MongoDB does not authenticate by default and ships with no accounts: anyone who can connect to the service can do anything to the databases. MongoDB's own position has been that the safest way to run it is inside a trusted environment where only trusted machines can reach it. For environments with stricter requirements that is not enough (a 3.2 instance bound to every interface with no authentication is the classic exposed-database case), so MongoDB also provides user authentication, enabled by starting mongod with --auth.
1. MongoDB installation
MongoDB download: https://pan.baidu.com/s/194ef261BpcypxzAl9aRaQg
Extraction code: tv8m
Download the tarball to /usr/local/src on the server. Note that this is a third-party mirror: prefer the official tarball from mongodb.com and compare its published SHA-256 before unpacking anything you will run as root.
1.1) Install MongoDB
[root@MongoDB-server ~]# cd /usr/local/src/
[root@MongoDB-server src]# ll mongodb-linux-x86_64-rhel62-v3.2-latest.tgz
-rw-r--r-- 1 root root 86699142 Nov 22 2017 mongodb-linux-x86_64-rhel62-v3.2-latest.tgz
[root@MongoDB-server src]# tar -zvxf mongodb-linux-x86_64-rhel62-v3.2-latest.tgz
[root@MongoDB-server src]# mv mongodb-linux-x86_64-rhel62-3.2.17-34-g4c1bae566c /usr/local/mongodb
[root@MongoDB-server src]# ll /usr/local/mongodb //MongoDB home directory
total 100
drwxr-xr-x 2 root root 4096 Sep 20 22:33 bin
-rw-r--r-- 1 root root 34520 Nov 21 2017 GNU-AGPL-3.0
-rw-r--r-- 1 root root 16726 Nov 21 2017 MPL-2
-rw-r--r-- 1 root root 2262 Nov 21 2017 README
-rw-r--r-- 1 root root 35910 Nov 21 2017 THIRD-PARTY-NOTICES
[root@MongoDB-server src]# mkdir /usr/local/mongodb/data //MongoDB data directory; can live on a separate large partition
[root@MongoDB-server src]# mkdir /usr/local/mongodb/log //MongoDB log directory
1.2) Start MongoDB
Use mongod to bring the database up with data path /usr/local/mongodb/data and log file /usr/local/mongodb/log/mongo.log.
nohup ... & runs mongod in the background; after the command returns, press Enter to get the prompt back. Started this way mongod runs as root and, on 3.2, listens on every interface with no authentication, which the startup warnings shown further down also point out.
[root@MongoDB-server src]# nohup /usr/local/mongodb/bin/mongod --dbpath=/usr/local/mongodb/data/ --logpath=/usr/local/mongodb/log/mongo.log &
==========================================
mongod parameter reference:
--dbpath     database path (data files)
--logpath    log file path
--master     run as the master (legacy master/slave replication; replica sets are the recommended mechanism)
--slave      run as a slave
--source     IP address of the master
--oplogSize  size of the oplog in MB (e.g. --oplogSize 64). A resync is expensive and slow, so set the oplog large enough to avoid one (the default is 5% of free disk space)
--logappend  append to the log file instead of truncating it
--port       port to listen on
--fork       run in the background (daemonize)
--only       replicate only the named database (slave)
--slavedelay number of seconds the slave lags behind the master
--auth       require authentication (username and password) to log in
==========================================
[root@MongoDB-server src]# ps -ef|grep mongodb
root 13216 10204 0 22:38 pts/1 00:00:00 /usr/local/mongodb/bin/mongod --dbpath=/usr/local/mongodb/data/ --logpath=/usr/local/mongodb/log/mongo.log
root 14185 10204 0 22:42 pts/1 00:00:00 grep mongodb
MongoDB's default port is 27017; it takes a moment after startup for the port to come up. If it never does, check the log at /usr/local/mongodb/log/mongo.log
[root@MongoDB-server src]# lsof -i:27017
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
mongod 13216 root 6u IPv4 4260453 0t0 TCP *:27017 (LISTEN)
1.3) Set the MongoDB environment variable
[root@MongoDB-server src]# vim /etc/profile
......
export PATH=$PATH:/usr/local/mongodb/bin/
[root@MongoDB-server src]# source /etc/profile
[root@MongoDB-server src]# mongod --version
db version v3.2.17-34-g4c1bae566c
git version: 4c1bae566c0c00f996a2feb16febf84936ecaf6f
OpenSSL version: OpenSSL 1.0.1e-fips 11 Feb 2013
allocator: tcmalloc
modules: none
build environment:
distmod: rhel62
distarch: x86_64
target_arch: x86_64
1.4) To start and stop MongoDB more conveniently, write a shell script for it (it can also be registered as a service). Better still, put the parameters mongod needs into a configuration file and reference that from the script;
[root@MongoDB-server src]# vim /usr/local/mongodb/mongodb.conf
#port; defaults to 27017 if not specified
port=27017
#bind address. 0.0.0.0 listens on every interface, and with auth off (as here) that
#hands the whole database to anyone who can reach the port; use 127.0.0.1 or an
#internal address unless remote clients really need access
bind_ip=0.0.0.0
#MongoDB data directory
dbpath=/usr/local/mongodb/data
#MongoDB log file
logpath=/usr/local/mongodb/log/mongo.log
#append to the log instead of truncating it on each start
logappend=true
Write the MongoDB start script
[root@MongoDB-server src]# vim /etc/init.d/mongodb
#!/bin/bash
#
# mongod Start up the MongoDB server daemon
#
# source function library
. /etc/rc.d/init.d/functions
# mongod binary
CMD=/usr/local/mongodb/bin/mongod
# configuration file
INITFILE=/usr/local/mongodb/mongodb.conf
start()
{
    # & backgrounds the process; mongod's --fork option would do the same
    $CMD -f $INITFILE &
    echo "MongoDB is running background..."
}
stop()
{
    # pkill sends SIGTERM, which mongod handles as a clean shutdown
    pkill mongod
    echo "MongoDB is stopped."
}
case "$1" in
    start)
        start
        ;;
    stop)
        stop
        ;;
    *)
        echo $"Usage: $0 {start|stop}"
esac
Make the script executable
[root@MongoDB-server src]# chmod 755 /etc/init.d/mongodb
[root@MongoDB-server src]# /etc/init.d/mongodb status
Usage: /etc/init.d/mongodb {start|stop}
[root@MongoDB-server src]# /etc/init.d/mongodb stop
Terminated
[root@MongoDB-server src]# lsof -i:27001
[1]+ Done nohup /usr/local/mongodb/bin/mongod --dbpath=/usr/local/mongodb/data/ --logpath=/usr/local/mongodb/log/mongo.log
[root@MongoDB-server src]# lsof -i:27001
[root@MongoDB-server src]# /etc/init.d/mongodb start
MongoDB is running background...
[root@MongoDB-server src]# ps -ef|grep mongodb
root 16060 1 2 22:49 pts/1 00:00:00 /usr/local/mongodb/bin/mongod -f /usr/local/mongodb/mongodb.conf
root 16205 10204 0 22:49 pts/1 00:00:00 grep mongodb
[root@MongoDB-server ~]# lsof -i:27001
[root@MongoDB-server ~]#
The lsof checks above query port 27001, not 27017, so they show nothing; the log shows that mongod is in fact listening on 27017:
[root@MongoDB-server src]# tail -f /usr/local/mongodb/log/mongo.log
......
2018-09-20T22:55:46.236+0800 I NETWORK [initandlisten] waiting for connections on port 27017
2018-09-20T22:55:46.290+0800 W NETWORK [HostnameCanonicalizationWorker] Failed to obtain address information for hostname MongoDB-server: Name or service not known
2018-09-20T22:55:47.014+0800 I FTDC [ftdc] Unclean full-time diagnostic data capture shutdown detected, found interim file, some metrics may have been lost. OK
Cause: the only warning is that the hostname MongoDB-server cannot be resolved to an address, which is usually a /etc/hosts issue. It is a warning only and does not stop mongod from accepting connections.
Fix (to silence the warning):
[root@MongoDB-server ~]# ifconfig|grep "inet addr"|grep Bcast|awk -F":" '{print $2}'|awk '{print $1}'
192.168.10.205
[root@MongoDB-server ~]# hostname
MongoDB-server
[root@MongoDB-server ~]# vim /etc/hosts
[root@MongoDB-server ~]# echo "192.168.10.205 MongoDB-server" >> /etc/hosts
[root@MongoDB-server ~]# cat /etc/hosts
......
192.168.10.205 MongoDB-server
Start again. The kill -9 used here skips mongod's clean shutdown (the "Unclean full-time diagnostic data capture shutdown detected" line in the log above is the symptom); prefer kill <pid> (SIGTERM) or db.shutdownServer() from the mongo shell.
[root@MongoDB-server ~]# ps -ef|grep mongodb
root 17789 1 0 22:55 pts/0 00:00:01 /usr/local/mongodb/bin/mongod -f /usr/local/mongodb/mongodb.conf
root 18933 16606 0 23:00 pts/0 00:00:00 grep mongodb
[root@MongoDB-server ~]# kill -9 16890
[root@MongoDB-server ~]# ps -ef|grep mongodb
root 18979 16606 0 23:00 pts/0 00:00:00 grep mongodb
[root@MongoDB-server ~]# /etc/init.d/mongodb start
MongoDB is running background...
[root@MongoDB-server ~]# ps -ef|grep mongodb
root 17789 1 0 22:55 pts/0 00:00:01 /usr/local/mongodb/bin/mongod -f /usr/local/mongodb/mongodb.conf
root 19132 16606 0 23:00 pts/0 00:00:00 grep mongodb
[root@MongoDB-server ~]# lsof -i:27017
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
mongod 17789 root 6u IPv4 4289555 0t0 TCP *:27017 (LISTEN)
Connect to the MongoDB service. Note the first startup warning in the banner: mongod is running as root. Create a dedicated system user, chown the data and log directories to it and start the daemon as that user, so a compromise of mongod does not hand over the host.
[root@MongoDB-server src]# mongo 127.0.0.1:27017 (or simply mongo, which connects to 127.0.0.1:27017 by default)
MongoDB shell version: 3.2.17-34-g4c1bae566c
connecting to: 127.0.0.1:27017/test
Welcome to the MongoDB shell.
For interactive help, type "help".
For more comprehensive documentation, see
http://docs.mongodb.org/
Questions? Try the support group
http://groups.google.com/group/mongodb-user
Server has startup warnings:
2018-09-20T22:55:46.232+0800 I CONTROL [initandlisten] ** WARNING: You are running this process as the root user, which is not recommended.
2018-09-20T22:55:46.233+0800 I CONTROL [initandlisten]
2018-09-20T22:55:46.233+0800 I CONTROL [initandlisten]
2018-09-20T22:55:46.233+0800 I CONTROL [initandlisten] ** WARNING: /sys/kernel/mm/transparent_hugepage/enabled is 'always'.
2018-09-20T22:55:46.233+0800 I CONTROL [initandlisten] ** We suggest setting it to 'never'
2018-09-20T22:55:46.233+0800 I CONTROL [initandlisten]
2018-09-20T22:55:46.233+0800 I CONTROL [initandlisten] ** WARNING: /sys/kernel/mm/transparent_hugepage/defrag is 'always'.
2018-09-20T22:55:46.233+0800 I CONTROL [initandlisten] ** We suggest setting it to 'never'
2018-09-20T22:55:46.233+0800 I CONTROL [initandlisten]
> help
db.help() help on db methods
db.mycoll.help() help on collection methods
sh.help() sharding helpers
rs.help() replica set helpers
help admin administrative help
help connect connecting to a db help
help keys key shortcuts
help misc misc things to know
help mr mapreduce
show dbs show database names
show collections show collections in current database
show users show users in current database
show profile show most recent system.profile entries with time >= 1ms
show logs show the accessible logger names
show log [name] prints out the last segment of log in memory, 'global' is default
use <db_name> set current database
db.foo.find() list objects in collection foo
db.foo.find( { a : 1 } ) list objects in foo where a == 1
it result of the last line evaluated; use to further iterate
DBQuery.shellBatchSize = x set default number of items to display on shell
exit quit the mongo shell
> show dbs
local 0.000GB
>
2. MongoDB authentication
MongoDB built-in roles:
- Database user roles: read, readWrite
- Database administration roles: dbAdmin, dbOwner, userAdmin
- Cluster administration roles: clusterAdmin, clusterManager, clusterMonitor, hostManager
- Backup and restore roles: backup, restore
- All-database roles: readAnyDatabase, readWriteAnyDatabase, userAdminAnyDatabase, dbAdminAnyDatabase
- Superuser role: root
- Several other roles provide superuser access directly or indirectly, because they can grant any role including root: dbOwner and userAdmin on the admin database, and userAdminAnyDatabase
- Internal role: __system
Role details:
- read: read the specified database
- readWrite: read and write the specified database
- dbAdmin: run administrative functions in the specified database, such as creating and dropping indexes, viewing statistics or accessing system.profile
- userAdmin: write to the system.users collection; create, delete and manage users in the specified database
- clusterAdmin: only available in the admin database; grants all sharding and replica set management functions
- readAnyDatabase: only available in the admin database; read access to all databases
- readWriteAnyDatabase: only available in the admin database; read and write access to all databases
- userAdminAnyDatabase: only available in the admin database; userAdmin on all databases
- dbAdminAnyDatabase: only available in the admin database; dbAdmin on all databases
- root: only available in the admin database; the superuser account with full privileges
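Put into code, the role semantics above give a review script for a system.users dump. The following Python is an added example (not MongoDB tooling): it flags superuser-equivalent grants, roles granted outside the admin database where they are invalid, legacy MONGODB-CR credentials, and role documents whose db field holds a role name. The sample documents are constructed in the shape of the find() output later on this page; the function names are the example's own.

```python
"""Privilege review of MongoDB user documents (the shape admin.system.users returns).

Added example for this page, not MongoDB's own tooling. It encodes the built-in
role semantics listed above: which roles are superuser-equivalent, which are
only meaningful on the admin database, and the easy-to-make mistake of putting
a role name into the "db" field of a role document.
"""

BUILTIN_ROLES = {
    "read", "readWrite", "dbAdmin", "dbOwner", "userAdmin",
    "clusterAdmin", "clusterManager", "clusterMonitor", "hostManager",
    "backup", "restore",
    "readAnyDatabase", "readWriteAnyDatabase", "userAdminAnyDatabase", "dbAdminAnyDatabase",
    "root", "__system",
}
# root is the superuser; __system bypasses access control; userAdminAnyDatabase can grant itself root.
SUPERUSER_EQUIVALENT = {"root", "__system", "userAdminAnyDatabase"}
# Can grant any role within their own database, hence superuser when that database is admin.
ESCALATABLE = {"userAdmin", "dbOwner"}
ADMIN_DB_ONLY = {
    "clusterAdmin", "clusterManager", "clusterMonitor", "hostManager", "backup", "restore",
    "readAnyDatabase", "readWriteAnyDatabase", "userAdminAnyDatabase", "dbAdminAnyDatabase",
    "root", "__system",
}


def normalize_role(role, user_db):
    """createUser accepts "readWrite" (scoped to the user's own db) or {"role": .., "db": ..}."""
    if isinstance(role, str):
        return role, user_db
    return role["role"], role["db"]


def review_user(doc):
    """Return (severity, message) findings for one system.users document."""
    findings = []
    uid = doc["_id"]
    if "MONGODB-CR" in doc.get("credentials", {}):
        findings.append(("high", f"{uid}: legacy MONGODB-CR credential (unsalted MD5); migrate to SCRAM-SHA-1"))
    for name, db in (normalize_role(r, doc["db"]) for r in doc.get("roles", [])):
        if name not in BUILTIN_ROLES:
            findings.append(("info", f"{uid}: custom role {name!r} on {db!r}; review its privileges"))
            continue
        if name in ADMIN_DB_ONLY and db != "admin":
            findings.append(("warn", f"{uid}: {name!r} is only valid on the admin database, granted on {db!r}"))
        if name in SUPERUSER_EQUIVALENT or (name in ESCALATABLE and db == "admin"):
            findings.append(("high", f"{uid}: {name!r} on {db!r} is superuser-equivalent"))
        elif name in ESCALATABLE:
            findings.append(("medium", f"{uid}: {name!r} on {db!r} can create users and grant any role within that database"))
        if db in BUILTIN_ROLES:
            findings.append(("warn", f"{uid}: db={db!r} is a role name; this grants {name} on a database called {db}, not the {db} role"))
    return findings


def review_users(docs):
    """Findings for a whole dump, most severe first."""
    order = {"high": 0, "medium": 1, "warn": 2, "info": 3}
    return sorted((f for d in docs for f in review_user(d)), key=lambda f: order[f[0]])


# Constructed sample dump, shaped like the find() output on this page (credentials
# elided). The first document reproduces the page's {role:"readWrite", db:"dbAdmin"} mistake.
SAMPLE_USERS = [
    {"_id": "admin.admin", "user": "admin", "db": "admin",
     "credentials": {"SCRAM-SHA-1": {}}, "roles": [{"role": "readWrite", "db": "dbAdmin"}]},
    {"_id": "kevin.kevin", "user": "kevin", "db": "kevin",
     "credentials": {"SCRAM-SHA-1": {}}, "roles": [{"role": "readWrite", "db": "kevin"}]},
    {"_id": "kevin.bobo", "user": "bobo", "db": "kevin",
     "credentials": {"SCRAM-SHA-1": {}}, "roles": ["dbOwner"]},
    {"_id": "admin.ops", "user": "ops", "db": "admin",
     "credentials": {"MONGODB-CR": {}},
     "roles": [{"role": "userAdmin", "db": "admin"}, {"role": "backup", "db": "kevin"}]},
]

if __name__ == "__main__":
    for severity, message in review_users(SAMPLE_USERS):
        print(f"[{severity}] {message}")
```

Feed it the output of db.system.users.find() (converted to JSON) from the admin database; a user with no findings holds only read/readWrite/dbAdmin-style roles scoped to a real database name.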
Before authentication can be used, accounts must exist, starting with an administrator (the system has no users by default).
Remember: create the users while authentication is off, then stop the server and start it again with authentication enabled; only then does it take effect. (MongoDB 3.x also has a localhost exception: with auth already on, a connection from the local host may create the first user in the admin database; the exception closes as soon as a user exists.)
[root@MongoDB-server src]# mongo 127.0.0.1:27017
......
Switch to the admin database
> use admin
switched to db admin
Add the administrator
> db.system.users.find();
> db.addUser("admin","1234!@#$qwer")
2018-09-20T23:12:10.968+0800 E QUERY [thread1] TypeError: db.addUser is not a function :
@(shell):1:1
The addUser call above fails with "addUser is not a function":
MongoDB 3.x no longer supports addUser(); createUser() replaces it. Note also that readWrite and dbAdmin on the admin database do not make an administrator: such a user can neither manage users nor touch other databases. A real superuser needs roles: ["userAdminAnyDatabase"] (which can grant itself anything) or ["root"] on admin.
> db.createUser({user: "admin",pwd: "1234!@#$qwer",roles: [ "readWrite", "dbAdmin" ]})
Successfully added user: { "user" : "admin", "roles" : [ "readWrite", "dbAdmin" ] }
Query the user that was added
> db.system.users.find();
{ "_id" : "admin.admin", "user" : "admin", "db" : "admin", "credentials" : { "SCRAM-SHA-1" : { "iterationCount" : 10000, "salt" :
"TzPswYhGHMhnb18ccP41Hw==", "storedKey" : "MFNZp6CAAzd+XYi9hv1EQm6jHdU=", "serverKey" : "s1nHp0XO19IgIsd//wXc22ukaAY=" } }, "roles"
: [ { "role" : "readWrite", "db" : "admin" }, { "role" : "dbAdmin", "db" : "admin" } ] }
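MongoDB stores no password in system.users, only the SCRAM-SHA-1 salt, iteration count, storedKey and serverKey shown above. The following Python, added here as an example (not MongoDB's code), reproduces that derivation with the standard library so you can see what a dump of system.users gives an attacker: everything needed to test password guesses offline. The salt is copied from the page's transcript; whether the computed keys match the transcript's depends on the transcript being genuine, and the block only asserts its own consistency. The function and document names are the example's own.

```python
"""Recompute MongoDB 3.x SCRAM-SHA-1 credentials as they appear in admin.system.users.

Added example for this page, not MongoDB's code. It implements the derivation
mongod uses: RFC 5802 SCRAM-SHA-1 whose "password" is the legacy MONGODB-CR
digest hex(md5("<user>:mongo:<password>")). Standard library only.
"""
import base64
import hashlib
import hmac
import os
from typing import Iterable, Optional


def mongodb_cr_digest(user: str, password: str) -> str:
    """MongoDB feeds SCRAM the hex MD5 of "user:mongo:password", not the raw password."""
    return hashlib.md5(f"{user}:mongo:{password}".encode("utf-8")).hexdigest()


def _b64(data: bytes) -> str:
    return base64.b64encode(data).decode("ascii")


def scram_sha1_credentials(user: str, password: str, salt: bytes, iterations: int = 10000) -> dict:
    """Return the {"iterationCount", "salt", "storedKey", "serverKey"} document mongod stores."""
    salted = hashlib.pbkdf2_hmac("sha1", mongodb_cr_digest(user, password).encode("ascii"),
                                 salt, iterations, dklen=20)
    client_key = hmac.new(salted, b"Client Key", hashlib.sha1).digest()
    stored_key = hashlib.sha1(client_key).digest()            # what the server keeps for verification
    server_key = hmac.new(salted, b"Server Key", hashlib.sha1).digest()
    return {"iterationCount": iterations, "salt": _b64(salt),
            "storedKey": _b64(stored_key), "serverKey": _b64(server_key)}


def verify_password(user: str, password: str, scram_doc: dict) -> bool:
    """Offline check of a candidate password against a stored SCRAM-SHA-1 document.

    This is exactly what an attacker does with a leaked system.users dump: the
    document holds no plaintext, but it is enough to test guesses at PBKDF2 speed.
    """
    salt = base64.b64decode(scram_doc["salt"])
    recomputed = scram_sha1_credentials(user, password, salt, int(scram_doc["iterationCount"]))
    return hmac.compare_digest(recomputed["storedKey"], scram_doc["storedKey"])


def crack(user: str, scram_doc: dict, wordlist: Iterable[str]) -> Optional[str]:
    """Dictionary attack on one credential; returns the matching password or None."""
    for candidate in wordlist:
        if verify_password(user, candidate, scram_doc):
            return candidate
    return None


def new_user_document(db: str, user: str, password: str, roles: list,
                      salt: Optional[bytes] = None) -> dict:
    """Build the full system.users document the way createUser() would."""
    salt = os.urandom(16) if salt is None else salt          # mongod draws a random 16-byte salt
    return {"_id": f"{db}.{user}", "user": user, "db": db,
            "credentials": {"SCRAM-SHA-1": scram_sha1_credentials(user, password, salt)},
            "roles": [{"role": r, "db": db} for r in roles]}


# Constructed sample: the admin user created on this page, with the salt copied from
# the page's find() output so the computation is reproducible.
SAMPLE_SALT = base64.b64decode("TzPswYhGHMhnb18ccP41Hw==")
SAMPLE_DOC = new_user_document("admin", "admin", "1234!@#$qwer", ["readWrite", "dbAdmin"], SAMPLE_SALT)

if __name__ == "__main__":
    import json
    print(json.dumps(SAMPLE_DOC, indent=2))
    creds = SAMPLE_DOC["credentials"]["SCRAM-SHA-1"]
    print("cracked:", crack("admin", creds, ["admin", "password", "1234!@#$qwer"]))
```

Two consequences follow from the derivation: the username is part of the digest, so the same password gives different keys for different users, and 10000 PBKDF2 iterations only slow a dictionary attack down, they do not prevent it. Treat system.users (and backups of the admin database) as secrets, and choose passwords that are not in any wordlist.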
Add ordinary accounts
Switch to the kevin database and add normal users (readWrite grants read and write, read grants read only). dbOwner combines readWrite, dbAdmin and userAdmin on that database, so bobo can also create users and grant roles inside kevin; hand it out only where that is intended.
> use kevin;
switched to db kevin
> db.createUser({user: "bobo",pwd: "bobo@123",roles: [ "dbOwner" ]});
Successfully added user: { "user" : "bobo", "roles" : [ "dbOwner" ] }
> db.createUser({user: "shibo",pwd: "shibo@123",roles: [ "read" ]});
Successfully added user: { "user" : "shibo", "roles" : [ "read" ] }
Query all the users just added:
> use admin;
switched to db admin
> db.system.users.find();
{ "_id" : "admin.admin", "user" : "admin", "db" : "admin", "credentials" : { "SCRAM-SHA-1" : { "iterationCount" : 10000, "salt" : "TzPswYhGHMhnb18ccP41Hw==", "storedKey" : "MFNZp6CAAzd+XYi9hv1EQm6jHdU=", "serverKey" : "s1nHp0XO19IgIsd//wXc22ukaAY=" } }, "roles" : [ { "role" : "readWrite", "db" : "admin" }, { "role" : "dbAdmin", "db" : "admin" } ] }
{ "_id" : "kevin.bobo", "user" : "bobo", "db" : "kevin", "credentials" : { "SCRAM-SHA-1" : { "iterationCount" : 10000, "salt" : "cuv5jNwgZJygGFLtjD/Mjw==", "storedKey" : "OqJ25tCFO/+VTcKiKNCIHNivLEs=", "serverKey" : "XVyASud0LDPREZ3EqM78bBtGomk=" } }, "roles" : [ { "role" : "dbOwner", "db" : "kevin" } ] }
{ "_id" : "kevin.shibo", "user" : "shibo", "db" : "kevin", "credentials" : { "SCRAM-SHA-1" : { "iterationCount" : 10000, "salt" : "Y7HmwAIYs+OHETZO0V2yTg==", "storedKey" : "5OjRBikMkn2ns+pDCvn3FVc5RJE=", "serverKey" : "YYRypQKmZcpg07tT+4F5MBwqHJY=" } }, "roles" : [ { "role" : "read", "db" : "kevin" } ] }
>
Delete users. Removing documents straight out of system.users works only because auth is off; the supported way is db.dropUser("name") from the user's own database (use kevin; db.dropUser("bobo")), which also works once auth is on.
> db.system.users.remove({user:"admin"})
WriteResult({ "nRemoved" : 1 })
> db.system.users.remove({user:"shibo"})
WriteResult({ "nRemoved" : 1 })
> db.system.users.remove({user:"bobo"});
WriteResult({ "nRemoved" : 1 })
Check again
> db.system.users.find();
>
Add users again. Caution: {role:"readWrite", db:"dbAdmin"} grants readWrite on a database literally named dbAdmin; the db field of a role document is always a database name, so this is not the dbAdmin role and the resulting "admin" user is not an administrator. For one, use {role:"userAdminAnyDatabase", db:"admin"} or {role:"root", db:"admin"}.
> use admin
switched to db admin
> db.createUser({user: "admin",pwd: "admin2018",roles: [{role:"readWrite",db:"dbAdmin"}]})
Successfully added user: {
"user" : "admin",
"roles" : [
{
"role" : "readWrite",
"db" : "dbAdmin"
}
]
}
> use kevin
switched to db kevin
> db.createUser({user: "kevin",pwd: "shibo2018",roles: [{role:"readWrite",db:"kevin"}]});
Successfully added user: {
"user" : "kevin",
"roles" : [
{
"role" : "readWrite",
"db" : "kevin"
}
]
}
> use admin
switched to db admin
> db.system.users.find();
{ "_id" : "admin.admin", "user" : "admin", "db" : "admin", "credentials" : { "SCRAM-SHA-1" : { "iterationCount" : 10000, "salt" : "ZT4lWai64T8GO7jSfxuWTA==", "storedKey" : "oscsyuNiSfOvjPZgzAcapyqJjdM=", "serverKey" : "HLGVVyKMXI96StrnrhngQl2jA10=" } }, "roles" : [ { "role" : "readWrite", "db" : "dbAdmin" } ] }
{ "_id" : "kevin.kevin", "user" : "kevin", "db" : "kevin", "credentials" : { "SCRAM-SHA-1" : { "iterationCount" : 10000, "salt" : "iwyUMHBs6QUc4htcjQxJag==", "storedKey" : "hWZ0CvjVEwMUSm5wKen8Sg9Ju1Q=", "serverKey" : "QRqigCFp5Ph1D+GpOJDvGiIGfj8=" } }, "roles" : [ { "role" : "readWrite", "db" : "kevin" } ] }
>
Reset a user's password with db.changeUserPassword. The user must exist in the current database: shibo was created in kevin (and has since been deleted), so with db shibo this call would fail; run it from use kevin against a user that exists.
> use shibo;
switched to db shibo
> db.changeUserPassword("shibo","bobo@19870709");
Start mongod with --auth to enable authentication (or add auth=true to the configuration file; either is sufficient, and this page does both). In the YAML configuration format that 3.2 also accepts, the same setting is security.authorization: enabled.
[root@MongoDB-server ~]# vim /usr/local/mongodb/mongodb.conf
#port; defaults to 27017 if not specified
port=27017
#bind address; with auth on, 0.0.0.0 is still reachable from every interface, so keep a firewall in front of it
bind_ip=0.0.0.0
#MongoDB data directory
dbpath=/usr/local/mongodb/data
#MongoDB log file
logpath=/usr/local/mongodb/log/mongo.log
#append to the log instead of truncating it
logappend=true
#enable MongoDB authentication
auth=true
[root@MongoDB-server ~]# cat /etc/init.d/mongodb
......
$CMD -f $INITFILE --auth &
......
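The two settings that decide who can reach this instance are bind_ip and auth. The following Python, an added example rather than a MongoDB tool, audits a configuration file in the key=value format used in 1.4 and in the auth=true version just above, reporting the combinations that matter: every interface with auth off (the first config on this page), every interface with auth on (the second), and a localhost-only, authenticated baseline. The sample configurations are constructed to mirror the page's; the function names are the example's own.

```python
"""Audit a mongod 3.x configuration file in the legacy key=value format.

Added example for this page, not a MongoDB tool. Checks the settings that decide
whether the instance is reachable and by whom (bind_ip, auth/noauth) plus a few
logging and legacy-interface options; YAML configs are out of scope here.
"""
from typing import List, Tuple

TRUE_VALUES = {"true", "1", "yes"}
Finding = Tuple[str, str]


def parse_ini_conf(text: str) -> dict:
    """Parse mongod's key=value config; '#' starts a comment, blank lines are ignored."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        conf[key] = value
    return conf


def is_true(conf: dict, key: str) -> bool:
    return conf.get(key, "").lower() in TRUE_VALUES


def audit_mongod_conf(text: str) -> List[Finding]:
    """Return (severity, message) findings; an empty list means nothing to flag."""
    conf = parse_ini_conf(text)
    findings: List[Finding] = []
    port = conf.get("port", "27017")
    bind_ip = conf.get("bind_ip", "0.0.0.0")   # 3.2 binds every interface when unset
    listens_everywhere = any(ip.strip() in {"0.0.0.0", "::"} for ip in bind_ip.split(","))
    auth_on = is_true(conf, "auth") and not is_true(conf, "noauth")

    if listens_everywhere and not auth_on:
        findings.append(("critical", f"bind_ip={bind_ip} with authentication off: anyone who can "
                                     f"reach port {port} has full control of every database"))
    elif not auth_on:
        findings.append(("high", "authentication is off: every local connection gets unrestricted access"))
    elif listens_everywhere:
        findings.append(("medium", f"bind_ip={bind_ip}: reachable from every interface; auth is the "
                                   f"only barrier, so keep a firewall in front of port {port}"))
    if is_true(conf, "httpinterface") or is_true(conf, "rest"):
        findings.append(("high", "legacy HTTP/REST status interface enabled on port+1000; disable it"))
    if not is_true(conf, "logappend"):
        findings.append(("low", "logappend is not set: the log is truncated at every restart, losing evidence"))
    if "logpath" not in conf:
        findings.append(("low", "logpath is not set: no persistent record of connections and auth failures"))
    return findings


# Constructed sample configs mirroring the two on this page plus a hardened baseline.
CONF_NO_AUTH = """\
#port, defaults to 27017 if not specified
port=27017
#bind address
bind_ip=0.0.0.0
#data directory
dbpath=/usr/local/mongodb/data
#log file
logpath=/usr/local/mongodb/log/mongo.log
#append to the log
logappend=true
"""
CONF_AUTH_ALL_INTERFACES = CONF_NO_AUTH + "auth=true\n"
CONF_HARDENED = CONF_NO_AUTH.replace("bind_ip=0.0.0.0", "bind_ip=127.0.0.1") + "auth=true\n"

if __name__ == "__main__":
    for label, conf in (("page, no auth", CONF_NO_AUTH),
                        ("page, auth=true", CONF_AUTH_ALL_INTERFACES),
                        ("hardened", CONF_HARDENED)):
        print(label, "->", audit_mongod_conf(conf) or "OK")
```

Run it against /usr/local/mongodb/mongodb.conf before every restart; the critical finding is the state this server was in between 1.4 and the auth=true change above.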
Restart mongod (again with kill -9 here; a plain kill, which sends SIGTERM, or db.shutdownServer() is the clean way)
[root@MongoDB-server ~]# ps -ef|grep mongodb
root 17789 1 0 22:55 pts/0 00:00:06 /usr/local/mongodb/bin/mongod -f /usr/local/mongodb/mongodb.conf
root 25161 16606 0 23:24 pts/0 00:00:00 grep mongodb
[root@MongoDB-server ~]# kill -9 17789
[root@MongoDB-server ~]# ps -ef|grep mongodb
root 25190 16606 0 23:24 pts/0 00:00:00 grep mongodb
[root@MongoDB-server ~]# /etc/init.d/mongodb start
MongoDB is running background...
[root@MongoDB-server ~]# ps -ef|grep mongodb
root 1687 1 12 23:58 pts/0 00:00:00 /usr/local/mongodb/bin/mongod -f /usr/local/mongodb/mongodb.conf --auth
root 1713 16606 0 23:58 pts/0 00:00:00 grep mongodb
[root@MongoDB-server ~]# lsof -i:27017
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
mongod 25342 root 6u IPv4 4330699 0t0 TCP *:27017 (LISTEN)
Verify that authentication is enforced:
[root@MongoDB-server src]# mongo 127.0.0.1:27017
MongoDB shell version: 3.2.17-34-g4c1bae566c
connecting to: 127.0.0.1:27017/test
> use admin
switched to db admin
> show dbs
2018-09-20T23:25:52.201+0800 E QUERY [thread1] Error: listDatabases failed:{
"ok" : 0,
"errmsg" : "not authorized on admin to execute command { listDatabases: 1.0 }",
"code" : 13
} :
_getErrorWithCode@src/mongo/shell/utils.js:25:13
Mongo.prototype.getDBs@src/mongo/shell/mongo.js:62:1
shellHelper.show@src/mongo/shell/utils.js:781:19
shellHelper@src/mongo/shell/utils.js:671:15
@(shellhelp2):1:1
>
Because the session is not authenticated, nothing can be listed. Authenticate (db.auth returns 1 on success, 0 on failure) and query again:
> db.auth("admin","admin2018");
1
> db.system.users.find();
{ "_id" : "admin.admin", "user" : "admin", "db" : "admin", "credentials" : { "SCRAM-SHA-1" : { "iterationCount" : 10000, "salt" : "ZT4lWai64T8GO7jSfxuWTA==", "storedKey" : "oscsyuNiSfOvjPZgzAcapyqJjdM=", "serverKey" : "HLGVVyKMXI96StrnrhngQl2jA10=" } }, "roles" : [ { "role" : "readWrite", "db" : "dbAdmin" } ] }
{ "_id" : "kevin.kevin", "user" : "kevin", "db" : "kevin", "credentials" : { "SCRAM-SHA-1" : { "iterationCount" : 10000, "salt" : "iwyUMHBs6QUc4htcjQxJag==", "storedKey" : "hWZ0CvjVEwMUSm5wKen8Sg9Ju1Q=", "serverKey" : "QRqigCFp5Ph1D+GpOJDvGiIGfj8=" } }, "roles" : [ { "role" : "readWrite", "db" : "kevin" } ] }
>