MongoDB University课程M310 MongoDB Security 学习笔记

环境准备

此课程需要两台虚机。因此需要提前安装Vagrant和VirtualBox，这些我已经有了。因此只需要下载课程提供的Vagrant文件m310-vagrant-env.zip就可以了。

解压文件，进入目录，运行以下命令即可：

$ cd m310-vagrant-env
$ vagrant plugin install vagrant-vbguest
$ vagrant up

注意需要先安装plugin，再运行vagrant up，如果顺序颠倒，会报以下错误

    infrastructure: /home/vagrant/shared => D:/MongoU/m310-vagrant-env/shared
Vagrant was unable to mount VirtualBox shared folders. This is usually
because the filesystem "vboxsf" is not available. This filesystem is
made available via the VirtualBox Guest Additions and kernel module.
Please verify that these guest additions are properly installed in the
guest. This is not a bug in Vagrant and is usually caused by a faulty
Vagrant box. For context, the command attempted was:mount -t vboxsf -o uid=1000,gid=1000 home_vagrant_shared /home/vagrant/sharedThe error output from the command was:mount: unknown filesystem type 'vboxsf'

或以下错误：

Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile* base: mirrors.neusoft.edu.cn* extras: mirrors.tuna.tsinghua.edu.cn* updates: mirrors.neusoft.edu.cn
No package kernel-devel-3.10.0-1127.el7.x86_64 available.
Error: Nothing to do
Unmounting Virtualbox Guest Additions ISO from: /mnt
umount: /mnt: not mounted
==> infrastructure: Checking for guest additions in VM...infrastructure: No guest additions were detected on the base box for this VM! Guestinfrastructure: additions are required for forwarded ports, shared folders, host onlyinfrastructure: networking, and more. If SSH fails on this machine, please installinfrastructure: the guest additions and repackage the box to continue.infrastructure:infrastructure: This is not an error message; everything may continue to work properly,infrastructure: in which case you may ignore this message.
The following SSH command responded with a non-zero exit status.
Vagrant assumes that this means the command failed!umount /mntStdout from the command:Stderr from the command:umount: /mnt: not mounted

如果遇到以下错误，可以禁用网络接口然后再启用，就好了：

==> database: Booting VM...
There was an error while executing `VBoxManage`, a CLI used by Vagrant
for controlling VirtualBox. The command and stderr is shown below.Command: ["startvm", "88f579c3-a16b-43b3-8274-068595e7d94e", "--type", "headless"]Stderr: VBoxManage.exe: error: Failed to open/create the internal network 'HostInterfaceNetworking-VirtualBox Host-Only Ethernet Adapter #3' (VERR_INTNET_FLT_IF_NOT_FOUND).
VBoxManage.exe: error: Failed to attach the network LUN (VERR_INTNET_FLT_IF_NOT_FOUND)
VBoxManage.exe: error: Details: code E_FAIL (0x80004005), component ConsoleWrap, interface IConsole

运行vagrant putty可以启动两个putty界面，分别连到两个机器，看到以下共享目录就表示没问题了：

$ df |grep shared
home_vagrant_shared 139957244 121128636  18828608  87% /home/vagrant/shared

其中主机名为localhost的是Centos，database的是Ubuntu，上面装了MongoDB企业版。

以下命令可连接指定的主机或所有主机：

vagrant putty infrastructure
vagrant putty database
vagrant putty

Chapter 1: Authentication

认证是验证身份（你是谁），鉴权是验证权限（你可以做什么）。鉴权又基于认证。

认证机制包括用户认证和内部认证。
MongoDB的用户认证有5种方式，前3种为社区版支持，后两种为企业版支持：

SCRAM-SHA-1 - Challenge/Response认证
MONGODB-CR - Challenge/Response认证
X.509 - 证书认证
LDAP - 外部认证
Kerberos -外部认证
前2种属于，第3种属于证书。

内部认证包括，如用于Sharding Cluster节点间，Replica Set间认证：

Keyfile （SCRAM-SHA-1）
X.509

Authentication Mechanisms

SCRAM-SHA-1是默认的认证方式。所谓Challenge/Response，其实就是用户名/口令。

MONGODB-CR过时了（MongoDB 3.0），被SCRAM-SHA-1取代。

X.509是MongoDB 2.6版本引入，基于证书，使用TLS连接。

LDAP即LightWeight Data Access Protocol，企业版专有，使用目录信息。是一种外部认证机制，也就是用户密码信息存于MongoDB外部。

