDB 将所有用户信息存储在 admin 数据库的 system.users 集合中,保存的是用户名、密码的 SCRAM 凭据(盐值与派生密钥,而非明文密码)以及用户所属的数据库信息

普通用户既可以在未开启认证时创建,也可以在开启认证之后创建;但开启认证之后,必须先以具有用户管理权限的 admin 库用户完成认证,才能执行创建操作。无论哪种方式,用户信息底层都保存在 admin 数据库的 system.users 集合中

开启认证后,客户端必须先以 admin 库中具有用户管理角色的用户(如 userAdminAnyDatabase)登录认证,再由该用户去创建其他数据库中的用户

2.开启认证

(1) 开启认证服务的方式

  1. 添加启动命令参数
# Start mongod with the given config file; --auth enforces authentication,
# equivalent to setting security.authorization: enabled in mongod.conf.
./mongod -f /mongodb/single/mongod.conf --auth

  2. 添加配置文件配置

在 mongod.conf 配置文件中加入配置:

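security:
  # Enable authorization (role-based access control); this is the config-file
  # equivalent of starting mongod with --auth. "authorization" must be nested
  # under "security" — as a top-level key it is not a valid mongod option.
  authorization: enabled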

(2) 管理用户登录

> use admin
switched to db admin
> db.auth("myroot", "123456")
1

(3) 登录普通用户

退出重新登录

> use articledb
switched to db articledb
> db.auth("denial", "123456")
1

3.SpringDataMongoDB 连接认证

application.yml

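spring:
  data:
    mongodb:
      # Connection string for the "denial" user created in articledb above. The
      # database in the URI path is also the default authSource, which matches
      # the db.auth("denial", ...) step performed on the articledb database.
      # The password is embedded in plaintext here; Spring resolves ${...}
      # placeholders, so the URI can instead be supplied via an environment
      # variable or externalized configuration rather than committed as-is.
      uri: mongodb://denial:123456@192.168.76.128:27017/articledb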

4.Compass 连接认证