After MongoDB is installed, there are two ways to start it:
>mongod
This is the default startup mode, with auth (access control) disabled; or
>mongod --auth
This starts MongoDB with auth enabled. In this mode you must authenticate before operating on each database, and the shell always enters the test db first by default, so once auth is enabled you must make sure test has a user added for authentication. Below is a brief walkthrough of creating the users.
Start MongoDB with auth disabled and create a user with grant (user-management) rights, i.e. the account administrator:
> use admin
switched to db admin
> db.createUser(
... {
... user: "dba",
... pwd: "dba",
... roles: [ { role: "userAdminAnyDatabase", db: "admin" } ]
... }
... )
Successfully added user: {
"user" : "dba",
"roles" : [
{
"role" : "userAdminAnyDatabase",
"db" : "admin"
}
]
}
The user ("dba","dba") is now created. It is stored in admin with the role userAdminAnyDatabase (user-level database administration rights) and can later be used to manage other user accounts. Here is a summary of MongoDB's roles.

| Built-in role category | Role | Description |
| --- | --- | --- |
| 1. Database user roles | read | Allows the user to read the specified database |
| | readWrite | Allows the user to read and write the specified database |
| 2. Database administration roles | dbAdmin | Allows the user to perform administrative functions in the specified database, such as creating and dropping indexes, viewing statistics, or accessing system.profile |
| | dbOwner | |
| | userAdmin | Allows the user to write to the system.users collection, and to create, drop and manage users in the specified database |
| 3. Cluster administration roles | clusterAdmin | Only available in the admin database; grants the user administrative rights over all sharding and replica set related functions |
| | clusterManager | |
| | clusterMonitor | |
| | hostManager | |
| 4. Backup and restore roles | backup | |
| | restore | |
| 5. All-database roles | readAnyDatabase | Only available in the admin database; grants the user read access to all databases |
| | readWriteAnyDatabase | Only available in the admin database; grants the user read and write access to all databases |
| | userAdminAnyDatabase | Only available in the admin database; grants the user userAdmin rights on all databases |
| | dbAdminAnyDatabase | Only available in the admin database; grants the user dbAdmin rights on all databases |
| 6. Superuser role | root | Only available in the admin database; the superuser account with full privileges |
| 7. Internal role | __system | |

Note: several other roles also provide system superuser access, directly or indirectly (dbOwner, userAdmin, userAdminAnyDatabase).
Now, first look at what has changed:
> show dbs
admin 0.000GB
local 0.000GB
test 0.000GB
young 0.006GB
> use admin
switched to db admin
> show collections
system.users
system.version
You can clearly see that an admin database has appeared. Looking at the collections in admin, the users we create are all stored in the system.users collection; we can inspect the user we just created with the following command:
> db.system.users.find({user:"dba"}).pretty();
{
"_id" : "admin.dba",
"user" : "dba",
"db" : "admin",
"credentials" : {
"SCRAM-SHA-1" : {
"iterationCount" : 10000,
"salt" : "bFBofkgvlS9/DEfuYBYFBA==",
"storedKey" : "QAwo9n5KQ/ewyu/RJiJX8fk5LqY=",
"serverKey" : "HUqkLsGk1g9NAfoheoQBuauwRo8="
}
},
"roles" : [
{
"role" : "userAdminAnyDatabase",
"db" : "admin"
}
]
}
Next, create a user test with readWrite rights on the test database:
> db.createUser(
... ... {
... ... user: "test",
... ... pwd: "test",
... ... roles: [ { role: "readWrite", db: "test" } ]
... ... });
Successfully added user: {
"user" : "test",
"roles" : [
{
"role" : "readWrite",
"db" : "test"
}
]
}
and a user run with readWrite rights on the young database:
> db.createUser(
... ... {
... ... user: "run",
... ... pwd: "run",
... ... roles: [ { role: "readWrite", db: "young" } ]
... ... })
Successfully added user: {
"user" : "run",
"roles" : [
{
"role" : "readWrite",
"db" : "young"
}
]
}
The basic users are now created. Finally, list all the users we just created:
> db.system.users.find({},{_id:0,credentials:0}).pretty();
{
"user" : "dba",
"db" : "admin",
"roles" : [
{
"role" : "userAdminAnyDatabase",
"db" : "admin"
}
]
}
{
"user" : "run",
"db" : "young",
"roles" : [
{
"role" : "readWrite",
"db" : "young"
}
]
}
{
"user" : "test",
"db" : "test",
"roles" : [
{
"role" : "readWrite",
"db" : "test"
}
]
}
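The role table above notes that some roles grant superuser access indirectly. The following Node.js script is an added example, not part of the original post: it takes documents in the shape returned by db.system.users.find({},{_id:0,credentials:0}) (the three users listed above, embedded here as constructed sample input) and flags every user that is a superuser outright or can grant itself any role. The role classification is based on the table; the function names are my own.

```javascript
// Constructed sample input: the three users listed in the post.
const SAMPLE_USERS = [
  { user: "dba",  db: "admin", roles: [{ role: "userAdminAnyDatabase", db: "admin" }] },
  { user: "run",  db: "young", roles: [{ role: "readWrite", db: "young" }] },
  { user: "test", db: "test",  roles: [{ role: "readWrite", db: "test" }] },
];

// Roles that are superuser outright.
const SUPERUSER_ROLES = new Set(["root", "__system"]);
// Roles the table flags as indirect superuser access when held on admin: they can
// create or modify users on admin and therefore grant any role, including root.
const USER_ADMIN_ON_ADMIN = new Set(["userAdmin", "dbOwner"]);
// Roles that are only valid when assigned on the admin database.
const ADMIN_ONLY_ROLES = new Set(["clusterAdmin", "readAnyDatabase", "readWriteAnyDatabase",
  "userAdminAnyDatabase", "dbAdminAnyDatabase", "root"]);

// Classify one system.users document; returns the user, its authentication db,
// whether it is effectively a superuser, and the reasons.
function classifyUser(doc) {
  const findings = [];
  for (const { role, db } of doc.roles) {
    if (SUPERUSER_ROLES.has(role)) {
      findings.push(`direct superuser via ${role}@${db}`);
    } else if (role === "userAdminAnyDatabase" || (USER_ADMIN_ON_ADMIN.has(role) && db === "admin")) {
      findings.push(`can grant itself any role via ${role}@${db}`);
    }
    if (ADMIN_ONLY_ROLES.has(role) && db !== "admin") {
      findings.push(`${role} is only valid on admin, found on ${db}`);
    }
  }
  return { user: doc.user, authDb: doc.db, privileged: findings.length > 0, findings };
}

// One report entry per user document.
function auditUsers(docs) {
  return docs.map(classifyUser);
}

// Stand-alone run: print the report for the constructed sample.
for (const entry of auditUsers(SAMPLE_USERS)) {
  const status = entry.privileged ? "PRIVILEGED" : "ok";
  console.log(`${entry.user}@${entry.authDb}: ${status} ${entry.findings.join("; ")}`);
}
```

With the sample input only dba is flagged; run and test hold readWrite on a single database and are reported as ok.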
That completes the creation of users and privileges. Now start MongoDB with auth enabled (mongod --auth) and perform some basic operations:
localhost:~ yfangjun$ mongo
MongoDB shell version: 3.2.3
connecting to: test
> db.auth("test","test");
1
> use admin
switched to db admin
> db.auth("dba","dba");
1
> show dbs;
admin 0.000GB
local 0.000GB
test 0.000GB
young 0.006GB
> use young;
switched to db young
> db.auth("run","run");
1
> show collections;
app143897298787642
restaurants
> db.restaurants.find({},{_id:0,"address.coord":1}).limit(1);
{ "address" : { "coord" : [ -73.961704, 40.662942 ] } }