Kerberos也是企业版专有，是MIT开发的，也是外部认证机制。

再来看内部认证机制。replica set和sharding cluster节点间的认证。使用Keyfile （SCRAM-SHA-1）或X.509。前面的例子中用了前者。

Keyfile （SCRAM-SHA-1）表示共享口令，需要拷贝到每一成员，6-1024 Base64字符，空格忽略。

X.509基于证书，建议每一成员使用不同的证书，这样如果一个服务器被攻破，影响最小。

The Localhost Exception

首先以认证方式启动mongod：

$ sudo mongod --auth --dbpath /var/lib/mongo

可以登录，因没有认证，因此无法执行命令：

$ mongo
MongoDB shell version v4.4.2
connecting to: mongodb://127.0.0.1:27017/?compressors=disabled&gssapiServiceName=mongodb
Implicit session: session { "id" : UUID("9f347582-9704-4806-8556-f7c1cca20c71") }
MongoDB server version: 4.4.2
> db.hostInfo()
{"ok" : 0,"errmsg" : "not authorized on admin to execute command { hostInfo: 1.0, lsid: { id: UUID(\"9f347582-9704-4806-8556-f7c1cca20c71\") }, $db: \"admin\" }","code" : 13,"codeName" : "Unauthorized"
}

接下来创建用户，赋予管理员权限：

> use admin
switched to db admin
> db.createUser({user: 'xiaoyu', pwd: 'password', roles: [{role: 'userAdminAnyDatabase', db: "admin"}]})
Successfully added user: {"user" : "xiaoyu","roles" : [{"role" : "userAdminAnyDatabase","db" : "admin"}]
}# 发现只有第一个用户可以创建成功
> db.createUser({user: 'xiaoxiao', pwd: 'password', roles: [{role: 'userAdminAnyDatabase', db: "admin"}]})
uncaught exception: Error: couldn't add user: command createUser requires authentication :
_getErrorWithCode@src/mongo/shell/utils.js:25:13
DB.prototype.createUser@src/mongo/shell/db.js:1366:11
@(shell):1:1

接下来认证：

> db.auth('xiaoyu', 'password')
1
> db.system.users.find()
{ "_id" : "admin.xiaoyu", "userId" : UUID("97f48666-fe25-4331-8ef3-75ae1b367012"), "user" : "xiaoyu", "db" : "admin", "credentials" : { "SCRAM-SHA-1" : { "iterationCount" : 10000, "salt" : "YP5P247FBW37k7BCVW7Z/w==", "storedKey" : "7xt8dd5PdhfT/gAqmKJ9dXSJUPU=", "serverKey" : "zDLZj/POc0NdkqU9SsU+o1QOVVs=" }, "SCRAM-SHA-256" : { "iterationCount" : 15000, "salt" : "0r2TCYgRB50RcO6zWDVpN2iXVzrJbR9B5g6LGg==", "storedKey" : "2e/v1APunHQhN9CiWf7uOekt7ABnnXUdHlk9Ak5SaG0=", "serverKey" : "lYfwTjsRZ5xlmXDLlMa52jNsex8N2HnSyldYkqgoa1Y=" } }, "roles" : [ { "role" : "userAdminAnyDatabase", "db" : "admin" } ] }

也可用命令行认证：

$ mongo --authenticationDatabase admin --username xiaoyu --password password
MongoDB shell version v4.4.2
connecting to: mongodb://127.0.0.1:27017/?authSource=admin&compressors=disabled&gssapiServiceName=mongodb
Implicit session: session { "id" : UUID("5e394319-c384-4afb-993c-1a6661cb03d1") }
MongoDB server version: 4.4.2
> show dbs
admin   0.000GB
config  0.000GB
local   0.000GB

简而言之，localhost exception只能在本机执行，只能创建用户，而且只能创建一个用户。对于sharded cluster 或replica set也适用。

这两个虚机需占用3.1G磁盘空间，加上他们基础OS image的空间，总共4G空间。

Authentication Methods

authenticationDatabase可以指定认证库，但默认登录数据库仍为test:

$ mongo --authenticationDatabase admin --username xiaoyu --password password
> db.getName()
test
> show dbs
报认证失败！

