Contents
1 Software environment
2 Privilege and role management
2.1 Creating a role
2.1.1 Syntax
2.1.2 Example
2.2 Querying a role
2.2.1 Syntax
2.2.2 Example
2.3 Querying all roles
2.3.1 Syntax
2.3.2 Example
2.4 Dropping a role
2.4.1 Syntax
2.4.2 Example
2.5 Dropping all roles
2.5.1 Syntax
2.5.2 Example
2.6 Updating a role
2.6.1 Syntax
2.6.2 Example
2.7 Granting privileges to a role
2.7.1 Syntax
2.7.2 Example
2.8 Revoking privileges from a role
2.8.1 Syntax
2.8.2 Example
2.9 Granting roles to a role
2.9.1 Syntax
2.9.2 Example
2.10 Revoking roles from a role
2.10.1 Syntax
2.10.2 Example
MongoDB provides a number of features, such as authentication, access control and encryption, to protect a MongoDB server. This article summarises the shell methods for managing privileges and roles in MongoDB, with the output each one produces on a test server.
1 Software environment
The software used is:
- VirtualBox 5.2
- Oracle Linux 6.7
- MongoDB 4.2.0
2 Privilege and role management
2.1 Creating a role
Creates a role in the database in which the command runs. A role's permissions come from privileges specified explicitly on the role, from the privileges of other roles it inherits, or both. Unless the role is created in the admin database, it can only hold privileges that apply to its own database and can only inherit roles from its own database; roles created in admin, as in every example below, may reference any database, which is why custom roles are usually kept there.
2.1.1 Syntax
db.createRole(role, writeConcern)
where role is a document of the following form:
{
role: "<name>",
privileges: [
{ resource: { <resource> }, actions: [ "<action>", ... ] },
...
],
roles: [
{ role: "<role>", db: "<database>" } | "<role>",
...
],
authenticationRestrictions: [
{
clientSource: ["<IP>" | "<CIDR range>", ...],
serverAddress: ["<IP>" | "<CIDR range>", ...]
},
...
]
}
resource: what the privilege applies to. The resource document is one of { db: "<db>", collection: "<collection>" } (an empty string in either field means every database or every non-system collection respectively), { cluster: true } for cluster-wide actions, or { anyResource: true }, which MongoDB documents as intended for exceptional circumstances only.
action: what may be done, that is, the operations permitted on the resource. Listing only the actions a workload needs is the point of defining a custom role instead of handing out readWrite.
2.1.2 Example
> use admin
> db.createRole(
... {
... role:"rd",
... privileges:[
... {resource:{db:"hr",collection:""},actions:["find","insert"]}
... ],
... roles:[{role:"read",db:"admin"}]
... }
... )
{
"role" : "rd",
"privileges" : [
{
"resource" : {
"db" : "hr",
"collection" : ""
},
"actions" : [
"find",
"insert"
]
}
],
"roles" : [
{
"role" : "read",
"db" : "admin"
}
]
}
2.2 Querying a role
Returns information about one role. Works for both user-defined and built-in roles.
2.2.1 Syntax
db.getRole(rolename, args)
where rolename is the role name (a string) and args is an optional document with the following option:
- showPrivileges, boolean: when true, the result also contains the role's privileges, both those defined directly on it (privileges) and the full set resolved through inheritance (inheritedPrivileges).
The showBuiltinRoles option is accepted here too, as Example 2 shows, but it only matters when listing all roles with db.getRoles(); a single role is returned by name whether it is built in or not, and the isBuiltin field in the output tells you which.
2.2.2 Example
Example 1:
> db.getRole("rd")
{
"role" : "rd",
"db" : "admin",
"isBuiltin" : false,
"roles" : [
{
"role" : "read",
"db" : "admin"
}
],
"inheritedRoles" : [
{
"role" : "read",
"db" : "admin"
}
]
}
Example 2:
> db.getRole("rd",{showBuiltinRoles:true,showPrivileges:true})
{
"role" : "rd",
"db" : "admin",
"isBuiltin" : false,
"roles" : [
{
"role" : "read",
"db" : "admin"
}
],
"inheritedRoles" : [
{
"role" : "read",
"db" : "admin"
}
],
"privileges" : [
{
"resource" : {
"db" : "hr",
"collection" : ""
},
"actions" : [
"find",
"insert"
]
}
],
"inheritedPrivileges" : [
{
"resource" : {
"db" : "hr",
"collection" : ""
},
"actions" : [
"find",
"insert"
]
},
{
"resource" : {
"db" : "admin",
"collection" : ""
},
"actions" : [
"changeStream",
"collStats",
"dbHash",
"dbStats",
"find",
"killCursors",
"listCollections",
"listIndexes",
"planCacheRead"
]
},
{
"resource" : {
"db" : "admin",
"collection" : "system.js"
},
"actions" : [
"changeStream",
"collStats",
"dbHash",
"dbStats",
"find",
"killCursors",
"listCollections",
"listIndexes",
"planCacheRead"
]
}
]
}
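The inheritedRoles and inheritedPrivileges fields above are what a custom role can actually do once inheritance has been resolved. What follows is an added example, not code from this page or from MongoDB: a small JavaScript model of that resolution over a catalog constructed from the role documents shown in 2.1 and 2.2 (admin.read as MongoDB 4.2 reports it, and the custom admin.rd role), plus a roleAllows check that answers "can this role perform action X on db.collection?". CATALOG, resolveRole, effectivePrivileges and roleAllows are names belonging to this example.

```javascript
"use strict";

// Constructed catalog keyed by "<db>.<role>". The two entries reproduce what this
// page shows for the built-in admin.read role and the custom admin.rd role.
const READ_ACTIONS = ["changeStream", "collStats", "dbHash", "dbStats", "find",
  "killCursors", "listCollections", "listIndexes", "planCacheRead"];

const CATALOG = {
  "admin.read": {
    roles: [],
    privileges: [
      { resource: { db: "admin", collection: "" }, actions: READ_ACTIONS },
      // The empty-collection form excludes system collections, which is why the
      // built-in role carries a separate explicit privilege on system.js.
      { resource: { db: "admin", collection: "system.js" }, actions: READ_ACTIONS },
    ],
  },
  "admin.rd": {
    roles: [{ role: "read", db: "admin" }],
    privileges: [{ resource: { db: "hr", collection: "" }, actions: ["find", "insert"] }],
  },
};

// Canonical key for a resource document so privileges on the same resource merge.
function resourceKey(resource) {
  if (resource.cluster) return "cluster";
  if (resource.anyResource) return "anyResource";
  return `db=${resource.db}|collection=${resource.collection}`;
}

// Walk the inheritance graph depth first. `seen` prevents infinite recursion on
// a cyclic catalog and makes a diamond (two paths to one role) count only once.
function resolveRole(catalog, db, name, seen) {
  const key = `${db}.${name}`;
  const merged = new Map();
  const inheritedRoles = [];
  if (seen.has(key)) return { inheritedRoles, merged };
  seen.add(key);
  const def = catalog[key];
  if (!def) throw new Error(`unknown role ${key}`);
  const add = (resource, actions) => {
    const k = resourceKey(resource);
    const cur = merged.get(k) || { resource, actions: new Set() };
    actions.forEach((a) => cur.actions.add(a));
    merged.set(k, cur);
  };
  def.privileges.forEach((p) => add(p.resource, p.actions));
  for (const r of def.roles) {
    // A bare string names a role in the same database as the inheriting role.
    const rdb = typeof r === "string" ? db : r.db;
    const rname = typeof r === "string" ? r : r.role;
    inheritedRoles.push({ role: rname, db: rdb });
    const sub = resolveRole(catalog, rdb, rname, seen);
    inheritedRoles.push(...sub.inheritedRoles);
    sub.merged.forEach((p) => add(p.resource, [...p.actions]));
  }
  return { inheritedRoles, merged };
}

// Same shape as the inheritedRoles / inheritedPrivileges fields getRole prints.
function effectivePrivileges(catalog, db, name) {
  const { inheritedRoles, merged } = resolveRole(catalog, db, name, new Set());
  const inheritedPrivileges = [...merged.values()].map((p) => ({
    resource: p.resource,
    actions: [...p.actions].sort(),
  }));
  return { inheritedRoles, inheritedPrivileges };
}

// Does the role's effective privilege set allow `action` on targetDb.targetColl?
// An empty db or collection field is treated as a wildcard here; the real server
// additionally keeps system.* collections out of the empty-collection form.
function roleAllows(catalog, db, name, action, targetDb, targetColl) {
  return effectivePrivileges(catalog, db, name).inheritedPrivileges.some((p) => {
    const r = p.resource;
    if (r.cluster) return false;
    if (r.anyResource) return p.actions.includes(action);
    const dbOk = r.db === "" || r.db === targetDb;
    const collOk = r.collection === "" || r.collection === targetColl;
    return dbOk && collOk && p.actions.includes(action);
  });
}
```

Running effectivePrivileges(CATALOG, "admin", "rd") yields the three merged privileges the getRole output above lists under inheritedPrivileges; roleAllows then shows that rd can insert into hr but only read admin, which is the question a reviewer of a custom role is really asking.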
2.3 Querying all roles
Lists the user-defined roles of the current database.
2.3.1 Syntax
db.getRoles()
Called without arguments, the method returns the current database's user-defined roles. To get more, pass an options document with the following fields:
- rolesInfo, integer: set to 1 to return all user-defined roles;
- showPrivileges, boolean: set to true to include each role's privileges, both those defined directly on it and those inherited from other roles;
- showBuiltinRoles, boolean: set to true to return the built-in roles alongside the user-defined ones.
Because the listing is per database, an audit of custom roles has to be repeated in every database that holds them.
2.3.2 Example
Example 1:
> use admin
switched to db admin
> db.getRoles()
[
{
"role" : "rd",
"db" : "admin",
"isBuiltin" : false,
"roles" : [
{
"role" : "read",
"db" : "admin"
}
],
"inheritedRoles" : [
{
"role" : "read",
"db" : "admin"
}
]
}
]
Example 2:
> db.getRoles({rolesInfo:1,showBuiltinRoles:true})
[
{
"role" : "__queryableBackup",
"db" : "admin",
"isBuiltin" : true,
"roles" : [ ],
"inheritedRoles" : [ ]
},
{
"role" : "__system",
"db" : "admin",
"isBuiltin" : true,
"roles" : [ ],
"inheritedRoles" : [ ]
},
{
"role" : "backup",
"db" : "admin",
"isBuiltin" : true,
"roles" : [ ],
"inheritedRoles" : [ ]
},
{
"role" : "clusterAdmin",
"db" : "admin",
"isBuiltin" : true,
"roles" : [ ],
"inheritedRoles" : [ ]
},
{
"role" : "clusterManager",
"db" : "admin",
"isBuiltin" : true,
"roles" : [ ],
"inheritedRoles" : [ ]
},
{
"role" : "clusterMonitor",
"db" : "admin",
"isBuiltin" : true,
"roles" : [ ],
"inheritedRoles" : [ ]
},
{
"role" : "dbAdmin",
"db" : "admin",
"isBuiltin" : true,
"roles" : [ ],
"inheritedRoles" : [ ]
},
{
"role" : "dbAdminAnyDatabase",
"db" : "admin",
"isBuiltin" : true,
"roles" : [ ],
"inheritedRoles" : [ ]
},
{
"role" : "dbOwner",
"db" : "admin",
"isBuiltin" : true,
"roles" : [ ],
"inheritedRoles" : [ ]
},
{
"role" : "enableSharding",
"db" : "admin",
"isBuiltin" : true,
"roles" : [ ],
"inheritedRoles" : [ ]
},
{
"role" : "hostManager",
"db" : "admin",
"isBuiltin" : true,
"roles" : [ ],
"inheritedRoles" : [ ]
},
{
"role" : "rd",
"db" : "admin",
"isBuiltin" : false,
"roles" : [
{
"role" : "read",
"db" : "admin"
}
],
"inheritedRoles" : [
{
"role" : "read",
"db" : "admin"
}
]
},
{
"role" : "read",
"db" : "admin",
"isBuiltin" : true,
"roles" : [ ],
"inheritedRoles" : [ ]
},
{
"role" : "readAnyDatabase",
"db" : "admin",
"isBuiltin" : true,
"roles" : [ ],
"inheritedRoles" : [ ]
},
{
"role" : "readWrite",
"db" : "admin",
"isBuiltin" : true,
"roles" : [ ],
"inheritedRoles" : [ ]
},
{
"role" : "readWriteAnyDatabase",
"db" : "admin",
"isBuiltin" : true,
"roles" : [ ],
"inheritedRoles" : [ ]
},
{
"role" : "restore",
"db" : "admin",
"isBuiltin" : true,
"roles" : [ ],
"inheritedRoles" : [ ]
},
{
"role" : "root",
"db" : "admin",
"isBuiltin" : true,
"roles" : [ ],
"inheritedRoles" : [ ]
},
{
"role" : "userAdmin",
"db" : "admin",
"isBuiltin" : true,
"roles" : [ ],
"inheritedRoles" : [ ]
},
{
"role" : "userAdminAnyDatabase",
"db" : "admin",
"isBuiltin" : true,
"roles" : [ ],
"inheritedRoles" : [ ]
}
]
2.4 Dropping a role
Deletes a user-defined role from the current database. The role is also removed from every user and role it had been granted to, so dropping a role is the quickest way to cut off everything that depended on it. Built-in roles cannot be dropped.
2.4.1 Syntax
db.dropRole(rolename, writeConcern)
where rolename is a string holding the role's name.
2.4.2 Example
> use admin
switched to db admin
> db.dropRole("rd")
true
> db.getRoles()
[ ]
2.5 Dropping all roles
Deletes all user-defined roles in the current database (built-in roles are unaffected) and returns the number of roles removed.
2.5.1 Syntax
db.dropAllRoles(writeConcern)
2.5.2 Example
> use admin
> db.createRole({role:"r1",privileges:[{resource:{db:"hr",collection:""},actions:["find"]}],roles:[]})
{
"role" : "r1",
"privileges" : [
{
"resource" : {
"db" : "hr",
"collection" : ""
},
"actions" : [
"find"
]
}
],
"roles" : [ ]
}
> db.createRole({role:"r2",privileges:[{resource:{db:"test",collection:""},actions:["find","insert"]}],roles:["readWrite"]})
{
"role" : "r2",
"privileges" : [
{
"resource" : {
"db" : "test",
"collection" : ""
},
"actions" : [
"find",
"insert"
]
}
],
"roles" : [
"readWrite"
]
}
> db.dropAllRoles()
NumberLong(2)
2.6 Updating a role
Updates a user-defined role in the database where the command runs. At least one of privileges, roles or authenticationRestrictions must be supplied, and each supplied field completely replaces the old value; fields left out are unchanged. To add or remove individual privileges or roles without rewriting the whole list, use the grant and revoke methods in the following sections instead.
2.6.1 Syntax
db.updateRole(
"<rolename>",
{
privileges:
[
{ resource: { <resource> }, actions: [ "<action>", ... ] },
...
],
roles:
[
{ role: "<role>", db: "<database>" } | "<role>",
...
],
authenticationRestrictions:
[
{
clientSource: ["<IP>" | "<CIDR range>", ...],
serverAddress: ["<IP>" | "<CIDR range>", ...]
},
...
]
},
{ <writeConcern> }
)
2.6.2 Example
1) View the role
> use admin
switched to db admin
> db.getRole("r11",{showPrivileges:true})
{
"role" : "r11",
"db" : "admin",
"isBuiltin" : false,
"roles" : [
{
"role" : "read",
"db" : "hr"
}
],
"inheritedRoles" : [
{
"role" : "read",
"db" : "hr"
}
],
"privileges" : [
{
"resource" : {
"db" : "scott",
"collection" : ""
},
"actions" : [
"find"
]
}
],
"inheritedPrivileges" : [
{
"resource" : {
"db" : "scott",
"collection" : ""
},
"actions" : [
"find"
]
},
{
"resource" : {
"db" : "hr",
"collection" : ""
},
"actions" : [
"changeStream",
"collStats",
"dbHash",
"dbStats",
"find",
"killCursors",
"listCollections",
"listIndexes",
"planCacheRead"
]
},
{
"resource" : {
"db" : "hr",
"collection" : "system.js"
},
"actions" : [
"changeStream",
"collStats",
"dbHash",
"dbStats",
"find",
"killCursors",
"listCollections",
"listIndexes",
"planCacheRead"
]
}
]
}
2) Update the role (roles: [] drops every inherited role; privileges is not supplied and therefore keeps its value)
> db.updateRole(
... "r11",
... {roles:[]}
... )
3) View the role after the update
> db.getRole("r11",{showPrivileges:true})
{
"role" : "r11",
"db" : "admin",
"isBuiltin" : false,
"roles" : [ ],
"inheritedRoles" : [ ],
"privileges" : [
{
"resource" : {
"db" : "scott",
"collection" : ""
},
"actions" : [
"find"
]
}
],
"inheritedPrivileges" : [
{
"resource" : {
"db" : "scott",
"collection" : ""
},
"actions" : [
"find"
]
}
]
}
2.7 Granting privileges to a role
Adds privileges to a user-defined role. A privilege on a resource the role does not yet cover is appended; if the role already holds a privilege on exactly that resource, the new actions are merged into it. The same database-scope rule as createRole applies: outside admin, a role can only be granted privileges on its own database.
2.7.1 Syntax
db.grantPrivilegesToRole(
"<rolename>",
[
{ resource: { <resource> }, actions: [ "<action>", ... ] },
...
],
{ <writeConcern> }
)
2.7.2 Example
1) View the role
> use admin
switched to db admin
> db.getRoles({showPrivileges:true})
[
{
"role" : "r11",
"db" : "admin",
"isBuiltin" : false,
"roles" : [ ],
"inheritedRoles" : [ ],
"privileges" : [
{
"resource" : {
"db" : "scott",
"collection" : ""
},
"actions" : [
"find"
]
}
],
"inheritedPrivileges" : [
{
"resource" : {
"db" : "scott",
"collection" : ""
},
"actions" : [
"find"
]
}
]
}
]
2) Grant the privileges
> db.grantPrivilegesToRole(
... "r11",
... [
... {resource:{db:"hr",collection:"test"},actions:["find"]}
... ]
... )
3) View the role after the grant
> db.getRole("r11",{showPrivileges:true})
{
"role" : "r11",
"db" : "admin",
"isBuiltin" : false,
"roles" : [ ],
"inheritedRoles" : [ ],
"privileges" : [
{
"resource" : {
"db" : "scott",
"collection" : ""
},
"actions" : [
"find"
]
},
{
"resource" : {
"db" : "hr",
"collection" : "test"
},
"actions" : [
"find"
]
}
],
"inheritedPrivileges" : [
{
"resource" : {
"db" : "scott",
"collection" : ""
},
"actions" : [
"find"
]
},
{
"resource" : {
"db" : "hr",
"collection" : "test"
},
"actions" : [
"find"
]
}
]
}
2.8 Revoking privileges from a role
Removes specific privileges from a user-defined role. Matching is by resource: the resource document in the revoke request must match the resource of an existing privilege exactly (for example { db: "hr", collection: "" } does not match { db: "hr", collection: "test" }), while the actions listed may be all or only a subset of that privilege's actions. A request whose resource matches nothing removes nothing, so re-read the role afterwards, as step 2 does, rather than assuming the revoke took effect.
2.8.1 Syntax
db.revokePrivilegesFromRole(
"<rolename>",
[
{ resource: { <resource> }, actions: [ "<action>", ... ] },
...
],
{ <writeConcern> }
)
2.8.2 Example
1) Revoke the privilege
> use admin
switched to db admin
> db.revokePrivilegesFromRole( "r11", [{resource:{db:"scott",collection:""},actions:["find"]}] )
2) View the privileges
> db.getRole("r11",{showPrivileges:true})
{
"role" : "r11",
"db" : "admin",
"isBuiltin" : false,
"roles" : [ ],
"inheritedRoles" : [ ],
"privileges" : [
{
"resource" : {
"db" : "hr",
"collection" : "test"
},
"actions" : [
"find"
]
}
],
"inheritedPrivileges" : [
{
"resource" : {
"db" : "hr",
"collection" : "test"
},
"actions" : [
"find"
]
}
]
}
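The exact-resource rule described in 2.8 is easy to get wrong by hand. As an added example (not code from this page or from MongoDB), the function below applies that rule to a plain array of privilege documents: the resource must be identical field for field, the actions may be a subset, and a privilege left with no actions disappears. Requests that match no resource are collected in an unmatched list so the caller can see a revoke that did nothing; that reporting is a choice of this model, not a description of what the server returns. R11_PRIVILEGES is constructed from the r11 listing in 2.7, and sameResource / revokePrivileges are this example's own names.

```javascript
"use strict";

// Constructed input: the privileges this page shows for r11 before the revoke.
const R11_PRIVILEGES = [
  { resource: { db: "scott", collection: "" }, actions: ["find"] },
  { resource: { db: "hr", collection: "test" }, actions: ["find"] },
];

// Two resource documents match only when every field is identical; a
// collection of "" (all collections) does not match a named collection.
function sameResource(a, b) {
  const keys = new Set([...Object.keys(a), ...Object.keys(b)]);
  for (const k of keys) if (a[k] !== b[k]) return false;
  return true;
}

// Returns { privileges, unmatched }. Actions in a request may be a subset of
// the privilege's actions; a privilege left with no actions is dropped. A
// request whose resource matches nothing is reported in `unmatched`.
function revokePrivileges(privileges, toRevoke) {
  const result = privileges.map((p) => ({ resource: { ...p.resource }, actions: [...p.actions] }));
  const unmatched = [];
  for (const req of toRevoke) {
    const target = result.find((p) => sameResource(p.resource, req.resource));
    if (!target) {
      unmatched.push(req.resource);
      continue;
    }
    target.actions = target.actions.filter((a) => !req.actions.includes(a));
  }
  return { privileges: result.filter((p) => p.actions.length > 0), unmatched };
}
```

Revoking { db: "scott", collection: "" } find reproduces the result shown in step 2; revoking { db: "hr", collection: "" } find instead is reported as unmatched and leaves the hr.test privilege in place, which is the outcome the exact-match rule produces on a real server too.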
2.9 Granting roles to a role
Makes a user-defined role inherit other roles, built-in or user-defined. A role given as a bare string is resolved in the database where the command runs, so "readWrite" issued from admin grants readWrite on the admin database, as the example shows, not on the database the role was meant to serve; use the { role: "<role>", db: "<database>" } form whenever the target database differs.
2.9.1 Syntax
db.grantRolesToRole( "<rolename>", [ <roles> ], { <writeConcern> } )
2.9.2 Example
1) View the role
> db.getRole("r11",{showPrivileges:true})
{
"role" : "r11",
"db" : "admin",
"isBuiltin" : false,
"roles" : [ ], <--------------- the roles array is empty
"inheritedRoles" : [ ],
"privileges" : [
{
"resource" : {
"db" : "hr",
"collection" : "test"
},
"actions" : [
"find"
]
}
],
"inheritedPrivileges" : [
{
"resource" : {
"db" : "hr",
"collection" : "test"
},
"actions" : [
"find"
]
}
]
}
2) Grant the role
> db.grantRolesToRole(
... "r11",
... ["readWrite"]
... )
3) View the role after the grant
> db.getRole("r11",{showPrivileges:true})
{
"role" : "r11",
"db" : "admin",
"isBuiltin" : false,
"roles" : [ <--------------- after the grant, the roles array contains the granted role
{
"role" : "readWrite",
"db" : "admin"
}
],
"inheritedRoles" : [
{
"role" : "readWrite",
"db" : "admin"
}
],
"privileges" : [
{
"resource" : {
"db" : "hr",
"collection" : "test"
},
"actions" : [
"find"
]
}
],
"inheritedPrivileges" : [
{
"resource" : {
"db" : "hr",
"collection" : "test"
},
"actions" : [
"find"
]
},
{
"resource" : {
"db" : "admin",
"collection" : ""
},
"actions" : [
"changeStream",
"collStats",
"convertToCapped",
"createCollection",
"createIndex",
"dbHash",
"dbStats",
"dropCollection",
"dropIndex",
"emptycapped",
"find",
"insert",
"killCursors",
"listCollections",
"listIndexes",
"planCacheRead",
"remove",
"renameCollectionSameDB",
"update"
]
},
{
"resource" : {
"db" : "admin",
"collection" : "system.js"
},
"actions" : [
"changeStream",
"collStats",
"convertToCapped",
"createCollection",
"createIndex",
"dbHash",
"dbStats",
"dropCollection",
"dropIndex",
"emptycapped",
"find",
"insert",
"killCursors",
"listCollections",
"listIndexes",
"planCacheRead",
"remove",
"renameCollectionSameDB",
"update"
]
}
]
}
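The listing above is the kind of thing a role review should catch: a role that was only meant to read hr.test now inherits insert, update, remove and drop actions on the admin database. As an added example (not code from this page or from MongoDB), the functions below audit an array of role documents in the shape db.getRoles({rolesInfo:1, showPrivileges:true}) returns and flag custom roles whose inherited privileges carry write or administrative actions on admin, on every database, on the cluster, or on anyResource. The two sample documents are constructed from the r11 listings before and after the grant; WRITE_ACTIONS, findingsForRole and auditRoles are this example's own names.

```javascript
"use strict";

// Actions that change data or schema; any of these on the admin database (or on
// every database) in a custom role deserves review.
const WRITE_ACTIONS = new Set(["insert", "update", "remove", "createCollection",
  "dropCollection", "dropDatabase", "createIndex", "dropIndex",
  "renameCollectionSameDB", "convertToCapped", "emptycapped"]);

// Findings for one role document. Built-in roles are skipped: they cannot be
// edited, and the interest here is what custom roles end up inheriting.
function findingsForRole(roleDoc) {
  const findings = [];
  if (roleDoc.isBuiltin) return findings;
  const who = `${roleDoc.db}.${roleDoc.role}`;
  for (const p of roleDoc.inheritedPrivileges || []) {
    const r = p.resource;
    const writes = p.actions.filter((a) => WRITE_ACTIONS.has(a));
    if (r.anyResource) {
      findings.push(`${who}: ${p.actions.length} action(s) on anyResource`);
    } else if (r.cluster) {
      findings.push(`${who}: cluster actions ${p.actions.join(",")}`);
    } else if (r.db === "admin" && writes.length > 0) {
      findings.push(`${who}: write actions on admin.${r.collection || "<all>"}: ${writes.join(",")}`);
    } else if (r.db === "" && writes.length > 0) {
      findings.push(`${who}: write actions on every database (${r.collection || "<all>"}): ${writes.join(",")}`);
    }
  }
  return findings;
}

// Map of "<db>.<role>" -> findings, containing only roles with at least one finding.
function auditRoles(roleDocs) {
  const report = {};
  for (const doc of roleDocs) {
    const f = findingsForRole(doc);
    if (f.length > 0) report[`${doc.db}.${doc.role}`] = f;
  }
  return report;
}

// Constructed samples built from the two r11 listings on this page.
const READWRITE_ACTIONS = ["changeStream", "collStats", "convertToCapped",
  "createCollection", "createIndex", "dbHash", "dbStats", "dropCollection",
  "dropIndex", "emptycapped", "find", "insert", "killCursors", "listCollections",
  "listIndexes", "planCacheRead", "remove", "renameCollectionSameDB", "update"];

const R11_BEFORE = {
  role: "r11", db: "admin", isBuiltin: false, roles: [], inheritedRoles: [],
  privileges: [{ resource: { db: "hr", collection: "test" }, actions: ["find"] }],
  inheritedPrivileges: [{ resource: { db: "hr", collection: "test" }, actions: ["find"] }],
};

const R11_AFTER = {
  role: "r11", db: "admin", isBuiltin: false,
  roles: [{ role: "readWrite", db: "admin" }],
  inheritedRoles: [{ role: "readWrite", db: "admin" }],
  privileges: R11_BEFORE.privileges,
  inheritedPrivileges: [
    { resource: { db: "hr", collection: "test" }, actions: ["find"] },
    { resource: { db: "admin", collection: "" }, actions: READWRITE_ACTIONS },
    { resource: { db: "admin", collection: "system.js" }, actions: READWRITE_ACTIONS },
  ],
};
```

In the mongo shell the same functions run unchanged: paste them and call auditRoles(db.getRoles({rolesInfo:1, showPrivileges:true})) from each database that holds custom roles, since getRoles only lists the current database. Against the sample, r11 is clean before the grant and produces two findings after it, one for admin.<all> and one for admin.system.js.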
2.10 Revoking roles from a role
Removes inherited roles from a user-defined role. The role's directly defined privileges are not touched, as the privileges field in step 2 shows.
2.10.1 Syntax
db.revokeRolesFromRole( "<rolename>", [ <roles> ], { <writeConcern> } )
2.10.2 Example
1) Revoke the role
> use admin
switched to db admin
> db.revokeRolesFromRole(
... "r11",
... ["readWrite"]
... )
2) View the role
> db.getRole("r11",{showPrivileges:true})
{
"role" : "r11",
"db" : "admin",
"isBuiltin" : false,
"roles" : [ ],
"inheritedRoles" : [ ],
"privileges" : [
{
"resource" : {
"db" : "hr",
"collection" : "test"
},
"actions" : [
"find"
]
}
],
"inheritedPrivileges" : [
{
"resource" : {
"db" : "hr",
"collection" : "test"
},
"actions" : [
"find"
]
}
]
}