## 1.用户授权
## (1) 先在非--auth模式下启动,仅用于初始化第一个管理员用户。注意:此时任何能连到该端口的客户端都无需认证,而下面的启动命令没有指定--bind_ip,请先确认实例只能从本机或可信网络访问。另一种做法是直接带--auth启动,利用MongoDB的localhost exception在本机创建第一个用户,从而避免这个无认证窗口。
/mongodb/bin/mongod --dbpath=/data/mongodb
--logpath=/mongodb/logs/mongodb.log --logappend --journal --fork
--port=27017
> use admin
switched to db admin
> db.dropDatabase();
{ "dropped" : "admin", "ok" : 1 }
> use admin
switched to db admin
## 在admin库创建一个具有root角色的超级管理员用户(上面的 db.dropDatabase() 会清空admin库,包括已有的全部用户和角色,只适合全新实例)。示例中密码与用户名相同仅为演示;生产环境必须使用强密码,root角色也只应授予极少数管理账号,日常读写请使用后面创建的受限用户。
> db.createUser({user:"admin",pwd:"admin", roles:
[{role:"root", db:"admin"}]});
Successfully added user: {
"user" : "admin",
"roles" : [
{
"role" :
"root",
"db" :
"admin"
}
]
}
## (2) 此时admin库中出现了 system.users、system.version 等系统集合,可以看到新建用户的记录。system.users 中保存的是 SCRAM-SHA-1 的 salt/storedKey/serverKey 而不是明文密码,但它们仍属于敏感凭据材料,只应由管理员查看,不要复制到日志或共享文档中。
> show collections;
system.indexes
system.users
system.version
> db.system.users.find();
{ "_id" : "admin.admin", "user" : "admin", "db" : "admin",
"credentials" : { "SCRAM-SHA-1" : { "iterationCount" : 10000,
"salt" : "2XdOg1YlUa5wwLj3Fx8WhA==", "storedKey"
:
"ENNWUOiKxfasE1Dz16qcXky44F4=", "serverKey" :
"deQB8LeyV4wkT4bfDf8gmbXiO9I=" } }, "roles" : [ { "role" : "root",
"db" : "admin" } ] }
> db.system.indexes.find();
{ "v" : 1, "key" : { "_id" : 1 }, "name" : "_id_", "ns" :
"admin.system.version" }
{ "v" : 1, "key" : { "_id" : 1 }, "name" : "_id_", "ns" :
"admin.system.users" }
{ "v" : 1, "unique" : true, "key" : { "user" : 1, "db" : 1 },
"name" : "user_1_db_1", "ns" : "admin.system.users" }
> db.system.version.find();
{ "_id" : "authSchema", "currentVersion" : 5 }
>
## (3) 现在带 --auth 重新启动 mongod(同一端口,需先停掉未启用认证的实例),开启访问控制。从此所有客户端都必须先认证才能执行需要权限的操作。
/mongodb/bin/mongod --dbpath=/data/mongodb
--logpath=/mongodb/logs/mongodb.log --logappend --journal --fork
--port=27017 --auth
## 直接用 mongo 连接(未认证):连接本身可以建立,但需要权限的命令都会被拒绝,例如 show dbs 对应的 listDatabases 返回 code 13 "not authorized"。
[root@centos511 ~]# mongo
MongoDB shell version: 3.0.7
connecting to: test
> show dbs;
2016-01-13T16:01:12.396+0800 E QUERY  Error: listDatabases failed:{
"ok" : 0,
"errmsg" : "not authorized on admin to execute
command { listDatabases: 1.0 }",
"code" : 13
}
at Error ()
at Mongo.getDBs
(src/mongo/shell/mongo.js:47:15)
at shellHelper.show
(src/mongo/shell/utils.js:630:33)
at shellHelper
(src/mongo/shell/utils.js:524:36)
at (shellhelp2):1:1 at
src/mongo/shell/mongo.js:47
>
## (4) 刚才的 admin 用户是在 admin 库中创建的,admin 库就是它的认证库(authentication database)。
## db.auth() 必须在用户的认证库上执行;在其他库(如默认的 test 或 my_mongodb)上执行会返回 Error: 18 Authentication failed:
[root@centos511 ~]# mongo
MongoDB shell version: 3.0.7
connecting to: test
> db.auth("admin","admin");
Error: 18 Authentication failed.
