MongoDB:用户认证
MongoDB 安装后默认不启用认证,也就是说在本地可以通过 mongo 命令不输入用户名密码,
直接登陆到数据库,下面介绍下启用 mongodb 用户认证,详细如下:
启用 mongodb 认证只需要在启动 mongod 服务时配置 auth 参数成 'true'即可可 ,在配置
参数前先添加超级用户。
一 启用认证
--1.1 增加管理用户
> use admin;
switched to db admin
> db.addUser('root','123456');
{
"user" : "root",
"readOnly" : false,
"pwd" : "34e5772aa66b703a319641d42a47d696",
"_id" : ObjectId("50ad456a0b12589bdc45cf92")
}
> db.system.users.find();
{ "_id" : ObjectId("50ad6ecda579c47efacf811b"), "user" : "root", "readOnly" : false, "pwd" : "34e5772aa66b703a319641d42a47d696" }
备注:在 admin 库中增加的用户为超级用户,权限最大,可以访问所有库。
--1.2 增加普通用户
> use skytf;
switched to db skytf
> db.addUser('skytf','skytf');
{
"user" : "skytf",
"readOnly" : false,
"pwd" : "8c438fc9e2031577cea03806db0ee137",
"_id" : ObjectId("50ad45dd0b12589bdc45cf93")
}
> db.system.users.find();
{ "_id" : ObjectId("50ad6ef3a579c47efacf811c"), "user" : "skytf", "readOnly" : false, "pwd" : "8c438fc9e2031577cea03806db0ee137" }
--1.3 配置 auth 参数
vim /database/mongodb/data/mongodb_27017.conf,增加 " auth = true ” 参数
fork = true
bind_ip = 127.0.0.1
port = 27017
quiet = true
dbpath = /database/mongodb/data/
logpath = /var/applog/mongo_log/mongo.log
logappend = true
journal = true
auth = true
备注:增加 “auth = true” 配置。
--1.4 重启 mongodb
[mongo@redhatB data]$ ps -ef | grep mongo
root 10887 10859 0 04:47 pts/0 00:00:00 su - mongo
mongo 10889 10887 0 04:47 pts/0 00:00:00 -bash
root 10984 10964 0 04:53 pts/1 00:00:00 su - mongo
mongo 10986 10984 0 04:53 pts/1 00:00:00 -bash
mongo 12749 1 0 07:54 ? 00:00:01 mongod -f /database/mongodb/data/mongodb_27017.conf
mongo 13035 10986 13 08:21 pts/1 00:00:00 ps -ef
mongo 13036 10986 0 08:21 pts/1 00:00:00 grep mongo
[mongo@redhatB data]$ kill 12749
[mongo@redhatB data]$ mongod -f /database/mongodb/data/mongodb_27017.conf
forked process: 13042
all output going to: /var/applog/mongo_log/mongo.log
--1.5 测试 skytf 帐号
[mongo@redhatB data]$ mongo 127.0.0.1/skytf -u skytf -p
MongoDB shell version: 2.2.1
Enter password:
connecting to: 127.0.0.1/skytf
Error: { errmsg: "auth fails", ok: 0.0 }
Thu Nov 22 08:23:11 uncaught exception: login failed
exception: login failed
[mongo@redhatB data]$ mongo 127.0.0.1/skytf -u skytf -p
MongoDB shell version: 2.2.1
Enter password:
connecting to: 127.0.0.1/skytf
> show collections;
system.indexes
system.users
test_1
test_2
test_3
test_4
things
things_1
> db.test_5.find();
{ "_id" : ObjectId("50ad7177d114dcf18a8bb220"), "id" : 1 }
> show dbs;
Thu Nov 22 08:24:03 uncaught exception: listDatabases failed:{ "errmsg" : "need to login", "ok" : 0 }
> use test;
switched to db test
> show collections;
Thu Nov 22 09:01:32 uncaught exception: error: {
"$err" : "unauthorized db:test ns:test.system.namespaces lock type:0 client:127.0.0.1",
"code" : 10057
备注:从上看出, skytf 用户的认证已生效,并且能查看数据库 skytf 里的集合,但不能执行 “show dbs”
命令;并且能连接数据库 test ,但没有权限执行“show collections” 命令。
二 切换用户
--2.1 在普通库中切换成 root 用户
> use test;
switched to db test
> db.auth('root','123456');db.auth('root','123456');
Error: { errmsg: "auth fails", ok: 0.0 }
0
备注:在普通库中切换成超级用户失败,超级用户需要在 admin 库中切换才能生效。
