MongoDB is a non-relational database, and its security posture resembles that of MySQL before 5.7: right after the software is installed and an instance is initialized, the database has no security to speak of. In short, a freshly initialized MongoDB has no access restrictions at all, and if it sits on the public internet, any machine can connect to it over the internet with any mongo client. MongoDB therefore needs to be hardened before it goes into production. This post walks through changing a user's password on a MongoDB replica set made up of one primary, one secondary and one arbiter.
1. Log in to the primary of the MongoDB replica set and create a super-user account
db.createUser(
{
user:"firstset",
pwd:"firstset",
roles:[{role:"userAdminAnyDatabase",db:"admin"}]
}
);
2. To change the password of user zhul, first check the mongod process and note its port number
ps -ef|grep mongod
mongo 10836 1 0 09:02 ? 00:00:03 mongod --dbpath /opt/mongo/data/dns_repset1 --port 10001 --replSet firstset --oplogSize 512 --rest --fork --logpath /opt/mongo/logs/firstset/firstset.log --logappend --nojournal --directoryperdb --keyFile /opt/mongo/keyfile/keyfile
mongo 10997 9767 0 09:09 pts/3 00:00:00 grep --color=auto mongod
3. Changing zhul's password: check whether the current database allows password-less login
[mongo@mongo1 keyfile]$ mongo --port 10001
MongoDB shell version: 3.2.11-49-g52b68fa
connecting to: 127.0.0.1:10001/test
firstset:PRIMARY> show dbs
2019-10-24T09:09:31.298+0800 E QUERY [thread1] Error: listDatabases failed:{
"ok" : 0,
"errmsg" : "not authorized on admin to execute command { listDatabases: 1.0 }",
"code" : 13
} :
_getErrorWithCode@src/mongo/shell/utils.js:25:13
Mongo.prototype.getDBs@src/mongo/shell/mongo.js:62:1
shellHelper.show@src/mongo/shell/utils.js:761:19
shellHelper@src/mongo/shell/utils.js:651:15
@(shellhelp2):1:1
firstset:PRIMARY> exit
bye
This confirms that the database is using keyfile authentication: a password-less login is refused any command.
4. Changing zhul's password: if the current password of the user being modified is known, log in with that account and password. Otherwise, lift the keyfile restriction, log in without a password to change the user's password, and then re-enable keyfile authentication.
[mongo@mongo1 keyfile]$ mongo -u firstset -p firstset --port 10001
MongoDB shell version: 3.2.11-49-g52b68fa
connecting to: 127.0.0.1:10001/test
Server has startup warnings:
2019-10-24T09:02:45.827+0800 I CONTROL [main] ** WARNING: --rest is specified without --httpinterface,
2019-10-24T09:02:45.827+0800 I CONTROL [main] ** enabling http interface
2019-10-24T09:02:46.023+0800 I CONTROL [initandlisten]
2019-10-24T09:02:46.023+0800 I CONTROL [initandlisten] ** WARNING: The server is started with the web server interface and access control.
2019-10-24T09:02:46.023+0800 I CONTROL [initandlisten] ** The web interfaces (rest, httpinterface and/or jsonp) are insecure
2019-10-24T09:02:46.023+0800 I CONTROL [initandlisten] ** and should be disabled unless required for backward compatibility.
2019-10-24T09:02:46.023+0800 I CONTROL [initandlisten]
2019-10-24T09:02:46.023+0800 I CONTROL [initandlisten]
2019-10-24T09:02:46.023+0800 I CONTROL [initandlisten] ** WARNING: /sys/kernel/mm/transparent_hugepage/enabled is 'always'.
2019-10-24T09:02:46.023+0800 I CONTROL [initandlisten] ** We suggest setting it to 'never'
2019-10-24T09:02:46.023+0800 I CONTROL [initandlisten]
2019-10-24T09:02:46.023+0800 I CONTROL [initandlisten] ** WARNING: /sys/kernel/mm/transparent_hugepage/defrag is 'always'.
2019-10-24T09:02:46.024+0800 I CONTROL [initandlisten] ** We suggest setting it to 'never'
2019-10-24T09:02:46.024+0800 I CONTROL [initandlisten]
firstset:PRIMARY> show dbs;
admin 0.000GB
dns_testdb 0.004GB
local 0.008GB
firstset:PRIMARY> db.updateUser("firstset",{pwd:"rootroot"});
firstset:PRIMARY> exit
bye
5. Verify the password change
-- a login with a wrong username or password is rejected
[mongo@mongo1 keyfile]$ mongo -u firstset -p firstset --port 10001
MongoDB shell version: 3.2.11-49-g52b68fa
connecting to: 127.0.0.1:10001/test
2019-10-24T09:11:35.167+0800 E QUERY [thread1] Error: Authentication failed. :
DB.prototype._authOrThrow@src/mongo/shell/db.js:1441:20
@(auth):6:1
@(auth):1:2
exception: login failed
-- after logging in with the correct username and password, operations run normally
[mongo@mongo1 keyfile]$ mongo -u firstset -p rootroot --port 10001
MongoDB shell version: 3.2.11-49-g52b68fa
connecting to: 127.0.0.1:10001/test
Server has startup warnings:
2019-10-24T09:02:45.827+0800 I CONTROL [main] ** WARNING: --rest is specified without --httpinterface,
2019-10-24T09:02:45.827+0800 I CONTROL [main] ** enabling http interface
2019-10-24T09:02:46.023+0800 I CONTROL [initandlisten]
2019-10-24T09:02:46.023+0800 I CONTROL [initandlisten] ** WARNING: The server is started with the web server interface and access control.
