Mongodb 权限控制以及角色使用

来源：互联网发布：手机淘宝怎么评价卖家编辑：程序博客网时间：2024/05/18 19:22

1.访问控制，从来源IP以及端口进行限制

2.用户权限划分，数据库内部进行权限划分，不让权限放大

1.访问控制

通过iptables控制访问来源IP，以及端口

vim /etc/sysconfig/iptables

加入以下规则：

#app servers

-A INPUT -m iprange --src-range 192.168.xxx.xxx -p tcp -m multiport --destination-ports xxxx -j ACCEPT

-A INPUT -m state --state NEW -p tcp -m multiport --destination-ports 5888 -j REJECT

mongo 192.168.101.115:5888/admin

MongoDB shell version: 3.2.8

connecting to: 192.168.101.115:5888/admin

2017-04-14T14:13:25.551+0800 W NETWORK [thread1] Failed to connect to 192.168.101.115:5888, reason: errno:111 Connection refused

2017-04-14T14:13:25.598+0800 E QUERY [thread1] Error: couldn't connect to server 192.168.101.115:5888, connection attempt failed :

connect@src/mongo/shell/mongo.js:231:14

打开访问端口和访问IP

修改

-A INPUT -m iprange --src-range 192.168.xxx.xxx -p tcp -m multiport --destination-ports 5888 -j ACCEPT

为

-A INPUT -m iprange --src-range 192.168.8.88 -p tcp -m multiport --destination-ports 5888 -j ACCEPT

重启iptables

service iptables restart

那么在192.168.8.88上就可以连接过来了

mongo 192.168.101.115:5888/admin

MongoDB shell version: 3.2.8

connecting to: 192.168.101.115:5888/admin

hank:PRIMARY>

2.用户权限划分

这里mongodb用role划分权限，然后把role赋予user

这里先介绍下role的概念，role实就是权限的集合，和其他数据库的role基本意思一样

比如系统自带的role，可以通过show roles；

具体解释https://docs.mongodb.com/manual/core/security-built-in-roles/

以下为具体分类：

Database User Roles：read，readWrite

Database Administration Roles：dbAdmin，dbOwner，userAdmin

Cluster Administration Roles：clusterAdmin，clusterManager，clusterMonitor，hostManager

Backup and Restoration Roles：backup，restore

All-Database Roles：readAnyDatabase，readWriteAnyDatabase,userAdminAnyDatabase,dbAdminAnyDatabase

Superuser Roles：root

Internal Role:__system

比如以下，一般数据库下有这些roles，admin下面的role会更多一些

hank:PRIMARY> show roles;

{

"role" : "dbAdmin",

"db" : "test",

"isBuiltin" : true,

"roles" : [ ],

"inheritedRoles" : [ ]

}

{

"role" : "dbOwner",

"db" : "test",

"isBuiltin" : true,

"roles" : [ ],

"inheritedRoles" : [ ]

}

{

"role" : "enableSharding",

"db" : "test",

"isBuiltin" : true,

"roles" : [ ],

"inheritedRoles" : [ ]

}

{

"role" : "read",

"db" : "test",

"isBuiltin" : true,

"roles" : [ ],

"inheritedRoles" : [ ]

}

{

"role" : "readWrite",

"db" : "test",

"isBuiltin" : true,

"roles" : [ ],

"inheritedRoles" : [ ]

}

{

"role" : "userAdmin",

"db" : "test",

"isBuiltin" : true,

"roles" : [ ],

"inheritedRoles" : [ ]

}

如果知道具体role的权限呢，利用以下命令可以看到,这里我选择了权限较小的enableSharding，其他权限大家可以自行查阅

hank:PRIMARY> db.getRole("enableSharding",{showPrivileges: true});

{

"role" : "enableSharding",

"db" : "local",

"isBuiltin" : true,

"roles" : [ ],

"inheritedRoles" : [ ],

"privileges" : [

{

"resource" : {

"db" : "",

"collection" : ""

"actions" : [

"enableSharding"

]

}

"inheritedPrivileges" : [

{

"resource" : {

"db" : "",

"collection" : ""

"actions" : [

"enableSharding"

]

}

]

}

切换至admin，用户创建一个role是root的用户hank，密码也是hank

db.createUser(

{

user:"hank",

pwd:"hank",

roles:

[

{

role:"root",

db:"admin"

}

]

}

);

本环境是replica sets，要启用验证，需要keyfile

生成keyfile，并把keyfile复制到各节点

openssl rand -base64 600 > mongodb_keyfile

chmod 600 mongodb_keyfile

添加至配置文件

keyFile = /home/mongo/mongodb_keyfile

重新启动mongodb即可

需要注意的是，之前在那个db下建立的用户，那么就需要在那个db下进行验证登陆

如以下验证失败

mongo 127.0.0.1:5888/test

MongoDB shell version: 3.2.8

connecting to: 127.0.0.1:5888/test

hank:PRIMARY> db.auth('hank','hank');

Error: Authentication failed.