--2.2 在 admin 库中切换成 root 用户
> use admin;
switched to db admin
> db.auth('root','123456');
1
备注:在 admin 库中切换成超级用户成功。
三 新增只读帐号
--3.1 增加只读帐号
> db.addUser('skytf_select','skytf_select',true);
{
"user" : "skytf_select",
"readOnly" : true,
"pwd" : "e344f93a69f20ca9f3dfbc40da4a3082",
"_id" : ObjectId("50ad71c7d114dcf18a8bb221")
}
> db.system.users.find();db.system.users.find();
{ "_id" : ObjectId("50ad6ef3a579c47efacf811c"), "user" : "skytf", "readOnly" : false, "pwd" : "8c438fc9e2031577cea03806db0ee137" }
{ "_id" : ObjectId("50ad71c7d114dcf18a8bb221"), "user" : "skytf_select", "readOnly" : true, "pwd" : "e344f93a69f20ca9f3dfbc40da4a3082" }
备注:只需在 addUser 命令中增加第三个参数,并指定为“true” ,即可创建只读帐号。
--3.2 测试
[mongo@redhatB data]$ mongo 127.0.0.1/skytf -u skytf_select -p
MongoDB shell version: 2.2.1
Enter password:
connecting to: 127.0.0.1/skytf
> show collections;
system.indexes
system.users
test_1
test_2
test_3
test_4
test_5
things
things_1
> db.test_5.find();
{ "_id" : ObjectId("50ad7177d114dcf18a8bb220"), "id" : 1 }
{ "_id" : ObjectId("50ad724ed114dcf18a8bb222"), "id" : 2 }
> db.test_5.save({id:3});
unauthorized
备注:以只读帐号 skytf_select 登陆库 skytf,有权限执行查询操作,没有权限执行插入操作;
四 附 命令参考
--4.1 db.addUser
Parameters:
username (string) – Specifies a new username.
password (string) – Specifies the corresponding password.
readOnly (boolean) – Optional. Restrict a user to read-privileges only. Defaults to false.
Use this function to create new database users, by specifying a username and password as arguments
to the command. If you want to restrict the user to have only read-only privileges, supply a true third
argument; however, this defaults to false。
--4.2 db.auth
Parameters:
username (string) – Specifies an existing username with access privileges for this database.
password (string) – Specifies the corresponding password.
Allows a user to authenticate to the database from within the shell. Alternatively use mongo
--username and --password to specify authentication credentials.
五 参考
http://docs.mongodb.org/manual/tutorial/control-access-to-mongodb-with-authentication/
http://docs.mongodb.org/manual/administration/security/
http://blog.163.com/dazuiba_008/blog/static/36334981201110311534143/
-----以上是单个mongodb的用户认证,下面是集群的
7、登录mongos添加用户:
use admin
db.addUser("<user>","<password>")
db.addUser("<user>","<password>",true) //添加只读用户
8、关闭三台机器的全部mongod,mongos:
sudo killall mongod
sudo killall mongos
9、生成keyfile:(每个进程的key file都保持一致)
openssl rand -base64 753 >keyfile
将生成的keyfile 拷贝到mongod/mongos 进程对应的文件夹
并执行语句更改权限:sudo chmod 600 keyfile
使用--keyFile参数指定前面生成的keyfile文件,重启三台机器全部mongod,mongos进程
在serverA上:mongod --replSet s1 --port 27020 --dbpath=/data/mongo/s1_1/db --logpath=/data/mongo/s1_1/log/mongo.log --logappend --fork --keyFile /data/mongo/s1_1/keyfile
在serverB上:mongod --replSet s1 --port 27020 --dbpath=/data/mongo/s1_2/db --logpath=/data/mongo/s1_2/log/mongo.log --logappend --fork --keyFile /data/mongo/s1_2/keyfile
在serverC上:mongod --replSet s1 --port 27020 --dbpath=/data/mongo/s1_3/db --logpath=/data/mongo/s1_3/log/mongo.log --logappend --fork --keyFile /data/mongo/s1_3/keyfile
