M310: MongoDB Security Homework 2.1
For this homework exercise you're going to spin up a replica set and create some users with different roles based on the different tasks that each user needs to be able to perform.
Your replica set should be running on the following ports:
Type | Primary | Secondary | Secondary |
---|---|---|---|
Port | 31210 | 31211 | 31212 |
Your replica set should have authentication enabled using a shared keyfile.
After you have your members up and running you can connect to the mongod running on port 31210. Once connected create the following users:
User | Password | Can | Cannot |
---|---|---|---|
userAdmin | badges | create users on any database | run dbhash |
sysAdmin | cables | configure a replica set and add shards | run hostInfo |
dbAdmin | collections | create a collection on any database | run insert |
dataLoader | dumpin | insert data on any database | run validate |
The Can column denotes tasks that the user should be able to complete. The Cannot column denotes tasks that the user should not have the privileges to complete. Your goal is to figure out which built-in role best suits the needs of each user — in practice, the least-privileged built-in role that still covers everything in the Can column.
All of these users' roles should be scoped to the admin database (i.e. created on admin with `db: 'admin'` in each role entry).
Note: You should assume that these privileges only extend to non-system collections. If you find a role that seems to fit these requirements, but find that an action in the Cannot column is permitted only on a system collection, you should continue to use that role.
After you've created the sysAdmin user you can authenticate against that user and add the other running members to the replica set.
Once you have your replica set up and running with authentication enabled and have all 4 users created with the appropriate roles you can run the validation script and copy the output into the submission area below.
$ cd ~/shared
$ ./validate-hw-2.1.sh
Replica Set Setup
First, create the key file. It is the shared secret the members use to authenticate to each other, so the same file must be available to all three mongod processes (here they all run on one host and reuse the same path); starting mongod with --keyFile also enables client authentication.
mac/unix
# Generate the shared keyfile (random base64, the internal/member authentication secret).
# Every member must be started with this same file; --keyFile also turns on client auth.
openssl rand -base64 755 > mongodb-keyfile
# Restrict the keyfile to its owner: it is a credential, and mongod expects it to be
# readable only by the account that runs mongod (the same account must own it).
chmod 400 mongodb-keyfile
windows os
Install Git for Windows and run the two commands above in Git Bash (it bundles openssl). Note that chmod has no effect on NTFS; use the file's NTFS permissions to limit read access to the account that runs mongod.
windows os
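# Windows: start the three members in the foreground (mongod on Windows has no --fork;
# run each in its own terminal or as a service). The directories r0/db, r1/db and r2/db
# must exist beforehand, and all three members point at the keyfile generated above.
# The binary name is the same for all three lines (mongod / mongod.exe on PATH); the
# original mixed ./mongod.exe and mongod, which only works if both resolve.
mongod --dbpath r0/db --logpath r0/db/mongo.log --replSet myrep1 --port 31210 --keyFile mongodb-keyfile
mongod --dbpath r1/db --logpath r1/db/mongo.log --replSet myrep1 --port 31211 --keyFile mongodb-keyfile
mongod --dbpath r2/db --logpath r2/db/mongo.log --replSet myrep1 --port 31212 --keyFile mongodb-keyfile
# NOTE(review): no --bind_ip is given, so these lab instances listen on the server's
# default interfaces (all of them on older releases). Keep them off untrusted networks,
# or bind to an address that the member names used later in rs.add() still resolve to.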
mac/unix
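# mac/unix: start the three members as daemons. --fork needs --logpath (given here).
# The original lines invoked ./mongod.exe, which is the Windows binary name; on
# mac/unix the binary is mongod. r0/db, r1/db, r2/db must exist beforehand, and all
# three members share the keyfile generated above.
mongod --dbpath r0/db --logpath r0/db/mongo.log --fork --replSet myrep1 --port 31210 --keyFile mongodb-keyfile
mongod --dbpath r1/db --logpath r1/db/mongo.log --fork --replSet myrep1 --port 31211 --keyFile mongodb-keyfile
mongod --dbpath r2/db --logpath r2/db/mongo.log --fork --replSet myrep1 --port 31212 --keyFile mongodb-keyfile
# NOTE(review): no --bind_ip is given, so these lab instances listen on the server's
# default interfaces (all of them on older releases). Keep them off untrusted networks,
# or bind to an address that the member names used later in rs.add() still resolve to.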
Initialize the replica set and create the users (mongo shell; the commands below are the same on every platform)
// Connect to the first member without credentials and bootstrap the set.
> mongo --port 31210
> rs.initiate()
{
"info2" : "no configuration specified. Using a default configuration for the set",
"me" : "BT-0265:31210",
"ok" : 1
}
// The prompt still reads SECONDARY right after initiate; presumably the lone member
// has not been elected yet — it reads PRIMARY by the next command.
myrep1:SECONDARY> use admin
switched to db admin
// NOTE(review): --keyFile implies authentication, so this unauthenticated createUser
// relies on MongoDB's localhost exception (local connection, no users yet); it stops
// working once this first admin user exists — confirm for your server version.
// NOTE(review): 'ogan' is a root superuser that the exercise does not ask for (the
// text above expects sysAdmin/clusterManager to add the members), and 'password' is
// not an acceptable credential outside a sandbox. Treat it as lab-only: remove it or
// rotate the password once the set is bootstrapped.
myrep1:PRIMARY> db.createUser({user:'ogan', pwd:'password', roles:['root']})
Successfully added user: { "user" : "ogan", "roles" : [ "root" ] }
// From here the session is authenticated as root; the remaining rs.add and
// createUser calls rely on that, not on the localhost exception.
myrep1:PRIMARY> db.auth('ogan','password')
1
// Member names must resolve from every member; they are also what the members
// authenticate to each other with (using the shared keyfile).
myrep1:PRIMARY> rs.add('BT-0265:31211')
{ "ok" : 1 }
myrep1:PRIMARY> rs.add('BT-0265:31212')
{ "ok" : 1 }
myrep1:PRIMARY> rs.status()
{
"set" : "myrep1",
"date" : ISODate("2017-01-24T07:29:00.205Z"),
"myState" : 1,
"term" : NumberLong(1),
"heartbeatIntervalMillis" : NumberLong(2000),
"optimes" : {
"lastCommittedOpTime" : {
"ts" : Timestamp(1485242918, 1),
"t" : NumberLong(1)
},
"appliedOpTime" : {
"ts" : Timestamp(1485242934, 1),
"t" : NumberLong(1)
},
"durableOpTime" : {
"ts" : Timestamp(1485242934, 1),
"t" : NumberLong(1)
}
},
"members" : [
{
"_id" : 0,
"name" : "BT-0265:31210",
"health" : 1,
"state" : 1,
"stateStr" : "PRIMARY",
"uptime" : 383,
"optime" : {
"ts" : Timestamp(1485242934, 1),
"t" : NumberLong(1)
},
"optimeDate" : ISODate("2017-01-24T07:28:54Z"),
"electionTime" : Timestamp(1485242767, 2),
"electionDate" : ISODate("2017-01-24T07:26:07Z"),
"configVersion" : 3,
"self" : true
},
{
"_id" : 1,
"name" : "BT-0265:31211",
"health" : 1,
"state" : 5,
"stateStr" : "STARTUP2",
"uptime" : 12,
"optime" : {
"ts" : Timestamp(0, 0),
"t" : NumberLong(-1)
},
"optimeDurable" : {
"ts" : Timestamp(0, 0),
"t" : NumberLong(-1)
},
"optimeDate" : ISODate("1970-01-01T00:00:00Z"),
"optimeDurableDate" : ISODate("1970-01-01T00:00:00Z"),
"lastHeartbeat" : ISODate("2017-01-24T07:28:58.531Z"),
"lastHeartbeatRecv" : ISODate("2017-01-24T07:28:58.562Z"),
"pingMs" : NumberLong(0),
"syncingTo" : "BT-0265:31210",
"configVersion" : 3
},
{
"_id" : 2,
"name" : "BT-0265:31212",
"health" : 1,
"state" : 0,
"stateStr" : "STARTUP",
"uptime" : 0,
"optime" : {
"ts" : Timestamp(0, 0),
"t" : NumberLong(-1)
},
"optimeDurable" : {
"ts" : Timestamp(0, 0),
"t" : NumberLong(-1)
},
"optimeDate" : ISODate("1970-01-01T00:00:00Z"),
"optimeDurableDate" : ISODate("1970-01-01T00:00:00Z"),
"lastHeartbeat" : ISODate("2017-01-24T07:28:59.547Z"),
"lastHeartbeatRecv" : ISODate("1970-01-01T00:00:00Z"),
"pingMs" : NumberLong(0),
"configVersion" : -2
}
],
"ok" : 1
}
// userAdmin: userAdminAnyDatabase, scoped to admin. Per the table above it must be able
// to create users on any database and must not be able to run dbHash.
// NOTE(review): userAdminAnyDatabase can grant any role — including root — to any
// user, itself included, so it is effectively a superuser; guard this credential
// accordingly. The password here is a lab value, not a real credential.
myrep1:PRIMARY> db.createUser({ user:'userAdmin', pwd:'badges', roles:[{role:'userAdminAnyDatabase', db:'admin'}]})
Successfully added user: {
"user" : "userAdmin",
"roles" : [
{
"role" : "userAdminAnyDatabase",
"db" : "admin"
}
]
}
// sysAdmin: clusterManager, scoped to admin. Per the table above it must be able to
// configure a replica set and add shards, but not run hostInfo — presumably why the
// narrower clusterManager is chosen over clusterAdmin, which would also cover the
// monitoring commands. This is the user the exercise text expects to be used for
// rs.add() once it exists.
myrep1:PRIMARY> db.createUser({ user:'sysAdmin', pwd:'cables', roles:[{role: 'clusterManager', db:'admin'}]})
Successfully added user: {
"user" : "sysAdmin",
"roles" : [
{
"role" : "clusterManager",
"db" : "admin"
}
]
}
// dbAdmin: dbAdminAnyDatabase, scoped to admin. Per the table above it must be able to
// create a collection on any database but not run insert.
// The second argument is a write concern: the shell waits up to 300 ms for a majority
// of members to acknowledge the user document. This is the only createUser in the
// session that passes one, so the four calls are not consistent with each other.
// NOTE(review): a wtimeout error does not undo the write — if the secondaries were
// still in initial sync (see rs.status above), the call could report a timeout even
// though the user had been created; re-check with db.getUsers() rather than retrying.
myrep1:PRIMARY> db.createUser({user:'dbAdmin', pwd:'collections', roles:[{ role: 'dbAdminAnyDatabase', db:'admin'}]}, {w:"majority", wtimeout:300})
Successfully added user: {
"user" : "dbAdmin",
"roles" : [
{
"role" : "dbAdminAnyDatabase",
"db" : "admin"
}
]
}
// dataLoader: readWriteAnyDatabase, scoped to admin. Per the table above it must be
// able to insert data on any database but not run validate (a dbAdmin-level action).
// Note that this role also grants read access to every non-system database, which is
// broader than "insert" alone; a custom role would be needed for insert-only access.
myrep1:PRIMARY> db.createUser({user:'dataLoader', pwd:'dumpin', roles: [{ role: 'readWriteAnyDatabase', db: 'admin'}]})
Successfully added user: {
"user" : "dataLoader",
"roles" : [
{
"role" : "readWriteAnyDatabase",
"db" : "admin"
}
]
}
Validation (Windows)
After that, run ./validate-hw-2.1.sh in a Git Bash terminal window and paste its output into the submission area.
Answer
{"users":[{"user":"dataLoader","roles":[{"role":"readWriteAnyDatabase","db":"admin"}]},{"user":"dbAdmin","roles":[{"role":"dbAdminAnyDatabase","db":"admin"}]},{"user":"sysAdmin","roles":[{"role":"clusterManager","db":"admin"}]},{"user":"userAdmin","roles":[{"role":"userAdminAnyDatabase","db":"admin"}]}],"numMembers":3}