我决定在 Linux 容器中运行 Unifi 控制器。据我阅读和谷歌搜索到的资料,它只能搭配 MongoDB 使用。下面是可以完美运行的 docker-compose 代码片段,它同时运行 Unifi 控制器和 MongoDB 容器……但只有在 MongoDB 端未启用任何身份验证时才有效。这样虽然能用,但从安全角度来看并不好,所以我想在 MongoDB 数据库上启用身份验证,并让 Unifi 控制器向它进行身份验证。
这是正常的,因为我尚未在 MongoDB 中创建这些帐户……此时 MongoDB 在没有任何身份验证的情况下可以正常工作,我已经通过 Compass 测试过,并且可以登录数据库。
// Create the administrative account "root". The built-in `root` role on the
// `admin` database grants unrestricted control over the whole deployment, so
// this account should be reserved for administration and never placed in an
// application connection string.
// The account is stored in whichever database the shell is currently using;
// that `use <db>` step is not shown here -- presumably `admin`, confirm.
// Creating users does not by itself enforce authentication: mongod must also
// be started with access control enabled.
db.createUser(
  {
    user: "root",
    // "12345678" is a stand-in only. Use a long, unique secret, do not reuse
    // it for any other account, and keep the real value out of saved scripts.
    pwd: "12345678", // Replace with a strong password
    roles: [
      { role: "root", db: "admin" }
    ]
  }
);
"
// Attempt to create the application account "unifi" with roles on the "unifi" database.
// NOTE(review): as pasted this statement does not parse in the mongo shell --
// a comma is missing after the readWrite entry, and `#` does not start a
// JavaScript comment, so the `#custom role ]` tail is a syntax error.
// NOTE(review): the database that stores this user is whichever one the shell
// is currently using (`use <db>`); that step is not shown here.
db.createUser({
user: "unifi",
// Stand-in value only; the same literal is used for the root account on this
// page. Give every account its own strong secret.
pwd: "12345678", // Replace with a strong password
roles: [
// The built-in dbOwner role already combines readWrite, dbAdmin and userAdmin,
// so the readWrite and userAdmin entries below add nothing. It also lets this
// application account manage users and roles on the database; readWrite plus
// dbAdmin is a narrower grant for an application account.
{ role: "dbOwner", db: "unifi" },
{ role: "readWrite", db: "unifi" }
{ role: "userAdmin", db: "unifi" },
// listCollections is already permitted by the built-in readWrite and dbAdmin
// roles. The definition of this custom role is not shown; createUser fails if
// the role does not exist in the "unifi" database.
{ role: "listCollectionsRole", db: "unifi" }, #custom role ]
});
// Second attempt to create an account named "unifi", this time with roles on "unifi_stat".
// NOTE(review): a user name can exist only once per authentication database.
// If this runs in the same database as an earlier createUser for "unifi", it
// fails because the user already exists; if it runs in a different database,
// the result is two separate accounts that happen to share a name. The
// `use <db>` step is not shown, so which case applies cannot be told from here.
// NOTE(review): as pasted this does not parse -- a comma is missing after the
// readWrite entry and `#` does not start a JavaScript comment.
db.createUser({
user: "unifi",
// Stand-in value only; use a strong secret that no other account shares.
pwd: "12345678", // Replace with a strong password
roles: [
// dbOwner already includes readWrite, dbAdmin and userAdmin on the same
// database, so the readWrite entry below is redundant.
{ role: "dbOwner", db: "unifi_stat" },
{ role: "readWrite", db: "unifi_stat" }
// These two entries are scoped to "unifi", not "unifi_stat" -- possibly a
// copy/paste leftover; confirm the intended database.
{ role: "userAdmin", db: "unifi" },
{ role: "listCollectionsRole", db: "unifi" }, #custom role
]
});
################################################## ###################
“身份验证此时仍处于关闭状态”
Caused by: com.mongodb.MongoCommandException: Command failed with error 13 (Unauthorized): 'not authorized on unifi_stat to execute command { listCollections: 1, cursor: {}, nameOnly: true, $db: "unifi_stat", lsid: { id: UUID("ae95edea-70d5-4427-9780-3549e80deecb") } }' on server test_mongo:27017. The full response is {"ok": 0.0, "errmsg": "not authorized on unifi_stat to execute command { listCollections: 1, cursor: {}, nameOnly: true, $db: \"unifi_stat\", lsid: { id: UUID(\"ae95edea-70d5-4427-9780-3549e80deecb\") } }", "code": 13, "codeName": "Unauthorized"}
[conn105] Unauthorized: not authorized on unifi_stat to execute command { listCollections: 1, cursor: {}, nameOnly: true, $db: "unifi_stat", lsid: { id: UUID("0461caa4-467a-4234-bb71-07d41a1218ad") } }
# Compose stack: UniFi controller, its MongoDB backend, and a log-tailing helper.
version: "2.3"