0
> use my_mongodb;
switched to db my_mongodb
> db.auth("admin","admin");
Error: 18 Authentication failed.
0
> use admin;
switched to db admin
> db.auth("admin","admin")
1
## db.auth("admin","admin") 返回 1 表示认证成功(返回 0 表示失败)。
## 注意:mongo shell 不会把包含 .auth( 的命令写入 shell 历史文件,以免明文密码落盘;
## 但如果在命令行用 -u/-p 直接传密码,密码会出现在进程列表和系统 shell 历史中,建议 -p 不带参数改为交互式输入。
## (5) 到admin库直接用db.auth登录
> use admin;
switched to db admin
> db.auth("admin","admin");
1
## 如果不小心把库名写错(例如 amin),`use amin` 只是在 shell 里切换上下文,并不会真的创建该库;
## 由于当前已经以 root 身份认证,可以直接对它执行 dropDatabase(对不存在的库同样返回 ok:1)。
## root 角色可以删除任何库,这也是日常操作不应使用 root 账号的原因:
> use amin;
switched to db amin
> db.dropDatabase();
{ "ok" : 1 }
## 切换到admin库,登录admin用户
> use admin;
switched to db admin
> db.auth("admin","admin");
1
> show dbs;
admin  0.078GB
local  0.078GB
my_mongodb  0.078GB
test  0.078GB
## (6) 按最小权限原则再创建一个普通用户 rwuser:在 admin 库中创建(因此认证库是 admin),但只授予 my_mongodb 库上的 readWrite 角色,不给任何管理权限
>
db.createUser({user:"rwuser",pwd:"rwuser",roles:[{role:"readWrite",db:"my_mongodb"}]});
Successfully added user: {
"user" : "rwuser",
"roles" : [
{
"role" :
"readWrite",
"db" :
"my_mongodb"
}
]
}
> use my_mongodb
switched to db my_mongodb
> show tables;
system.indexes
user
## 在 my_mongodb 上 db.auth 失败:rwuser 的认证库是创建它时所在的 admin 库,与它拥有权限的库无关
> db.auth("rwuser","rwuser");
Error: 18 Authentication failed.
0
## 必须在 admin 库(认证库)上认证
> use admin
switched to db admin
> db.auth("rwuser","rwuser");
1
## 认证成功后再切换到 my_mongodb 测试库,即可按 readWrite 角色的权限访问
> use my_mongodb
switched to db my_mongodb
> show tables;
system.indexes
user
## (7)对于用户, 可以增减角色:
## 增加角色:
db.grantRolesToUser("username",[{role:"",db:""}]);
db.grantRolesToUser('rwuser',[{role:"dbOwner",db:"my_mongodb"}]);
## 取消角色:
db.revokeRolesFromUser("username",[{role:"",db:""}]);
db.revokeRolesFromUser('rwuser',[{role:"readWrite",db:"my_mongodb"}]);
## 切换到admin用户
> use admin;
switched to db admin
> db.auth("admin","admin");
1
## 授予 dbOwner 角色并撤销 readWrite 角色。注意这是权限提升而不是替换:按 MongoDB 内置角色定义,dbOwner 包含 readWrite、dbAdmin 和 userAdmin,撤销 readWrite 并没有减少任何权限;其中 userAdmin 意味着 rwuser 现在可以在 my_mongodb 上创建用户和角色。只有确实需要这些管理能力时才授予 dbOwner。
>
db.grantRolesToUser('rwuser',[{role:"dbOwner",db:"my_mongodb"}]);
>
db.revokeRolesFromUser('rwuser',[{role:"readWrite",db:"my_mongodb"}]);
## 与之前一样,直接在 my_mongodb 上认证仍然失败:授予新角色不会改变用户的认证库(仍是 admin)
> use my_mongodb;
switched to db my_mongodb
> db.auth("rwuser","rwuser");
Error: 18 Authentication failed.
