MongoDB是非關係型資料庫，其資料庫安全方面與mysql 5.7之前的版本很相似，剛安裝完資料庫

軟體及例項初始化後，資料庫沒有安全可言。簡言之，新初始化的mongodb沒有安全限制，如果資料

庫在公網上，任意機器可透過網際網路透過mongo任意客戶端連線到資料庫。因此，在MongoDB投產

之前，需要對MongoDB進行安全方面的加固。這裡，介紹一主一從一仲裁的Mongodb架構的使用者密碼

修改。

1、登陸mongodb資料庫叢集主庫，建立超級管理使用者

db.createUser(

{

user:"firstset",

pwd:"firstset",

roles:[{role:"userAdminAnyDatabase",db:"admin"}]

}

);

2、修改zhul的密碼，檢查mogodb程式，注意埠號

ps -ef|grep mongod

mongo 10836 1 0 09:02 ? 00:00:03 mongod --dbpath /opt/mongo/data/dns_repset1 --port 10001 --replSet firstset --oplogSize 512 --rest --fork --logpath /opt/mongo/logs/firstset/firstset.log --logappend --nojournal --directoryperdb --keyFile /opt/mongo/keyfile/keyfile

mongo 10997 9767 0 09:09 pts/3 00:00:00 grep --color=auto mongod

3、修改zhul的密碼，檢查當前資料庫是否免密登陸

[mongo@mongo1 keyfile]$ mongo --port 10001

MongoDB shell version: 3.2.11-49-g52b68fa

connecting to: 127.0.0.1:10001/test

firstset:PRIMARY> show dbs

2019-10-24T09:09:31.298+0800 E QUERY [thread1] Error: listDatabases failed:{

"ok" : 0,

"errmsg" : " not authorized on admin to execute command { listDatabases: 1.0 }",

"code" : 13

} :

_getErrorWithCode@src/mongo/shell/utils.js:25:13

Mongo.prototype.getDBs@src/mongo/shell/mongo.js:62:1

shellHelper.show@src/mongo/shell/utils.js:761:19

shellHelper@src/mongo/shell/utils.js:651:15

@(shellhelp2):1:1

firstset:PRIMARY> exit

bye

透過驗證，當前資料庫試用了keyfile安全認證校驗，免密登陸會拒絕執行任何命令

4、修改zhul的密碼，如果知曉被修改使用者的密碼可以使用賬號密碼登入，也可以取消keyfile安全限制

免密登陸修改相關使用者的密碼後，再啟用keyfile安全認證

[mongo@mongo1 keyfile]$ mongo -u firstset -p firstset --port 10001

MongoDB shell version: 3.2.11-49-g52b68fa

connecting to: 127.0.0.1:10001/test

Server has startup warnings:

2019-10-24T09:02:45.827+0800 I CONTROL [main] ** WARNING: --rest is specified without --httpinterface,

2019-10-24T09:02:45.827+0800 I CONTROL [main] ** enabling http interface

2019-10-24T09:02:46.023+0800 I CONTROL [initandlisten]

2019-10-24T09:02:46.023+0800 I CONTROL [initandlisten] ** WARNING: The server is started with the web server interface and access control.

2019-10-24T09:02:46.023+0800 I CONTROL [initandlisten] ** The web interfaces (rest, httpinterface and/or jsonp) are insecure

2019-10-24T09:02:46.023+0800 I CONTROL [initandlisten] ** and should be disabled unless required for backward compatibility.

2019-10-24T09:02:46.023+0800 I CONTROL [initandlisten]

2019-10-24T09:02:46.023+0800 I CONTROL [initandlisten] ** WARNING: /sys/kernel/mm/transparent_hugepage/enabled is 'always'.

2019-10-24T09:02:46.023+0800 I CONTROL [initandlisten] ** We suggest setting it to 'never'

2019-10-24T09:02:46.023+0800 I CONTROL [initandlisten]

2019-10-24T09:02:46.023+0800 I CONTROL [initandlisten] ** WARNING: /sys/kernel/mm/transparent_hugepage/defrag is 'always'.

2019-10-24T09:02:46.024+0800 I CONTROL [initandlisten] ** We suggest setting it to 'never'

2019-10-24T09:02:46.024+0800 I CONTROL [initandlisten]

firstset:PRIMARY> show dbs;

admin 0.000GB

dns_testdb 0.004GB

local 0.008GB

firstset:PRIMARY> db.updateUser("firstset",{pwd:"rootroot"});

firstset:PRIMARY> exit

bye

5、驗證密碼修改

--錯誤的使用者名稱或者密碼登入被拒絕

[mongo@mongo1 keyfile]$ mongo -u firstset -p firstset --port 10001

MongoDB shell version: 3.2.11-49-g52b68fa

connecting to: 127.0.0.1:10001/test

2019-10-24T09:11:35.167+0800 E QUERY [thread1] Error: Authentication failed. :

DB.prototype._authOrThrow@src/mongo/shell/db.js:1441:20

@(auth):6:1

@(auth):1:2

exception: login failed

--使用正確的使用者名稱和密碼登入後可以正常執行操作

[mongo@mongo1 keyfile]$ mongo -u firstset -p rootroot --port 10001

MongoDB shell version: 3.2.11-49-g52b68fa

connecting to: 127.0.0.1:10001/test

Server has startup warnings:

2019-10-24T09:02:45.827+0800 I CONTROL [main] ** WARNING: --rest is specified without --httpinterface,

2019-10-24T09:02:45.827+0800 I CONTROL [main] ** enabling http interface

2019-10-24T09:02:46.023+0800 I CONTROL [initandlisten]

2019-10-24T09:02:46.023+0800 I CONTROL [initandlisten] ** WARNING: The server is started with the web server interface and access control.