在serverA上:mongod --replSet s2 --port 27021 --dbpath=/data/mongo/s2_1/db --logpath=/data/mongo/s2_1/log/mongo.log --logappend --fork --keyFile /data/mongo/s2_1/keyfile
在serverB上:mongod --replSet s2 --port 27021 --dbpath=/data/mongo/s2_2/db --logpath=/data/mongo/s2_2/log/mongo.log --logappend --fork --keyFile /data/mongo/s2_2/keyfile
在serverC上:mongod --replSet s2 --port 27021 --dbpath=/data/mongo/s2_3/db --logpath=/data/mongo/s2_3/log/mongo.log --logappend --fork --keyFile /data/mongo/s2_3/keyfile
在serverA上:mongod -fork --configsvr --dbpath /data/mongo/config/db --port 27018 --logpath /data/mongo/config/log/mongo.log --fork --keyFile /data/mongo/config/keyfile
在serverB上:mongod -fork --configsvr --dbpath /data/mongo/config/db --port 27018 --logpath /data/mongo/config/log/mongo.log --fork --keyFile /data/mongo/config/keyfile
在serverC上:mongod -fork --configsvr --dbpath /data/mongo/config/db --port 27018 --logpath /data/mongo/config/log/mongo.log --fork --keyFile /data/mongo/config/keyfile
在serverA上:mongos -fork --logpath /data/mongo/route/log/mongo.log --configdb ServerA:27018,ServerB:27018,ServerC:27018 --port 27017 --keyFile /data/mongo/route/keyfile
在serverB上:mongos -fork --logpath /data/mongo/route/log/mongo.log --configdb ServerA:27018,ServerB:27018,ServerC:27018 --port 27017 --keyFile /data/mongo/route/keyfile
在serverC上:mongos -fork --logpath /data/mongo/route/log/mongo.log --configdb ServerA:27018,ServerB:27018,ServerC:27018 --port 27017 --keyFile /data/mongo/route/keyfile
完毕!
------------------------
安全与认证
如果开启了安全性检查,则只有数据库认证用户才能执行读或写操作。
mongodb会将普通的数据作为admin数据库处理,admin数据库中的用户被视为超级用户。
认证之后,管理员可以读写所有数据库,执行特定的管理命令,如listDatabase和shutdown
mongos> use admin
switched to db admin
mongos> db.addUser("root","abc")
{
"user" : "root",
"readOnly" : false,
"pwd" : "9ebcc685b65db596c75fd6128803440f",
"_id" : ObjectId("54213c293a41399ef4a3d60e")
}
use test
mongos> db.addUser("test_user","def");
{
"user" : "test_user",
"readOnly" : false,
"pwd" : "2d7ad5ae62d41e5253c32831a63079b1",
"_id" : ObjectId("54213c5f3a41399ef4a3d60f")
}
mongos> db.addUser("read_only","ghi",true);
{
"user" : "read_only",
"readOnly" : true,
"pwd" : "67e8e24078ad4a487c54cb16527af13a",
"_id" : ObjectId("54213c7d3a41399ef4a3d610")
}
mongos> db.system.users.find();
{ "_id" : ObjectId("54213c293a41399ef4a3d60e"), "user" : "root", "readOnly" : false, "pwd" : "9ebcc685b65db596c75fd6128803440f" }
{ "_id" : ObjectId("54213c5f3a41399ef4a3d60f"), "user" : "test_user", "readOnly" : false, "pwd" : "2d7ad5ae62d41e5253c32831a63079b1" }
{ "_id" : ObjectId("54213c7d3a41399ef4a3d610"), "user" : "read_only", "readOnly" : true, "pwd" : "67e8e24078ad4a487c54cb16527af13a" }
上面添加了管理员root,在test数据库添加了两个普通账号,其中一个有只读权限,不能对数据库写入
调用addUser必须有相应数据库的写权限。
addUser不仅能添加用户,还能修改用户口令或者只读窗台。
重启服务器,加入--auth命令行选项,开启安全检查。跟刚刚一样的,需要
[root@viptest2 ~]# openssl rand
Usage: rand [options] num
where options are
-out file - write to file
-engine e - use engine e, possibly a hardware device.
