MongoDb中怎么控制用戶權限
今天就跟大家聊聊有關MongoDb中怎么控制用戶權限�����,可能很多人都不太了解��,為了讓大家更加了解��,小編給大家總結了以下內容�����,希望大家根據這篇文章可以有所收獲�����。
Mongodb創建用戶的語法在不用的版本之間還是不一樣的��。我這里使用的版本3.0.6�。版本3.0之前使用的是db.addUser(),但3.0之后使用的是db.createUser()��。3.0后版本中再使用db.addUser()會報如下錯誤:
> db.addUser('dba','dba')
2017-11-17T13:17:08.001+0800 E QUERY TypeError: Property 'addUser' of object admin is not a function如果數據庫中還沒有添加任何用戶��,要想新創建一個用戶�,要先把auth認證停掉���,在進入數據庫���,也就是讓auth=false�。
[root@MidApp mongodb]# cat mongodb.conf#配置文件
dbpath=/data/db
logpath=/usr/local/mongodb/logs/mongodb.log
logappend=true
port=27000
fork=true
auth=false
nohttpinterface=false
bind_ip=192.168.221.161
journal=false
quiet=true
登入數據庫���,只能看到一個庫��,看不到admin庫:
[root@MidApp mongodb]# mongo 192.168.221.161:27000
MongoDB shell version: 3.0.6
connecting to: 192.168.221.161:27000/test
> show dbs
local 0.078GB
現在需要創建一個帳號�����,該賬號需要有grant權限�,即:賬號管理的授權權限�����。注意一點�����,mongodb帳號是跟著庫走的��,所以在指定庫里授權���,必須也在指定庫里驗證(auth)
> use admin
switched to db admin
> db.createUser({user:"dba",pwd:"dba",roles:[{role:"userAdminAnyDatabase",db:"admin"}]})
Successfully added user: {
"user" : "dba",
"roles" : [
{
"role" : "userAdminAnyDatabase",
"db" : "admin"
}
]
}
> db.system.users.find()
{ "_id" : "admin.dba", "user" : "dba", "db" : "admin", "credentials" : { "SCRAM-SHA-1" : { "iterationCount" : 10000, "salt" : "MXvU7oJanxW7gPw+NwI7rw==", "storedKey" : "lTPmK31qbk1YKmx5stmYiphsQZE=", "serverKey" : "gVovcstiwC0nuU6LTXZAiWkucfA=" } }, "roles" : [ { "role" : "userAdminAnyDatabase", "db" : "admin" } ] }
> db.system.users.find().pretty()
{
"_id" : "admin.dba",
"user" : "dba",
"db" : "admin",
"credentials" : {
"SCRAM-SHA-1" : {
"iterationCount" : 10000,
"salt" : "MXvU7oJanxW7gPw+NwI7rw==",
"storedKey" : "lTPmK31qbk1YKmx5stmYiphsQZE=",
"serverKey" : "gVovcstiwC0nuU6LTXZAiWkucfA="
}
},
"roles" : [
{
"role" : "userAdminAnyDatabase",
"db" : "admin"
}
]
}可以看到創建了一個用戶dba���,密碼dba�����,擁有admin庫的userAdminAnyDatabase角色�。下面看一下mongodb中的內置角色:
1. 數據庫用戶角色:read����、readWrite;
2. 數據庫管理角色:dbAdmin���、dbOwner�����、userAdmin���;
3. 集群管理角色:clusterAdmin�����、clusterManager���、clusterMonitor��、hostManager����;
4. 備份恢復角色:backup���、restore�;
5. 所有數據庫角色:readAnyDatabase���、readWriteAnyDatabase��、userAdminAnyDatabase�����、dbAdminAnyDatabase
6. 超級用戶角色:root
// 這里還有幾個角色間接或直接提供了系統超級用戶的訪問(dbOwner ��、userAdmin�����、userAdminAnyDatabase)
7. 內部角色:__system
看一下具體的角色定義:
Read:允許用戶讀取指定數據庫
readWrite:允許用戶讀寫指定數據庫
dbAdmin:允許用戶在指定數據庫中執行管理函數�����,如索引創建����、刪除���,查看統計或訪問system.profile
userAdmin:允許用戶向system.users集合寫入����,可以找指定數據庫里創建�����、刪除和管理用戶
clusterAdmin:只在admin數據庫中可用���,賦予用戶所有分片和復制集相關函數的管理權限����。
readAnyDatabase:只在admin數據庫中可用�����,賦予用戶所有數據庫的讀權限
readWriteAnyDatabase:只在admin數據庫中可用��,賦予用戶所有數據庫的讀寫權限
userAdminAnyDatabase:只在admin數據庫中可用�,賦予用戶所有數據庫的userAdmin權限
dbAdminAnyDatabase:只在admin數據庫中可用����,賦予用戶所有數據庫的dbAdmin權限���。
root:只在admin數據庫中可用�����。超級賬號�����,超級權限
我們打開auth參數�����,來驗證一下��。
[root@MidApp mongodb]# mongo 192.168.221.161:27000
MongoDB shell version: 3.0.6
connecting to: 192.168.221.161:27000/test
> show dbs#沒有驗證����,不會有權限
2017-11-17T13:04:35.357-0800 E QUERY Error: listDatabases failed:{
"ok" : 0,
"errmsg" : "not authorized on admin to execute command { listDatabases: 1.0 }",
