MongoDB Database Security: Changing a User's Password

    MongoDB is a non-relational database, and its security model is very similar to MySQL before version 5.7: right after the database software is installed and an instance is initialised, the database has no security at all. In short, a freshly initialised MongoDB has no access restrictions, so if the database is exposed on the public internet, any machine can connect to it over the internet with any mongo client. MongoDB therefore needs to be hardened before it goes into production. This post walks through changing a user's password on a MongoDB replica set made up of one primary, one secondary and one arbiter.

    1. Log in to the primary of the MongoDB cluster and create a super-administrator user

db.createUser(
{
    user:"firstset",
    pwd:"firstset",
    roles:[{role:"userAdminAnyDatabase",db:"admin"}]
}
);

    2. Changing zhul's password: check the mongod process and note the port number

ps -ef|grep mongod
mongo    10836     1  0 09:02 ?        00:00:03 mongod --dbpath /opt/mongo/data/dns_repset1 --port 10001 --replSet firstset --oplogSize 512 --rest --fork --logpath /opt/mongo/logs/firstset/firstset.log --logappend --nojournal --directoryperdb --keyFile /opt/mongo/keyfile/keyfile
mongo    10997  9767  0 09:09 pts/3    00:00:00 grep --color=auto mongod

    3. Changing zhul's password: check whether the current database allows password-less login

[mongo@mongo1 keyfile]$ mongo --port 10001
MongoDB shell version: 3.2.11-49-g52b68fa
connecting to: 127.0.0.1:10001/test
firstset:PRIMARY> show dbs
2019-10-24T09:09:31.298+0800 E QUERY    [thread1] Error: listDatabases failed:{
    "ok" : 0,
    "errmsg" : "not authorized on admin to execute command { listDatabases: 1.0 }",
    "code" : 13
} :
_getErrorWithCode@src/mongo/shell/utils.js:25:13
Mongo.prototype.getDBs@src/mongo/shell/mongo.js:62:1
shellHelper.show@src/mongo/shell/utils.js:761:19
shellHelper@src/mongo/shell/utils.js:651:15
@(shellhelp2):1:1
firstset:PRIMARY> exit
bye

    This confirms that the database is running with keyfile authentication enabled: a password-less login is refused when it tries to execute any command.

    4. Changing zhul's password: if the current password of the user being changed is known, log in with that account and password. Otherwise, temporarily remove the keyfile restriction, log in without a password to change the user's password, and then re-enable keyfile authentication.

[mongo@mongo1 keyfile]$ mongo -u firstset -p firstset --port 10001
MongoDB shell version: 3.2.11-49-g52b68fa
connecting to: 127.0.0.1:10001/test
Server has startup warnings: 
2019-10-24T09:02:45.827+0800 I CONTROL  [main] ** WARNING: --rest is specified without --httpinterface,
2019-10-24T09:02:45.827+0800 I CONTROL  [main] **          enabling http interface
2019-10-24T09:02:46.023+0800 I CONTROL  [initandlisten] 
2019-10-24T09:02:46.023+0800 I CONTROL  [initandlisten] ** WARNING: The server is started with the web server interface and access control.
2019-10-24T09:02:46.023+0800 I CONTROL  [initandlisten] **          The web interfaces (rest, httpinterface and/or jsonp) are insecure 
2019-10-24T09:02:46.023+0800 I CONTROL  [initandlisten] **          and should be disabled unless required for backward compatibility.
2019-10-24T09:02:46.023+0800 I CONTROL  [initandlisten] 
2019-10-24T09:02:46.023+0800 I CONTROL  [initandlisten] 
2019-10-24T09:02:46.023+0800 I CONTROL  [initandlisten] ** WARNING: /sys/kernel/mm/transparent_hugepage/enabled is 'always'.
2019-10-24T09:02:46.023+0800 I CONTROL  [initandlisten] **        We suggest setting it to 'never'
2019-10-24T09:02:46.023+0800 I CONTROL  [initandlisten] 
2019-10-24T09:02:46.023+0800 I CONTROL  [initandlisten] ** WARNING: /sys/kernel/mm/transparent_hugepage/defrag is 'always'.
2019-10-24T09:02:46.024+0800 I CONTROL  [initandlisten] **        We suggest setting it to 'never'
2019-10-24T09:02:46.024+0800 I CONTROL  [initandlisten] 
firstset:PRIMARY> show dbs;
admin       0.000GB
dns_testdb  0.004GB
local       0.008GB
firstset:PRIMARY> db.updateUser("firstset",{pwd:"rootroot"});
firstset:PRIMARY> exit
bye

    5. Verify the password change

-- Logging in with a wrong username or password is rejected

[mongo@mongo1 keyfile]$ mongo -u firstset -p firstset --port 10001
MongoDB shell version: 3.2.11-49-g52b68fa
connecting to: 127.0.0.1:10001/test
2019-10-24T09:11:35.167+0800 E QUERY    [thread1] Error: Authentication failed. :
DB.prototype._authOrThrow@src/mongo/shell/db.js:1441:20
@(auth):6:1
@(auth):1:2
exception: login failed

-- After logging in with the correct username and password, operations work normally

[mongo@mongo1 keyfile]$ mongo -u firstset -p rootroot --port 10001
MongoDB shell version: 3.2.11-49-g52b68fa
connecting to: 127.0.0.1:10001/test
Server has startup warnings: 
2019-10-24T09:02:45.827+0800 I CONTROL  [main] ** WARNING: --rest is specified without --httpinterface,
2019-10-24T09:02:45.827+0800 I CONTROL  [main] **          enabling http interface
2019-10-24T09:02:46.023+0800 I CONTROL  [initandlisten] 
2019-10-24T09:02:46.023+0800 I CONTROL  [initandlisten] ** WARNING: The server is started with the web server interface and access control.
2019-10-24T09:02:46.023+0800 I CONTROL  [initandlisten] **          The web interfaces (rest, httpinterface and/or jsonp) are insecure 
2019-10-24T09:02:46.023+0800 I CONTROL  [initandlisten] **          and should be disabled unless required for backward compatibility.
2019-10-24T09:02:46.023+0800 I CONTROL  [initandlisten] 
2019-10-24T09:02:46.023+0800 I CONTROL  [initandlisten] 
2019-10-24T09:02:46.023+0800 I CONTROL  [initandlisten] ** WARNING: /sys/kernel/mm/transparent_hugepage/enabled is 'always'.
2019-10-24T09:02:46.023+0800 I CONTROL  [initandlisten] **        We suggest setting it to 'never'
2019-10-24T09:02:46.023+0800 I CONTROL  [initandlisten] 
2019-10-24T09:02:46.023+0800 I CONTROL  [initandlisten] ** WARNING: /sys/kernel/mm/transparent_hugepage/defrag is 'always'.
2019-10-24T09:02:46.024+0800 I CONTROL  [initandlisten] **        We suggest setting it to 'never'
2019-10-24T09:02:46.024+0800 I CONTROL  [initandlisten] 
firstset:PRIMARY> show dbs;
admin       0.000GB
dns_testdb  0.004GB
local       0.008GB
firstset:PRIMARY> use admin
switched to db admin
firstset:PRIMARY> show collections;
system.users
system.version
firstset:PRIMARY> db.system.users.find();
{ "_id" : "test.firstset", "user" : "firstset", "db" : "test", "credentials" : { "SCRAM-SHA-1" : { "iterationCount" : 10000, "salt" : "ISdrb4a3Cc0A59vXEUxjOg==", "storedKey" : "qPn44VuZrJ6QwWzOMBq90vZ5eAo=", "serverKey" : "rz+CDSlpXHKvUDGg0PCnG2GZCjk=" } }, "roles" : [ { "role" : "root", "db" : "admin" } ] }
firstset:PRIMARY> use dns_testdb
switched to db dns_testdb
firstset:PRIMARY> show collections;
test_collection
firstset:PRIMARY> db.test_collection.findOne();
{
    "_id" : ObjectId("5d8434a5b138ddafc446e13b"),
    "name" : "cow",
    "user_id" : 48149,
    "boolean" : false,
    "added_at" : ISODate("2019-09-20T02:08:37.116Z"),
    "number" : 1743
}
firstset:PRIMARY> 
firstset:PRIMARY> rs.status();
{
    "set" : "firstset",
    "date" : ISODate("2019-10-24T01:13:15.006Z"),
    "myState" : 1,
    "term" : NumberLong(7),
    "heartbeatIntervalMillis" : NumberLong(2000),
    "members" : [
        {
            "_id" : 0,
            "name" : "192.168.192.251:10001",
            "health" : 1,
            "state" : 1,
            "stateStr" : "PRIMARY",
            "uptime" : 630,
            "optime" : {
                "ts" : Timestamp(1571879490, 1),
                "t" : NumberLong(7)
            },
            "optimeDate" : ISODate("2019-10-24T01:11:30Z"),
            "electionTime" : Timestamp(1571879010, 1),
            "electionDate" : ISODate("2019-10-24T01:03:30Z"),
            "configVersion" : 1,
            "self" : true
        },
        {
            "_id" : 1,
            "name" : "192.168.192.252:10001",
            "health" : 1,
            "state" : 2,
            "stateStr" : "SECONDARY",
            "uptime" : 566,
            "optime" : {
                "ts" : Timestamp(1571879490, 1),
                "t" : NumberLong(7)
            },
            "optimeDate" : ISODate("2019-10-24T01:11:30Z"),
            "lastHeartbeat" : ISODate("2019-10-24T01:13:13.320Z"),
            "lastHeartbeatRecv" : ISODate("2019-10-24T01:13:13.259Z"),
            "pingMs" : NumberLong(0),
            "syncingTo" : "192.168.192.251:10001",
            "configVersion" : 1
        },
        {
            "_id" : 2,
            "name" : "192.168.192.250:10001",
            "health" : 1,
            "state" : 7,
            "stateStr" : "ARBITER",
            "uptime" : 593,
            "lastHeartbeat" : ISODate("2019-10-24T01:13:13.301Z"),
            "lastHeartbeatRecv" : ISODate("2019-10-24T01:13:13.185Z"),
            "pingMs" : NumberLong(0),
            "configVersion" : 1
        }
    ],
    "ok" : 1
}
firstset:PRIMARY> 
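The db.system.users document listed in step 5 holds no password, only a SCRAM-SHA-1 credential (iterationCount, salt, storedKey, serverKey). The Python script below is an added example, not code from the original post or from MongoDB: it re-derives a document of that shape from a username and password the way MongoDB 3.x does (MD5 of user:mongo:password fed into the RFC 5802 PBKDF2/HMAC-SHA1 derivation) and then shows why, after db.updateUser(), the old password is refused and the new one is accepted. The helper names and the fixed salt are assumptions; a real mongod draws a fresh random salt on every password change.

```python
import base64
import hashlib
import hmac

# Constructed example: rebuilds a MongoDB 3.x SCRAM-SHA-1 credential document of the
# shape shown in db.system.users above. Helper names are hypothetical, not MongoDB's.

def mongo_password_digest(username: str, password: str) -> bytes:
    """MongoDB hashes <user>:mongo:<password> with MD5 and feeds the hex digest into SCRAM."""
    raw = f"{username}:mongo:{password}".encode("utf-8")
    return hashlib.md5(raw).hexdigest().encode("utf-8")

def scram_sha1_credential(username: str, password: str, salt: bytes,
                          iteration_count: int = 10000) -> dict:
    """RFC 5802 key derivation: the server keeps StoredKey and ServerKey, never the password."""
    salted = hashlib.pbkdf2_hmac("sha1", mongo_password_digest(username, password),
                                 salt, iteration_count, 20)
    client_key = hmac.new(salted, b"Client Key", hashlib.sha1).digest()
    stored_key = hashlib.sha1(client_key).digest()
    server_key = hmac.new(salted, b"Server Key", hashlib.sha1).digest()
    return {"iterationCount": iteration_count,
            "salt": base64.b64encode(salt).decode("ascii"),
            "storedKey": base64.b64encode(stored_key).decode("ascii"),
            "serverKey": base64.b64encode(server_key).decode("ascii")}

def password_matches(username: str, candidate: str, credential: dict) -> bool:
    """Server-side view of a login: re-derive StoredKey from the offered password with the
    stored salt and compare it in constant time."""
    recomputed = scram_sha1_credential(username, candidate,
                                       base64.b64decode(credential["salt"]),
                                       credential["iterationCount"])
    return hmac.compare_digest(recomputed["storedKey"], credential["storedKey"])

# Fixed salt so the run is repeatable (assumption); a real mongod generates a fresh random
# salt on every createUser/updateUser, so the stored document changes even more.
SALT = bytes(range(16))

def rotate_password(username: str, old_password: str, new_password: str):
    """Mirror steps 1 and 4 of the post: the initial credential, then db.updateUser(...)."""
    before = scram_sha1_credential(username, old_password, SALT)
    after = scram_sha1_credential(username, new_password, SALT)
    return before, after

if __name__ == "__main__":
    before, after = rotate_password("firstset", "firstset", "rootroot")
    print("storedKey before:", before["storedKey"])
    print("storedKey after: ", after["storedKey"])
    print("old password accepted?", password_matches("firstset", "firstset", after))
    print("new password accepted?", password_matches("firstset", "rootroot", after))
```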


  For configuring MongoDB keyFile authentication, see:
http://blog.itpub.net/29357786/viewspace-2130594/

    Original author: 清风艾艾
    Original URL: http://blog.itpub.net/29357786/viewspace-2661742/
    This article is reposted from the web purely to share knowledge; if it infringes your rights, please contact the blog owner to have it removed.