By default MongoDB does not authenticate and ships with no accounts: anyone who can connect to the service can perform any operation on the databases. MongoDB's position is that the best security is to run it in a trusted environment and make sure that only trusted machines can reach it; for environments with higher requirements this is not enough. MongoDB does provide user authentication, which is enabled by starting mongod with --auth.

1. Installing MongoDB
Download page for the MongoDB releases: https://www.mongodb.org/dl/linux/x86_64-rhel62
Baidu download link for the MongoDB v3.2 tarball used in this walkthrough: https://pan.baidu.com/s/194ef261BpcypxzAl9aRaQg (extraction code: tv8m). Download it and place it in /usr/local/src on the server.

1.1) Install MongoDB
[root@MongoDB-server ~]# cd /usr/local/src/
[root@MongoDB-server src]# ll mongodb-linux-x86_64-rhel62-v3.2-latest.tgz
-rw-r--r-- 1 root root 86699142 Nov 22 2017 mongodb-linux-x86_64-rhel62-v3.2-latest.tgz
[root@MongoDB-server src]# tar -zvxf mongodb-linux-x86_64-rhel62-v3.2-latest.tgz
[root@MongoDB-server src]# mv mongodb-linux-x86_64-rhel62-3.2.17-34-g4c1bae566c /usr/local/mongodb
[root@MongoDB-server src]# ll /usr/local/mongodb    // MongoDB home directory
total 100
drwxr-xr-x 2 root root  4096 Sep 20 22:33 bin
-rw-r--r-- 1 root root 34520 Nov 21  2017 GNU-AGPL-3.0
-rw-r--r-- 1 root root 16726 Nov 21  2017 MPL-2
-rw-r--r-- 1 root root  2262 Nov 21  2017 README
-rw-r--r-- 1 root root 35910 Nov 21  2017 THIRD-PARTY-NOTICES
[root@MongoDB-server src]# mkdir /usr/local/mongodb/data    // MongoDB data directory; it can live on a separate, large partition
[root@MongoDB-server src]# mkdir /usr/local/mongodb/log     // MongoDB log directory

1.2) Start MongoDB
Use the mongod command to start a MongoDB instance with the database path /usr/local/mongodb/data and the log file /usr/local/mongodb/log/mongo.log. mongod is put in the background; after running the command below, press Ctrl+C to get the prompt back.
[root@MongoDB-server src]# nohup /usr/local/mongodb/bin/mongod --dbpath=/usr/local/mongodb/data/ --logpath=/usr/local/mongodb/log/mongo.log &

==========================================
mongod options:
--dbpath      database path (data files)
--logpath     log file path
--master      run as the master
--slave       run as a slave
--source      IP address of the master
--oplogSize   caps the oplog size, for example at 64M. A resync is very expensive and slow, so set an oplogSize large enough to avoid resyncs (the default oplog size is 5% of free disk space).
--logappend   append to the end of the log file
--port        port to listen on
--fork        run in the background
--only        replicate only the specified database
--slavedelay  interval at which the slave checks for replication
--auth        require authentication (username and password) to log in
==========================================

[root@MongoDB-server src]# ps -ef|grep mongodb
root 13216 10204 0 22:38 pts/1 00:00:00 /usr/local/mongodb/bin/mongod --dbpath=/usr/local/mongodb/data/ --logpath=/usr/local/mongodb/log/mongo.log
root 14185 10204 0 22:42 pts/1 00:00:00 grep mongodb
MongoDB's default port is 27017; after startup, give it a moment and the port comes up. If the port does not come up after startup, check the log at /usr/local/mongodb/log/mongo.log.
[root@MongoDB-server src]# lsof -i:27017
COMMAND   PID USER   FD   TYPE  DEVICE SIZE/OFF NODE NAME
mongod  13216 root    6u  IPv4 4260453      0t0  TCP *:27017 (LISTEN)

1.3) Set the environment variables for MongoDB
[root@MongoDB-server src]# vim /etc/profile
......
export PATH=$PATH:/usr/local/mongodb/bin/
[root@MongoDB-server src]# source /etc/profile
[root@MongoDB-server src]# mongod --version
db version v3.2.17-34-g4c1bae566c
git version: 4c1bae566c0c00f996a2feb16febf84936ecaf6f
OpenSSL version: OpenSSL 1.0.1e-fips 11 Feb 2013
allocator: tcmalloc
modules: none
build environment:
    distmod: rhel62
    distarch: x86_64
    target_arch: x86_64

1.4) To make MongoDB easier to start and stop, write a shell script; it can of course also be registered as a service. A better approach is to use a configuration file: put the parameters mongod needs into the file and reference it from the script.
[root@MongoDB-server src]# vim /usr/local/mongodb/mongodb.conf
# port number; defaults to 27017 if not specified
port=27017
# IP address to bind to
bind_ip=0.0.0.0
# MongoDB data file directory
dbpath=/usr/local/mongodb/data
# MongoDB log file
logpath=/usr/local/mongodb/log/mongo.log
# append to the log file instead of overwriting it
logappend=true

Write the MongoDB start script:
[root@MongoDB-server src]# vim /etc/init.d/mongodb
#!/bin/bash
#
# mongod    Start up the MongoDB server daemon
#
# source function library
. /etc/rc.d/init.d/functions
# mongod binary
CMD=/usr/local/mongodb/bin/mongod
# configuration file path
INITFILE=/usr/local/mongodb/mongodb.conf

start() {
    # & starts it in the background; the fork option could be used instead
    $CMD -f $INITFILE &
    echo "MongoDB is running background..."
}

stop() {
    pkill mongod
    echo "MongoDB is stopped."
}

case "$1" in
    start)
        start
        ;;
    stop)
        stop
        ;;
    *)
        echo $"Usage: $0 {start|stop}"
esac

Make the script executable:
[root@MongoDB-server src]# chmod 755 /etc/init.d/mongodb
[root@MongoDB-server src]# /etc/init.d/mongodb status
Usage: /etc/init.d/mongodb {start|stop}
[root@MongoDB-server src]# /etc/init.d/mongodb stop
Terminated
[root@MongoDB-server src]# lsof -i:27001
[1]+  Done                    nohup /usr/local/mongodb/bin/mongod --dbpath=/usr/local/mongodb/data/ --logpath=/usr/local/mongodb/log/mongo.log
[root@MongoDB-server src]# lsof -i:27001
[root@MongoDB-server src]# /etc/init.d/mongodb start
MongoDB is running background...
[root@MongoDB-server src]# ps -ef|grep mongodb
root 16060     1  2 22:49 pts/1 00:00:00 /usr/local/mongodb/bin/mongod -f /usr/local/mongodb/mongodb.conf
root 16205 10204  0 22:49 pts/1 00:00:00 grep mongodb
[root@MongoDB-server ~]# lsof -i:27001
[root@MongoDB-server ~]#

After starting, port 27017 was not up, so check the log:
[root@MongoDB-server src]# tail -f /usr/local/mongodb/log/mongo.log
......
2018-09-20T22:55:46.236+0800 I NETWORK  [initandlisten] waiting for connections on port 27017
2018-09-20T22:55:46.290+0800 W NETWORK  [HostnameCanonicalizationWorker] Failed to obtain address information for hostname MongoDB-server: Name or service not known
2018-09-20T22:55:47.014+0800 I FTDC     [ftdc] Unclean full-time diagnostic data capture shutdown detected, found interim file, some metrics may have been lost. OK

Cause: the hostname cannot be resolved to an address, which is usually a matter of /etc/hosts.
Fix:
[root@MongoDB-server ~]# ifconfig|grep "inet addr"|grep Bcast|awk -F":" '{print $2}'|awk '{print $1}'
192.168.10.205
[root@MongoDB-server ~]# hostname
MongoDB-server
[root@MongoDB-server ~]# vim /etc/hosts
[root@MongoDB-server ~]# echo "192.168.10.205 MongoDB-server" >> /etc/hosts
[root@MongoDB-server ~]# cat /etc/hosts
......
192.168.10.205 MongoDB-server

Start it again:
[root@MongoDB-server ~]# ps -ef|grep mongodb
root 17789     1  0 22:55 pts/0 00:00:01 /usr/local/mongodb/bin/mongod -f /usr/local/mongodb/mongodb.conf
root 18933 16606  0 23:00 pts/0 00:00:00 grep mongodb
[root@MongoDB-server ~]# kill -9 16890
[root@MongoDB-server ~]# ps -ef|grep mongodb
root 18979 16606  0 23:00 pts/0 00:00:00 grep mongodb
[root@MongoDB-server ~]# /etc/init.d/mongodb start
MongoDB is running background...
[root@MongoDB-server ~]# ps -ef|grep mongodb
root 17789     1  0 22:55 pts/0 00:00:01 /usr/local/mongodb/bin/mongod -f /usr/local/mongodb/mongodb.conf
root 19132 16606  0 23:00 pts/0 00:00:00 grep mongodb
[root@MongoDB-server ~]# lsof -i:27017
COMMAND   PID USER   FD   TYPE  DEVICE SIZE/OFF NODE NAME
mongod  17789 root    6u  IPv4 4289555      0t0  TCP *:27017 (LISTEN)

Connect to the MongoDB service:
[root@MongoDB-server src]# mongo 127.0.0.1:27017
(or simply run mongo, which connects to 127.0.0.1:27017 by default)
MongoDB shell version: 3.2.17-34-g4c1bae566c
connecting to: 127.0.0.1:27017/test
Welcome to the MongoDB shell.
For interactive help, type "help".
For more comprehensive documentation, see
	http://docs.mongodb.org/
Questions? Try the support group
	http://groups.google.com/group/mongodb-user
Server has startup warnings:
2018-09-20T22:55:46.232+0800 I CONTROL  [initandlisten] ** WARNING: You are running this process as the root user, which is not recommended.
2018-09-20T22:55:46.233+0800 I CONTROL  [initandlisten]
2018-09-20T22:55:46.233+0800 I CONTROL  [initandlisten]
2018-09-20T22:55:46.233+0800 I CONTROL  [initandlisten] ** WARNING: /sys/kernel/mm/transparent_hugepage/enabled is 'always'.
2018-09-20T22:55:46.233+0800 I CONTROL  [initandlisten] **        We suggest setting it to 'never'
2018-09-20T22:55:46.233+0800 I CONTROL  [initandlisten]
2018-09-20T22:55:46.233+0800 I CONTROL  [initandlisten] ** WARNING: /sys/kernel/mm/transparent_hugepage/defrag is 'always'.
2018-09-20T22:55:46.233+0800 I CONTROL  [initandlisten] **        We suggest setting it to 'never'
2018-09-20T22:55:46.233+0800 I CONTROL  [initandlisten]
> help
	db.help()                    help on db methods
	db.mycoll.help()             help on collection methods
	sh.help()                    sharding helpers
	rs.help()                    replica set helpers
	help admin                   administrative help
	help connect                 connecting to a db help
	help keys                    key shortcuts
	help misc                    misc things to know
	help mr                      mapreduce

	show dbs                     show database names
	show collections             show collections in current database
	show users                   show users in current database
	show profile                 show most recent system.profile entries with time >= 1ms
	show logs                    show the accessible logger names
	show log [name]              prints out the last segment of log in memory, 'global' is default
	use <db_name>                set current database
	db.foo.find()                list objects in collection foo
	db.foo.find( { a : 1 } )     list objects in foo where a == 1
	it                           result of the last line evaluated; use to further iterate
	DBQuery.shellBatchSize = x   set default number of items to display on shell
	exit                         quit the mongo shell
> show dbs
local  0.000GB
>
2. MongoDB authentication

MongoDB built-in roles
- Database user roles: read, readWrite;
- Database administration roles: dbAdmin, dbOwner, userAdmin;
- Cluster administration roles: clusterAdmin, clusterManager, clusterMonitor, hostManager;
- Backup and restore roles: backup, restore;
- All-database roles: readAnyDatabase, readWriteAnyDatabase, userAdminAnyDatabase, dbAdminAnyDatabase;
- Superuser role: root
- A few further roles provide superuser access to the system, directly or indirectly (dbOwner, userAdmin, userAdminAnyDatabase)
- Internal role: __system
Role details
- read: lets the user read the specified database
- readWrite: lets the user read and write the specified database
- dbAdmin: lets the user run administrative functions in the specified database, such as creating and dropping indexes, viewing statistics, or accessing system.profile
- userAdmin: lets the user write to the system.users collection, i.e. create, drop and manage users in the specified database
- clusterAdmin: available only in the admin database; grants the user administrative rights over all sharding and replica set functions.
- readAnyDatabase: available only in the admin database; grants read access to all databases
- readWriteAnyDatabase: available only in the admin database; grants read and write access to all databases
- userAdminAnyDatabase: available only in the admin database; grants userAdmin rights on all databases
- dbAdminAnyDatabase: available only in the admin database; grants dbAdmin rights on all databases.
- root: available only in the admin database. The superuser account, with full privileges
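To make the escalation note above concrete, here is an added example (not code from the original post) that classifies db.system.users documents by how far each user can reach. The first three documents are copies of the users created on this page with their credentials omitted; the `ops` and `kevin_ua` users are hypothetical.

```python
# Added example (not from the original post): classify the documents returned
# by db.system.users.find() by how far each user can reach, applying the role
# semantics listed above. The three sample users are copies of the ones created
# on this page with their credentials omitted; the last two are hypothetical.

SUPERUSER_ROLES = {"root", "__system", "userAdminAnyDatabase"}
# userAdmin and dbOwner let the holder grant any role on the database they are
# held on; held on admin, that includes root, so they escalate to superuser.
ADMIN_DB_ESCALATING = {"userAdmin", "dbOwner"}
ANY_DB_ROLES = {"readAnyDatabase", "readWriteAnyDatabase", "dbAdminAnyDatabase"}


def classify(user_doc):
    """Return 'superuser', 'all-databases' or 'scoped' for one user document."""
    roles = user_doc.get("roles", [])
    if any(r["role"] in SUPERUSER_ROLES
           or (r["role"] in ADMIN_DB_ESCALATING and r["db"] == "admin")
           for r in roles):
        return "superuser"
    if any(r["role"] in ANY_DB_ROLES for r in roles):
        return "all-databases"
    return "scoped"


def audit_users(docs):
    """Map each user's _id to its access level; every superuser deserves a review."""
    return {d["_id"]: classify(d) for d in docs}


USERS = [  # constructed from the db.system.users.find() output on this page
    {"_id": "admin.admin", "user": "admin", "db": "admin",
     "roles": [{"role": "root", "db": "admin"}]},
    {"_id": "kevin.kevin", "user": "kevin", "db": "kevin",
     "roles": [{"role": "readWrite", "db": "kevin"}]},
    {"_id": "grace.grace", "user": "grace", "db": "grace",
     "roles": [{"role": "read", "db": "grace"}]},
    # hypothetical users showing the indirect path: userAdmin on admin is a
    # superuser, userAdmin on an ordinary database is not
    {"_id": "admin.ops", "user": "ops", "db": "admin",
     "roles": [{"role": "userAdmin", "db": "admin"}]},
    {"_id": "kevin.kevin_ua", "user": "kevin_ua", "db": "kevin",
     "roles": [{"role": "userAdmin", "db": "kevin"}]},
]

if __name__ == "__main__":
    for user_id, level in audit_users(USERS).items():
        print(f"{user_id:16} {level}")
```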
An authentication walkthrough

When initialising the database, user authentication must first be disabled; then the administrative user is created, and only after that is authentication enabled and the database put to use.
Before authentication can be used, accounts have to be added, starting with the administrator account (by default there are no users in the system). Remember: create the users with authentication disabled first, then stop the service and start it again with authentication enabled, otherwise it does not take effect!!!!
[root@MongoDB-server src]# mongo 127.0.0.1:27017
......

Switch to the admin database:
> use admin
switched to db admin

Add the superuser:
> use admin
switched to db admin
> db.system.users.find();
> db.addUser("admin","1234!@#$qwer");
2018-09-21T09:59:56.125+0800 E QUERY    [thread1] TypeError: db.addUser is not a function :
@(shell):1:1

Creating the user this way fails with "addUser is not a function". The reason: MongoDB 3.x no longer supports addUser(); createUser() replaces it.
Note in particular: when creating a user and setting its password, each entry in roles must carry both role and db, and you must be clear which database you later authenticate against! For the admin account it is best to set the role to root, otherwise some commands may fail after authenticating.
> db.createUser({user: "admin",pwd: "1234!@#$qwer",roles:[{"role":"root","db":"admin"}]});
Successfully added user: { "user" : "admin", "roles" : [ { "role" : "root", "db" : "admin" } ] }
>

Query the users that were added (you must switch to the admin database first):
> db.system.users.find();
{ "_id" : "admin.admin", "user" : "admin", "db" : "admin", "credentials" : { "SCRAM-SHA-1" : { "iterationCount" : 10000, "salt" : "tnnpiLjweUJWR1mQzC/cuw==", "storedKey" : "Q7G7KqfYQa3eKcHOSsSkxGs2Ci0=", "serverKey" : "GKOG66hhf6DkXNrTmHWGoFHxXFo=" } }, "roles" : [ { "role" : "root", "db" : "admin" } ] }

Add ordinary accounts
Switch to the kevin database and add an ordinary user (readWrite grants read and write access; read grants read access only):
> use kevin;
switched to db kevin
> db.createUser({user: "kevin",pwd: "kevin@123456",roles:[{"role":"readWrite","db":"kevin"}]});
Successfully added user: { "user" : "kevin", "roles" : [ { "role" : "readWrite", "db" : "kevin" } ] }
> use grace;
switched to db grace
> db.createUser({user: "grace",pwd: "grace@123",roles:[{"role":"read","db":"grace"}]});
Successfully added user: { "user" : "grace", "roles" : [ { "role" : "read", "db" : "grace" } ] }

Query the users that were added (switch to the admin database first):
> use admin;
switched to db admin
> db.system.users.find();
{ "_id" : "admin.admin", "user" : "admin", "db" : "admin", "credentials" : { "SCRAM-SHA-1" : { "iterationCount" : 10000, "salt" : "tnnpiLjweUJWR1mQzC/cuw==", "storedKey" : "Q7G7KqfYQa3eKcHOSsSkxGs2Ci0=", "serverKey" : "GKOG66hhf6DkXNrTmHWGoFHxXFo=" } }, "roles" : [ { "role" : "root", "db" : "admin" } ] }
{ "_id" : "kevin.kevin", "user" : "kevin", "db" : "kevin", "credentials" : { "SCRAM-SHA-1" : { "iterationCount" : 10000, "salt" : "u3RgCHmt3AfigOIVNKy7OA==", "storedKey" : "Je7SP6SohGPZSb3VBXOJkNlXz20=", "serverKey" : "5laXjac6NfpYuivcmK3SK0GohRo=" } }, "roles" : [ { "role" : "readWrite", "db" : "kevin" } ] }
{ "_id" : "grace.grace", "user" : "grace", "db" : "grace", "credentials" : { "SCRAM-SHA-1" : { "iterationCount" : 10000, "salt" : "9xLjmg7Q8YsZ1Y9vF71P6g==", "storedKey" : "tID4qA9AaJ4IIOgbC1oHZZYqVdg=", "serverKey" : "ayvaN6QkDUOz1KUs+SG3S8IyvAo=" } }, "roles" : [ { "role" : "read", "db" : "grace" } ] }
>

Delete users:
> use admin;
switched to db admin
> db.system.users.remove({user:"admin"})
WriteResult({ "nRemoved" : 1 })
> db.system.users.remove({user:"kevin"})
WriteResult({ "nRemoved" : 1 })
> db.system.users.remove({user:"grace"})
WriteResult({ "nRemoved" : 1 })
> db.system.users.find();
>

Change a user's password; db.changeUserPassword resets it!!!!!
> use grace;
switched to db grace
> db.changeUserPassword("grace","grace@1986");
>

Start mongod with --auth to enable authentication (or add "auth=true" to the configuration file):
[root@MongoDB-server ~]# vim /usr/local/mongodb/mongodb.conf
# port number; defaults to 27017 if not specified
port=27017
# IP address to bind to
bind_ip=0.0.0.0
# MongoDB data file directory
dbpath=/usr/local/mongodb/data
# MongoDB log file
logpath=/usr/local/mongodb/log/mongo.log
# append to the log file instead of overwriting it
logappend=true
# enable MongoDB authentication
auth=true
[root@MongoDB-server ~]# cat /etc/init.d/mongodb
......
$CMD -f $INITFILE --auth &
......

Restart mongod:
[root@MongoDB-server ~]# ps -ef|grep mongodb
root 17789     1  0 22:55 pts/0 00:00:06 /usr/local/mongodb/bin/mongod -f /usr/local/mongodb/mongodb.conf
root 25161 16606  0 23:24 pts/0 00:00:00 grep mongodb
[root@MongoDB-server ~]# kill -9 17789
[root@MongoDB-server ~]# ps -ef|grep mongodb
root 25190 16606  0 23:24 pts/0 00:00:00 grep mongodb
[root@MongoDB-server ~]# /etc/init.d/mongodb start
MongoDB is running background...
[root@MongoDB-server ~]# ps -ef|grep mongodb
root  1687     1 12 23:58 pts/0 00:00:00 /usr/local/mongodb/bin/mongod -f /usr/local/mongodb/mongodb.conf --auth
root  1713 16606  0 23:58 pts/0 00:00:00 grep mongodb
[root@MongoDB-server ~]# lsof -i:27017
COMMAND   PID USER   FD   TYPE  DEVICE SIZE/OFF NODE NAME
mongod  25342 root    6u  IPv4 4330699      0t0  TCP *:27017 (LISTEN)

Verify that authentication is enforced:
[root@MongoDB-server ~]# mongo 127.0.0.1:27017
MongoDB shell version: 3.2.17-34-g4c1bae566c
connecting to: 127.0.0.1:27017/test
> use admin;
switched to db admin
> show dbs
2018-09-21T10:11:46.582+0800 E QUERY    [thread1] Error: listDatabases failed:{ "ok" : 0, "errmsg" : "not authorized on admin to execute command { listDatabases: 1.0 }", "code" : 13 } :
_getErrorWithCode@src/mongo/shell/utils.js:25:13
Mongo.prototype.getDBs@src/mongo/shell/mongo.js:62:1
shellHelper.show@src/mongo/shell/utils.js:781:19
shellHelper@src/mongo/shell/utils.js:671:15
@(shellhelp2):1:1
>

Nothing can be listed because we have not authenticated; authenticate first and query again. Note: put the username and password in double quotes in db.auth(), otherwise authentication may fail!!
> db.auth("admin","1234!@#$qwer");
1
> show dbs
admin  0.000GB
local  0.000GB
>

Ordinary users authenticate the same way:
> use grace;
switched to db grace
> db.stats();
{ "ok" : 0, "errmsg" : "not authorized on admin to execute command { serverStatus: 1.0 }", "code" : 13 }
> db.auth("grace","grace@1986");
1
> db.stats();
{ "db" : "grace", "collections" : 0, "objects" : 0, "avgObjSize" : 0, "dataSize" : 0, "storageSize" : 0, "numExtents" : 0, "indexes" : 0, "indexSize" : 0, "fileSize" : 0, "ok" : 1 }
>

This shows that authentication is enabled on this mongod and that it succeeds.
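The two versions of mongodb.conf above differ in exactly the line that decides whether a remote connection is an anonymous superuser. As an added example (not code from the original post), this small auditor parses the legacy key=value format used here and flags a missing auth=true and a bind_ip that listens on every interface; the two sample files are constructed copies of the page's configurations.

```python
# Added example (not from the original post): audit the legacy key=value
# mongodb.conf format used above for the two settings that decide whether an
# unauthenticated network client gets full access to the server.

def parse_legacy_conf(text):
    """Parse 'key=value' lines; '#' starts a comment, other lines are skipped."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if "=" not in line:
            continue
        key, value = line.split("=", 1)
        settings[key.strip()] = value.strip()
    return settings


def audit_conf(text):
    """Return {setting: problem} for the risky settings found (empty = clean)."""
    s = parse_legacy_conf(text)
    problems = {}
    if s.get("auth", "false").lower() != "true":
        # Without auth=true (or --auth) every connection is an unauthenticated
        # superuser; this is the default the introduction of the post warns about.
        problems["auth"] = "authentication disabled; any client that connects has full access"
    # Before MongoDB 3.6 a missing bind_ip means "listen on all interfaces".
    bind = s.get("bind_ip", "0.0.0.0")
    if any(ip.strip() in ("0.0.0.0", "::") for ip in bind.split(",")):
        problems["bind_ip"] = "listening on all interfaces; restrict to trusted addresses or firewall the port"
    return problems


# Constructed copies of the two configuration files shown on this page.
CONF_BEFORE = """\
port=27017
bind_ip=0.0.0.0
dbpath=/usr/local/mongodb/data
logpath=/usr/local/mongodb/log/mongo.log
logappend=true
"""
CONF_AFTER = CONF_BEFORE + "auth=true   # enable MongoDB authentication\n"

if __name__ == "__main__":
    for name, conf in (("before", CONF_BEFORE), ("after", CONF_AFTER)):
        print(name, audit_conf(conf) or "no findings")
```

Even the hardened file still reports bind_ip, which matches the introduction: authentication and a trusted network are complementary, not alternatives.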