0
> db
my_mongodb
## 切换到admin登录
> use admin
switched to db admin
> db.auth("rwuser","rwuser");
1
> use my_mongodb;
switched to db my_mongodb
## dbOwner 在该库上拥有 listCollections、insert、find 等权限(实际包含该库上的全部读写与管理权限,这里只验证其中几项)
> show collections;
system.indexes
user
>
db.user.save({"uid":3,"username":"Steven","age":27});
WriteResult({ "nInserted" : 1 })
> db.user.find({uid:3});
{ "_id" : ObjectId("56961538e8fc7d6a180d4607"), "uid" : 3,
"username" : "Steven", "age" : 27 }
## (8) 也可以直接在业务库里创建用户:用户的认证库就是创建它时所在的库,这样登录时不必先切到 admin 库认证再切回业务库
## 1) admin登录
> use admin;
switched to db admin
> db.auth("admin","admin");
1
## 2) 切换到业务库 my_mongodb 创建用户 usersteven,其认证库即为 my_mongodb,因此可以直接在该库上 db.auth(这里仍授予了 dbOwner;若用户只需读写数据,应改为 readWrite 等更小的角色)
> use my_mongodb
switched to db my_mongodb
>
db.createUser({user:"usersteven",pwd:"usersteven",roles:[{
role:"dbOwner",db:"my_mongodb"}]});
Successfully added user: {
"user" : "usersteven",
"roles" : [
{
"role" :
"dbOwner",
"db" :
"my_mongodb"
}
]
}
> db.auth("usersteven","usersteven");
1
## 2. 创建自定义角色
## 切换到 my_mongodb 并在其中创建角色 testRole(角色和用户一样,归属于创建它时所在的库)
## roles: 在数据库 my_mongodb 中创建角色 "testRole",不继承任何其他角色(roles:[])
## privileges: resource 中 collection:"" 表示该库下的所有非系统集合,actions:["find"] 表示只允许查询;自定义角色用于把权限收窄到具体的库、集合和操作
## 删除角色用 db.dropRole("testRole")
## (1)切换admin库admin用户登录
> use admin;
switched to db admin
> db.auth("admin","admin");
1
## (2)切换至my_mongodb,并创建角色,action行为配置为find
> use my_mongodb
switched to db my_mongodb
>
db.createRole({role:"testRole",privileges:[{resource:{db:"my_mongodb",collection:""},
actions:["find"]}],roles:[]});
{
"role" : "testRole",
"privileges" : [
{
"resource"
: {
"db" : "my_mongodb",
"collection" : ""
},
"actions"
: [
"find"
]
}
],
"roles" : [ ]
}
## (3) 切换到 admin 库(仍以 admin 身份)查看角色定义:所有库的自定义角色统一存放在 admin.system.roles 中,_id 为 <库名>.<角色名>
> use admin;
switched to db admin
> show collections;
system.indexes
system.roles
system.users
system.version
> db.system.roles.find();
{ "_id" : "my_mongodb.testRole", "role" : "testRole", "db" :
"my_mongodb", "privileges" : [ { "resource" : { "db" :
"my_mongodb", "collection" : "" }, "actions" : [ "find" ] } ],
"roles" : [ ] }
## (4) 回到my_mongodb,创建用户userwill,并授予自定义角色
> use my_mongodb
switched to db my_mongodb
>
db.createUser({user:"userwill",pwd:"userwill",roles:[{role:"testRole",
db:"my_mongodb"}]});
Successfully added user: {
"user" : "userwill",
"roles" : [
{
"role" :
"testRole",
"db" :
"my_mongodb"
}
]
}
## 退出,切库至my_mongodb,新用户userwill登录
> exit
bye
[root@centos511 ~]# mongo
MongoDB shell version: 3.0.7
connecting to: test
> use my_mongodb;
switched to db my_mongodb
> db.auth("userwill","userwill");
1
## 可以find
> db.user.find({uid:3});
{ "_id" : ObjectId("56961538e8fc7d6a180d4607"), "uid" : 3,
"username" : "Steven", "age" : 27 }