services:
  mongo:
    # NOTE(review): MongoDB 3.6 is past upstream end of life and no longer
    # receives security fixes. Check which MongoDB versions the controller
    # release supports before moving to a maintained version.
    image: "mongo:3.6"
    container_name: "${COMPOSE_PROJECT_NAME}_mongo"
    # No `command: --auth` and no MONGO_INITDB_ROOT_USERNAME /
    # MONGO_INITDB_ROOT_PASSWORD are set, so mongod runs without access
    # control and users created in the shell are not enforced. No ports are
    # published for this service in this file; keep it that way so the
    # database stays reachable only from the compose network.
    restart: always
    volumes:
      - "db:/data/db"
      - "dbcfg:/data/configdb"

  controller:
    # Resolves to the floating `latest` tag when TAG is unset; pin a specific
    # tag or digest so that an image update is a deliberate, reviewable step.
    image: "jacobalberty/unifi:${TAG:-latest}"
    container_name: "${COMPOSE_PROJECT_NAME}_controller"
    depends_on:
      - mongo
    init: true
    restart: always
    volumes:
      - "dir:/unifi"
      - "data:/unifi/data"
      - "log:/unifi/log"
      - "cert:/unifi/cert"
      - "init:/unifi/init.d"
      - "run:/var/run/unifi"
      # Mount local folder for backups and autobackups
      - "./backup:/unifi/data/backup"
    # The controller process runs as the non-root `unifi` user.
    user: unifi
    sysctls:
      # Allows that non-root user to bind ports below 1024 inside this
      # container's network namespace.
      net.ipv4.ip_unprivileged_port_start: 0
    environment:
      # The database password is stored in clear text in these URIs, so anyone
      # who can read this file or inspect the container can read it. Supply it
      # from an untracked env file or a secret store, and replace the
      # "12345678" stand-in.
      # Host `test_mongo` matches the mongo container_name only when
      # COMPOSE_PROJECT_NAME is `test`; the service name `mongo` resolves on
      # the compose network regardless.
      # Each URI authenticates against the database named in `authSource`, so
      # as written the `unifi` user has to exist in both `unifi` and
      # `unifi_stat`. Pointing both URIs at a single authentication database
      # needs only one account with roles on both databases.
      DB_URI: "mongodb://unifi:12345678@test_mongo/unifi?authSource=unifi"
      STATDB_URI: "mongodb://unifi:12345678@test_mongo/unifi_stat?authSource=unifi_stat"
      DB_NAME: unifi
    # Every mapping below binds on all host interfaces. Limit the management
    # GUI/API (8443) and device communication (8080) to trusted networks with
    # a host firewall or an explicit bind address.
    ports:
      - "3478:3478/udp" # STUN
      - "6789:6789/tcp" # Speed test
      - "8080:8080/tcp" # Device/ controller comm.
      - "8443:8443/tcp" # Controller GUI/API as seen in a web browser
      - "8880:8880/tcp" # HTTP portal redirection
      - "8843:8843/tcp" # HTTPS portal redirection
      - "10001:10001/udp" # AP discovery

  logs:
    # Helper container that follows the controller log files on the shared
    # `log` volume. It only reads them; a read-only mount (`:ro`) would
    # enforce that.
    image: bash
    container_name: "${COMPOSE_PROJECT_NAME}_logs"
    depends_on:
      - controller
    command: bash -c 'tail -F /unifi/log/*.log'
    restart: always
    volumes:
      - "log:/unifi/log"

# Named volumes using the default driver settings.
volumes:
  db:
  dbcfg:
  data:
  log:
  cert:
  init:
  dir:
  run:
我不知道我到底应该尝试什么
unifi
和
unifi_stats
),它们在连接字符串变量
DB_URI
和
STATDB_URI
中被引用。请只使用一个数据库作为身份验证数据库,参见
DB_NAME
。您创建了帐户
unifi
两次,这是行不通的,因为 Unifi 只会使用一个身份验证数据库。请确保
DB_NAME
指向活动数据库,即在创建帐户之前运行
use unifi
。然后创建两个单独的帐户或一个具有两个数据库权限的帐户。我正在研究与你类似的设置。这是我用来配置
unifi
数据库中现有
unifi
用户以连接到两个数据库的方法。服务启动没有错误,我可以使用 GUI,但这就是我迄今为止测试的范围。
// Give the existing "unifi" user (stored in the "unifi" database) access to
// both controller databases, so a single account and a single authentication
// database serve both connection strings.
// updateUser replaces the user's whole role list with the one passed here, so
// any role that is not listed below is dropped.
unifi_db = db.getSiblingDB('unifi'); // handle on the 'unifi' database

var unifiRoles = [];
// readWrite + dbAdmin on each application database: data access plus
// collection and index administration, without the user-management rights
// that dbOwner or userAdmin would add.
["unifi", "unifi_stat"].forEach(function (dbName) {
  unifiRoles.push({ role: "readWrite", db: dbName });
  unifiRoles.push({ role: "dbAdmin", db: dbName });
});
// clusterMonitor is a read-only monitoring role defined on the admin database.
unifiRoles.push({ role: "clusterMonitor", db: "admin" });

unifi_db.updateUser("unifi", { roles: unifiRoles });