MongoDB security tutorial

Learn MongoDB security: authentication and authorization, encryption, access control and security best practices, to protect your MongoDB database.

1. Authentication and authorization

By default MongoDB runs without authentication, so anyone who can reach it can access the database. To protect the data, enable an authentication mechanism and grant each user appropriate permissions.

1.1 Enabling authentication

Steps to enable authentication:

# 1. Start MongoDB without authentication (first run only)
mongod --dbpath /data/db

# 2. Connect to MongoDB and create the administrator user
#    (on MongoDB 6.0+ the legacy mongo shell is replaced by mongosh)
mongo
use admin
db.createUser({
  user: "admin",
  pwd: "adminPassword",
  roles: [{ role: "userAdminAnyDatabase", db: "admin" }]
});

# 3. Restart MongoDB with authentication enabled
mongod --dbpath /data/db --auth

# 4. Connect as the administrator user
mongo -u admin -p adminPassword --authenticationDatabase admin

1.2 Built-in roles

MongoDB provides a number of built-in roles for access control at different levels:

Role type                       Role names                                                  Description
Database user roles             read, readWrite                                             read or read/write access to a given database
Database administration roles   dbAdmin, dbOwner, userAdmin                                 administrative privileges on a given database
Cluster administration roles    clusterAdmin, clusterManager, clusterMonitor, hostManager   cluster administration privileges
Backup and restore roles        backup, restore                                             privileges to back up and restore data
Superuser role                  root                                                        all privileges

1.3 Creating users

// Create a database user
use mydatabase
db.createUser({
  user: "appUser",
  pwd: "appPassword",
  roles: [{ role: "readWrite", db: "mydatabase" }]
});

// Create a read-only user
use mydatabase
db.createUser({
  user: "readUser",
  pwd: "readPassword",
  roles: [{ role: "read", db: "mydatabase" }]
});

// Create a user with several roles
use admin
db.createUser({
  user: "opsUser",
  pwd: "opsPassword",
  roles: [
    { role: "readWrite", db: "mydatabase" },
    { role: "clusterMonitor", db: "admin" }
  ]
});
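Once users exist, the grants should be reviewed against least privilege. The script below is an added example, not code from the original tutorial: it walks the result of `db.getUsers()` (the `usersInfo` shape, either the bare array returned by the legacy shell or the `{ users: [...] }` document returned by mongosh) and flags cluster-wide roles, roles that let a user grant itself more privileges, and role-less accounts; `SAMPLE_USERS` and `APP_DBS` are constructed data so it runs offline.

```javascript
// Added example, not code from the original tutorial: review db.getUsers()
// output for grants that exceed least privilege. Against a live server:
//   reviewUsers(db.getSiblingDB("admin").getUsers(), new Set(["mydatabase"]))
// SAMPLE_USERS below is constructed data so the check runs offline.

// Roles that reach every database or the whole cluster; only break-glass
// accounts should hold them.
const CLUSTER_WIDE_ROLES = new Set([
  "root", "userAdminAnyDatabase", "dbAdminAnyDatabase", "readWriteAnyDatabase",
  "readAnyDatabase", "clusterAdmin", "clusterManager", "hostManager",
  "backup", "restore",
]);

// getUsersResult: array of user docs, or { users: [ { user, db, roles: [ { role, db } ] } ] }
// appDbs: Set of application database names that ordinary users may touch.
// Returns one finding { user, db, role, reason } per risky grant.
function reviewUsers(getUsersResult, appDbs) {
  const users = Array.isArray(getUsersResult) ? getUsersResult : getUsersResult.users;
  const findings = [];
  for (const u of users) {
    if (u.roles.length === 0) {
      findings.push({ user: u.user, db: u.db, role: null,
        reason: "account has no roles: probably unused, remove it" });
    }
    for (const r of u.roles) {
      if (CLUSTER_WIDE_ROLES.has(r.role)) {
        findings.push({ user: u.user, db: u.db, role: r.role,
          reason: "cluster-wide role, restrict to break-glass accounts" });
      } else if ((r.role === "userAdmin" || r.role === "dbOwner") && appDbs.has(r.db)) {
        // dbOwner includes userAdmin; both can grant further roles on that database
        findings.push({ user: u.user, db: u.db, role: r.role,
          reason: "can grant itself more privileges on " + r.db });
      }
    }
  }
  return findings;
}

// Constructed sample in the shape of db.getUsers() output
const SAMPLE_USERS = {
  users: [
    { user: "admin", db: "admin", roles: [{ role: "userAdminAnyDatabase", db: "admin" }] },
    { user: "appUser", db: "mydatabase", roles: [{ role: "readWrite", db: "mydatabase" }] },
    { user: "legacyUser", db: "mydatabase", roles: [{ role: "dbOwner", db: "mydatabase" }] },
    { user: "oldReport", db: "reports", roles: [] },
  ],
};
const APP_DBS = new Set(["mydatabase", "reports"]);
```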

2. Encryption

Encryption is an important measure for protecting MongoDB data; it covers encryption in transit and encryption at rest.

2.1 Encryption in transit (TLS/SSL)

Configure MongoDB to use TLS/SSL to encrypt the communication between clients and the server:

# 1. Generate a self-signed certificate, with key and certificate in one PEM file
openssl req -newkey rsa:2048 -new -x509 -days 365 -nodes -out mongodb.pem -keyout mongodb.pem

# 2. Configure MongoDB to use TLS
#    (on MongoDB 4.2+ the --ssl* options are deprecated aliases of --tlsMode requireTLS and --tlsCertificateKeyFile)
mongod --dbpath /data/db --auth --sslMode requireSSL --sslPEMKeyFile /path/to/mongodb.pem

# 3. Connect using TLS; with a self-signed certificate the same file serves as the CA file
mongo --ssl -u admin -p adminPassword --authenticationDatabase admin --sslCAFile /path/to/mongodb.pem

2.2 Encryption at rest

MongoDB Enterprise supports encryption at rest, which protects the data stored on disk:

# Enable encryption at rest
mongod --dbpath /data/db --auth --enableEncryption --encryptionKeyFile /path/to/keyfile

Note: encryption at rest is only available in MongoDB Enterprise. Community Edition users can protect data with operating-system-level (disk or filesystem) encryption instead.

2.3 Key management

  • Use strong, randomly generated keys
  • Rotate keys regularly
  • Store key files securely, with file permissions set to 600
  • Consider using a hardware security module (HSM) to manage keys

3. Access control

Beyond authentication and authorization, access to MongoDB should also be restricted with network access controls and firewall rules.

3.1 Network binding

Restrict MongoDB to listening only on specific network interfaces:

# Listen only on the loopback interface
mongod --dbpath /data/db --auth --bind_ip 127.0.0.1

# Listen on several interfaces
mongod --dbpath /data/db --auth --bind_ip 127.0.0.1,192.168.1.100

Warning: do not use --bind_ip_all in production; it makes MongoDB accept connections on every network interface.

3.2 Firewall rules

Use a firewall to restrict access to the MongoDB port (27017 by default):

# Linux iptables example: allow one subnet, drop everything else
iptables -A INPUT -p tcp --dport 27017 -s 192.168.1.0/24 -j ACCEPT
iptables -A INPUT -p tcp --dport 27017 -j DROP

# Windows firewall example (PowerShell)
New-NetFirewallRule -DisplayName "MongoDB" -Direction Inbound -LocalPort 27017 -Protocol TCP -Action Allow -RemoteAddress 192.168.1.0/24

3.3 Access control for replica sets and sharded clusters

For replica sets and sharded clusters you also need to:

  • Configure a keyfile for internal cluster communication
  • Ensure that all communication between nodes is authenticated
  • Restrict access to the config servers and the mongos routers

# Create the keyfile
openssl rand -base64 756 > mongodb-keyfile
chmod 600 mongodb-keyfile

# Use the same keyfile on every node
mongod --replSet rs0 --dbpath /data/db --auth --keyFile /path/to/mongodb-keyfile

4. Security best practices

Follow these security best practices to keep a MongoDB deployment secure:

4.1 Basic security measures

  • Always enable authentication: never allow unauthenticated access
  • Use strong passwords and rotate them regularly
  • Principle of least privilege: grant users only the permissions they need
  • Enable TLS/SSL: encrypt all network traffic
  • Restrict network access: use a firewall and bind to specific IP addresses

4.2 Operational security

  • Back up regularly: make sure the data can be restored
  • Monitor the audit log: track suspicious activity
  • Update regularly: install the latest security patches
  • Disable unnecessary services, such as the HTTP interface and the REST interface
  • Use a dedicated service account: do not run MongoDB as root

4.3 Application security

  • Parameterized queries: prevent injection attacks
  • Encrypt sensitive data, such as passwords and credit card information
  • Store credentials securely: do not hard-code passwords in source code
  • Validate input data: prevent malicious data injection
  • Limit the connection pool size: mitigate DoS attacks
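What "parameterized queries" and "validate input data" mean for MongoDB is shown below as an added example that is not part of the original tutorial: the filter-building step of a login lookup in an injectable form beside a hardened form. `body` stands for a JSON request body already parsed by the web framework (an assumption); the operator-injection failure mode is the one the bullets above warn about.

```javascript
// Added example, not code from the original tutorial: the filter-building step
// of a login lookup, the injectable form beside the hardened one. `body` stands
// for a JSON request body already parsed by the web framework (an assumption).

// INJECTABLE: the client-supplied value is placed straight into the filter.
// If the body is {"username": {"$ne": null}}, the equality match becomes an
// operator match and the filter selects every document instead of one user.
function buildLoginFilterUnsafe(body) {
  return { username: body.username };
}

class InvalidInput extends Error {}

// HARDENED: only a bounded, non-empty primitive string is accepted, and it is
// wrapped in $eq so the value is always compared literally. The password is
// verified against its stored hash in application code, never inside the query.
function buildLoginFilterSafe(body) {
  const username = body.username;
  if (typeof username !== "string" || username.length === 0 || username.length > 64) {
    throw new InvalidInput("username must be a non-empty string of at most 64 characters");
  }
  return { username: { $eq: username } };
}

// Generic guard for user-supplied values before they go into a filter: true if
// an operator key (one starting with "$") appears anywhere in the value tree.
function containsOperator(value) {
  if (Array.isArray(value)) return value.some(containsOperator);
  if (value !== null && typeof value === "object") {
    return Object.keys(value).some((k) => k.startsWith("$") || containsOperator(value[k]));
  }
  return false;
}
```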

4.4 Security audits

Perform security audits regularly and check:

  • whether user permissions are appropriate
  • whether there are unused user accounts
  • whether the security configuration follows best practices
  • whether there are suspicious access patterns

# Enable the audit log (Enterprise feature), written as JSON lines
mongod --dbpath /data/db --auth --auditDestination file --auditFormat JSON --auditPath /path/to/audit.log
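The JSON audit file enabled above is what the "suspicious access patterns" check runs over. The following is an added example, not code from the original tutorial: a small detector that reads audit events (`atype`, `ts`, `remote`, `param`, `result`, as written by the audit file), alerts when one source IP accumulates repeated failed authentications, and lists user or role changes made from anywhere other than the management hosts. The log lines, IPs and user names are constructed sample data.

```javascript
// Added example, not code from the original tutorial: a detector over the JSON
// audit file enabled above. Each line is one event; "atype" names the action,
// "result" is 0 on success or the server error code on failure (18 is
// AuthenticationFailed). The lines below are constructed sample data, not a
// real capture; IPs and users are illustrative.
const SAMPLE_AUDIT_LINES = [
  '{"atype":"authenticate","ts":{"$date":"2024-05-01T10:00:01.000+00:00"},"remote":{"ip":"192.168.1.200","port":51000},"param":{"user":"financeApp","db":"finance","mechanism":"SCRAM-SHA-256"},"result":0}',
  '{"atype":"authenticate","ts":{"$date":"2024-05-01T10:00:02.000+00:00"},"remote":{"ip":"10.0.0.7","port":40001},"param":{"user":"admin","db":"admin","mechanism":"SCRAM-SHA-256"},"result":18}',
  '{"atype":"authenticate","ts":{"$date":"2024-05-01T10:00:05.000+00:00"},"remote":{"ip":"10.0.0.7","port":40002},"param":{"user":"admin","db":"admin","mechanism":"SCRAM-SHA-256"},"result":18}',
  '{"atype":"authenticate","ts":{"$date":"2024-05-01T10:00:09.000+00:00"},"remote":{"ip":"10.0.0.7","port":40003},"param":{"user":"admin","db":"admin","mechanism":"SCRAM-SHA-256"},"result":18}',
  '{"atype":"authenticate","ts":{"$date":"2024-05-01T10:00:30.000+00:00"},"remote":{"ip":"192.168.1.200","port":51001},"param":{"user":"financeApp","db":"finance","mechanism":"SCRAM-SHA-256"},"result":18}',
  '{"atype":"createUser","ts":{"$date":"2024-05-01T10:01:00.000+00:00"},"remote":{"ip":"192.168.1.201","port":52000},"param":{"user":"tmp","db":"finance"},"result":0}',
  '{"atype":"authenticate","ts":{"$date":"2024-05-01T10:05:00.000+00:00"},"remote":{"ip":"10.0.0.7","port":40004},"param":{"user":"admin","db":"admin","mechanism":"SCRAM-SHA-256"},"result":18}',
];

// Alert when one source IP accumulates `threshold` failed authentications
// within a sliding window of `windowMs` milliseconds.
function detectAuthFailures(lines, threshold = 3, windowMs = 60 * 1000) {
  const recent = new Map(); // source ip -> timestamps (ms) of recent failures
  const alerts = [];
  for (const line of lines) {
    const ev = JSON.parse(line);
    if (ev.atype !== "authenticate" || ev.result === 0) continue;
    const t = Date.parse(ev.ts.$date);
    const ip = ev.remote.ip;
    const hist = (recent.get(ip) || []).filter((x) => t - x <= windowMs);
    hist.push(t);
    recent.set(ip, hist);
    if (hist.length === threshold) {
      alerts.push({ ip, user: ev.param.user, db: ev.param.db, failures: hist.length, at: ev.ts.$date });
    }
  }
  return alerts;
}

// User and role changes should be rare and come only from the management hosts;
// list every such change that originated anywhere else.
const PRIVILEGE_EVENTS = new Set(["createUser", "dropUser", "updateUser", "grantRolesToUser",
  "revokeRolesFromUser", "createRole", "updateRole", "dropRole"]);
function privilegeChangesOutsideHosts(lines, allowedIps) {
  return lines.map((l) => JSON.parse(l))
    .filter((ev) => PRIVILEGE_EVENTS.has(ev.atype) && !allowedIps.has(ev.remote.ip))
    .map((ev) => ({ atype: ev.atype, ip: ev.remote.ip, user: ev.param.user, db: ev.param.db, at: ev.ts.$date }));
}
```

Against a real deployment, read `/path/to/audit.log` line by line and feed the lines to both functions; the thresholds are starting points to tune against normal login volume.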

5. Worked case: building a secure MongoDB deployment

Suppose we need to deploy MongoDB for a financial application and want the highest level of security. The steps are as follows:

5.1 Environment preparation

  • Use MongoDB Enterprise
  • Deploy in an isolated network environment
  • Configure a dedicated service account

5.2 Security configuration

# 1. Create the keyfile
openssl rand -base64 756 > mongodb-keyfile
chmod 600 mongodb-keyfile

# 2. Create the SSL certificate
openssl req -newkey rsa:2048 -new -x509 -days 365 -nodes -out mongodb.pem -keyout mongodb.pem

# 3. Start MongoDB with all security options enabled
mongod \
  --dbpath /data/db \
  --auth \
  --sslMode requireSSL \
  --sslPEMKeyFile /path/to/mongodb.pem \
  --bind_ip 192.168.1.100 \
  --keyFile /path/to/mongodb-keyfile \
  --enableEncryption \
  --encryptionKeyFile /path/to/encryption-keyfile \
  --auditDestination file \
  --auditFormat JSON \
  --auditPath /path/to/audit.log

5.3 User management

// 1. Create the administrator user
use admin
db.createUser({
  user: "admin",
  pwd: "StrongAdminPassword123!",
  roles: [{ role: "userAdminAnyDatabase", db: "admin" }]
});

// 2. Create the application user (least privilege)
use finance
db.createUser({
  user: "financeApp",
  pwd: "StrongAppPassword456!",
  roles: [{ role: "readWrite", db: "finance" }]
});

// 3. Create a read-only audit user
use admin
db.createUser({
  user: "auditor",
  pwd: "StrongAuditPassword789!",
  roles: [{ role: "readAnyDatabase", db: "admin" }]
});

5.4 Firewall configuration

# Allow access only from the application server and the management server; order matters, the DROP rule must come last
iptables -A INPUT -p tcp --dport 27017 -s 192.168.1.200 -j ACCEPT  # application server
iptables -A INPUT -p tcp --dport 27017 -s 192.168.1.201 -j ACCEPT  # management server
iptables -A INPUT -p tcp --dport 27017 -j DROP

6. Exercises

Question 1: What is MongoDB's default security state?

A. Authentication is enabled

B. TLS/SSL is enabled

C. No authentication; anyone can access the database

D. A firewall is enabled

Question 2: Which of the following is not a MongoDB built-in role?

A. readWrite

B. dbAdmin

C. clusterAdmin

D. superUser

Question 3: Which protocol is used for encryption in transit?

A. HTTP

B. TLS/SSL

C. FTP

D. SMTP

Question 4: What does the principle of least privilege mean?

A. Grant users only the minimum permissions they need

B. All users use the minimum permissions

C. Limit the number of users

D. Disable all advanced permissions

7. Recommended links