-rand file:file:... - seed PRNG from files
-base64 - base64 encode output
-hex - hex encode output
[root@viptest2 ~]# openssl rand -base64 753
WYPee/+hqZZ+SLJuTtupYklSJRGWS0sH7yZ1qxSa9ErBsriyHRsaKVCKN7Ngu/BS
B0D1QKyBGZ3A+JXugLu+n7d319AKwQkX+6SBff1KS4KWL6biaX9oURuQMgb6HUty
e6ep4kFqpt2zkE6SqY8Rg7Cuouhs/CQsrgpU7af5CfSLXMBGED284wKaE+wh7yls
QVznZCoIjR2mrb68P0r4bgivynRyRq49TgdxmiQmXCXKXNNyVPG8MjzWtJaTazR6
/lvSfDWqk+VDC0b97MFEdPEsQiLNa6EAv8xqN9aycaJH+bQANtysala0wxsqDv8q
YuT9EmnTJM6F5L3Z8PK7EZKtSOlXnJaEX2jvLfwpYNTH4nhHkQV9KZJXD6lGx7Wn
ifnqIl3pVyxDBGDe9PBmgeh0+sgaK8jHP386h4gU5MkX/bEHDV8TL60kU+cARJ0C
xeHNy8IQer1c9E5n1D6iT9JqdidSgfKWOYGB7l937hTjdVQG9ektxGGM39Y04ObV
FpB87QZFoVhOobb/TTbV5tl64rmjBlN0bhH0kDmBvIvFT3GfTyYa92+1QxAAXC4k
3ge0fDKoocxw0LmQdJpE7n6Zn8HBzC20EzxJ4yqCmY1kfhRjS1X6zMk1Xi2nOoIY
myGqEvkrkWybBWh83WSSlhMtBgvFzgo8rnT+ru/r3BaFXkRRM1DX1Cvw5G9+qG8i
7AvJdYZpheqLR71GFjZc+PSRiBD+PKlkZJjYe8fJM9VXO/ZZGcShasrr+A3rHLb8
j92AmLbIU8nZwW54gcs8lZC0ufOrhauxNhCay7k8YXhxqr/+3HQvAH8OZYWRZfdG
gXMo0fOk8HsmuahMN9U3TiAmBoh6MhOHyGefJF8O7g6iP0TkQxWWDQLuUqWJZnzu
lLwK8Na4B7gnoHlRt7lWBYLuUM1PTcKF7RtVuARkvlmE6FsrRIpc5RL8k25Ed67H
NSZ7PpP2xLmHvC27CBCw5A9gux3r
在testdb中创建一个普通用户
mongos> use testdb
switched to db testdb
mongos> db.addUser('putong','putong');
{
"user" : "putong",
"readOnly" : false,
"pwd" : "9bef249456e43c9b819a4ff08f66c744",
"_id" : ObjectId("542142ea2f4e2dc152cf19c0")
}
mongos> db.system.users.find();
{ "_id" : ObjectId("542142ea2f4e2dc152cf19c0"), "user" : "putong", "readOnly" : false, "pwd" : "9bef249456e43c9b819a4ff08f66c744" }
[root@testvip1 ~]# openssl rand -base64 753 >keyfile1
[root@testvip1 ~]# chmod 600 keyfile1
[root@testvip1 ~]# scp keyfile1 192.168.12.107:/root
keyfile1 100% 1020 1.0KB/s 00:00
[root@testvip1 ~]# mongod --dbpath=/mongo1 --port 27017 --rest --keyFile=/root/keyfile1 --分配和config每个都这么启动
[root@viptest2 ~]# mongos --port 27021 --configdb=192.168.12.107:27018 --keyFile=/root/keyfile1 --mongos这么启动
使用mongo 192.168.12.107:27021/admin 登录进来后,可以看到,权限已经变更,需要认证才能进行操作。
> db.usr.find().limit(10);
error: { "$err" : "not authorized for query on testdb.usr", "code" : 16549 }
[root@viptest2 ~]# mongo 192.168.12.107:27021/admin -u root -p 使用用户root 密码abc进来
MongoDB shell version: 2.4.6
Enter password:
connecting to: 192.168.12.107:27021/admin
mongos>
use testdb
> db.auth('putong','putong');
1
> show collections;
address
blog
games
people
system.indexes
system.users
testa
usr
> use admin
switched to db admin
> show dbs
Tue Sep 23 18:19:10.744 listDatabases failed:{
"note" : "not authorized for command: listDatabases on database admin",
"ok" : 0,
"errmsg" : "unauthorized"
} at src/mongo/shell/mongo.js:46
> db.auth('root','abc');
1
---只有在admin中定义的用户,才能在admin中认证通过,在testdb中都不行
备注:在普通库中切换成超级用户失败,超级用户需要在 admin 库中切换才能生效
mongos> db.addUser('putong','putong',true); --这里是进的admin,是超级用户,将putong用户改成readonly
{
"_id" : ObjectId("542142ea2f4e2dc152cf19c0"),
"user" : "putong",
"readOnly" : true,
"pwd" : "9bef249456e43c9b819a4ff08f66c744"
}
只读用户的登录
[root@viptest2 ~]# mongo 192.168.12.107:27021/testdb -u putong -p
MongoDB shell version: 2.4.6
Enter password:
connecting to: 192.168.12.107:27021/testdb
>
> db.testa.insert({"name":"haha"});
not authorized for insert on testdb.testa --putong用户只有只读权限
------------------------------------------------
MongoDB 安装后默认不启用认证,也就是说在本地可以通过 mongo 命令不输入用户名密码,
直接登陆到数据库,下面介绍下启用 mongodb 用户认证,详细如下:
启用 mongodb 认证只需要在启动 mongod 服务时配置 auth 参数成 'true'即可可 ,在配置
参数前先添加超级用户。
一 启用认证
--1.1 增加管理用户
> use admin;
switched to db admin
> db.addUser('root','123456');
{
"user" : "root",
"readOnly" : false,
"pwd" : "34e5772aa66b703a319641d42a47d696",
"_id" : ObjectId("50ad456a0b12589bdc45cf92")
}
> db.system.users.find();
{ "_id" : ObjectId("50ad6ecda579c47efacf811b"), "user" : "root", "readOnly" : false, "pwd" : "34e5772aa66b703a319641d42a47d696" }
备注:在 admin 库中增加的用户为超级用户,权限最大,可以访问所有库。
--1.2 增加普通用户
> use skytf;
switched to db skytf
> db.addUser('skytf','skytf');
{
"user" : "skytf",
"readOnly" : false,
"pwd" : "8c438fc9e2031577cea03806db0ee137",
"_id" : ObjectId("50ad45dd0b12589bdc45cf93")
}
> db.system.users.find();
{ "_id" : ObjectId("50ad6ef3a579c47efacf811c"), "user" : "skytf", "readOnly" : false, "pwd" : "8c438fc9e2031577cea03806db0ee137" }
--1.3 配置 auth 参数
vim /database/mongodb/data/mongodb_27017.conf,增加 " auth = true ” 参数
fork = true
bind_ip = 127.0.0.1
port = 27017
quiet = true
dbpath = /database/mongodb/data/
logpath = /var/applog/mongo_log/mongo.log
logappend = true
journal = true
auth = true
备注:增加 “auth = true” 配置。
--1.4 重启 mongodb
[mongo@redhatB data]$ ps -ef | grep mongo
root 10887 10859 0 04:47 pts/0 00:00:00 su - mongo
mongo 10889 10887 0 04:47 pts/0 00:00:00 -bash
root 10984 10964 0 04:53 pts/1 00:00:00 su - mongo
mongo 10986 10984 0 04:53 pts/1 00:00:00 -bash
mongo 12749 1 0 07:54 ? 00:00:01 mongod -f /database/mongodb/data/mongodb_27017.conf
mongo 13035 10986 13 08:21 pts/1 00:00:00 ps -ef
mongo 13036 10986 0 08:21 pts/1 00:00:00 grep mongo
[mongo@redhatB data]$ kill 12749
[mongo@redhatB data]$ mongod -f /database/mongodb/data/mongodb_27017.conf
forked process: 13042
all output going to: /var/applog/mongo_log/mongo.log
--1.5 测试 skytf 帐号
[mongo@redhatB data]$ mongo 127.0.0.1/skytf -u skytf -p
MongoDB shell version: 2.2.1
Enter password:
connecting to: 127.0.0.1/skytf
Error: { errmsg: "auth fails", ok: 0.0 }
Thu Nov 22 08:23:11 uncaught exception: login failed
exception: login failed
[mongo@redhatB data]$ mongo 127.0.0.1/skytf -u skytf -p
MongoDB shell version: 2.2.1
Enter password:
connecting to: 127.0.0.1/skytf
> show collections;
system.indexes
system.users
test_1
test_2
test_3
test_4
things
things_1
> db.test_5.find();
{ "_id" : ObjectId("50ad7177d114dcf18a8bb220"), "id" : 1 }
> show dbs;
Thu Nov 22 08:24:03 uncaught exception: listDatabases failed:{ "errmsg" : "need to login", "ok" : 0 }
> use test;
switched to db test
> show collections;
Thu Nov 22 09:01:32 uncaught exception: error: {
"$err" : "unauthorized db:test ns:test.system.namespaces lock type:0 client:127.0.0.1",
"code" : 10057
备注:从上看出, skytf 用户的认证已生效,并且能查看数据库 skytf 里的集合,但不能执行 “show dbs”
命令;并且能连接数据库 test ,但没有权限执行“show collections” 命令。
二 切换用户
--2.1 在普通库中切换成 root 用户
> use test;
switched to db test
