MongoDB's security mode is off by default: the database can be accessed without any username or password. That is convenient for development and use, and acceptable inside a trusted network. But a MongoDB instance with security mode disabled and exposed to the public internet is running naked, and the risk is enormous.
MongoDB has a comprehensive set of built-in security mechanisms; we can use them to improve the security of a MongoDB service.
1. Restricting which IPs may connect
MongoDB can restrict which IPs are allowed to connect by adding --bind_ip to the startup parameters or to the configuration file.
- Specify the IPs at startup
mongod --bind_ip 127.0.0.1,192.168.100.123
- Specify the IPs through the configuration file /etc/mongodb.conf
# network interfaces
net:
  port: 27017
  bindIp: 127.0.0.1,192.168.100.123
This is the way the official documentation gives for configuring multiple IPs, but in actual testing it does not work: mongod fails to start, and /var/log/mongodb/mongod.log contains the error SocketException: Cannot assign requested address
2018-05-24T12:02:02.817+0800 I CONTROL [initandlisten] options: { config: "/etc/mongod.conf", net: { bindIp: "127.0.0.1,192.168.13.64", port: 27017 }, processManagement: { fork: false, pidFilePath: "/var/run/mongodb/mongod.pid", timeZoneInfo: "/usr/share/zoneinfo" }, storage: { dbPath: "/var/lib/mongo", journal: { enabled: true } }, systemLog: { destination: "file", logAppend: true, path: "/var/log/mongodb/mongod.log" } }
2018-05-24T12:02:02.817+0800 E STORAGE [initandlisten] Failed to set up listener: SocketException: Cannot assign requested address
Even configuring just a single other IP
# network interfaces
net:
  port: 27017
  bindIp: 192.168.13.64
also fails to start
2018-05-24T12:07:54.917+0800 I CONTROL [initandlisten] options: { config: "/etc/mongod.conf", net: { bindIp: "192.168.13.64", port: 27017 }, processManagement: { fork: false, pidFilePath: "/var/run/mongodb/mongod.pid", timeZoneInfo: "/usr/share/zoneinfo" }, storage: { dbPath: "/var/lib/mongo", journal: { enabled: true } }, systemLog: { destination: "file", logAppend: true, path: "/var/log/mongodb/mongod.log" } }
2018-05-24T12:07:54.917+0800 E STORAGE [initandlisten] Failed to set up listener: SocketException: Cannot assign requested address
Test result: the value of bindIp can only be 127.0.0.1, 0.0.0.0, or a specific address of the current host.
I searched many domestic and foreign sources and found no solution, so if you want to control which IPs may connect, you need to do it with the server's own means, such as firewalld.
- Specify the configuration file at startup
mongod --config /etc/mongod.conf
2. Setting the listening port
MongoDB listens on port 27017 by default; to reduce malicious connection attempts against the well-known port, the listening port can be changed.
- Specify the port at startup
mongod --port 27017
- Specify the port in the configuration file (/etc/mongodb.conf)
# network interfaces
net:
  port: 27017
3. User authentication
MongoDB also provides user authentication. Once it is enabled (it is off by default), a username and password are required to access the database.
3.1 Enabling user authentication
- Enable it via a startup parameter
mongod --auth
- Enable it via the configuration file (/etc/mongodb.conf)
security:
  authorization: enabled
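To check the three settings covered in sections 1, 2 and 3.1 before exposing a server, here is an added Python example (not code from the original post): it parses the net and security sections of a mongod.conf-style file, flags a missing bindIp or 0.0.0.0, the default port and authorization left disabled, and can preflight each bindIp entry the way mongod's listener setup does, so the "Cannot assign requested address" failure shown in section 1 is caught before the service is restarted. The sample configuration is constructed for the example; the minimal parser assumes the two-level key: value layout used above and nothing more.

```python
import errno
import socket
# Constructed sample mongod.conf (not from the page): the weak, exposed settings.
WEAK_CONF = """\
# network interfaces
net:
  port: 27017
  bindIp: 0.0.0.0
"""

def parse_conf(text):
    """Parse the 'section:' / '  key: value' subset of mongod.conf into nested dicts."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()      # drop comments such as '# network interfaces'
        if not line.strip():
            continue
        key, _, value = line.strip().partition(":")
        if not line[0].isspace():                 # top-level section: net, security, ...
            section, conf[key] = key, conf.get(key, {})
        elif section is not None:                 # indented key under the current section
            conf[section][key] = value.strip()
    return conf

def address_is_local(ip):
    """Preflight mongod's listener setup by binding the address to an ephemeral port;
    EADDRNOTAVAIL is the errno behind 'SocketException: Cannot assign requested address'."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        try:
            s.bind((ip, 0))
            return True
        except OSError as e:
            if e.errno == errno.EADDRNOTAVAIL:
                return False
            raise

def audit(conf, check_bind=False):
    """Return the weak or unstartable settings in a parsed config, in a fixed order."""
    findings, net = [], conf.get("net", {})
    addrs = [a.strip() for a in net.get("bindIp", "").split(",") if a.strip()]
    if not addrs or "0.0.0.0" in addrs:
        findings.append("net.bindIp is unset or 0.0.0.0: no explicit address restriction")
    for ip in (addrs if check_bind else []):      # only meaningful on the mongod host itself
        if not address_is_local(ip):
            findings.append(f"net.bindIp {ip} is not assigned to this host; mongod will not start")
    if net.get("port", "27017") == "27017":
        findings.append("net.port is the default 27017")
    if conf.get("security", {}).get("authorization") != "enabled":
        findings.append("security.authorization is not enabled")
    return findings
```

On the database host, audit(parse_conf(open("/etc/mongod.conf").read()), check_bind=True) reports every finding in one pass; an empty list means the file passes all three checks.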
3.2 Adding users
First, create an administrator account
> use admin
switched to db admin
> db.createUser({user:"admin",pwd:"123456",roles:[{role:"userAdminAnyDatabase",db:"admin"}]})
Successfully added user: { "user" : "admin", "roles" : [ { "role" : "userAdminAnyDatabase", "db" : "admin" } ] }
Create an ordinary user account
> use test
switched to db test
> db.createUser({user:"abc",pwd:"123",roles:[{role:"read",db:"test"}]})
Successfully added user: { "user" : "abc", "roles" : [ { "role" : "read", "db" : "test" } ] }
3.3 User privilege control
- Viewing a user's privileges
show users lists all users of the current database
> use test
switched to db test
> show users
{ "_id" : "test.abc", "user" : "abc", "db" : "test", "roles" : [ { "role" : "read", "db" : "test" } ] }
You can also query the privileges of a specific user
> db.getUser("abc")
{ "_id" : "test.abc", "user" : "abc", "db" : "test", "roles" : [ { "role" : "read", "db" : "test" } ] }
- Viewing which operations a role permits
> db.getRole("read",{showPrivileges:true})
- Granting privileges (assigning a role to an account)
> db.grantRolesToUser("abc",[{role:"readWrite",db:"test"}])
> show users
{ "_id" : "test.abc", "user" : "abc", "db" : "test", "roles" : [ { "role" : "readWrite", "db" : "test" }, { "role" : "read", "db" : "test" } ] }
- Revoking privileges
> db.revokeRolesFromUser("abc",[{role:"readWrite",db:"test"}])
> show users
{ "_id" : "test.abc", "user" : "abc", "db" : "abc", "roles" : [ { "role" : "read", "db" : "test" } ] }
3.4 User login
Log in when starting the mongo client; --authenticationDatabase "admin" indicates that the user is defined in the admin database.
mongo --host 192.168.100.123 --port 27017 -u "user123" -p "123456" --authenticationDatabase "admin"
Log in after entering the mongo client
mongo --host 192.168.100.123 --port 27017
use admin
db.auth("user123","123456")
3.5 Changing a password (requires admin administrator privileges)
db.changeUserPassword("user123","password456")
3.6 Deleting a user (requires admin administrator privileges)
db.dropUser("user123")