A few months ago I did some security documentation for MongoDB, which can be found here; this should be your starting point.
- As far as I understand, by default MongoDB does not support integrated security at all; it has to have its own user database with passwords, and there are no roles either, right?
Prior to MongoDB 2.2, authentication and authorisation were both local. In 2.2, RBAC (role-based access) was limited, i.e. to two roles, 'read' and 'write', with 'write' being able to do everything on that database, i.e. administration.
In 2.4, the new roles will change to:
| name | description of privilege |
|---|---|
| read | ability to query data in any collection in the database, other than 'system.users', and also ability to run any command without an A or W attribute |
| readWrite | everything permitted by the 'read' privilege, and also the ability to insert, update, or remove documents or indexes in any collection other than 'system.users', and also the ability to run any command without an A attribute |
| userAdmin | ability to read and write the 'system.users' collection |
| dbAdmin | ability to run admin commands affecting a single database; see list below |
| serverAdmin | ability to run admin commands affecting the entire database server; can only be set on the admin database; see discussion |
| clusterAdmin | admin commands for a cluster of shards or a replica set; can only be set on the admin database |
as described here. This enhanced RBAC will be available in all MongoDB builds from 2.3.2 (the development version) and the next production release, 2.4.0.
With MongoDB 2.4, there will also be the ability to use Kerberos for authentication, however, this delegated authentication will only be available in the Enterprise builds, which require a Commercial Support contract for us.
There is currently nothing within MongoDB that enforces password complexity but obviously in 2.4 with Kerberos, the KDC can do this. You will manually have to ensure (through your internal password policy etc) that users realise the issues of using non-complex passwords and re-using the same passwords on multiple devices. Assuming you are running 2.2, all logins, passwords and permissions for MongoDB access are stored in the system.users collection under each database. Here is the exact link to the documentation that you should read.
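Since the roles above are stored per database in `system.users`, one practical least-privilege check is to walk those documents and flag anything beyond plain `read`/`readWrite`. The audit below is an added example, not code from the answer's author; it assumes the 2.2 document shape `{user, pwd, readOnly}` and the 2.4 shape `{user, pwd, roles: [...]}`, and in the mongo shell the input would come from `db.getSiblingDB(name).system.users.find().toArray()`.

```javascript
// Added example: audit system.users documents for privileges beyond read/readWrite.
// Assumed document shapes: {user, pwd, readOnly} (2.2) or {user, pwd, roles: [...]} (2.4).
// In the mongo shell, build usersByDb from db.getSiblingDB(name).system.users.find().toArray().

const ADMIN_ROLES = new Set(["userAdmin", "dbAdmin", "serverAdmin", "clusterAdmin"]);
// Roles the 2.4 table says may only be granted on the admin database.
const ADMIN_DB_ONLY = new Set(["serverAdmin", "clusterAdmin"]);

// usersByDb: { dbName: [ systemUsersDoc, ... ] } -> list of findings
function auditUsers(usersByDb) {
  const findings = [];
  for (const [dbName, docs] of Object.entries(usersByDb)) {
    for (const doc of docs) {
      if (!Array.isArray(doc.roles)) {
        // 2.2 schema: no roles array; a non-readOnly user can do everything on the db.
        findings.push({
          db: dbName,
          user: doc.user,
          issue: doc.readOnly ? "legacy-2.2-read" : "legacy-2.2-write-equals-admin",
        });
        continue;
      }
      for (const role of doc.roles) {
        if (ADMIN_DB_ONLY.has(role) && dbName !== "admin") {
          // Cluster/server-wide role granted on a non-admin database.
          findings.push({ db: dbName, user: doc.user, issue: `${role}-outside-admin-db` });
        } else if (ADMIN_ROLES.has(role)) {
          findings.push({ db: dbName, user: doc.user, issue: `admin-role:${role}` });
        }
      }
    }
  }
  return findings;
}

// Constructed sample data, not taken from any real deployment.
const SAMPLE = {
  admin: [{ user: "ops", pwd: "<hash>", roles: ["clusterAdmin"] }],
  app: [
    { user: "reporting", pwd: "<hash>", roles: ["read"] },
    { user: "svc", pwd: "<hash>", roles: ["readWrite", "dbAdmin"] },
    { user: "legacy", pwd: "<hash>", readOnly: false },
    { user: "rogue", pwd: "<hash>", roles: ["clusterAdmin"] },
  ],
};

console.log(JSON.stringify(auditUsers(SAMPLE), null, 2));
```

Each finding names the database and user so it can be reconciled against your internal password and access policy.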