> db.auth('root','123456');db.auth('root','123456');
Error: { errmsg: "auth fails", ok: 0.0 }
0
备注:在普通库中切换成超级用户失败,超级用户需要在 admin 库中切换才能生效。
--2.2 在 admin 库中切换成 root 用户
> use admin;
switched to db admin
> db.auth('root','123456');
1
备注:在 admin 库中切换成超级用户成功。
三 新增只读帐号
--3.1 增加只读帐号
> db.addUser('skytf_select','skytf_select',true);
{
"user" : "skytf_select",
"readOnly" : true,
"pwd" : "e344f93a69f20ca9f3dfbc40da4a3082",
"_id" : ObjectId("50ad71c7d114dcf18a8bb221")
}
> db.system.users.find();db.system.users.find();
{ "_id" : ObjectId("50ad6ef3a579c47efacf811c"), "user" : "skytf", "readOnly" : false, "pwd" : "8c438fc9e2031577cea03806db0ee137" }
{ "_id" : ObjectId("50ad71c7d114dcf18a8bb221"), "user" : "skytf_select", "readOnly" : true, "pwd" : "e344f93a69f20ca9f3dfbc40da4a3082" }
备注:只需在 addUser 命令中增加第三个参数,并指定为“true” ,即可创建只读帐号。
--3.2 测试
[mongo@redhatB data]$ mongo 127.0.0.1/skytf -u skytf_select -p
MongoDB shell version: 2.2.1
Enter password:
connecting to: 127.0.0.1/skytf
> show collections;
system.indexes
system.users
test_1
test_2
test_3
test_4
test_5
things
things_1
> db.test_5.find();
{ "_id" : ObjectId("50ad7177d114dcf18a8bb220"), "id" : 1 }
{ "_id" : ObjectId("50ad724ed114dcf18a8bb222"), "id" : 2 }
> db.test_5.save({id:3});
unauthorized
备注:以只读帐号 skytf_select 登陆库 skytf,有权限执行查询操作,没有权限执行插入操作;
四 附 命令参考
--4.1 db.addUser
Parameters:
username (string) – Specifies a new username.
password (string) – Specifies the corresponding password.
readOnly (boolean) – Optional. Restrict a user to read-privileges only. Defaults to false.
Use this function to create new database users, by specifying a username and password as arguments
to the command. If you want to restrict the user to have only read-only privileges, supply a true third
argument; however, this defaults to false。
--4.2 db.auth
Parameters:
username (string) – Specifies an existing username with access privileges for this database.
password (string) – Specifies the corresponding password.
Allows a user to authenticate to the database from within the shell. Alternatively use mongo
--username and --password to specify authentication credentials.
五 参考
http://docs.mongodb.org/manual/tutorial/control-access-to-mongodb-with-authentication/
http://docs.mongodb.org/manual/administration/security/
http://blog.163.com/dazuiba_008/blog/static/36334981201110311534143/
-----以上是单个mongodb的用户认证,下面是集群的
7、登录mongos添加用户:
use admin
db.addUser("<user>","<password>")
db.addUser("<user>","<password>",true) //添加只读用户
8、关闭三台机器的全部mongod,mongos:
sudo killall mongod
sudo killall mongos
9、生成keyfile:(每个进程的key file都保持一致)
openssl rand -base64 753 >keyfile
将生成的keyfile 拷贝到mongod/mongos 进程对应的文件夹
并执行语句更改权限:sudo chmod 600 keyfile
使用--keyFile参数指定前面生成的keyfile文件,重启三台机器全部mongod,mongos进程
在serverA上:mongod --replSet s1 --port 27020 --dbpath=/data/mongo/s1_1/db --logpath=/data/mongo/s1_1/log/mongo.log --logappend --fork --keyFile /data/mongo/s1_1/keyfile
在serverB上:mongod --replSet s1 --port 27020 --dbpath=/data/mongo/s1_2/db --logpath=/data/mongo/s1_2/log/mongo.log --logappend --fork --keyFile /data/mongo/s1_2/keyfile