2019-10-24T09:02:46.023+0800 I CONTROL [initandlisten] ** The web interfaces (rest, httpinterface and/or jsonp) are insecure

2019-10-24T09:02:46.023+0800 I CONTROL [initandlisten] ** and should be disabled unless required for backward compatibility.

2019-10-24T09:02:46.023+0800 I CONTROL [initandlisten]

2019-10-24T09:02:46.023+0800 I CONTROL [initandlisten] ** WARNING: /sys/kernel/mm/transparent_hugepage/enabled is 'always'.

2019-10-24T09:02:46.023+0800 I CONTROL [initandlisten] ** We suggest setting it to 'never'

2019-10-24T09:02:46.023+0800 I CONTROL [initandlisten]

2019-10-24T09:02:46.023+0800 I CONTROL [initandlisten] ** WARNING: /sys/kernel/mm/transparent_hugepage/defrag is 'always'.

2019-10-24T09:02:46.024+0800 I CONTROL [initandlisten] ** We suggest setting it to 'never'

2019-10-24T09:02:46.024+0800 I CONTROL [initandlisten]

firstset:PRIMARY> show dbs;

admin 0.000GB

dns_testdb 0.004GB

local 0.008GB

firstset:PRIMARY> use admin

switched to db admin

firstset:PRIMARY> show collections;

system.users

system.version

firstset:PRIMARY> db.system.users.find();

{ "_id" : "test.firstset", "user" : "firstset", "db" : "test", "credentials" : { "SCRAM-SHA-1" : { "iterationCount" : 10000, "salt" : "ISdrb4a3Cc0A59vXEUxjOg==", "storedKey" : "qPn44VuZrJ6QwWzOMBq90vZ5eAo=", "serverKey" : "rz+CDSlpXHKvUDGg0PCnG2GZCjk=" } }, "roles" : [ { "role" : "root", "db" : "admin" } ] }

firstset:PRIMARY> use dns_testdbuse dns_testdb

switched to db dns_testdb

firstset:PRIMARY> show collections;

test_collection

firstset:PRIMARY> db.test_collection.findOne();

{

"_id" : ObjectId("5d8434a5b138ddafc446e13b"),

"name" : "cow",

"user_id" : 48149,

"boolean" : false,

"added_at" : ISODate("2019-09-20T02:08:37.116Z"),

"number" : 1743

}

firstset:PRIMARY>

firstset:PRIMARY> rs.status();

{

"set" : "firstset",

"date" : ISODate("2019-10-24T01:13:15.006Z"),

"myState" : 1,

"term" : NumberLong(7),

"heartbeatIntervalMillis" : NumberLong(2000),

"members" : [

{

"_id" : 0,

"name" : "192.168.192.251:10001",

"health" : 1,

"state" : 1,

"stateStr" : "PRIMARY",

"uptime" : 630,

"optime" : {

"ts" : Timestamp(1571879490, 1),

"t" : NumberLong(7)

},

"optimeDate" : ISODate("2019-10-24T01:11:30Z"),

"electionTime" : Timestamp(1571879010, 1),

"electionDate" : ISODate("2019-10-24T01:03:30Z"),

"configVersion" : 1,

"self" : true

},

{

"_id" : 1,

"name" : "192.168.192.252:10001",

"health" : 1,

"state" : 2,

"stateStr" : "SECONDARY",

"uptime" : 566,

"optime" : {

"ts" : Timestamp(1571879490, 1),

"t" : NumberLong(7)

},

"optimeDate" : ISODate("2019-10-24T01:11:30Z"),

"lastHeartbeat" : ISODate("2019-10-24T01:13:13.320Z"),

"lastHeartbeatRecv" : ISODate("2019-10-24T01:13:13.259Z"),

"pingMs" : NumberLong(0),

"syncingTo" : "192.168.192.251:10001",

"configVersion" : 1

},

{

"_id" : 2,

"name" : "192.168.192.250:10001",

"health" : 1,

"state" : 7,

"stateStr" : "ARBITER",

"uptime" : 593,

"lastHeartbeat" : ISODate("2019-10-24T01:13:13.301Z"),

"lastHeartbeatRecv" : ISODate("2019-10-24T01:13:13.185Z"),

"pingMs" : NumberLong(0),

"configVersion" : 1

}

],

"ok" : 1

}

firstset:PRIMARY>

MongoDB的keyFile認證設定，可以參考：

http://blog.itpub.net/29357786/viewspace-2130594/

MongoDB 資料庫安全之使用者密碼修改

相關文章