MongoDB Database Security: Changing User Passwords

Posted by 清風艾艾 on 2019-10-29

    MongoDB is a non-relational database, and its security posture is very similar to that of MySQL before 5.7: right after the database software is installed and an instance is initialized, there is no security to speak of. In short, a freshly initialized MongoDB instance has no access restrictions at all; if it sits on the public Internet, any machine can connect to it over the Internet with any mongo client. MongoDB therefore needs to be hardened before it goes into production. This article walks through changing a user's password on a MongoDB deployment with one primary, one secondary and one arbiter.

    1. Log in to the primary of the MongoDB replica set and create a superuser administrator

db.createUser(
{
    user:"firstset",
    pwd:"firstset",
    roles:[{role:"userAdminAnyDatabase",db:"admin"}]
}
);

    2. Changing the password for zhul: check the mongod process and note the port number

ps -ef|grep mongod
mongo    10836     1  0 09:02 ?        00:00:03 mongod --dbpath /opt/mongo/data/dns_repset1 --port 10001 --replSet firstset --oplogSize 512 --rest --fork --logpath /opt/mongo/logs/firstset/firstset.log --logappend --nojournal --directoryperdb --keyFile /opt/mongo/keyfile/keyfile
mongo    10997  9767  0 09:09 pts/3    00:00:00 grep --color=auto mongod
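The intro warns that an unhardened mongod is reachable by anyone, and the `ps` line above is where you see how the instance was actually started. The following Python script is an added example, not part of the original post: it parses the mongod command line out of `ps -ef` output and reports the exposure problems this page talks about (no `--auth`/`--keyFile`, no `--bind_ip`, and the `--rest` HTTP interface that mongod's own startup warnings flag). The `ps` line is copied from the page; the hardened variant and the `192.168.192.251` bind address are constructed for the example.

```python
import shlex

# Sample input copied from the page's `ps -ef | grep mongod` output.
PAGE_PS_LINE = (
    "mongo    10836     1  0 09:02 ?        00:00:03 mongod "
    "--dbpath /opt/mongo/data/dns_repset1 --port 10001 --replSet firstset "
    "--oplogSize 512 --rest --fork --logpath /opt/mongo/logs/firstset/firstset.log "
    "--logappend --nojournal --directoryperdb --keyFile /opt/mongo/keyfile/keyfile"
)

# Constructed hardened variant (not from the page): --rest dropped and the
# listener pinned to the member's own address instead of all interfaces.
HARDENED_PS_LINE = PAGE_PS_LINE.replace(
    "--rest --fork", "--bind_ip 192.168.192.251 --fork"
)


def parse_mongod_args(ps_line):
    """Map each --flag of the mongod command in a `ps -ef` line to its value
    (True for bare switches). Raises ValueError if the line has no mongod."""
    tokens = shlex.split(ps_line)
    for start, tok in enumerate(tokens):
        if tok.split("/")[-1] == "mongod":
            break
    else:
        raise ValueError("no mongod command in line")
    args = {}
    i = start + 1
    while i < len(tokens):
        tok = tokens[i]
        if tok.startswith("--"):
            flag, _, inline = tok[2:].partition("=")
            if inline:                                    # --flag=value
                args[flag] = inline
            elif i + 1 < len(tokens) and not tokens[i + 1].startswith("--"):
                args[flag] = tokens[i + 1]                # --flag value
                i += 1
            else:
                args[flag] = True                         # bare switch
        i += 1
    return args


def audit_mongod_args(args):
    """Findings for the exposure problems the page's intro and the server's
    own startup warnings describe."""
    findings = []
    if "keyFile" not in args and "auth" not in args:
        findings.append("CRITICAL: neither --auth nor --keyFile; "
                        "clients connect without any credentials")
    if "bind_ip" not in args and "bind_ip_all" not in args:
        findings.append("HIGH: no --bind_ip; MongoDB 3.x listens on every "
                        "interface, so the port is reachable from the network")
    if "rest" in args or "httpinterface" in args:
        findings.append("MEDIUM: --rest/--httpinterface enable the HTTP "
                        "interface that mongod's startup warning calls insecure")
    return findings


def audit_ps_output(ps_output):
    """Audit every mongod process in multi-line `ps -ef` output, keyed by port."""
    report = {}
    for line in ps_output.splitlines():
        if " mongod " in line and "grep" not in line:
            args = parse_mongod_args(line)
            report[args.get("port", "27017")] = audit_mongod_args(args)
    return report


if __name__ == "__main__":
    for port, findings in audit_ps_output(PAGE_PS_LINE).items():
        print(f"mongod on port {port}:")
        for finding in findings or ["no findings"]:
            print("  " + finding)
```

Feed it the real `ps -ef` output (`audit_ps_output(subprocess.check_output(["ps", "-ef"], text=True))`) to check every mongod on a host; for the page's instance it reports the missing `--bind_ip` and the `--rest` flag but no CRITICAL finding, because `--keyFile` is present.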

    3. Changing the password for zhul: check whether the database currently allows login without credentials

[mongo@mongo1 keyfile]$ mongo  --port 10001 
MongoDB shell version: 3.2.11-49-g52b68fa
connecting to: 127.0.0.1:10001/test
firstset:PRIMARY> show dbs
2019-10-24T09:09:31.298+0800 E QUERY    [thread1] Error: listDatabases failed:{
"ok" : 0,
"errmsg" : " not authorized on admin to execute command { listDatabases: 1.0 }",
"code" : 13
} :
_getErrorWithCode@src/mongo/shell/utils.js:25:13
Mongo.prototype.getDBs@src/mongo/shell/mongo.js:62:1
shellHelper.show@src/mongo/shell/utils.js:761:19
shellHelper@src/mongo/shell/utils.js:651:15
@(shellhelp2):1:1
firstset:PRIMARY> exit
bye

    This confirms that the database uses keyFile authentication: a session opened without credentials is refused every command.

4. Changing the password for zhul: if you know the current password of the user whose password is to be changed, log in with that account and password. Otherwise you can temporarily remove the keyFile restriction, log in without a password to change the relevant users' passwords, and then re-enable keyFile authentication (while the keyFile is removed the instance accepts unauthenticated connections, so restrict network access to it during that window).

[mongo@mongo1 keyfile]$ mongo  -u firstset  -p firstset  --port 10001
MongoDB shell version: 3.2.11-49-g52b68fa
connecting to: 127.0.0.1:10001/test
Server has startup warnings: 
2019-10-24T09:02:45.827+0800 I CONTROL  [main] ** WARNING: --rest is specified without --httpinterface,
2019-10-24T09:02:45.827+0800 I CONTROL  [main] **          enabling http interface
2019-10-24T09:02:46.023+0800 I CONTROL  [initandlisten] 
2019-10-24T09:02:46.023+0800 I CONTROL  [initandlisten] ** WARNING: The server is started with the web server interface and access control.
2019-10-24T09:02:46.023+0800 I CONTROL  [initandlisten] **          The web interfaces (rest, httpinterface and/or jsonp) are insecure 
2019-10-24T09:02:46.023+0800 I CONTROL  [initandlisten] **          and should be disabled unless required for backward compatibility.
2019-10-24T09:02:46.023+0800 I CONTROL  [initandlisten] 
2019-10-24T09:02:46.023+0800 I CONTROL  [initandlisten] 
2019-10-24T09:02:46.023+0800 I CONTROL  [initandlisten] ** WARNING: /sys/kernel/mm/transparent_hugepage/enabled is 'always'.
2019-10-24T09:02:46.023+0800 I CONTROL  [initandlisten] **        We suggest setting it to 'never'
2019-10-24T09:02:46.023+0800 I CONTROL  [initandlisten] 
2019-10-24T09:02:46.023+0800 I CONTROL  [initandlisten] ** WARNING: /sys/kernel/mm/transparent_hugepage/defrag is 'always'.
2019-10-24T09:02:46.024+0800 I CONTROL  [initandlisten] **        We suggest setting it to 'never'
2019-10-24T09:02:46.024+0800 I CONTROL  [initandlisten] 
firstset:PRIMARY> show dbs;
admin       0.000GB
dns_testdb  0.004GB
local       0.008GB
firstset:PRIMARY> db.updateUser("firstset",{pwd:"rootroot"});
firstset:PRIMARY> exit
bye

    5. Verify the password change

-- Login with a wrong user name or password is rejected
[mongo@mongo1 keyfile]$ mongo  -u firstset  -p firstset  --port 10001 
MongoDB shell version: 3.2.11-49-g52b68fa
connecting to: 127.0.0.1:10001/test
2019-10-24T09:11:35.167+0800 E QUERY    [thread1] Error: Authentication failed. :
DB.prototype._authOrThrow@src/mongo/shell/db.js:1441:20
@(auth):6:1
@(auth):1:2
exception: login failed

-- After logging in with the correct user name and password, operations run normally
[mongo@mongo1 keyfile]$ mongo  -u firstset  -p rootroot --port 10001
MongoDB shell version: 3.2.11-49-g52b68fa
connecting to: 127.0.0.1:10001/test
Server has startup warnings: 
2019-10-24T09:02:45.827+0800 I CONTROL  [main] ** WARNING: --rest is specified without --httpinterface,
2019-10-24T09:02:45.827+0800 I CONTROL  [main] **          enabling http interface
2019-10-24T09:02:46.023+0800 I CONTROL  [initandlisten] 
2019-10-24T09:02:46.023+0800 I CONTROL  [initandlisten] ** WARNING: The server is started with the web server interface and access control.
2019-10-24T09:02:46.023+0800 I CONTROL  [initandlisten] **          The web interfaces (rest, httpinterface and/or jsonp) are insecure 
2019-10-24T09:02:46.023+0800 I CONTROL  [initandlisten] **          and should be disabled unless required for backward compatibility.
2019-10-24T09:02:46.023+0800 I CONTROL  [initandlisten] 
2019-10-24T09:02:46.023+0800 I CONTROL  [initandlisten] 
2019-10-24T09:02:46.023+0800 I CONTROL  [initandlisten] ** WARNING: /sys/kernel/mm/transparent_hugepage/enabled is 'always'.
2019-10-24T09:02:46.023+0800 I CONTROL  [initandlisten] **        We suggest setting it to 'never'
2019-10-24T09:02:46.023+0800 I CONTROL  [initandlisten] 
2019-10-24T09:02:46.023+0800 I CONTROL  [initandlisten] ** WARNING: /sys/kernel/mm/transparent_hugepage/defrag is 'always'.
2019-10-24T09:02:46.024+0800 I CONTROL  [initandlisten] **        We suggest setting it to 'never'
2019-10-24T09:02:46.024+0800 I CONTROL  [initandlisten] 
firstset:PRIMARY> show dbs;
admin       0.000GB
dns_testdb  0.004GB
local       0.008GB
firstset:PRIMARY> use admin
switched to db admin
firstset:PRIMARY> show collections;
system.users
system.version
firstset:PRIMARY> db.system.users.find();
{ "_id" : "test.firstset", "user" : "firstset", "db" : "test", "credentials" : { "SCRAM-SHA-1" : { "iterationCount" : 10000, "salt" : "ISdrb4a3Cc0A59vXEUxjOg==", "storedKey" : "qPn44VuZrJ6QwWzOMBq90vZ5eAo=", "serverKey" : "rz+CDSlpXHKvUDGg0PCnG2GZCjk=" } }, "roles" : [ { "role" : "root", "db" : "admin" } ] }
firstset:PRIMARY> use dns_testdb
switched to db dns_testdb
firstset:PRIMARY> show collections;
test_collection
firstset:PRIMARY> db.test_collection.findOne();
{
    "_id" : ObjectId("5d8434a5b138ddafc446e13b"),
    "name" : "cow",
    "user_id" : 48149,
    "boolean" : false,
    "added_at" : ISODate("2019-09-20T02:08:37.116Z"),
    "number" : 1743
}
firstset:PRIMARY> 
firstset:PRIMARY> rs.status();
{
    "set" : "firstset",
    "date" : ISODate("2019-10-24T01:13:15.006Z"),
    "myState" : 1,
    "term" : NumberLong(7),
    "heartbeatIntervalMillis" : NumberLong(2000),
    "members" : [
        {
            "_id" : 0,
            "name" : "192.168.192.251:10001",
            "health" : 1,
            "state" : 1,
            "stateStr" : "PRIMARY",
            "uptime" : 630,
            "optime" : {
                "ts" : Timestamp(1571879490, 1),
                "t" : NumberLong(7)
            },
            "optimeDate" : ISODate("2019-10-24T01:11:30Z"),
            "electionTime" : Timestamp(1571879010, 1),
            "electionDate" : ISODate("2019-10-24T01:03:30Z"),
            "configVersion" : 1,
            "self" : true
        },
        {
            "_id" : 1,
            "name" : "192.168.192.252:10001",
            "health" : 1,
            "state" : 2,
            "stateStr" : "SECONDARY",
            "uptime" : 566,
            "optime" : {
                "ts" : Timestamp(1571879490, 1),
                "t" : NumberLong(7)
            },
            "optimeDate" : ISODate("2019-10-24T01:11:30Z"),
            "lastHeartbeat" : ISODate("2019-10-24T01:13:13.320Z"),
            "lastHeartbeatRecv" : ISODate("2019-10-24T01:13:13.259Z"),
            "pingMs" : NumberLong(0),
            "syncingTo" : "192.168.192.251:10001",
            "configVersion" : 1
        },
        {
            "_id" : 2,
            "name" : "192.168.192.250:10001",
            "health" : 1,
            "state" : 7,
            "stateStr" : "ARBITER",
            "uptime" : 593,
            "lastHeartbeat" : ISODate("2019-10-24T01:13:13.301Z"),
            "lastHeartbeatRecv" : ISODate("2019-10-24T01:13:13.185Z"),
            "pingMs" : NumberLong(0),
            "configVersion" : 1
        }
    ],
    "ok" : 1
}
firstset:PRIMARY> 
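The `db.system.users.find()` output above shows what `db.updateUser` actually rewrote: not the password itself but a SCRAM-SHA-1 credential (salt, iteration count, storedKey, serverKey). The following Python script is an added example, not part of the original post. It re-derives those keys the way mongod does for SCRAM-SHA-1 (RFC 5802 key derivation over MongoDB's legacy MD5 pre-hash of `user:mongo:password`), so an administrator can audit a dump of `system.users` offline for accounts still on an initial password such as the `firstset`/`firstset` pair from step 1, without attempting logins. The credential document is copied from the page; the `make_user_doc` fixture builder, the `users_still_on_default` helper and the fixed zero salt in the test are constructed for the example.

```python
import base64
import hashlib
import hmac
import os

# Credential document copied from the page's db.system.users.find() output
# (only the fields the check needs).
PAGE_USER_DOC = {
    "_id": "test.firstset",
    "user": "firstset",
    "db": "test",
    "credentials": {
        "SCRAM-SHA-1": {
            "iterationCount": 10000,
            "salt": "ISdrb4a3Cc0A59vXEUxjOg==",
            "storedKey": "qPn44VuZrJ6QwWzOMBq90vZ5eAo=",
            "serverKey": "rz+CDSlpXHKvUDGg0PCnG2GZCjk=",
        }
    },
}


def scram_sha1_keys(user, password, salt, iterations):
    """Derive (storedKey, serverKey), base64-encoded, as mongod does for
    SCRAM-SHA-1. The PBKDF2 input is the hex MD5 of "user:mongo:password"
    (the old MONGODB-CR digest), not the raw password."""
    pre_hash = hashlib.md5(f"{user}:mongo:{password}".encode("utf-8")).hexdigest()
    salted = hashlib.pbkdf2_hmac("sha1", pre_hash.encode("ascii"),
                                 salt, iterations, dklen=20)
    client_key = hmac.new(salted, b"Client Key", hashlib.sha1).digest()
    stored_key = hashlib.sha1(client_key).digest()          # what the server keeps
    server_key = hmac.new(salted, b"Server Key", hashlib.sha1).digest()
    return (base64.b64encode(stored_key).decode("ascii"),
            base64.b64encode(server_key).decode("ascii"))


def credential_matches(user_doc, candidate_password):
    """True if the document's SCRAM-SHA-1 credential was derived from
    candidate_password (constant-time comparison of both keys)."""
    cred = user_doc["credentials"]["SCRAM-SHA-1"]
    stored, server = scram_sha1_keys(
        user_doc["user"], candidate_password,
        base64.b64decode(cred["salt"]), cred["iterationCount"])
    return (hmac.compare_digest(stored, cred["storedKey"])
            and hmac.compare_digest(server, cred["serverKey"]))


def make_user_doc(user, db, password, salt=None, iterations=10000):
    """Constructed helper: build a system.users-style document for a password,
    useful as a before/after fixture (random 16-byte salt unless supplied)."""
    salt = salt if salt is not None else os.urandom(16)
    stored, server = scram_sha1_keys(user, password, salt, iterations)
    return {
        "_id": f"{db}.{user}", "user": user, "db": db,
        "credentials": {"SCRAM-SHA-1": {
            "iterationCount": iterations,
            "salt": base64.b64encode(salt).decode("ascii"),
            "storedKey": stored, "serverKey": server}},
    }


def users_still_on_default(user_docs, default_password):
    """Names of users whose stored credential still matches an initial or
    default password; the list should be empty after the change is done."""
    return [d["user"] for d in user_docs if credential_matches(d, default_password)]


if __name__ == "__main__":
    print("users still on 'firstset':", users_still_on_default([PAGE_USER_DOC], "firstset"))
```

To audit a real deployment, export `db.system.users.find()` from the `admin` database and pass the documents to `users_still_on_default` with each initial password handed out at provisioning time; a non-empty list means step 4 was skipped for that account. Because the salt is random per credential, two users with the same password still get different keys, which is why the check recomputes the derivation per document rather than comparing storedKey values across users.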


  For setting up MongoDB keyFile authentication, see:
http://blog.itpub.net/29357786/viewspace-2130594/


From "ITPUB Blog", link: http://blog.itpub.net/29357786/viewspace-2661742/. If you reproduce this article, please credit the source; otherwise legal action may be taken.
