Notes: security

 

1. Enable access control

Enabling access control on a MongoDB deployment enforces authentication, requiring users to identify themselves. When accessing a MongoDB deployment that has access control enabled, users can only perform actions as determined by their roles.

Enabling access control on MongoDB requires users to authenticate. When accessing a MongoDB service with access control enabled, a user can only perform the actions that their roles allow.

 

User Administrator

With access control enabled, ensure you have a user with the userAdmin or userAdminAnyDatabase role in the admin database. This user can administer users and roles: create users, grant or revoke roles from users, and create or modify custom roles.

In short, you need a user with super-administrator privileges.

 

1.1. Procedure

Start a mongod instance without access control:

mongod --port 27017 --dbpath /var/lib/mongodb

 

Connect:

mongo --port 27017

 

Create the administrator user:

use admin

db.createUser(
  {
    user: "***",
    pwd: "***",
    roles: [ { role: "userAdminAnyDatabase", db: "admin" }, "readWriteAnyDatabase" ]
  }
)

 

Restart the instance:

  1. db.adminCommand( { shutdown: 1 } )
  2. Exit the mongo shell.
  3. From the terminal, re-start the mongod instance with the --auth command line option or, if using a configuration file, the security.authorization setting.
  4. mongod --auth --port 27017 --dbpath /var/lib/mongodb

Because the test environment is Windows 8:

mongod --auth --port 27017 --logpath="d:\Program File*********db.log" --dbpath="d:\。。。。。"
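Step 3 above gives two ways to switch access control on, the --auth flag or security.authorization in the config file, and forgetting both leaves the instance open, which is the default. The following Node.js function is an added example, not part of the original notes, that reports which state a given mongod start-up is in. The YAML handling is a deliberately minimal line reader that only understands the security:/authorization: nesting, and the two config bodies (WEAK_CONFIG, HARDENED_CONFIG) are constructed samples.

```javascript
// Added example (not from the original notes): decide whether a mongod
// start-up enforces access control. Access control is on when either the
// --auth command-line flag or security.authorization: enabled in the config
// file is present; with both absent mongod runs open, which is its default.

// Minimal reader for the one setting we care about. It understands only a
// top-level `security:` block with an indented `authorization:` key and is
// not a general YAML parser.
function authorizationFromConfig(configText) {
  let inSecurity = false;
  for (const raw of configText.split(/\r?\n/)) {
    const line = raw.replace(/#.*$/, "").trimEnd();   // drop comments
    if (line.trim() === "") continue;
    const indent = line.length - line.trimStart().length;
    if (indent === 0) {                               // new top-level section
      inSecurity = /^security\s*:/.test(line);
      continue;
    }
    if (inSecurity) {
      const m = line.trim().match(/^authorization\s*:\s*"?(\w+)"?/);
      if (m) return m[1].toLowerCase();
    }
  }
  return null;   // setting absent: mongod defaults to disabled
}

// argv is the mongod command line as an array; configText is the body of the
// file passed with -f/--config (read by the caller), or null when there is none.
function accessControlStatus(argv, configText) {
  if (argv.includes("--auth")) return "enabled";
  if (configText && authorizationFromConfig(configText) === "enabled") return "enabled";
  return "disabled";
}

// Constructed sample configs: the weak one omits the security section, the
// hardened one is the same file with authorization switched on.
const WEAK_CONFIG = [
  "storage:",
  "  dbPath: /var/lib/mongodb",
  "net:",
  "  port: 27017",
].join("\n");

const HARDENED_CONFIG = [
  "storage:",
  "  dbPath: /var/lib/mongodb",
  "security:",
  "  authorization: enabled   # equivalent to --auth",
  "net:",
  "  port: 27017",
].join("\n");

if (typeof require !== "undefined" && require.main === module) {
  console.log(accessControlStatus(["mongod", "--port", "27017"], WEAK_CONFIG));            // disabled
  console.log(accessControlStatus(["mongod", "--auth", "--port", "27017"], null));         // enabled
  console.log(accessControlStatus(["mongod", "-f", "/etc/mongod.conf"], HARDENED_CONFIG)); // enabled
}
```

Run it with node; the first line of output shows the open configuration the notes start from, the other two the two equivalent ways of closing it.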

 

Log in:

mongo --port 27017 -u **** --authenticationDatabase admin -p

Note: on Windows, do not put quotes around the username; the example on the official site has the quotes.

You can also connect first and then authenticate with the db.auth() method:

use test

db.auth("mytester", "xyz123" )

 

Create a new user:

use db_spider

db.createUser(
  {
    user: "mytester",
    pwd: "xyz123",
    roles: [ { role: "readWrite", db: "test" },
             { role: "read", db: "reporting" } ]
  }
)

 

Log in as the new user and verify:

mongo

use test

db.auth("mytester", "xyz123" )

db.foo.insert( { x: 1, y: 1 } )

The insert succeeds.

use db_spider

db.foo.insert( { x: 1, y: 1 } )

The insert fails with the error: no authorized on db_spider to execute command (……)
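The success on test.foo and the failure on db_spider.foo follow from how roles are scoped: readWrite on test says nothing about db_spider, and the admin user's bare "readWriteAnyDatabase" entry means that role on the user's own database, admin. The following Node.js block is an added example, not MongoDB's own code, that models this authorization decision with a reduced privilege table (a subset of the real built-in roles, limited to the actions used here). It assumes mytester's authentication database is test, where the notes run db.auth(); the admin user's name (siteAdmin) and the third, misconfigured user are constructed.

```javascript
// Added example (not MongoDB's own code): a reduced model of the role-based
// authorization check mongod performs once access control is enabled. The
// privilege table is a subset of the real built-in roles, limited to the
// actions this walkthrough exercises; the real definitions are much larger.

// scope "own": the role applies only to the database it was granted on.
// scope "any": the role applies to every database except those in `except`
// and must itself be granted on the admin database.
const BUILTIN_ROLES = {
  read: {
    scope: "own", except: [],
    actions: ["find", "listCollections", "listIndexes"],
  },
  readWrite: {
    scope: "own", except: [],
    actions: ["find", "listCollections", "listIndexes",
              "insert", "update", "remove", "createCollection", "createIndex"],
  },
  readWriteAnyDatabase: {
    scope: "any", except: ["local", "config"],
    actions: ["find", "listCollections", "listIndexes",
              "insert", "update", "remove", "createCollection", "createIndex"],
  },
  userAdminAnyDatabase: {
    scope: "any", except: [],
    actions: ["createUser", "dropUser", "viewUser", "grantRole", "revokeRole",
              "createRole", "dropRole", "viewRole", "changePassword"],
  },
};

// A bare role name in the roles array means "this role on the user's own
// authentication database", which is how the admin user in the notes gets
// readWriteAnyDatabase on admin.
function normalizeRoles(user) {
  return user.roles.map((r) => (typeof r === "string" ? { role: r, db: user.db } : r));
}

// Return null when authorized, otherwise an error object shaped like the one
// the shell prints (code 13 is Unauthorized; the errmsg is abbreviated).
function authorize(user, action, dbName) {
  for (const { role, db } of normalizeRoles(user)) {
    const def = BUILTIN_ROLES[role];
    if (!def || !def.actions.includes(action)) continue;
    if (def.scope === "own" && db === dbName) return null;
    if (def.scope === "any" && db === "admin" && !def.except.includes(dbName)) return null;
  }
  return { ok: 0, code: 13,
           errmsg: `not authorized on ${dbName} to execute command { ${action} }` };
}

function isAuthorized(user, action, dbName) {
  return authorize(user, action, dbName) === null;
}

// The two users from the walkthrough (the admin's name is constructed; the
// notes redact it). `db` is the database each user was created in.
const ADMIN_USER = {
  user: "siteAdmin", db: "admin",
  roles: [{ role: "userAdminAnyDatabase", db: "admin" }, "readWriteAnyDatabase"],
};
const TESTER_USER = {
  user: "mytester", db: "test",
  roles: [{ role: "readWrite", db: "test" }, { role: "read", db: "reporting" }],
};
// Constructed mistake: an AnyDatabase role granted outside admin. mongod
// rejects such a grant at createUser time; this model simply ignores it.
const MISPLACED_USER = {
  user: "misplaced", db: "test",
  roles: [{ role: "readWriteAnyDatabase", db: "test" }],
};

if (typeof require !== "undefined" && require.main === module) {
  for (const [user, action, dbName] of [
    [TESTER_USER, "insert", "test"],
    [TESTER_USER, "insert", "db_spider"],
    [ADMIN_USER, "createUser", "db_spider"],
  ]) {
    const err = authorize(user, action, dbName);
    console.log(`${user.user} ${action} on ${dbName}: ${err ? err.errmsg : "ok"}`);
  }
}
```

The third user shows why the shell examples grant AnyDatabase roles with db: "admin": granted anywhere else they give no access at all, so a reviewer checking db.getUsers() output should look at the db of each role entry, not just its name.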

 

2. Security Reference

The following lists the security related methods available in the mongo shell as well as additional security reference material.

Security Methods in the mongo Shell

User Management and Authentication Methods

Name                          Description
db.auth()                     Authenticates a user to a database.
db.changeUserPassword()       Changes an existing user's password.
db.createUser()               Creates a new user.
db.dropUser()                 Removes a single user.
db.dropAllUsers()             Deletes all users associated with a database.
db.getUser()                  Returns information about the specified user.
db.getUsers()                 Returns information about all users associated with a database.
db.grantRolesToUser()         Grants a role and its privileges to a user.
db.removeUser()               Deprecated. Removes a user from a database.
db.revokeRolesFromUser()      Removes a role from a user.
db.updateUser()               Updates user data.

 

Role Management Methods

Name                            Description
db.createRole()                 Creates a role and specifies its privileges.
db.dropRole()                   Deletes a user-defined role.
db.dropAllRoles()               Deletes all user-defined roles associated with a database.
db.getRole()                    Returns information for the specified role.
db.getRoles()                   Returns information for all the user-defined roles in a database.
db.grantPrivilegesToRole()      Assigns privileges to a user-defined role.
db.revokePrivilegesFromRole()   Removes the specified privileges from a user-defined role.
db.grantRolesToRole()           Specifies roles from which a user-defined role inherits privileges.
db.revokeRolesFromRole()        Removes inherited roles from a role.
db.updateRole()                 Updates a user-defined role.

 

Security Reference Documentation

system.roles Collection    Describes the content of the collection that stores user-defined roles.
system.users Collection    Describes the content of the collection that stores users' credentials and role assignments.
Resource Document          Describes the resource document for roles.
Privilege Actions          List of the actions available for privileges.

 
