Generate and grant credentials for MongoDB databases
Detailed description of the mongogrant Python project
Quickstart for users
So, your friendly neighborhood admin says you can get a database via your email address. What now? First, install mongogrant:
pip install mongogrant
Next, request that a token link be sent to your email:
mgrant init mcurie@espci.fr \
--endpoint https://grantmedb.materialsproject.org
Click the link in the email to prove you are who you say you are, copy the fetch token from the page that loads, and then run:
mgrant settoken wh054900d70k3ny35y0u423
Finally, get credentials for a database. Here, Marie asks mongogrant to print out db.json and my_launchpad.yaml starter files for FireWorks and atomate:
mgrant db mongodb03.nersc.gov fw_mc_polonium \
--role readWrite \
--atomate-starters
About mongogrant
mongogrant is a utility for granting username and password credentials, with read or readWrite roles on various databases on various hosts, to the owners of email addresses.
A server administrator sets allow/deny rules that govern which tokens and credentials are granted. People request an email containing a one-time link. That link gives the user a fetch token. All tokens expire, and the expiry time is customizable. People then use the mongogrant client to make requests like:
from mongogrant.client import Client

# config file on disk has tokens and host/db aliases
# `Client()` with no args looks to
# ~/.mongogrant.json for config
client = Client()

# No config yet? Set one up with at least one remote for fetching credentials
# See below for how to obtain <FETCH_TOKEN> for a given <ENDPOINT>.
client.set_remote("https://grantmedb.materialsproject.org", "<FETCH_TOKEN>")

# Set some aliases if you'd like:
client.set_alias("dev", "mongodb03.nersc.gov", "host")
client.set_alias("prod", "mongodb04.nersc.gov", "host")
client.set_alias("fireworks", "fw_dw_phonons", "db")

# pymongo.database.Database with read role
source_db = client.db("ro:dev/fireworks")
# readWrite role: config stores "prod" host alias and "fireworks" db alias
target_db = client.db("rw:prod/fireworks")

# ...Do database stuff!
One can also go entirely through the HTTP API of a running app:
> # Using the HTTPie command line HTTP client (https://httpie.org/)
> # Install via `{brew,apt-get,pip,...} install httpie`
> http GET https://grantmedb.materialsproject.org/gettoken/<YOUR_EMAIL>
HTTP/1.1 200 OK
Connection: keep-alive
Content-Length: 59
Content-Type: application/json
Date: Thu, 17 May 2018 18:05:30 GMT
Server: nginx/1.10.3

{"msg": "Sent link to <YOUR_EMAIL> to retrieve token."}

> http GET https://grantmedb.materialsproject.org/verifytoken/<VERIFY_TOKEN>
HTTP/1.1 200 OK
Connection: keep-alive
Content-Encoding: gzip
Content-Type: text/html;charset=utf-8
Date: Thu, 17 May 2018 18:06:17 GMT
Server: nginx/1.10.3
Transfer-Encoding: chunked

Fetch token: <FETCH_TOKEN> (expires 2018-06-19 18:05:30.508000 UTC)

> # end-of-line "\" below only necessary if command spans two lines.
> http --form POST https://grantmedb.materialsproject.org/grant/<FETCH_TOKEN> \
>     role=readWrite host=mongodb03.nersc.gov db=dw_phonons
HTTP/1.1 200 OK
Connection: keep-alive
Content-Length: 108
Content-Type: application/json
Date: Thu, 17 May 2018 18:11:22 GMT
Server: nginx/1.10.3

{"password": "<PASSWORD>", "username": "dwinston_lbl.gov_readWrite"}
>
You can run a "server" on your laptop to manage allow/deny rules, grant and revoke credentials, and so on. A small app is included as an example of a deployed server to which clients can connect to obtain tokens and credentials.
Set up a server
from mongogrant.config import Config
from mongogrant.server import Server, check, path, seed, Mailgun

server = Server(Config(check=check, path=path, seed=seed()))
server.set_mgdb("mongodb://mgserver:mgserverpass@my.host.com/mongogrant")
server.set_mailer(Mailgun, dict(
    api_key="YOUR_KEY",
    base_url="https://api.mailgun.net/v3/YOUR_DOMAIN",
    from_addr="mongogrant@YOUR_DOMAIN"))
server.set_admin_client(
    host="other1.host.com",
    username="mongoadmin",
    password="mongoadminpass")
server.set_admin_client(
    host="other2.host.com",
    username="mongoadmin",
    password="mongoadminpass")
Appoint others to set allow/deny rules
A mongogrant server admin can add "ruler" users, who can then set allow/deny rules for users via the mgrant CLI. The admin sets ruler documents in the server.mgdb "rulers" collection, e.g.
server.mgdb.rulers.replace_one(
    {"email": "starlord@lbl.gov"},
    {"email": "starlord@lbl.gov",
     "hosts": ["mongodb03.nersc.gov"],
     "dbs": ["mp_", "fw_"],
     "emails": ["@lbl.gov"],
     "which": ["allow"]},
    upsert=True)
allows user starlord@lbl.gov to set allow rules for any user with an "@lbl.gov" email address to obtain any database whose name is prefixed with "mp_" or "fw_" on the Mongo host "mongodb03.nersc.gov". Any field in a ruler document can be set to "all" instead of an array.
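The ruler-document scoping described above, as an added example that is not mongogrant's own code: a check that decides whether a ruler may set a proposed rule. It assumes that host and "which" patterns match exactly, email patterns match as suffixes, database patterns match as prefixes, and the string "all" is a wildcard; ruler_may_set and STARLORD_RULER are my own names.

```python
from typing import Dict, List, Union

# A scope is either an array of patterns or the string "all" (wildcard).
Scope = Union[str, List[str]]

# Constructed sample: the ruler document shown above.
STARLORD_RULER: Dict[str, Scope] = {
    "email": "starlord@lbl.gov",
    "hosts": ["mongodb03.nersc.gov"],
    "dbs": ["mp_", "fw_"],
    "emails": ["@lbl.gov"],
    "which": ["allow"],
}


def _in_scope(scope: Scope, value: str, mode: str) -> bool:
    """True if value falls within scope. mode is how a pattern matches
    (an assumption for this example, not mongogrant's code): "exact" for
    hosts and which, "suffix" for emails, "prefix" for dbs."""
    if scope == "all":
        return True
    if not isinstance(scope, list):
        return False  # malformed field (e.g. a bare string other than "all")
    for pattern in scope:
        if mode == "exact" and value == pattern:
            return True
        if mode == "suffix" and value.endswith(pattern):
            return True
        if mode == "prefix" and value.startswith(pattern):
            return True
    return False


def ruler_may_set(ruler: Dict[str, Scope], which: str,
                  host: str, db: str, email: str) -> bool:
    """Decide whether ruler is permitted to set a `which` (allow/deny) rule
    that lets `email` obtain database `db` on `host`. Every dimension must
    be in scope, and a missing field denies rather than permits."""
    if which not in ("allow", "deny"):
        return False
    # Email patterns should start with "@": a bare "lbl.gov" suffix would
    # also match "someone@notlbl.gov".
    return (_in_scope(ruler.get("which", []), which, "exact")
            and _in_scope(ruler.get("hosts", []), host, "exact")
            and _in_scope(ruler.get("dbs", []), db, "prefix")
            and _in_scope(ruler.get("emails", []), email, "suffix"))
```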