## 但只有查询权限,写入被拒绝(code 13 not authorized):
> db.user.save({"uid":4,"username":"will","age":28});
WriteResult({
"writeError" : {
"code" : 13,
"errmsg" : "not authorized on
my_mongodb to execute command { insert: "user", documents: [ {
uid: 4.0, username: "will", age: 28.0, _id:
ObjectId('56963bd65a3618cf60c7e08a') } ], ordered: true }"
}
})
## (5) 给 testRole 再添加 update、insert、remove 三个 action,然后重新验证
## 修改角色需要具有 grantRole 权限的账号(这里用 admin 用户)。注意 db.grantPrivilegesToRole 作用于当前库中的同名角色,而 testRole 定义在 my_mongodb 下;
## 从后面 system.roles 的查询结果看权限确实加到了 my_mongodb.testRole 上,但实际操作时建议先 use my_mongodb 再执行,以免作用到错误的角色或报角色不存在
> use admin;
switched to db admin
> db.auth("admin","admin");
1
>
db.grantPrivilegesToRole("testRole",[{resource:{db:"my_mongodb",collection:""},actions:["update","insert","remove"]}]);
## 退出重新登录
> exit
[root@centos511 ~]# mongo
MongoDB shell version: 3.0.7
connecting to: test
## 切换到my_mongodb库
> use my_mongodb
switched to db my_mongodb
## 登录
> db.auth("userwill","userwill");
1
## 发现保存成功
> db.user.save({"uid":4,"username":"will","age":28});
WriteResult({ "nInserted" : 1 })
## uid=4记录保存成功
> db.user.find();
{ "_id" : ObjectId("56939ea79c8c3085fbb0283d"), "uid" : 2,
"username" : "Jerry", "age" : 100 }
{ "_id" : ObjectId("56939ea79c8c3085fbb0283e"), "uid" : 1,
"username" : "Tom", "age" : 25 }
{ "_id" : ObjectId("56961538e8fc7d6a180d4607"), "uid" : 3,
"username" : "Steven", "age" : 27 }
{ "_id" : ObjectId("5697399f23598adf661315c3"), "uid" : 4,
"username" : "will", "age" : 28 }
>
## 以 userwill 身份切换到 admin 库查询 system.roles 被拒绝:testRole 只有 my_mongodb 上的权限,对 admin 库的内容没有任何访问权
> use admin;
switched to db admin
> db.system.roles.find();
Error: error: { "$err" : "not authorized for query on
admin.system.roles", "code" : 13 }
## 需要以 admin 用户认证后才能查看角色定义(注意此时同一连接上同时认证了 userwill 和 admin 两个用户,后续操作拥有两者权限之和)
> db.auth("admin","admin");
1
> db.system.roles.find();
{ "_id" : "my_mongodb.testRole", "role" : "testRole", "db" :
"my_mongodb", "privileges" : [ { "resource" : { "db" :
"my_mongodb", "collection" : "" }, "actions" : [ "find", "insert",
"remove", "update" ] } ], "roles" : [ ] }
## (6) db.updateRole 不同于 grant/revoke 的增量修改,而是用给定的字段整体替换:这里 roles 被替换为 [readWrite@my_mongodb],未指定的 privileges 保持不变;传入 privileges 时同样会被整体替换。
## 注意:下面的 show dbs 能成功,更可能是因为这个连接上 admin 用户仍处于认证状态(中间没有 db.logout() 或重新连接),而不是 userwill 获得了新权限——my_mongodb 上的 readWrite 并不包含 listDatabases。要验证 userwill 的实际权限,应先退出再只以 userwill 登录测试。
> use admin
switched to db admin
> db.auth("admin","admin")
1
> use my_mongodb
switched to db my_mongodb
> db.updateRole("testRole",{ roles:[{ role: "readWrite",db:
"my_mongodb"}]},{ w:"majority" })
> db.auth("userwill","userwill");
1
> show dbs;
admin  0.078GB
local  0.078GB
my_mongodb  0.078GB
test  0.078GB