MongoDB的安全模式默认是关闭的,无需帐号密码就能够访问数据库,使用和开发时比较便利,这在一个可信任的网络环境中还能够接受。但若是未启用安全模式的MongoDB暴露在外网环境下,数据就是在裸奔,风险极大。css
MongoDB内置了完善的安全机制,咱们能够利用这些功能来提升MongoDB服务的安全性。mongodb
1.指定容许访问的IP
MongoDB能够经过在启动参数或配置文件中添加--bind_ip来设置容许访问的ipshell
- 启动时指定ip
mongod --bind_ip 127.0.0.1,192.168.100.123
- 经过配置文件/etc/mongodb.conf指定ip
# network interfaces
net: port: 27017 bindIp: 127.0.0.1,192.168.100.123
这是官方文档中给出的配置多个ip的方式,可是实际测试下来是不可行的,mongod会启动失败,查看/var/log/mongodb/mongod.log会发现以下SocketException: Cannot assign requested address的错误信息数据库
2018-05-24T12:02:02.817+0800 I CONTROL [initandlisten] options: { config: "/etc/mongod.conf", net: { bindIp: "127.0.0.1,192.168.13.64", port: 27017 }, processManagement: { fork: false, pidFilePath: "/var/run/mongodb/mongod.pid", timeZoneInfo: "/usr/share/zoneinfo" }, storage: { dbPath: "/var/lib/mongo", journal: { enabled: true } }, systemLog: { destination: "file", logAppend: true, path: "/var/log/mongodb/mongod.log" } } 2018-05-24T12:02:02.817+0800 E STORAGE [initandlisten] Failed to set up listener: SocketException: Cannot assign requested address
甚至仅仅配置一个另外的ip安全
# network interfaces
net: port: 27017 bindIp: 192.168.13.64
也一样没法启动bash
2018-05-24T12:07:54.917+0800 I CONTROL [initandlisten] options: { config: "/etc/mongod.conf", net: { bindIp: "192.168.13.64", port: 27017 }, processManagement: { fork: false, pidFilePath: "/var/run/mongodb/mongod.pid", timeZoneInfo: "/usr/share/zoneinfo" }, storage: { dbPath: "/var/lib/mongo", journal: { enabled: true } }, systemLog: { destination: "file", logAppend: true, path: "/var/log/mongodb/mongod.log" } } 2018-05-24T12:07:54.917+0800 E STORAGE [initandlisten] Failed to set up listener: SocketException: Cannot assign requested address
测试结果:bindIp的值只能为127.0.0.1或0.0.0.0以及当前主机的具体地址。
查找了国内外许多资料都没有找到解决方案,那么若是想要控制访问的ip,就须要经过服务器自己的手段了,如firewalld等。服务器
- 启动时指定配置文件
mongod --config /etc/mongod.conf
2.设置监听端口
MongoDB默认监听的端口为27017,为避免恶意的链接尝试,能够修改监听的端口。网络
- 启动时指定端口
mongod --port 27017
- 配置文件(/etc/mongodb.conf)中指定端口
# network interfaces net: port: 27017
3.用户认证
MongoDB还提供了用户认证功能,若是开启了用户认证(默认未开启),须要使用帐号密码验证才能访问。测试
3.1 启用用户认证
- 经过启动参数开启
mongod --auth
- 经过配置文件(/etc/mongodb.conf)开启
security: authorization: enabled
3.2 添加用户
首先须要建立管理员帐户spa
> use admin
switched to db admin
> db.createUser({user:"admin",pwd:"123456",roles:[{role:"userAdminAnyDatabase",db:"admin"}]})
Successfully added user: {
"user" : "admin",
"roles" : [
{
"role" : "userAdminAnyDatabase",
"db" : "admin"
}
]
}
建立普通帐户
> use test
switched to db test
> db.createUser({user:"abc",pwd:"123",roles:[{role:"read",db:"test"}]})
Successfully added user: {
"user" : "abc",
"roles" : [
{
"role" : "read",
"db" : "test"
}
]
}
3.3 用户权限控制
- 查看用户权限
可使用show users查询当前数据库的所有用户
> use test
switched to db test
> show users
{
"_id" : "test.abc",
"user" : "abc",
"db" : "test",
"roles" : [
{
"role" : "read",
"db" : "test"
}
]
}
还能够查询指定的用户的权限
> db.getUser("abc")
{
"_id" : "test.abc",
"user" : "abc",
"db" : "test",
"roles" : [
{
"role" : "read",
"db" : "test"
}
]
}
- 查看权限能执行操做
> db.getRole("read",{showPrivileges:true})
- 受权(为帐户分配role)
> db.grantRolesToUser("abc",[{role:"readWrite",db:"test"}]) > show users { "_id" : "test.abc", "user" : "abc", "db" : "test", "roles" : [ { "role" : "readWrite", "db" : "test" }, { "role" : "read", "db" : "test" } ] }
- 取消权限
> db.revokeRolesFromUser("abc",[{role:"readWrite",db:"test"}]) > show users { "_id" : "test.abc", "user" : "abc", "db" : "abc", "roles" : [ { "role" : "read", "db" : "test" } ] }
3.4 用户登陆
启动mongo客户端时登陆,其中 --authenticationDatabase "admin"表示用户在admin数据库中。
mongo --host 192.168.100.123 --port 27017 -u "user123" -p "123456" --authenticationDatabase "admin"
进入mongo客户端后登陆
mongo --host 192.168.100.123 --port 27017
use admin
db.auth("user123","123456")
3.5 修改密码(须要admin管理员权限)
db.changeUserPassword("user123","password456")
3.6 删除用户(须要admin管理员权限)
db.dropUser("user123")