在serverC上:mongod --replSet s1 --port 27020 --dbpath=/data/mongo/s1_3/db --logpath=/data/mongo/s1_3/log/mongo.log --logappend --fork --keyFile /data/mongo/s1_3/keyfile
在serverA上:mongod --replSet s2 --port 27021 --dbpath=/data/mongo/s2_1/db --logpath=/data/mongo/s2_1/log/mongo.log --logappend --fork --keyFile /data/mongo/s2_1/keyfile
在serverB上:mongod --replSet s2 --port 27021 --dbpath=/data/mongo/s2_2/db --logpath=/data/mongo/s2_2/log/mongo.log --logappend --fork --keyFile /data/mongo/s2_2/keyfile
在serverC上:mongod --replSet s2 --port 27021 --dbpath=/data/mongo/s2_3/db --logpath=/data/mongo/s2_3/log/mongo.log --logappend --fork --keyFile /data/mongo/s2_3/keyfile
在serverA上:mongod -fork --configsvr --dbpath /data/mongo/config/db --port 27018 --logpath /data/mongo/config/log/mongo.log --fork --keyFile /data/mongo/config/keyfile
在serverB上:mongod -fork --configsvr --dbpath /data/mongo/config/db --port 27018 --logpath /data/mongo/config/log/mongo.log --fork --keyFile /data/mongo/config/keyfile
在serverC上:mongod -fork --configsvr --dbpath /data/mongo/config/db --port 27018 --logpath /data/mongo/config/log/mongo.log --fork --keyFile /data/mongo/config/keyfile
在serverA上:mongos -fork --logpath /data/mongo/route/log/mongo.log --configdb ServerA:27018,ServerB:27018,ServerC:27018 --port 27017 --keyFile /data/mongo/route/keyfile
在serverB上:mongos -fork --logpath /data/mongo/route/log/mongo.log --configdb ServerA:27018,ServerB:27018,ServerC:27018 --port 27017 --keyFile /data/mongo/route/keyfile
在serverC上:mongos -fork --logpath /data/mongo/route/log/mongo.log --configdb ServerA:27018,ServerB:27018,ServerC:27018 --port 27017 --keyFile /data/mongo/route/keyfile
完毕!
------------------------
安全与认证
如果开启了安全性检查,则只有数据库认证用户才能执行读或写操作。
mongodb会将普通的数据作为admin数据库处理,admin数据库中的用户被视为超级用户。
认证之后,管理员可以读写所有数据库,执行特定的管理命令,如listDatabase和shutdown
mongos> use admin
switched to db admin
mongos> db.addUser("root","abc")
{
"user" : "root",
"readOnly" : false,
"pwd" : "9ebcc685b65db596c75fd6128803440f",
"_id" : ObjectId("54213c293a41399ef4a3d60e")
}
use test
mongos> db.addUser("test_user","def");
{
"user" : "test_user",
"readOnly" : false,
"pwd" : "2d7ad5ae62d41e5253c32831a63079b1",
"_id" : ObjectId("54213c5f3a41399ef4a3d60f")
}
mongos> db.addUser("read_only","ghi",true);
{
"user" : "read_only",
"readOnly" : true,
"pwd" : "67e8e24078ad4a487c54cb16527af13a",
"_id" : ObjectId("54213c7d3a41399ef4a3d610")
}
mongos> db.system.users.find();
{ "_id" : ObjectId("54213c293a41399ef4a3d60e"), "user" : "root", "readOnly" : false, "pwd" : "9ebcc685b65db596c75fd6128803440f" }
{ "_id" : ObjectId("54213c5f3a41399ef4a3d60f"), "user" : "test_user", "readOnly" : false, "pwd" : "2d7ad5ae62d41e5253c32831a63079b1" }
{ "_id" : ObjectId("54213c7d3a41399ef4a3d610"), "user" : "read_only", "readOnly" : true, "pwd" : "67e8e24078ad4a487c54cb16527af13a" }
上面添加了管理员root,在test数据库添加了两个普通账号,其中一个有只读权限,不能对数据库写入
调用addUser必须有相应数据库的写权限。
addUser不仅能添加用户,还能修改用户口令或者只读窗台。
重启服务器,加入--auth命令行选项,开启安全检查。跟刚刚一样的,需要
[root@viptest2 ~]# openssl rand
Usage: rand [options] num
where options are
-out file - write to file
-engine e - use engine e, possibly a hardware device.