必须切换至admin

hank:PRIMARY> use admin

switched to db admin

hank:PRIMARY> db.auth('hank','hank');

切换到数据库建立普通操作用户，一般dbOwner角色即可,dbOwner包含了readWrite，dbAdmin,userAdmin的权限

use test

db.createUser(

{

user:"test",

pwd:"test",

roles:

[

{

role:"dbOwner",

db:"test"

}

]

}

);

如果需要具体到表的读写权限，可以建立相应role,然后赋予用户或者创建用户的时候指定role

use admin

db.createRole(

{

role: "myadminuser",

privileges: [

{ resource: { db: "test", collection: "tb1" }, actions: [ "find"] },

{ resource: { db: "hank", collection: "" }, actions: [ "find" ] }

roles: [

{ role: "read", db: "admin" }

]

{ w: "majority" , wtimeout: 5000 }

)

db.createUser(

{

user: "user1",

pwd: "user1",

roles: [ {role:"myadminuser",db:"test"}]

}

)

具体例子：

建角色：

db.createRole(

{

role: "rotb1",

privileges: [

{ resource: { db: "test", collection: "tb1" }, actions: [ "find"] },

{ resource: { db: "test", collection: "hank" }, actions: [ "remove"] }

roles: []

}

)

这里roles:[]表示不继承任何role权限

建用户：

db.createUser(

{

user: "testuser",

pwd: "user",

roles:[{role:"rotb1",db:"test"}]

}

)

或者建立用户后，再通过以下语句赋予权限

db.grantRolesToUser( "testuser", [ "rotb1" ] )

这里resource里面有几种情况：

{ db: "test", collection: "" } 表示拥有test数据库下所有非系统表的相关权限

{ db: "", collection: "tb1" } 表示拥有每个数据库下，表名为tb1的相关权限

{ db: "", collection: "" } 表示在所有数据库，非系统表的相关权限

测试权限：

mongo 127.0.0.1:5888/test

db.auth('testuser','user');

hank:PRIMARY> db.hank.find();

Error: error: {

"ok" : 0,

"errmsg" : "not authorized on test to execute command { find: \"hank\", filter: {} }",

"code" : 13

}

hank:PRIMARY> db.tb1.insert({name:"hank"})

WriteResult({

"writeError" : {

"code" : 13,

"errmsg" : "not authorized on test to execute command { insert: \"tb1\", documents: [ { _id: ObjectId('58f45d4dc98d40d1b53fbe6f'), name: \"hank\" } ], ordered: true }"

}

})

可以见以上操作均失败

hank:PRIMARY> db.tb1.find(); //只有find权限

{ "_id" : ObjectId("58f4496d48b14a04810f5491"), "a" : "dazuiba" }

{ "_id" : ObjectId("58f44a5048b14a04810f5495"), "a" : "dazuiba" }

{ "_id" : ObjectId("58f44aa948b14a04810f5496"), "a" : "dazuiba" }

{ "_id" : ObjectId("58f45aaa48b14a04810f5497"), "a" : "hank" }

{ "_id" : ObjectId("58f45aac48b14a04810f5498"), "a" : "hank" }

{ "_id" : ObjectId("58f45aac48b14a04810f5499"), "a" : "hank" }

{ "_id" : ObjectId("58f45b8c48b14a04810f549a"), "a" : "hank" }

{ "_id" : ObjectId("58f45ba248b14a04810f549b"), "a" : "hank" }

hank:PRIMARY> db.hank.remove(''); //只有remove权限

WriteResult({ "nRemoved" : 4 })

可以通过show users,show roles查看相关用户以及角色

参考：

https://docs.mongodb.com/manual/reference/method/js-user-management/

https://docs.mongodb.com/manual/reference/method/js-role-management/

0 0