未指定authenticationDatabase，相当于在默认数据库test中认证，仍会失败：

$ mongo -u xiaoyu -p password
直接报认证失败

指定连接的目标库，成功：

$ mongo admin -u xiaoyu -p password
> db.getName()
admin

如果指定连接test，报认证失败，因为test中并没有建立用户：

$ mongo test -u xiaoyu -p password
{"t":{"$date":"2020-12-28T04:49:12.175+00:00"},"s":"I",  "c":"ACCESS",   "id":20251,   "ctx":"conn6","msg":"Supported SASL mechanisms requested for unknown user","attr":{"user":"xiaoyu@test"}}
{"t":{"$date":"2020-12-28T04:49:12.176+00:00"},"s":"I",  "c":"ACCESS",   "id":20249,   "ctx":"conn6","msg":"Authentication failed","attr":{"mechanism":"SCRAM-SHA-256","principalName":"xiaoyu","authenticationDatabase":"test","client":"127.0.0.1:49010","result":"UserNotFound: Could not find user \"xiaoyu\" for db \"test\""}}
{"t":{"$date":"2020-12-28T04:49:12.177+00:00"},"s":"I",  "c":"ACCESS",   "id":20249,   "ctx":"conn6","msg":"Authentication failed","attr":{"mechanism":"SCRAM-SHA-1","principalName":"xiaoyu","authenticationDatabase":"test","client":"127.0.0.1:49010","result":"UserNotFound: Could not find user \"xiaoyu\" for db \"test\""}}
{"t":{"$date":"2020-12-28T04:49:12.188+00:00"},"s":"I",  "c":"NETWORK",  "id":22944,   "ctx":"conn6","msg":"Connection ended","attr":{"remote":"127.0.0.1:49010","connectionId":6,"connectionCount":0}}
Error: Authentication failed. :
connect@src/mongo/shell/mongo.js:374:17

也可以先登录再认证：

$ mongo
> use admin
switched to db admin
> db.auth('xiaoyu', 'password')
1
> show dbs
admin   0.000GB
config  0.000GB
local   0.000GB

为test数据库新建用户：

> use test
switched to db test
> db.createUser({user: 'user01', pwd: 'password', roles: ["readWrite", "dbAdmin"]})
Successfully added user: { "user" : "user01", "roles" : [ "readWrite", "dbAdmin" ] }

用此用户登录test成功，登录admin失败：

$ mongo test -u user01 -p password
$ mongo admin -u user01 -p password

Authentication on Sharded Clusters

这一节介绍了一个工具mtools：

$ git clone https://github.com/rueckstiess/mtools.git

安装参见这里。

可以快速启动一个shard+replica set环境，主要先要停掉其它mongod服务，以免端口冲突：

$ mlaunch init --sharded 3 --replicaset --nodes 3 --config 3 --auth
launching: "mongod" on port 27018
launching: "mongod" on port 27019
launching: "mongod" on port 27020
launching: "mongod" on port 27021
launching: "mongod" on port 27022
launching: "mongod" on port 27023
launching: "mongod" on port 27024
launching: "mongod" on port 27025
launching: "mongod" on port 27026
launching: config server on port 27027
launching: config server on port 27028
launching: config server on port 27029
replica set 'configRepl' initialized.
replica set 'shard01' initialized.
replica set 'shard02' initialized.
replica set 'shard03' initialized.
launching: mongos on port 27017
adding shards. can take up to 30 seconds...
sent signal Signals.SIGTERM to 13 processes.
launching: config server on port 27027
launching: config server on port 27028
launching: config server on port 27029
launching: "mongod" on port 27018
launching: "mongod" on port 27019
launching: "mongod" on port 27020
launching: "mongod" on port 27021
launching: "mongod" on port 27022
launching: "mongod" on port 27023
launching: "mongod" on port 27024
launching: "mongod" on port 27025
launching: "mongod" on port 27026
launching: mongos on port 27017
Username "user", password "password"

通过查找进程，可知keyFile的位置：

$ ps -ef|grep mongo
...
vagrant   5617     1  2 08:02 ?        00:00:07 mongod --replSet shard03 --dbpath /home/vagrant/mtools/data/shard03/rs3/db --logpath /home/vagrant/mtools/data/shard03/rs3/mongod.log --port 27026 --fork --keyFile /home/vagrant/mtools/data/keyfile --shardsvr --wiredTigerCacheSizeGB 1
vagrant   5795     1  1 08:02 ?        00:00:04 mongos --logpath /home/vagrant/mtools/data/mongos.log --port 27017 --configdb configRepl/localhost:27027,localhost:27028,localhost:27029 --keyFile /home/vagrant/mtools/data/keyfile --fork

