To maintain database security, you can limit authorized, non-root users' privileges, allowing them to perform administrative operations without granting them full root privileges.为了维护数据库安全,您可以限制授权的非root用户的权限,允许他们在不授予其完全root权限的情况下执行管理操作。
This page demonstrates how to allow non-root users to start, stop, and restart 本页演示了如何允许非mongod processes on Linux systems, without allowing them access to all root user privileges. This procedure applies to users belonging to a non-root Linux group, distinct from the group under which the mongod process runs.root用户在Linux系统上启动、停止和重新启动mongod进程,而不允许他们访问所有root用户权限。此过程适用于属于非根Linux组的用户,与运行mongod进程的组不同。
Before You Begin开始之前
Install MongoDB Community or MongoDB Enterprise.安装MongoDB社区版或MongoDB企业版。
Considerations注意事项
Important
The following procedure requires root access for the setup. Incorrect settings can lead to an unresponsive system, so always test on a development environment before implementing in production. 以下过程要求安装程序具有root访问权限。不正确的设置可能会导致系统无响应,因此在生产环境中实施之前,请务必在开发环境中进行测试。Ensure you have a current backup of your data.确保您有最新的数据备份。
We recommend you perform this procedure while setting up a new system. If this is not possible, perform the procedure during the maintenance window.我们建议您在设置新系统时执行此过程。如果无法做到这一点,请在维护窗口期间执行该程序。This procedure impacts the settings of only one local system. If you are using a replica set or a sharded cluster, perform this procedure in a rolling matter. Do not update all of your nodes at once.此过程仅影响一个本地系统的设置。如果您使用的是副本集或分片集群,请在滚动文件中执行此过程。不要一次更新所有节点。This procedure works with all Linux distributions, but has only been tested with CentOS 6/7, RHEL 6/7, Ubuntu 18.04, and Amazon Linux 2.此过程适用于所有Linux发行版,但仅在CentOS 6/7、RHEL 6/7、Ubuntu 18.04和Amazon Linux 2上进行了测试。
Procedure过程
Select the tab for your system provider below.在下面为您的系统提供商选择选项卡。
systemd
This procedure works for CentOS 7 and RHEL 7.此过程适用于CentOS 7和RHEL 7。
Update the configuration file permissions.更新配置文件权限。
Use the following commands to update the permissions in the configuration file, found at 使用以下命令更新/etc/mongod.conf:/etc/mongod.conf中的配置文件中的权限:
sudo chown mongod:mongod /etc/mongod.conf
sudo chmod 600 /etc/mongod.conf
ls -l /etc/mongod.conf
-rw-------. 1 mongod mongod 330 Feb 27 18:43 /etc/mongod.confThis configuration ensures that only the 此配置确保只有mongod user and root have permissions to access and edit the mongod.conf file.mongod用户和root有权访问和编辑mongod.conf文件。
Update the sudoers file.更新sudoers文件。
sudoers file.Add the following configuration lines to the sudoers file with visudo:使用visudo将以下配置行添加到sudoers文件中:
%mongod ALL =(ALL) NOPASSWD: /bin/systemctl start mongod.service, /bin/systemctl stop mongod.service, /bin/systemctl restart mongod.service
%testuser ALL =(ALL) NOPASSWD: /bin/systemctl start mongod.service, /bin/systemctl stop mongod.service, /bin/systemctl restart mongod.serviceNote
A syntax error in the sudoers file may affect the functionality of the root user account.sudoers文件中的语法错误可能会影响root用户帐户的功能。
Confirm the non-root user's permissions.确认非root用户的权限。
Your new user now can start and stop the 您的新用户现在可以启动和停止mongod service, but cannot read the /etc/mongod.conf file.mongod服务,但无法读取/etc/mongod.conf文件。
Have your new user run the following command to start 让您的新用户运行以下命令启动mongod and confirm that they do not receive a [Permission Denied] message:mongod,并确认他们没有收到[Permission Denied](拒绝权限)消息:
sudo /bin/systemctl start mongod.serviceThey can run a similar test using 他们可以使用sudo /bin/systemctl stop mongod.service to ensure that they can stop the mongod service with no errors.sudo /bin/systemctl stop mongod.service运行类似的测试,以确保他们可以停止mongod服务而不会出错。
Now, have them run the following command to attempt to access the 现在,让他们运行以下命令来尝试访问/etc/mongod.conf file:/etc/mongod.conf文件:
sudo vi /etc/mongod.confThis command should return a 此命令应返回[Permission Denied] message.[Permission Denied](拒绝权限)消息。
System V Init
This procedure works for CentOS 6, RHEL 6, Amazon Linux 2 and Ubuntu 18.04.此过程适用于CentOS 6、RHEL 6、Amazon Linux 2和Ubuntu 18.04。
Update the configuration file permissions.更新配置文件权限。
Use the following commands to update the permissions in the configuration file, found at 使用以下命令更新/etc/mongod.conf:/etc/mongod.conf中的配置文件中的权限:
sudo chown mongod:mongod /etc/mongod.conf
sudo chmod 600 /etc/mongod.conf
ls -l /etc/mongod.conf
-rw-------. 1 mongod mongod 330 Feb 27 18:43 /etc/mongod.confThis configuration ensures that only the 此配置确保只有mongod user and root have permissions to access and edit the mongod.conf file.mongod用户和root有权访问和编辑mongod.conf文件。
Update the sudoers file.更新sudoers文件。
sudoers file.Add the following configuration lines to the sudoers file with visudo.使用visudo将以下配置行添加到sudoers文件中。
For CentOS 6, RHEL 6 and Amazon Linux 2:对于CentOS 6、RHEL 6和亚马逊Linux 2:
%mongod ALL =(ALL) NOPASSWD: /sbin/service mongod start, /sbin/service mongod stop, /sbin/service mongod restart
%testuser ALL =(ALL) NOPASSWD: /sbin/service mongod start, /sbin/service mongod stop, /sbin/service mongod restartFor Ubuntu 18.04:对于Ubuntu 18.04:
%mongod ALL =(ALL) NOPASSWD: /usr/sbin/service mongod start, /usr/sbin/service mongod stop, /usr/sbin/service mongod restart
%testuser ALL =(ALL) NOPASSWD: /usr/sbin/service mongod start, /usr/sbin/service mongod stop, /usr/sbin/service mongod restartNote
A syntax error in the sudoers file may affect the functionality of the root user account.sudoers文件中的语法错误可能会影响root用户帐户的功能。
Confirm the non-root user's permissions.确认非root用户的权限。
Your new user now can start and stop the 您的新用户现在可以启动和停止mongod service, but cannot read the /etc/mongod.conf file.mongod服务,但无法读取/etc/mongod.conf文件。
Have your new user run the following commands to start 让你的新用户运行以下命令来启动mongod:mongod:
sudo service mongod startEnsure that they receive the following confirmation in the shell:确保他们在shell中收到以下确认:
Starting mongod: [ OK ]They can run a similar test using 他们可以使用sudo service mongod stop to ensure that they can stop the mongod service with no errors.sudo service mongod stop运行类似的测试,以确保他们可以在没有错误的情况下停止mongod服务。
Now, have them run the following command to attempt to access the 现在,让他们运行以下命令来尝试访问/etc/mongod.conf file:/etc/mongod.conf文件:
sudo vi /etc/mongod.confThis command should return a 此命令应返回[Permission Denied] message.[Permission Denied](拒绝权限)消息。