为MongoDB数据库生成和授权凭据
项目描述
用户快速入门
所以,你友好的mongogranter说现在你可以通过电子邮件地址访问数据库了。接下来做什么?首先,安装mongogrant
pip install mongogrant
然后,请求将令牌链接发送到你的电子邮件
mgrant init mcurie@espci.fr \
--endpoint https://grantmedb.materialsproject.org
点击电子邮件中的链接以证明你是你自己,从加载的页面复制fetch令牌,然后运行
mgrant settoken wh054900d70k3ny35y0u423
最后,获取数据库的凭据。在这里,Marie请求mongogrant打印出db.json和my_launchpad.yaml启动文件,用于FireWorks和atomate
mgrant db mongodb03.nersc.gov fw_mc_polonium \
--role readWrite \
--atomate-starters
关于mongogrant
Mongogrant是一个实用工具,它为电子邮件地址的拥有者授权在各个主机上的各种数据库的读取和读写角色的用户名和密码凭据。
服务器管理员可以通过允许/拒绝规则对令牌和凭据进行细粒度控制。人们请求一封包含一次性链接的电子邮件。该链接为用户提供获取令牌。所有令牌都会过期,过期时间可自定义。然后,人们使用mongogrant客户端进行如下请求:
from mongogrant.client import Client
# config file on disk has tokens and host/db aliases
# `Client()` with no args looks to
# ~/.mongogrant.json for config
client = Client()
# No config yet? Set one up with at least one remote for fetching credentials
# See below for how to obtain <FETCH_TOKEN> for a given <ENDPOINT>.
client.set_remote("https://grantmedb.materialsproject.org", "<FETCH_TOKEN>")
# Set some aliases if you'd like:
client.set_alias("dev", "mongodb03.nersc.gov", "host")
client.set_alias("prod", "mongodb04.nersc.gov", "host")
client.set_alias("fireworks", "fw_dw_phonons", "db")
# pymongo.database.Database with read role
source_db = client.db("ro:dev/fireworks")
# readWrite role: config stores "prod" host alias and "fireworks" db alias
target_db = client.db("rw:prod/fireworks")
# ...Do database stuff!
也可以完全通过运行应用程序的API进行。
> # Using the HTTPie command line HTTP client (https://httpie.org/)
> # Install via `{brew,apt-get,pip,...} install httpie`
> http GET https://grantmedb.materialsproject.org/gettoken/<YOUR_EMAIL>
HTTP/1.1 200 OK
Connection: keep-alive
Content-Length: 59
Content-Type: application/json
Date: Thu, 17 May 2018 18:05:30 GMT
Server: nginx/1.10.3
{
"msg": "Sent link to <YOUR_EMAIL> to retrieve token."
}
> http GET https://grantmedb.materialsproject.org/verifytoken/<VERIFY_TOKEN>
HTTP/1.1 200 OK
Connection: keep-alive
Content-Encoding: gzip
Content-Type: text/html; charset=utf-8
Date: Thu, 17 May 2018 18:06:17 GMT
Server: nginx/1.10.3
Transfer-Encoding: chunked
Fetch token: <FETCH_TOKEN> (expires 2018-06-19 18:05:30.508000 UTC)
> # end-of-line "\" below only necessary if command spans two lines.
> http --form POST https://grantmedb.materialsproject.org/grant/<FETCH_TOKEN> \
> role=readWrite host=mongodb03.nersc.gov db=dw_phonons
HTTP/1.1 200 OK
Connection: keep-alive
Content-Length: 108
Content-Type: application/json
Date: Thu, 17 May 2018 18:11:22 GMT
Server: nginx/1.10.3
{
"password": "<PASSWORD>",
"username": "dwinston_lbl.gov_readWrite"
}
>
您可以在笔记本电脑上的Jupyter笔记本中运行一个“服务器”,并管理允许/拒绝规则,授予/撤销凭据的授权等。包含一个小型Flask应用程序作为示例,用于部署一个客户端可以连接以获取令牌和凭据的服务器。
设置服务器
from mongogrant.config import Config
from mongogrant.server import Server, check, path, seed, Mailgun
server = Server(Config(check=check, path=path, seed=seed()))
server.set_mgdb("mongodb://mgserver:mgserverpass@my.host.com/mongogrant")
server.set_mailer(Mailgun, dict(
api_key="YOUR_KEY",
base_url="https://api.mailgun.net/v3/YOUR_DOMAIN",
from_addr="mongogrant@YOUR_DOMAIN"))
server.set_admin_client(
host="other1.host.com",
username="mongoadmin",
password="mongoadminpass")
server.set_admin_client(
host="other2.host.com",
username="mongoadmin",
password="mongoadminpass")
指定其他人设置允许/拒绝规则
Mongogrant服务器管理员可以通过mgrant CLI添加“规则”用户,他们可以通过以下方式为用户设置允许/拒绝规则。管理员在server.mgdb集合中设置规则文档,例如:
server.mgdb.rulers.replace_one(
{"email": "starlord@lbl.gov"},
{
"email": "starlord@lbl.gov",
"hosts": ["mongodb03.nersc.gov"],
"dbs": ["mp_", "fw_"],
"emails": ["@lbl.gov"],
"which": ["allow"]
},
upsert=True)
允许用户starlord@lbl.gov为Mongo主机“mongodb03.nersc.gov”上任何数据库名称以“mp_”或“fw_”开头,且具有“@lbl.gov”电子邮件地址的用户设置allow规则。规则文档中的任何字段都可以设置为“all”,而不是数组。
下载文件
下载您平台上的文件。如果您不确定选择哪个,请了解更多关于安装包的信息。
源代码发行版
mongogrant-0.3.3.tar.gz (23.2 kB 查看哈希值)
构建发行版
mongogrant-0.3.3-py3-none-any.whl (25.0 kB 查看哈希值)
关闭
mongogrant-0.3.3.tar.gz的哈希值
| 算法 | 哈希摘要 | |
|---|---|---|
| SHA256 | ad494b8638adfa840cdd5568af44448dd43771b58102550cf7c61402b1620ab4 |
|
| MD5 | c0fa7c60b5aef06465440da93b096c9e |
|
| BLAKE2b-256 | 86ea236c569243a19bfb7097fd6b2fd09aa68af57e3d76e3ff65ea69333c0760 |
关闭
mongogrant-0.3.3-py3-none-any.whl的哈希值
| 算法 | 哈希摘要 | |
|---|---|---|
| SHA256 | e32ea6f07d72c7d08ab78d17c79ab7ee56373458ae79d2995c3cc6c2eb3ecbdb |
|
| MD5 | a4c2fb61f652525816c6bdd9425310f2 |
|
| BLAKE2b-256 | 43c2711d4a1c01205e206bc7f270522254ac374a86b5e99798e2cfd3cd426d08 |