2019-10-24T09:02:46.023+0800 I CONTROL [initandlisten] ** The web interfaces (rest, httpinterface and/or jsonp) are insecure
2019-10-24T09:02:46.023+0800 I CONTROL [initandlisten] ** and should be disabled unless required for backward compatibility.
2019-10-24T09:02:46.023+0800 I CONTROL [initandlisten]
2019-10-24T09:02:46.023+0800 I CONTROL [initandlisten]
2019-10-24T09:02:46.023+0800 I CONTROL [initandlisten] ** WARNING: /sys/kernel/mm/transparent_hugepage/enabled is 'always'.
2019-10-24T09:02:46.023+0800 I CONTROL [initandlisten] ** We suggest setting it to 'never'
2019-10-24T09:02:46.023+0800 I CONTROL [initandlisten]
2019-10-24T09:02:46.023+0800 I CONTROL [initandlisten] ** WARNING: /sys/kernel/mm/transparent_hugepage/defrag is 'always'.
2019-10-24T09:02:46.024+0800 I CONTROL [initandlisten] ** We suggest setting it to 'never'
2019-10-24T09:02:46.024+0800 I CONTROL [initandlisten]
firstset:PRIMARY> show dbs;
admin 0.000GB
dns_testdb 0.004GB
local 0.008GB
firstset:PRIMARY> use admin
switched to db admin
firstset:PRIMARY> show collections;
system.users
system.version
firstset:PRIMARY> db.system.users.find();
{ "_id" : "test.firstset", "user" : "firstset", "db" : "test", "credentials" : { "SCRAM-SHA-1" : { "iterationCount" : 10000, "salt" : "ISdrb4a3Cc0A59vXEUxjOg==", "storedKey" : "qPn44VuZrJ6QwWzOMBq90vZ5eAo=", "serverKey" : "rz+CDSlpXHKvUDGg0PCnG2GZCjk=" } }, "roles" : [ { "role" : "root", "db" : "admin" } ] }
firstset:PRIMARY> use dns_testdb
switched to db dns_testdb
firstset:PRIMARY> show collections;
test_collection
firstset:PRIMARY> db.test_collection.findOne();
{
"_id" : ObjectId("5d8434a5b138ddafc446e13b"),
"name" : "cow",
"user_id" : 48149,
"boolean" : false,
"added_at" : ISODate("2019-09-20T02:08:37.116Z"),
"number" : 1743
}
firstset:PRIMARY>
firstset:PRIMARY> rs.status();
{
"set" : "firstset",
"date" : ISODate("2019-10-24T01:13:15.006Z"),
"myState" : 1,
"term" : NumberLong(7),
"heartbeatIntervalMillis" : NumberLong(2000),
"members" : [
{
"_id" : 0,
"name" : "192.168.192.251:10001",
"health" : 1,
"state" : 1,
"stateStr" : "PRIMARY",
"uptime" : 630,
"optime" : {
"ts" : Timestamp(1571879490, 1),
"t" : NumberLong(7)
},
"optimeDate" : ISODate("2019-10-24T01:11:30Z"),
"electionTime" : Timestamp(1571879010, 1),
"electionDate" : ISODate("2019-10-24T01:03:30Z"),
"configVersion" : 1,
"self" : true
},
{
"_id" : 1,
"name" : "192.168.192.252:10001",
"health" : 1,
"state" : 2,
"stateStr" : "SECONDARY",
"uptime" : 566,
"optime" : {
"ts" : Timestamp(1571879490, 1),
"t" : NumberLong(7)
},
"optimeDate" : ISODate("2019-10-24T01:11:30Z"),
"lastHeartbeat" : ISODate("2019-10-24T01:13:13.320Z"),
"lastHeartbeatRecv" : ISODate("2019-10-24T01:13:13.259Z"),
"pingMs" : NumberLong(0),
"syncingTo" : "192.168.192.251:10001",
"configVersion" : 1
},
{
"_id" : 2,
"name" : "192.168.192.250:10001",
"health" : 1,
"state" : 7,
"stateStr" : "ARBITER",
"uptime" : 593,
"lastHeartbeat" : ISODate("2019-10-24T01:13:13.301Z"),
"lastHeartbeatRecv" : ISODate("2019-10-24T01:13:13.185Z"),
"pingMs" : NumberLong(0),
"configVersion" : 1
}
],
"ok" : 1
}
firstset:PRIMARY>
For setting up MongoDB keyFile authentication, see:
http://blog.itpub.net/29357786/viewspace-2130594/