Question
I am planning to install MongoDB and the Windows service that connects to it on the same machine. That machine will be on an isolated network.
When we do it like that, is it OK to connect to the local MongoDB without a password?
My planned properties will look like this:
    private MongoDatabase _db;
    public MongoDatabase DB
    {
        get
        {
            if (_db == null)
            {
                // Parameterless Create() connects to localhost and supplies no credentials.
                var mongoServer = MongoServer.Create();
                _db = mongoServer.GetDatabase("myStatistics");
            }
            return _db;
        }
    }

    private MongoCollection _collection;
    public MongoCollection Collection
    {
        // Lazily resolve the collection on first use and cache it.
        get { return _collection ?? (_collection = DB.GetCollection("myStats")); }
    }
Answer 1:
There are two options:
- Password-less in trusted environment
- Password protected
It's okay to use MongoDB with auth disabled in a trusted network. MongoDB developers recommend running the database in a trusted environment rather than focusing on auth options.
Answer 2:
Same machine, isolated network. I'd say yes. I do the same with the system I work on. The only issue is if there are other computers connected to the network that are also connected to the internet and might not be secure (no anti-virus, firewall, etc).
Answer 3:
To me, the question is, what do you gain from running it password-less?
Even if you are running in a trusted environment, does it really cost that much to use a password? While the trusted environment should not be breached, nothing is completely safe and by adding the password, you are adding an additional layer of defense. So if somebody breaches your server they shouldn't automatically have access to the database.
For the same reason you would encrypt/hash user passwords when they are stored in the database. If somebody breaches your server, they don't automatically gain access to everything.
This approach is called defense in depth.
Answer 4:
If your system is isolated, then yes, you can do it. But think in terms of the future picture of your project. Later you might need users with restricted access, you might need user roles, and if you do, which is highly possible, then it's better to start thinking in that direction and start using authentication. This will also add one more layer to the security of your DB without costing much.
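The two server settings this thread hinges on, checked in code. This is an added example, not part of the original question or answers: a small Python audit of a `mongod.conf` that reports whether the server listens beyond loopback (`net.bindIp`, `net.bindIpAll`) and whether `security.authorization` is enabled. The sample configs and the address 10.0.0.5 are constructed, and the fallback values for absent keys (localhost, authorization disabled) assume MongoDB 3.6 or later.

```python
LOOPBACK = {"127.0.0.1", "localhost", "::1"}

def read_settings(conf_text):
    """Flatten mongod.conf's nested YAML into dotted keys, e.g. 'net.bindIp'."""
    settings, stack = {}, []  # stack holds (indent, key) of the open sections
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].rstrip()  # drop trailing comments
        if ":" not in line:
            continue
        indent = len(line) - len(line.lstrip())
        key, value = (part.strip() for part in line.split(":", 1))
        while stack and stack[-1][0] >= indent:  # close finished sections
            stack.pop()
        if value:
            settings[".".join([k for _, k in stack] + [key])] = value.strip("'\"")
        else:
            stack.append((indent, key))
    return settings

def audit(conf_text):
    """Return (severity, message) findings for listener exposure and auth."""
    s = read_settings(conf_text)
    # Assumed defaults when a key is absent: bind to localhost, auth disabled.
    if s.get("net.bindIpAll", "false").lower() == "true":
        exposed = ["all interfaces"]
    else:
        addrs = [a.strip() for a in s.get("net.bindIp", "localhost").split(",")]
        # Unix socket paths (starting with '/') are local-only, like loopback.
        exposed = [a for a in addrs if a not in LOOPBACK and not a.startswith("/")]
    auth = s.get("security.authorization", "disabled").lower() == "enabled"
    findings = []
    if exposed:
        sev = "WARN" if auth else "CRITICAL"
        findings.append((sev, "listening beyond loopback: " + ", ".join(exposed)))
    if not auth:
        findings.append(("WARN", "authorization disabled: any local process can "
                                 "read and write every database"))
    return findings

# Constructed sample configs (not taken from the page).
PASSWORDLESS_LOCAL = "net:\n  port: 27017\n  bindIp: 127.0.0.1\n"
EXPOSED_NO_AUTH = "net:\n  bindIp: 127.0.0.1,10.0.0.5  # constructed address\n"
HARDENED = "net:\n  bindIp: 127.0.0.1\nsecurity:\n  authorization: enabled\n"

if __name__ == "__main__":
    for name in ("PASSWORDLESS_LOCAL", "EXPOSED_NO_AUTH", "HARDENED"):
        print(name, audit(globals()[name]) or "no findings")
```

The passwordless, loopback-only setup from the question produces a single warning, while the same missing authentication on a listener reachable from other hosts is reported as critical.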
Source: https://stackoverflow.com/questions/8209948/is-it-ok-to-use-mongodb-passwordless