MongoDB University Course M310 MongoDB Security: Study Notes

Environment Setup

This course needs two VMs, so Vagrant and VirtualBox have to be installed in advance; I already had both. All that remains is to download the course's Vagrant bundle, m310-vagrant-env.zip.

Unzip it, enter the directory, and run the following:

```shell
$ cd m310-vagrant-env
$ vagrant plugin install vagrant-vbguest
$ vagrant up
```

Note that the plugin must be installed before running vagrant up; if the order is reversed, you get the following error:

```
    infrastructure: /home/vagrant/shared => D:/MongoU/m310-vagrant-env/shared
Vagrant was unable to mount VirtualBox shared folders. This is usually
because the filesystem "vboxsf" is not available. This filesystem is
made available via the VirtualBox Guest Additions and kernel module.
Please verify that these guest additions are properly installed in the
guest. This is not a bug in Vagrant and is usually caused by a faulty
Vagrant box. For context, the command attempted was:

mount -t vboxsf -o uid=1000,gid=1000 home_vagrant_shared /home/vagrant/shared

The error output from the command was:

mount: unknown filesystem type 'vboxsf'
```

or this error:

```
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
 * base: mirrors.neusoft.edu.cn
 * extras: mirrors.tuna.tsinghua.edu.cn
 * updates: mirrors.neusoft.edu.cn
No package kernel-devel-3.10.0-1127.el7.x86_64 available.
Error: Nothing to do
Unmounting Virtualbox Guest Additions ISO from: /mnt
umount: /mnt: not mounted
==> infrastructure: Checking for guest additions in VM...
    infrastructure: No guest additions were detected on the base box for this VM! Guest
    infrastructure: additions are required for forwarded ports, shared folders, host only
    infrastructure: networking, and more. If SSH fails on this machine, please install
    infrastructure: the guest additions and repackage the box to continue.
    infrastructure:
    infrastructure: This is not an error message; everything may continue to work properly,
    infrastructure: in which case you may ignore this message.
The following SSH command responded with a non-zero exit status.
Vagrant assumes that this means the command failed!

umount /mnt

Stdout from the command:



Stderr from the command:

umount: /mnt: not mounted
```

If you run into the following error, disable the network interface and then re-enable it, and the VM boots normally:

```
==> database: Booting VM...
There was an error while executing `VBoxManage`, a CLI used by Vagrant
for controlling VirtualBox. The command and stderr is shown below.

Command: ["startvm", "88f579c3-a16b-43b3-8274-068595e7d94e", "--type", "headless"]

Stderr: VBoxManage.exe: error: Failed to open/create the internal network 'HostInterfaceNetworking-VirtualBox Host-Only Ethernet Adapter #3' (VERR_INTNET_FLT_IF_NOT_FOUND).
VBoxManage.exe: error: Failed to attach the network LUN (VERR_INTNET_FLT_IF_NOT_FOUND)
VBoxManage.exe: error: Details: code E_FAIL (0x80004005), component ConsoleWrap, interface IConsole
```

Running vagrant putty opens two PuTTY windows, one connected to each machine. Seeing the shared directory below means everything is in order:

```
$ df |grep shared
home_vagrant_shared 139957244 121128636  18828608  87% /home/vagrant/shared
```

Of the two, the machine whose hostname is localhost is CentOS; the one named database is Ubuntu and has MongoDB Enterprise installed.

The following commands connect to a specific host, or to all hosts:

```shell
vagrant putty infrastructure
vagrant putty database
vagrant putty
```

Chapter 1: Authentication

Authentication verifies identity (who you are); authorization verifies permissions (what you are allowed to do). Authorization builds on authentication.

Authentication mechanisms fall into two groups: user authentication and internal authentication.

MongoDB supports five user authentication mechanisms; the first three are available in the Community edition, the last two only in the Enterprise edition:

  1. SCRAM-SHA-1 - challenge/response authentication
  2. MONGODB-CR - challenge/response authentication
  3. X.509 - certificate authentication
  4. LDAP - external authentication
  5. Kerberos - external authentication

The first two are challenge/response mechanisms; the third is certificate-based.

Internal authentication, used between the nodes of a sharded cluster and between the members of a replica set, has two options:

  1. Keyfile (SCRAM-SHA-1)
  2. X.509

Authentication Mechanisms

SCRAM-SHA-1 is the default authentication mechanism. "Challenge/response" here simply means username and password.

MONGODB-CR is deprecated (as of MongoDB 3.0) and has been superseded by SCRAM-SHA-1.

X.509 was introduced in MongoDB 2.6; it is certificate-based and runs over a TLS connection.

LDAP (Lightweight Directory Access Protocol) is Enterprise-only and uses a directory service. It is an external authentication mechanism, meaning the user's credentials are stored outside MongoDB.

Kerberos, developed at MIT, is likewise Enterprise-only and likewise an external mechanism.

Now the internal authentication mechanisms, that is, authentication between replica set members and between sharded cluster nodes: either a keyfile (SCRAM-SHA-1) or X.509. The earlier example used the former.

A keyfile (SCRAM-SHA-1) is a shared secret that must be copied to every member: 6 to 1024 base64 characters, with whitespace ignored.
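
As an added example (my own Python, not part of the course material), here is a small checker that applies those keyfile rules, generates keyfile text the way the usual `openssl rand -base64 756` does (756 random bytes encode to 1008 base64 characters, safely under the 1024 limit), and checks the file permissions mongod insists on: no group or other access, otherwise mongod refuses to start. The temp-file round trip at the end is only there to exercise the checks.

```python
import base64
import os
import re
import stat
import tempfile

# Rules from the notes: 6 to 1024 base64 characters, whitespace ignored.
MIN_KEY_CHARS = 6
MAX_KEY_CHARS = 1024
_BASE64_RE = re.compile(r"^[A-Za-z0-9+/=]+$")


def check_keyfile_contents(text):
    """Return (ok, reason) for the text of a MongoDB keyFile.
    All whitespace (spaces, newlines) is stripped before checking, as mongod does."""
    stripped = "".join(text.split())
    if not stripped:
        return False, "keyfile is empty"
    if not _BASE64_RE.match(stripped):
        return False, "keyfile contains characters outside the base64 alphabet"
    n = len(stripped)
    if n < MIN_KEY_CHARS:
        return False, f"keyfile has {n} characters, minimum is {MIN_KEY_CHARS}"
    if n > MAX_KEY_CHARS:
        return False, f"keyfile has {n} characters, maximum is {MAX_KEY_CHARS}"
    return True, "ok"


def generate_keyfile_text(num_random_bytes=756):
    """Random bytes, base64-encoded and wrapped at 64 columns, like `openssl rand -base64 756`."""
    encoded = base64.b64encode(os.urandom(num_random_bytes)).decode("ascii")
    return "\n".join(encoded[i:i + 64] for i in range(0, len(encoded), 64)) + "\n"


def check_keyfile_permissions(path):
    """mongod rejects a keyfile that is readable by group or other."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & 0o077:
        return False, f"mode {oct(mode)} grants group/other access; use 0400 or 0600"
    return True, "ok"


def write_keyfile(path, text):
    """Create the file owner-only, as `chmod 400 keyfile` would leave it."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as f:
        f.write(text)
    os.chmod(path, 0o400)


def keyfile_roundtrip_ok():
    """Generate, write and re-check a keyfile in a temp dir, then confirm that a
    world-readable copy is rejected. Returns True when both checks behave as expected."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "keyfile")
        write_keyfile(path, generate_keyfile_text())
        with open(path) as f:
            ok_contents, _ = check_keyfile_contents(f.read())
        ok_perms, _ = check_keyfile_permissions(path)
        os.chmod(path, 0o644)  # simulate a sloppy copy to another member
        bad_perms, _ = check_keyfile_permissions(path)
        return ok_contents and ok_perms and not bad_perms


if __name__ == "__main__":
    print("contents of a generated keyfile:", check_keyfile_contents(generate_keyfile_text()))
    print("round trip with permission checks:", keyfile_roundtrip_ok())
```

Remember that the keyfile is also the credential the cluster members authenticate each other with, so copying it to every member is exactly the step where it tends to leak (world-readable copies, shared folders, shell history); the permission check above is the cheap guard against the first of those.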

X.509 is certificate-based; each member should use its own certificate, so that if one server is compromised the impact is as small as possible.

The Localhost Exception

First start mongod with authentication enabled:

```shell
$ sudo mongod --auth --dbpath /var/lib/mongo
```

You can connect, but since you are not authenticated you cannot run commands:

```
$ mongo
MongoDB shell version v4.4.2
connecting to: mongodb://127.0.0.1:27017/?compressors=disabled&gssapiServiceName=mongodb
Implicit session: session { "id" : UUID("9f347582-9704-4806-8556-f7c1cca20c71") }
MongoDB server version: 4.4.2
> db.hostInfo()
{
        "ok" : 0,
        "errmsg" : "not authorized on admin to execute command { hostInfo: 1.0, lsid: { id: UUID(\"9f347582-9704-4806-8556-f7c1cca20c71\") }, $db: \"admin\" }",
        "code" : 13,
        "codeName" : "Unauthorized"
}
```

Next, create a user and give it administrative privileges:

```
> use admin
switched to db admin
> db.createUser({user: 'xiaoyu', pwd: 'password', roles: [{role: 'userAdminAnyDatabase', db: "admin"}]})
Successfully added user: {
        "user" : "xiaoyu",
        "roles" : [
                {
                        "role" : "userAdminAnyDatabase",
                        "db" : "admin"
                }
        ]
}

# Only the first user can be created this way
> db.createUser({user: 'xiaoxiao', pwd: 'password', roles: [{role: 'userAdminAnyDatabase', db: "admin"}]})
uncaught exception: Error: couldn't add user: command createUser requires authentication :
_getErrorWithCode@src/mongo/shell/utils.js:25:13
DB.prototype.createUser@src/mongo/shell/db.js:1366:11
@(shell):1:1
```

Next, authenticate:

```
> db.auth('xiaoyu', 'password')
1
> db.system.users.find()
{ "_id" : "admin.xiaoyu", "userId" : UUID("97f48666-fe25-4331-8ef3-75ae1b367012"), "user" : "xiaoyu", "db" : "admin", "credentials" : { "SCRAM-SHA-1" : { "iterationCount" : 10000, "salt" : "YP5P247FBW37k7BCVW7Z/w==", "storedKey" : "7xt8dd5PdhfT/gAqmKJ9dXSJUPU=", "serverKey" : "zDLZj/POc0NdkqU9SsU+o1QOVVs=" }, "SCRAM-SHA-256" : { "iterationCount" : 15000, "salt" : "0r2TCYgRB50RcO6zWDVpN2iXVzrJbR9B5g6LGg==", "storedKey" : "2e/v1APunHQhN9CiWf7uOekt7ABnnXUdHlk9Ak5SaG0=", "serverKey" : "lYfwTjsRZ5xlmXDLlMa52jNsex8N2HnSyldYkqgoa1Y=" } }, "roles" : [ { "role" : "userAdminAnyDatabase", "db" : "admin" } ] }
```

You can also authenticate from the command line:

```
$ mongo --authenticationDatabase admin --username xiaoyu --password password
MongoDB shell version v4.4.2
connecting to: mongodb://127.0.0.1:27017/?authSource=admin&compressors=disabled&gssapiServiceName=mongodb
Implicit session: session { "id" : UUID("5e394319-c384-4afb-993c-1a6661cb03d1") }
MongoDB server version: 4.4.2
> show dbs
admin   0.000GB
config  0.000GB
local   0.000GB
```

In short, the localhost exception only works from the local host, only allows creating a user, and only lets you create one user. It applies to sharded clusters and replica sets as well.

The two VMs take up 3.1 GB of disk; including their base OS images, about 4 GB in total.

Authentication Methods

--authenticationDatabase selects the database to authenticate against, but the database you land in is still the default, test:

```
$ mongo --authenticationDatabase admin --username xiaoyu --password password
> db.getName()
test
> show dbs
# reports an authentication failure!
```

Without --authenticationDatabase, authentication is attempted against the default database test, and fails:

```
$ mongo -u xiaoyu -p password
# authentication fails immediately
```

Naming the target database on the command line succeeds:

```
$ mongo admin -u xiaoyu -p password
> db.getName()
admin
```

Connecting to test instead fails, because no such user exists in test:

```
$ mongo test -u xiaoyu -p password
{"t":{"$date":"2020-12-28T04:49:12.175+00:00"},"s":"I",  "c":"ACCESS",   "id":20251,   "ctx":"conn6","msg":"Supported SASL mechanisms requested for unknown user","attr":{"user":"xiaoyu@test"}}
{"t":{"$date":"2020-12-28T04:49:12.176+00:00"},"s":"I",  "c":"ACCESS",   "id":20249,   "ctx":"conn6","msg":"Authentication failed","attr":{"mechanism":"SCRAM-SHA-256","principalName":"xiaoyu","authenticationDatabase":"test","client":"127.0.0.1:49010","result":"UserNotFound: Could not find user \"xiaoyu\" for db \"test\""}}
{"t":{"$date":"2020-12-28T04:49:12.177+00:00"},"s":"I",  "c":"ACCESS",   "id":20249,   "ctx":"conn6","msg":"Authentication failed","attr":{"mechanism":"SCRAM-SHA-1","principalName":"xiaoyu","authenticationDatabase":"test","client":"127.0.0.1:49010","result":"UserNotFound: Could not find user \"xiaoyu\" for db \"test\""}}
{"t":{"$date":"2020-12-28T04:49:12.188+00:00"},"s":"I",  "c":"NETWORK",  "id":22944,   "ctx":"conn6","msg":"Connection ended","attr":{"remote":"127.0.0.1:49010","connectionId":6,"connectionCount":0}}
Error: Authentication failed. :
connect@src/mongo/shell/mongo.js:374:17
```
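
Those structured JSON log lines are what you would monitor for failed logins. As an added example (my own Python, not part of the course), here is a parser that pulls the "Authentication failed" events (log id 20249) out of such lines, groups them by client IP, user and authentication database, counts distinct connections rather than raw lines (as the two lines above show, one login attempt logs two failures because the shell tries SCRAM-SHA-256 and then SCRAM-SHA-1), and flags sources with repeated failures. The first four sample lines are the ones quoted above; the last two are constructed for the example to show a second client with two failed connections.

```python
import json

# mongod 4.4 structured-log id for "Authentication failed" (see the log lines in the notes)
AUTH_FAILED_ID = 20249

# Lines 1-4: the mongod log lines quoted above. Lines 5-6: constructed for this example.
SAMPLE_LOG = r'''
{"t":{"$date":"2020-12-28T04:49:12.175+00:00"},"s":"I",  "c":"ACCESS",   "id":20251,   "ctx":"conn6","msg":"Supported SASL mechanisms requested for unknown user","attr":{"user":"xiaoyu@test"}}
{"t":{"$date":"2020-12-28T04:49:12.176+00:00"},"s":"I",  "c":"ACCESS",   "id":20249,   "ctx":"conn6","msg":"Authentication failed","attr":{"mechanism":"SCRAM-SHA-256","principalName":"xiaoyu","authenticationDatabase":"test","client":"127.0.0.1:49010","result":"UserNotFound: Could not find user \"xiaoyu\" for db \"test\""}}
{"t":{"$date":"2020-12-28T04:49:12.177+00:00"},"s":"I",  "c":"ACCESS",   "id":20249,   "ctx":"conn6","msg":"Authentication failed","attr":{"mechanism":"SCRAM-SHA-1","principalName":"xiaoyu","authenticationDatabase":"test","client":"127.0.0.1:49010","result":"UserNotFound: Could not find user \"xiaoyu\" for db \"test\""}}
{"t":{"$date":"2020-12-28T04:49:12.188+00:00"},"s":"I",  "c":"NETWORK",  "id":22944,   "ctx":"conn6","msg":"Connection ended","attr":{"remote":"127.0.0.1:49010","connectionId":6,"connectionCount":0}}
{"t":{"$date":"2020-12-28T04:52:01.000+00:00"},"s":"I",  "c":"ACCESS",   "id":20249,   "ctx":"conn7","msg":"Authentication failed","attr":{"mechanism":"SCRAM-SHA-256","principalName":"admin","authenticationDatabase":"admin","client":"10.0.0.5:51234","result":"AuthenticationFailed: SCRAM authentication failed, storedKey mismatch"}}
{"t":{"$date":"2020-12-28T04:52:03.000+00:00"},"s":"I",  "c":"ACCESS",   "id":20249,   "ctx":"conn8","msg":"Authentication failed","attr":{"mechanism":"SCRAM-SHA-256","principalName":"admin","authenticationDatabase":"admin","client":"10.0.0.5:51240","result":"AuthenticationFailed: SCRAM authentication failed, storedKey mismatch"}}
'''


def parse_auth_failures(log_text):
    """Return one dict per 'Authentication failed' event found in JSON log text."""
    events = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip non-JSON lines, e.g. shell output mixed into the capture
        if rec.get("c") != "ACCESS" or rec.get("id") != AUTH_FAILED_ID:
            continue
        attr = rec.get("attr", {})
        client = attr.get("client", "")
        events.append({
            "time": rec["t"]["$date"],
            "conn": rec.get("ctx"),
            "client_ip": client.rsplit(":", 1)[0],  # drop the ephemeral source port
            "principal": attr.get("principalName"),
            "auth_db": attr.get("authenticationDatabase"),
            "mechanism": attr.get("mechanism"),
            "result": attr.get("result", ""),
        })
    return events


def summarize_attempts(events):
    """Group failures by (client IP, principal, auth DB), counting distinct connections,
    since one connection logs a failure per mechanism it tries."""
    summary = {}
    for e in events:
        key = (e["client_ip"], e["principal"], e["auth_db"])
        s = summary.setdefault(key, {"connections": set(), "mechanisms": set(), "reasons": set()})
        s["connections"].add(e["conn"])
        s["mechanisms"].add(e["mechanism"])
        s["reasons"].add(e["result"].split(":", 1)[0])  # the error code before the colon
    return summary


def flag_repeated(summary, threshold=2):
    """Return the (ip, user, db) keys with at least `threshold` failed connections."""
    return sorted(k for k, s in summary.items() if len(s["connections"]) >= threshold)


if __name__ == "__main__":
    summary = summarize_attempts(parse_auth_failures(SAMPLE_LOG))
    for key, s in summary.items():
        print(key, len(s["connections"]), "connection(s)", sorted(s["reasons"]))
    print("flagged:", flag_repeated(summary))
```

The reason code is the useful field for triage: UserNotFound against the wrong authentication database is the misconfiguration described in these notes, whereas a run of storedKey mismatches for a real user from one address is what password guessing looks like.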

You can also connect first and authenticate afterwards:

```
$ mongo
> use admin
switched to db admin
> db.auth('xiaoyu', 'password')
1
> show dbs
admin   0.000GB
config  0.000GB
local   0.000GB
```

Create a new user in the test database:

```
> use test
switched to db test
> db.createUser({user: 'user01', pwd: 'password', roles: ["readWrite", "dbAdmin"]})
Successfully added user: { "user" : "user01", "roles" : [ "readWrite", "dbAdmin" ] }
```

Logging in to test with this user succeeds; logging in to admin fails:

```shell
$ mongo test -u user01 -p password
$ mongo admin -u user01 -p password
```

Authentication on Sharded Clusters

This section introduces a tool, mtools:

```shell
$ git clone https://github.com/rueckstiess/mtools.git
```

For installation, see the mtools project documentation.

It can quickly bring up a sharded cluster with replica sets. Stop any other mongod service first to avoid port conflicts:

```
$ mlaunch init --sharded 3 --replicaset --nodes 3 --config 3 --auth
launching: "mongod" on port 27018
launching: "mongod" on port 27019
launching: "mongod" on port 27020
launching: "mongod" on port 27021
launching: "mongod" on port 27022
launching: "mongod" on port 27023
launching: "mongod" on port 27024
launching: "mongod" on port 27025
launching: "mongod" on port 27026
launching: config server on port 27027
launching: config server on port 27028
launching: config server on port 27029
replica set 'configRepl' initialized.
replica set 'shard01' initialized.
replica set 'shard02' initialized.
replica set 'shard03' initialized.
launching: mongos on port 27017
adding shards. can take up to 30 seconds...
sent signal Signals.SIGTERM to 13 processes.
launching: config server on port 27027
launching: config server on port 27028
launching: config server on port 27029
launching: "mongod" on port 27018
launching: "mongod" on port 27019
launching: "mongod" on port 27020
launching: "mongod" on port 27021
launching: "mongod" on port 27022
launching: "mongod" on port 27023
launching: "mongod" on port 27024
launching: "mongod" on port 27025
launching: "mongod" on port 27026
launching: mongos on port 27017
Username "user", password "password"
```

The location of the keyFile can be read off the process list:

```
$ ps -ef|grep mongo
...
vagrant   5617     1  2 08:02 ?        00:00:07 mongod --replSet shard03 --dbpath /home/vagrant/mtools/data/shard03/rs3/db --logpath /home/vagrant/mtools/data/shard03/rs3/mongod.log --port 27026 --fork --keyFile /home/vagrant/mtools/data/keyfile --shardsvr --wiredTigerCacheSizeGB 1
vagrant   5795     1  1 08:02 ?        00:00:04 mongos --logpath /home/vagrant/mtools/data/mongos.log --port 27017 --configdb configRepl/localhost:27027,localhost:27028,localhost:27029 --keyFile /home/vagrant/mtools/data/keyfile --fork
```

Verify the login:

```
$ mongo
mongos> db.system.users.find()
Error: error: {
        "ok" : 0,
        "errmsg" : "command find requires authentication",
        "code" : 13,
        "codeName" : "Unauthorized",
        "operationTime" : Timestamp(1609142982, 14),
        "$clusterTime" : {
                "clusterTime" : Timestamp(1609142982, 14),
                "signature" : {
                        "hash" : BinData(0,"94k9tXIieH+lvIwvgKKnTzI98a4="),
                        "keyId" : NumberLong("6911214218830151701")
                }
        }
}
mongos> use admin
switched to db admin
mongos> db.auth('user', 'password')
1
mongos> db.system.users.find()
{ "_id" : "admin.user", "userId" : UUID("d59eb9a3-795f-48e9-a36f-5c7dcbbdf3ce"), "user" : "user", "db" : "admin", "credentials" : { "SCRAM-SHA-1" : { "iterationCount" : 10000, "salt" : "jFlNKaCXQQjBm1xwVApGlw==", "storedKey" : "5HWswxEWhXTwfvVCZlNfZmUQlUI=", "serverKey" : "HOySUF9fwAO0//8mc3J3TavsjWg=" } }, "roles" : [ { "role" : "dbAdminAnyDatabase", "db" : "admin" }, { "role" : "readWriteAnyDatabase", "db" : "admin" }, { "role" : "userAdminAnyDatabase", "db" : "admin" }, { "role" : "clusterAdmin", "db" : "admin" } ] }
```

Enabling SCRAM-SHA-1

SCRAM-SHA-1 is the default mechanism; on the server it is enabled with mongod --auth or with the following configuration file setting:

```yaml
security:
  authorization: 'enabled'
```

Homework 1.1 : Enable SCRAM-SHA-1

Start mongod without auth and create a user:

```
MongoDB Enterprise > use admin
switched to db admin
MongoDB Enterprise > db.createUser({user: 'alice', pwd: 'secret', roles: ['root']})
Successfully added user: { "user" : "alice", "roles" : [ "root" ] }
```

Then restart mongod in auth mode and work out which of the following commands are correct:

```shell
mongo admin --eval "db.auth('alice', 'secret');db.runCommand({getParameter: 1, authenticationMechanisms: 1})"

mongo -u alice -p secret --eval "db.runCommand({getParameter: 1, authenticationMechanisms: 1})" --authenticationDatabase admin

mongo -u alice -p secret --eval "db=db.getSisterDB('admin');db.runCommand({getParameter: 1, authenticationMechanisms: 1})" --authenticationDatabase admin

mongo -u alice -p secret --eval "db.runCommand({getParameter: 1, authenticationMechanisms: 1})"

mongo admin -u alice -p secret --eval "db.runCommand({getParameter: 1, authenticationMechanisms: 1})"

mongo --eval "db.runCommand({getParameter: 1, authenticationMechanisms: 1})"
```

Here is one worked example; note that getParameter can only be run against the admin database:

```
$ mongo admin --eval "db.auth('alice', 'secret');db.runCommand({getParameter: 1, authenticationMechanisms: 1})"
MongoDB shell version: 3.2.22
connecting to: admin
2020-12-28T09:37:24.306+0000 I NETWORK  [initandlisten] connection accepted from 127.0.0.1:47280 #1 (1 connection now open)
2020-12-28T09:37:24.345+0000 I ACCESS   [conn1] Successfully authenticated as principal alice on admin
{
        "authenticationMechanisms" : [
                "MONGODB-CR",
                "MONGODB-X509",
                "SCRAM-SHA-1"
        ],
        "ok" : 1
}
2020-12-28T09:37:24.353+0000 I NETWORK  [conn1] end connection 127.0.0.1:47280 (0 connections now open)
```

Enabling X.509

X.509 certificates require a secure TLS connection.

The following command shows whether the build supports TLS; look at the OpenSSL line:

```
$ mongod --version
db version v3.2.22
git version: 105acca0d443f9a47c1a5bd608fd7133840a58dd
OpenSSL version: OpenSSL 1.0.1f 6 Jan 2014
allocator: tcmalloc
modules: enterprise
build environment:
    distmod: ubuntu1404
    distarch: x86_64
    target_arch: x86_64
```

Enabling LDAP

LDAP = Lightweight Directory Access Protocol

The client connects to MongoDB through a driver, and MongoDB contacts the LDAP server through the saslauthd proxy service.

```
$ sudo apt-get install sasl2-bin
Reading package lists... Done
Building dependency tree
Reading state information... Done
sasl2-bin is already the newest version.
```

The configuration file is /etc/default/saslauthd.

```shell
# start mongod requiring TLS with a server certificate and the CA that signed the client certificates
mongod --sslMode requireSSL --sslPEMKeyFile server.pem --sslCAFile ca.pem
# print the client certificate's subject in RFC 2253 form (this is the X.509 user name in MongoDB)
openssl x509 -in client.pem -inform PEM -subject -nameopt RFC2253 -noout
# connect with the client certificate over TLS
mongo --ssl --sslPEMKeyFile client.pem --sslCAFile ca.pem
```
```
$ openssl req -x509 -nodes -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365
Generating a 4096 bit RSA private key
.......................................................................................................................++
.........................................................................................................................................................................................................................................................................................................++
writing new private key to 'key.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:New York
Locality Name (eg, city) []:New York City
Organization Name (eg, company) [Internet Widgits Pty Ltd]:MongoDB
Organizational Unit Name (eg, section) []:KernelUser
Common Name (e.g. server FQDN or YOUR name) []:client
Email Address []:
vagrant@database:~/work$ ls -l
total 8
-rw-rw-r-- 1 vagrant vagrant 2037 Dec 29 02:46 cert.pem
-rw-rw-r-- 1 vagrant vagrant 3272 Dec 29 02:46 key.pem
```
```
    mongod-m034: + echo 'Installing BI Connector'
    mongod-m034: + mkdir -p /home/vagrant/biconnector
    mongod-m034: + curl -o mongo-bi.tgz https://s3.amazonaws.com/mciuploads/sqlproxy/binaries/linux/mongodb-bi-linux-x86_64-ubuntu1404-v2.0.0-beta5-7-g048ac56.tgz
    mongod-m034:   % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
    mongod-m034:                                  Dload  Upload   Total   Spent    Left  Speed
    mongod-m034:   0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
    mongod-m034:   0     0    0     0    0     0      0      0 --:--:--  0:00:01 --:--:--     0
    mongod-m034: 100   243    0   243    0     0    123      0 --:--:--  0:00:01 --:--:--   123
    mongod-m034: + tar xf mongo-bi.tgz -C /home/vagrant/biconnector
    mongod-m034: tar: This does not look like a tar archive
    mongod-m034:
    mongod-m034: gzip: stdin: not in gzip format
    mongod-m034: tar: Child returned status 1
    mongod-m034: tar: Error is not recoverable: exiting now
The SSH command responded with a non-zero exit status. Vagrant
assumes that this means the command failed. The output for this command
should be in the log above. Please read the output to determine what
went wrong.
```
```
{ unauthorizedStatus: {"set":"TO_BE_SECURED","date":"2020-12-29T08:31:50.657Z","myState":1,"term":{"floatApprox":5},"heartbeatIntervalMillis":{"floatApprox":2000},"members":[{"_id":1,"name":"database.m310.mongodb.university:31120","health":1,"state":1,"stateStr":"PRIMARY","uptime":922,"optime":{"ts":{"t":1609229915,"i":4},"t":{"floatApprox":5}},"optimeDate":"2020-12-29T08:18:35.000Z","electionTime":{"t":1609229799,"i":1},"electionDate":"2020-12-29T08:16:39.000Z","configVersion":1,"self":true},{"_id":2,"name":"database.m310.mongodb.university:31121","health":1,"state":2,"stateStr":"SECONDARY","uptime":916,"optime":{"ts":{"t":1609229915,"i":4},"t":{"floatApprox":5}},"optimeDate":"2020-12-29T08:18:35.000Z","lastHeartbeat":"2020-12-29T08:31:50.149Z","lastHeartbeatRecv":"2020-12-29T08:31:50.197Z","pingMs":{"floatApprox":0},"syncingTo":"database.m310.mongodb.university:31120","configVersion":1},{"_id":3,"name":"database.m310.mongodb.university:31122","health":1,"state":2,"stateStr":"SECONDARY","uptime":916,"optime":{"ts":{"t":1609229915,"i":4},"t":{"floatApprox":5}},"optimeDate":"2020-12-29T08:18:35.000Z","lastHeartbeat":"2020-12-29T08:31:50.150Z","lastHeartbeatRecv":"2020-12-29T08:31:49.852Z","pingMs":{"floatApprox":0},"syncingTo":"database.m310.mongodb.university:31120","configVersion":1}],"ok":1}, memberStatuses: ["PRIMARY","SECONDARY","SECONDARY"] }
```