-rand file:file:... - seed PRNG from files
-base64 - base64 encode output
-hex - hex encode output
[root@viptest2 ~]# openssl rand -base64 753
WYPee/+hqZZ+SLJuTtupYklSJRGWS0sH7yZ1qxSa9ErBsriyHRsaKVCKN7Ngu/BS
B0D1QKyBGZ3A+JXugLu+n7d319AKwQkX+6SBff1KS4KWL6biaX9oURuQMgb6HUty
e6ep4kFqpt2zkE6SqY8Rg7Cuouhs/CQsrgpU7af5CfSLXMBGED284wKaE+wh7yls
QVznZCoIjR2mrb68P0r4bgivynRyRq49TgdxmiQmXCXKXNNyVPG8MjzWtJaTazR6
/lvSfDWqk+VDC0b97MFEdPEsQiLNa6EAv8xqN9aycaJH+bQANtysala0wxsqDv8q
YuT9EmnTJM6F5L3Z8PK7EZKtSOlXnJaEX2jvLfwpYNTH4nhHkQV9KZJXD6lGx7Wn
ifnqIl3pVyxDBGDe9PBmgeh0+sgaK8jHP386h4gU5MkX/bEHDV8TL60kU+cARJ0C
xeHNy8IQer1c9E5n1D6iT9JqdidSgfKWOYGB7l937hTjdVQG9ektxGGM39Y04ObV
FpB87QZFoVhOobb/TTbV5tl64rmjBlN0bhH0kDmBvIvFT3GfTyYa92+1QxAAXC4k
3ge0fDKoocxw0LmQdJpE7n6Zn8HBzC20EzxJ4yqCmY1kfhRjS1X6zMk1Xi2nOoIY
myGqEvkrkWybBWh83WSSlhMtBgvFzgo8rnT+ru/r3BaFXkRRM1DX1Cvw5G9+qG8i
7AvJdYZpheqLR71GFjZc+PSRiBD+PKlkZJjYe8fJM9VXO/ZZGcShasrr+A3rHLb8
j92AmLbIU8nZwW54gcs8lZC0ufOrhauxNhCay7k8YXhxqr/+3HQvAH8OZYWRZfdG
gXMo0fOk8HsmuahMN9U3TiAmBoh6MhOHyGefJF8O7g6iP0TkQxWWDQLuUqWJZnzu
lLwK8Na4B7gnoHlRt7lWBYLuUM1PTcKF7RtVuARkvlmE6FsrRIpc5RL8k25Ed67H
NSZ7PpP2xLmHvC27CBCw5A9gux3r
在testdb中创建一个普通用户
mongos> use testdb
switched to db testdb
mongos> db.addUser('putong','putong');
{
"user" : "putong",
"readOnly" : false,
"pwd" : "9bef249456e43c9b819a4ff08f66c744",
"_id" : ObjectId("542142ea2f4e2dc152cf19c0")
}
mongos> db.system.users.find();
{ "_id" : ObjectId("542142ea2f4e2dc152cf19c0"), "user" : "putong", "readOnly" : false, "pwd" : "9bef249456e43c9b819a4ff08f66c744" }
[root@testvip1 ~]# openssl rand -base64 753 >keyfile1
[root@testvip1 ~]# chmod 600 keyfile1
[root@testvip1 ~]# scp keyfile1 192.168.12.107:/root
keyfile1 100% 1020 1.0KB/s 00:00
[root@testvip1 ~]# mongod --dbpath=/mongo1 --port 27017 --rest --keyFile=/root/keyfile1 --分配和config每个都这么启动
[root@viptest2 ~]# mongos --port 27021 --configdb=192.168.12.107:27018 --keyFile=/root/keyfile1 --mongos这么启动
使用mongo 192.168.12.107:27021/admin 登录进来后,可以看到,权限已经变更,需要认证才能进行操作。
> db.usr.find().limit(10);
error: { "$err" : "not authorized for query on testdb.usr", "code" : 16549 }
[root@viptest2 ~]# mongo 192.168.12.107:27021/admin -u root -p 使用用户root 密码abc进来
MongoDB shell version: 2.4.6
Enter password:
connecting to: 192.168.12.107:27021/admin
mongos>
use testdb
> db.auth('putong','putong');
1
> show collections;
address
blog
games
people
system.indexes
system.users
testa
usr
> use admin
switched to db admin
> show dbs
Tue Sep 23 18:19:10.744 listDatabases failed:{
"note" : "not authorized for command: listDatabases on database admin",
"ok" : 0,
"errmsg" : "unauthorized"
} at src/mongo/shell/mongo.js:46
> db.auth('root','abc');
1
---只有在admin中定义的用户,才能在admin中认证通过,在testdb中都不行
备注:在普通库中切换成超级用户失败,超级用户需要在 admin 库中切换才能生效
mongos> db.addUser('putong','putong',true); --这里是进的admin,是超级用户,将putong用户改成readonly
{
"_id" : ObjectId("542142ea2f4e2dc152cf19c0"),
"user" : "putong",
"readOnly" : true,
"pwd" : "9bef249456e43c9b819a4ff08f66c744"
}
只读用户的登录
[root@viptest2 ~]# mongo 192.168.12.107:27021/testdb -u putong -p
MongoDB shell version: 2.4.6
Enter password:
connecting to: 192.168.12.107:27021/testdb
>
> db.testa.insert({"name":"haha"});
not authorized for insert on testdb.testa --putong用户只有只读权限
------------------------------------------------