验证登录：

$ mongo
mongos> db.system.users.find()
Error: error: {"ok" : 0,"errmsg" : "command find requires authentication","code" : 13,"codeName" : "Unauthorized","operationTime" : Timestamp(1609142982, 14),"$clusterTime" : {"clusterTime" : Timestamp(1609142982, 14),"signature" : {"hash" : BinData(0,"94k9tXIieH+lvIwvgKKnTzI98a4="),"keyId" : NumberLong("6911214218830151701")}}
}
mongos> use admin
switched to db admin
mongos> db.auth('user', 'password')
1
mongos> db.system.users.find()
{ "_id" : "admin.user", "userId" : UUID("d59eb9a3-795f-48e9-a36f-5c7dcbbdf3ce"), "user" : "user", "db" : "admin", "credentials" : { "SCRAM-SHA-1" : { "iterationCount" : 10000, "salt" : "jFlNKaCXQQjBm1xwVApGlw==", "storedKey" : "5HWswxEWhXTwfvVCZlNfZmUQlUI=", "serverKey" : "HOySUF9fwAO0//8mc3J3TavsjWg=" } }, "roles" : [ { "role" : "dbAdminAnyDatabase", "db" : "admin" }, { "role" : "readWriteAnyDatabase", "db" : "admin" }, { "role" : "userAdminAnyDatabase", "db" : "admin" }, { "role" : "clusterAdmin", "db" : "admin" } ] }

Enabling SCRAM-SHA-1

默认的认证方式，服务器端可以用mongod --auth或以下配置文件启用：

security:authorization: 'enabled'

Homework 1.1 : Enable SCRAM-SHA-1

在非Auth模式下启动mongod，然后建立用户：

MongoDB Enterprise > use admin
switched to db admin
MongoDB Enterprise > db.createUser({user: 'alice', pwd: 'secret', roles: ['root']})
Successfully added user: { "user" : "alice", "roles" : [ "root" ] }

然后以auth模式启动mongod，看一下哪些语句正确：

mongo admin --eval "db.auth('alice', 'secret');db.runCommand({getParameter: 1, authenticationMechanisms: 1})"mongo -u alice -p secret --eval "db.runCommand({getParameter: 1, authenticationMechanisms: 1})" --authenticationDatabase adminmongo -u alice -p secret --eval "db=db.getSisterDB('admin');db.runCommand({getParameter: 1, authenticationMechanisms: 1})" --authenticationDatabase adminmongo -u alice -p secret --eval "db.runCommand({getParameter: 1, authenticationMechanisms: 1})"mongo admin -u alice -p secret --eval "db.runCommand({getParameter: 1, authenticationMechanisms: 1})"mongo --eval "db.runCommand({getParameter: 1, authenticationMechanisms: 1})"

以下是一个示例，注意getParameter只能在admin数据库中运行：

$ mongo admin --eval "db.auth('alice', 'secret');db.runCommand({getParameter: 1, authenticationMechanisms: 1})"
MongoDB shell version: 3.2.22
connecting to: admin
2020-12-28T09:37:24.306+0000 I NETWORK  [initandlisten] connection accepted from 127.0.0.1:47280 #1 (1 connection now open)
2020-12-28T09:37:24.345+0000 I ACCESS   [conn1] Successfully authenticated as principal alice on admin
{"authenticationMechanisms" : ["MONGODB-CR","MONGODB-X509","SCRAM-SHA-1"],"ok" : 1
}
2020-12-28T09:37:24.353+0000 I NETWORK  [conn1] end connection 127.0.0.1:47280 (0 connections now open)

Enabling X.509

X.509证书需要安全的TLS连接。

以下命令可以确认TLS是否启用，注意OpenSSL那行：

$ mongod --version
db version v3.2.22
git version: 105acca0d443f9a47c1a5bd608fd7133840a58dd
OpenSSL version: OpenSSL 1.0.1f 6 Jan 2014
allocator: tcmalloc
modules: enterprise
build environment:distmod: ubuntu1404distarch: x86_64target_arch: x86_64

Enabling LDAP

LDAP = Lightweight Directory Access Protocol

客户端通过驱动连接mongoDB，mongoDB通过saslauthd代理服务联系LDAP Server。

$ sudo apt-get install sasl2-bin
Reading package lists... Done
Building dependency tree
Reading state information... Done
sasl2-bin is already the newest version.

