How do you secure the client side MongoDB API?


Problem description

I don't want just all of my users being able to insert/destroy data.

Recommended answer

[UPDATE] There is now an official and documented Auth Package which provides different solutions to secure a collection.

At the CRUD level:

[Server] collection.allow(options) and collection.deny(options). Restricts default write methods on this collection. Once either of these are called on a collection, all write methods on that collection are restricted regardless of the insecure package.

And there is also insecure to remove full write access from the client.

Source: Getting Started with Auth (thanks to @dan-dascalescu)

[OLD ANSWER]

Apparently they are working on an Auth Package(?) that should avoid any users taking full control of the db as it is now. There is also someone suggesting that there is an existing solution (workaround): defining your own mutations (methods) and making them fail if they attempt to perform an unauthorized action. I didn't get it much better, but I think this will often be necessary, since I doubt the Auth Package will let you implement the usual auth logic on a row level but probably only on the CRUD methods. Will have to see what the devs have to say.

Found something that seems to confirm my thoughts:

Currently the client is given full write access to the collection. They can execute arbitrary Mongo update commands. Once we build authentication, you will be able to limit the client's direct access to insert, update, and remove. We are also considering validators and other ORM-like functionality.

Source of this answer:

Accessing the database on the client side the same way as on the server side in Meteor

https://stackoverflow.com/questions/10100813/data-validation-and-security-in-meteor/10101516#10101516
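As an added example, not part of the original answer or of Meteor itself, here are the kind of allow/deny rules the answer refers to, written the way they would be passed to `collection.allow(...)` and `collection.deny(...)` on the server. The `isWriteAllowed` helper is an assumed local stand-in that reproduces Meteor's documented rule (a client write passes only if no deny callback returns true and at least one allow callback returns true), so the block runs under plain Node without Meteor.

```javascript
// Allow rules (would be passed to Posts.allow(allowRules) on the server):
// a logged-in user may insert posts they own and may only update or
// remove their own documents. Callback signatures follow Meteor's
// documented insert(userId, doc), update(userId, doc, fieldNames, modifier)
// and remove(userId, doc).
const allowRules = {
  insert(userId, doc) {
    return !!userId && doc.owner === userId;
  },
  update(userId, doc, fieldNames, modifier) {
    return !!userId && doc.owner === userId;
  },
  remove(userId, doc) {
    return !!userId && doc.owner === userId;
  },
};

// Deny rules (would be passed to Posts.deny(denyRules)). Deny wins over
// allow: even the owner may never reassign ownership or rewrite the
// server-managed createdAt field from the client.
const denyRules = {
  update(userId, doc, fieldNames, modifier) {
    return fieldNames.some((f) => f === 'owner' || f === 'createdAt');
  },
};

// Assumed stand-in for Meteor's allow/deny evaluation, not Meteor's code:
// reject if any deny callback returns true, otherwise permit only if an
// allow callback returns true. With the insecure package removed and no
// allow rule defined, every client write is rejected.
function isWriteAllowed(op, userId, doc, fieldNames = [], modifier = {}) {
  const deny = denyRules[op];
  if (deny && deny(userId, doc, fieldNames, modifier)) return false;
  const allow = allowRules[op];
  return !!(allow && allow(userId, doc, fieldNames, modifier));
}

// Constructed sample document owned by "alice".
const post = { _id: 'p1', owner: 'alice', title: 'hello', createdAt: 123 };

console.log(isWriteAllowed('update', 'alice', post, ['title'], { $set: { title: 'x' } })); // true
console.log(isWriteAllowed('update', 'bob', post, ['title'], { $set: { title: 'x' } }));   // false (not owner)
console.log(isWriteAllowed('update', 'alice', post, ['owner'], { $set: { owner: 'bob' } })); // false (deny wins)
console.log(isWriteAllowed('remove', null, post));                                          // false (anonymous)
```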
