Setting up a secure MongoDB on Ubuntu

How to Install and Secure MongoDB on Ubuntu 16.04

Step 1: Adding the MongoDB repository

Import the repository signing key first. apt uses it to verify every package it downloads from this repository (which is served over plain http), so copy the fingerprint from the official MongoDB documentation rather than from a third-party mirror.

sudo apt-key adv --keyserver hkp://keyserver.ubuntu.com:80 --recv 0C49F3730359A14518585931BC711F9BA15703C6

Step 2: Adding the repository details

Next, we'll add the MongoDB repository details so apt knows where to download the packages. Issue the following command to create a list file for MongoDB:

echo "deb [ arch=amd64,arm64 ] http://repo.mongodb.org/apt/ubuntu xenial/mongodb-org/3.4 multiverse" | sudo tee /etc/apt/sources.list.d/mongodb-org-3.4.list

Finally, we'll update the package list:

sudo apt-get update

Installing MongoDB

sudo apt-get install mongodb-org
# answer "y" at the confirmation prompt
sudo systemctl start mongod
sudo systemctl status mongod
# Press q to exit.
sudo systemctl enable mongod

Securing MongoDB

Open the mongo shell (at this point the daemon still accepts unauthenticated connections from localhost, which is exactly what we are about to turn off) and create an administrative user in the admin database:

use admin
db.createUser(
  {
    user: "scott",
    pwd: "tanyun161019",   // replace with a long, unique password; a password that appears in a published tutorial must be treated as compromised
    roles: [ { role: "userAdminAnyDatabase", db: "admin" } ]
  }
)
# Type 'exit' and press ENTER or use CTRL+C to leave the client.

userAdminAnyDatabase lets this account create users and grant roles on every database, but it gives the account no access to the data itself. That separation is deliberate: the user administrator and the application's data account should not be the same thing.

Enabling Authentication

In the #security section, we'll remove the hash in front of security to enable the stanza, then add the authorization setting. When we're done, the lines should look like the excerpt below:

sudo vim /etc/mongod.conf

security:
  authorization: "enabled"

# Note that the "security" line has no spaces at the beginning, and the "authorization" line must be indented with exactly two spaces: the file is YAML, so a tab or a different indent makes mongod refuse to start.
# Once we've saved and exited the file, we'll restart the daemon:

sudo systemctl restart mongod

mongo
show dbs;
# The shell still connects, but show dbs now fails with a "not authorized" error: without authenticating we can no longer list databases, create users, or perform similarly privileged tasks.

Verifying the Administrative User's Access

mongo -u scott -p --authenticationDatabase admin
show dbs;
# ok: the databases are listed now that we are authenticated as the user administrator

Configuring Remote Access (Optional)

Before we start working with an installation that allows remote connections, ideally we'll have MongoDB behind an external firewall, protected by a virtual private network (VPN), or restricted through a bastion host. As we work toward that, however, we can take the somewhat less-complicated step of enabling a firewall on the database server and restricting access to the specific host or hosts that need it.

Enabling UFW

sudo ufw status
# Allow SSH before enabling the firewall, so that enabling it cannot lock us out of the current session (equivalent to: sudo ufw allow 22)
sudo ufw allow OpenSSH
sudo ufw enable
# This opens 27017 to every host on the internet; acceptable only for a quick test, and only because authorization is already enabled
sudo ufw allow 27017
# Preferred: allow only the client host(s) that need the port, by their public IP (for a LAN peer, the address shown by "ifconfig en0" on the client)
# sudo ufw allow from 192.168.100.207 to any port 27017
sudo ufw status

sudo vim /etc/mongod.conf

net:
  port: 27017
  bindIp: 127.0.0.1,vps_public_ip
# The bindIp value is a comma-separated list with no space after the comma; mongod 3.4 rejects the value otherwise. Keep 127.0.0.1 in the list so administration from the server itself keeps working. Check what is actually listening with "netstat -tl" (or "ss -tln"): if only 127.0.0.1:27017 appears, remote clients cannot connect. Binding 0.0.0.0 (all interfaces) also works, but then the UFW allow-list and authentication are the only things between the database and the internet, so prefer naming the specific address.
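Taking the firewall rules and the net stanza together, the following script is an added example; it is not from the page above or from the MongoDB project. It renders the hardened security/net configuration and the matching UFW allow-list from a list of client addresses, and refuses the two mistakes discussed here: a bindIp list with whitespace (which mongod 3.4 rejects) and a bare "ufw allow 27017" that opens the port to everyone. The addresses 203.0.113.10, 198.51.100.7 and 198.51.100.8 are constructed documentation-range examples, and the function names are mine. Nothing is written to disk or applied; the script only prints what you would put in /etc/mongod.conf and run.

```shell
#!/bin/sh
# Added example: render mongod.conf stanzas and UFW rules for a hardened MongoDB 3.4 host.
# Nothing here touches the system; every function only prints to stdout/stderr.
# The client IPs in the demo at the bottom are constructed (RFC 5737 documentation ranges).

# Print the "security" and "net" stanzas for /etc/mongod.conf.
#   $1 = comma-separated bindIp list, e.g. 127.0.0.1,203.0.113.10
# mongod 3.4 rejects the list if there is whitespace after a comma, so fail early on that.
render_mongod_conf() {
  bind_ip=$1
  case $bind_ip in
    *' '*)
      echo "bindIp must be comma-separated with no whitespace: '$bind_ip'" >&2
      return 1 ;;
  esac
  # Keep the loopback address (or 0.0.0.0, which includes it) so local admin keeps working.
  case ",$bind_ip," in
    *,127.0.0.1,*|*,0.0.0.0,*) ;;
    *) echo "bindIp list must include 127.0.0.1 so administration from the box still works" >&2
       return 1 ;;
  esac
  # 0.0.0.0 binds every interface; not an error, but the firewall is then the only limit.
  case ",$bind_ip," in
    *,0.0.0.0,*) echo "warning: 0.0.0.0 exposes mongod on all interfaces; rely on UFW and auth" >&2 ;;
  esac
  printf 'security:\n  authorization: "enabled"\n\n'
  printf 'net:\n  port: 27017\n  bindIp: %s\n' "$bind_ip"
}

# Print the UFW commands for the database host.
#   $@ = client addresses (or CIDR ranges) allowed to reach 27017
# SSH is allowed before "ufw enable" so the firewall cannot cut off the session,
# and 27017 is only ever opened per client; a bare "ufw allow 27017" is never emitted.
render_ufw_rules() {
  if [ $# -eq 0 ]; then
    echo "at least one client address is required; refusing to open 27017 to the world" >&2
    return 1
  fi
  echo "sudo ufw allow OpenSSH"
  for client in "$@"; do
    echo "sudo ufw allow from $client to any port 27017 proto tcp"
  done
  echo "sudo ufw enable"
  echo "sudo ufw status"
}

# Demo with constructed addresses: the VPS's own public IP and two client hosts.
render_mongod_conf "127.0.0.1,203.0.113.10"
echo
echo "# firewall:"
render_ufw_rules 198.51.100.7 198.51.100.8
```

Paste the first part of the output into /etc/mongod.conf in place of the commented security and net sections, run the printed ufw commands on the server, then restart mongod and confirm with "ss -tln" that 27017 is bound on the addresses you expect and nothing else.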

sudo systemctl restart mongod
sudo systemctl status mongod

# On the Mac client: the author started a local mongod first, but only the mongo shell binary is needed to connect to the VPS
cd ~
export PATH=~/mongodb/bin:$PATH
mongod --dbpath ~/data
# Connect to the remote server (the commented line keeps the example user name from the tutorial this page follows)
# mongo -u AdminSammy -p --authenticationDatabase admin --host vps's_public_ip
mongo -u scott -p --authenticationDatabase admin --host 178.62.25.205

use scott
db.user.insert({name:"scott"})

WriteResult({
    "writeError" : {
        "code" : 13,
        "errmsg" : "not authorized on scott to execute command { insert: \"user\", ordered: true, documents: [ { _id: ObjectId('5bd6ba3fb8c71cd9a0af47fd'), a: \"@@@\" } ] }"
    }
})

At this point the user can log in remotely and run the commands below, but has no read or write access to the data:

use admin
show users;
db.stats()

How do we fix this?

The error is expected rather than a misconfiguration: userAdminAnyDatabase manages users and roles but carries no read or write privilege on any data, so the insert into the "scott" database is correctly refused. The fix is to grant a role that matches what the account actually needs. The two grants below are what the author ran, and both deserve a caveat. readWrite on "admin" only covers the admin database, which is why the insert into "scott" still failed after the first grant. "__system" is MongoDB's internal role for replica-set and shard members; it is effectively unrestricted and should never be assigned to an ordinary user, even though it does make the error go away. The least-privilege fix is to grant readWrite on the "scott" database itself (or readWriteAnyDatabase if the account genuinely needs every database), and to keep the user-administrator account separate from the account the application uses.

use admin
db.grantRolesToUser("scott", [ { role:'readWrite', db: "admin" } ])
db.grantRolesToUser ( "scott", [ { role: "__system", db: "admin" } ] )

OK, have fun.
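The least-privilege alternative to the two grants above, as an added example (not the page's own commands and not from the MongoDB project): a small shell helper that builds the mongo-shell command to grant exactly one role on one database, refuses the dangerous roles, and warns when readWrite is aimed at the admin database, which is what made the first grant above ineffective. The user name "scott", the database "scott" and the host 178.62.25.205 come from the page; the role deny-list and the function names are assumptions.

```shell
#!/bin/sh
# Added example: build a least-privilege grantRolesToUser command for the mongo shell.
# Only prints the command; run the printed line yourself from the admin machine.

# Roles an application account must never receive (assumption: extend to taste).
# __system is MongoDB's internal role for replica-set/shard members and is effectively
# unrestricted; root is the documented superuser role.
DENIED_ROLES="__system root"

# Print the shell JavaScript for one grant.
#   $1 = user, $2 = role, $3 = database the role applies to
grant_js() {
  user=$1; role=$2; db=$3
  for denied in $DENIED_ROLES; do
    if [ "$role" = "$denied" ]; then
      echo "refusing to grant '$role' to '$user': not a least-privilege role" >&2
      return 1
    fi
  done
  # readWrite on "admin" only covers the admin database; it does not unlock other databases.
  if [ "$role" = "readWrite" ] && [ "$db" = "admin" ]; then
    echo "warning: readWrite on admin does not grant access to other databases" >&2
  fi
  printf "db.getSiblingDB('admin').grantRolesToUser('%s', [ { role: '%s', db: '%s' } ])" "$user" "$role" "$db"
}

# Print the full client command, authenticating as the user-admin account.
#   $1 = host, $2 = admin user, then: user role database
grant_cmd() {
  host=$1; admin=$2; shift 2
  js=$(grant_js "$@") || return 1
  printf 'mongo -u %s -p --authenticationDatabase admin --host %s --eval "%s"\n' "$admin" "$host" "$js"
}

# Demo: give scott readWrite on the scott database only, authenticating as scott (the user admin).
grant_cmd 178.62.25.205 scott scott readWrite scott
```

Whoever holds userAdminAnyDatabase can grant any role, including root, to any account (itself included), so that account is effectively a superuser and its password deserves the same care as the server's root password; keep the application's own account limited to readWrite on its database and nothing more.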

References

https://stackoverflow.com/questions/29920127/mongodb-root-and-dbowner-are-not-authorized-to-run-update-command
https://docs.mongodb.com/manual/reference/method/db.grantRolesToUser/
https://stackoverflow.com/questions/35881662/show-dbs-gives-not-authorized-to-execute-command-error/35882021
https://www.percona.com/blog/2017/05/17/mongodb-authentication-and-roles-creating-your-first-personalized-role/

The last link above is where the problem got solved:

I ran into the same problem myself. It turned out I needed the "__system" role.