配置文件为/etc/default/saslauthd。

mongod --sslMode requireSSL --sslPEMKeyFile server.pem --sslCAFile ca.pem
openssl x509 -in client.pem -inform PEM -subject -nameport RFC2253 -noout
mongo --ssl --sslPemKeyFile client.pem --sslCAFile ca.pem

$ openssl req -x509 -nodes -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365
Generating a 4096 bit RSA private key
.......................................................................................................................++
.........................................................................................................................................................................................................................................................................................................++
writing new private key to 'key.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:New York
Locality Name (eg, city) []:New York City
Organization Name (eg, company) [Internet Widgits Pty Ltd]:MongoDB
Organizational Unit Name (eg, section) []:KernelUser
Common Name (e.g. server FQDN or YOUR name) []:client
Email Address []:
vagrant@database:~/work$ ls -l
total 8
-rw-rw-r-- 1 vagrant vagrant 2037 Dec 29 02:46 cert.pem
-rw-rw-r-- 1 vagrant vagrant 3272 Dec 29 02:46 key.pem

    mongod-m034: + echo 'Installing BI Connector'mongod-m034: + mkdir -p /home/vagrant/biconnectormongod-m034: + curl -o mongo-bi.tgz https://s3.amazonaws.com/mciuploads/sqlproxy/binaries/linux/mongodb-bi-linux-x86_64-ubuntu1404-v2.0.0-beta5-7-g048ac56.tgzmongod-m034:mongod-m034:mongod-m034: %mongod-m034:mongod-m034: Tmongod-m034: omongod-m034: tmongod-m034: amongod-m034: lmongod-m034:mongod-m034:mongod-m034:   % Received % Xferd  Average Speed   Time    Time     Time  Currentmongod-m034:                                  Dload  Upload   Total   Spent    Left  Speed0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0mongod-m034:   0     0    0     0    0     0      0      0 --:--:--  0:00:01 --:--:--     0mongod-m034:mongod-m034:mongod-m034: 0mongod-m034:mongod-m034:     0    0     0    0     0      0      0 --:--:--  0:00:01 --:--:--     0mongod-m034: 1mongod-m034: 0mongod-m034: 0mongod-m034:    243    0   243    0     0    123      0 --:--:--  0:00:01 --:--:--   123mongod-m034: + tar xf mongo-bi.tgz -C /home/vagrant/biconnectormongod-m034: tar:mongod-m034: This does not look like a tar archivemongod-m034:mongod-m034: gzip: stdin: not in gzip formatmongod-m034: tar: Child returned status 1mongod-m034: tar: Error is not recoverable: exiting now
The SSH command responded with a non-zero exit status. Vagrant
assumes that this means the command failed. The output for this command
should be in the log above. Please read the output to determine what
went wrong.

{ unauthorizedStatus: {"set":"TO_BE_SECURED","date":"2020-12-29T08:31:50.657Z","myState":1,"term":{"floatApprox":5},"heartbeatIntervalMillis":{"floatApprox":2000},"members":[{"_id":1,"name":"database.m310.mongodb.university:31120","health":1,"state":1,"stateStr":"PRIMARY","uptime":922,"optime":{"ts":{"t":1609229915,"i":4},"t":{"floatApprox":5}},"optimeDate":"2020-12-29T08:18:35.000Z","electionTime":{"t":1609229799,"i":1},"electionDate":"2020-12-29T08:16:39.000Z","configVersion":1,"self":true},{"_id":2,"name":"database.m310.mongodb.university:31121","health":1,"state":2,"stateStr":"SECONDARY","uptime":916,"optime":{"ts":{"t":1609229915,"i":4},"t":{"floatApprox":5}},"optimeDate":"2020-12-29T08:18:35.000Z","lastHeartbeat":"2020-12-29T08:31:50.149Z","lastHeartbeatRecv":"2020-12-29T08:31:50.197Z","pingMs":{"floatApprox":0},"syncingTo":"database.m310.mongodb.university:31120","configVersion":1},{"_id":3,"name":"database.m310.mongodb.university:31122","health":1,"state":2,"stateStr":"SECONDARY","uptime":916,"optime":{"ts":{"t":1609229915,"i":4},"t":{"floatApprox":5}},"optimeDate":"2020-12-29T08:18:35.000Z","lastHeartbeat":"2020-12-29T08:31:50.150Z","lastHeartbeatRecv":"2020-12-29T08:31:49.852Z","pingMs":{"floatApprox":0},"syncingTo":"database.m310.mongodb.university:31120","configVersion":1}],"ok":1}, memberStatuses: ["PRIMARY","SECONDARY","SECONDARY"] }