"code" : 13
}
at Error (<anonymous>)
at Mongo.getDBs (src/mongo/shell/mongo.js:47:15)
at shellHelper.show (src/mongo/shell/utils.js:630:33)
at shellHelper (src/mongo/shell/utils.js:524:36)
at (shellhelp2):1:1 at src/mongo/shell/mongo.js:47
> use admin#在admin庫下面添加的賬號��,所以要切到admin下面認證
switched to db admin
> db.auth('dba','dba')
1
> show dbs
admin 0.078GB
local 0.078GB可以看到����,創建的dba用戶已經驗證成功����。接下來我在創建兩個用戶�,驗證一下其他角色權限�。創建一個只讀用戶�����,一個讀寫用戶��。
> use test;
switched to db test
> db.createUser({user:"zduser",pwd:"zduser",roles:[{role:"read",db:"test"}]})
Successfully added user: {
"user" : "zduser",
"roles" : [
{
"role" : "read",
"db" : "test"
}
]
}
> db.createUser({user:"dxuser",pwd:"dxuser",roles:[{role:"readWrite",db:"test"}]})
Successfully added user: {
"user" : "dxuser",
"roles" : [
{
"role" : "readWrite",
"db" : "test"
}
]
}
> show users;
{
"_id" : "test.zduser",
"user" : "zduser",
"db" : "test",
"roles" : [
{
"role" : "read",
"db" : "test"
}
]
}
{
"_id" : "test.dxuser",
"user" : "dxuser",
"db" : "test",
"roles" : [
{
"role" : "readWrite",
"db" : "test"
}
]
}
>在test庫中創建一個集合����,驗證一下這兩個用戶權限:
> show tables;#userAdminAnyDatabase權限只針對用戶管理�����,沒有其他的權限
2017-11-17T13:47:39.845-0800 E QUERY Error: listCollections failed: {
"ok" : 0,
"errmsg" : "not authorized on test to execute command { listCollections: 1.0 }",
"code" : 13
}
at Error (<anonymous>)
at DB._getCollectionInfosCommand (src/mongo/shell/db.js:646:15)
at DB.getCollectionInfos (src/mongo/shell/db.js:658:20)
at DB.getCollectionNames (src/mongo/shell/db.js:669:17)
at shellHelper.show (src/mongo/shell/utils.js:625:12)
at shellHelper (src/mongo/shell/utils.js:524:36)
at (shellhelp2):1:1 at src/mongo/shell/db.js:646
> exit
bye
[root@MidApp mongodb]# mongo 192.168.221.161:27000 #重新登錄一下
MongoDB shell version: 3.0.6
connecting to: 192.168.221.161:27000/test
> use test
switched to db test
> db.tb1.insert({"a":1,"b":2})#先試著插入數據看看
WriteResult({
"writeError" : {
"code" : 13,
"errmsg" : "not authorized on test to execute command { insert: \"tb1\", documents: [ { _id: ObjectId('5a0f595b3b6523dcb81d4f76'), a: 1.0, b: 2.0 } ], ordered: true }"
}
})
> db.auth('dxuser','dxuser')#用可讀寫的用戶認證
1
> db.tb1.insert({"a":1,"b":2})#可以插入數據
WriteResult({ "nInserted" : 1 })
> db.tb1.insert({"a":11,"b":22})
WriteResult({ "nInserted" : 1 })
> db.tb1.insert({"a":111,"b":222})
WriteResult({ "nInserted" : 1 })
> db.tb1.find()
{ "_id" : ObjectId("5a0f597f3b6523dcb81d4f77"), "a" : 1, "b" : 2 }
{ "_id" : ObjectId("5a0f59933b6523dcb81d4f78"), "a" : 11, "b" : 22 }
{ "_id" : ObjectId("5a0f59983b6523dcb81d4f79"), "a" : 111, "b" : 222 }
> db.auth('zduser','zduser')#切換只讀用戶
1
> db.tb1.insert({"a":1111,"b":2222})#沒有權限插入數據
WriteResult({
"writeError" : {
"code" : 13,
"errmsg" : "not authorized on test to execute command { insert: \"tb1\", documents: [ { _id: ObjectId('5a0f59c63b6523dcb81d4f7a'), a: 1111.0, b: 2222.0 } ], ordered: true }"
}
})
> db.tb1.find()#可以查看數據
{ "_id" : ObjectId("5a0f597f3b6523dcb81d4f77"), "a" : 1, "b" : 2 }
{ "_id" : ObjectId("5a0f59933b6523dcb81d4f78"), "a" : 11, "b" : 22 }
{ "_id" : ObjectId("5a0f59983b6523dcb81d4f79"), "a" : 111, "b" : 222 }
>看完上述內容��,你們對MongoDb中怎么控制用戶權限有進一步的了解嗎�����?如果還想了解更多知識或者相關內容���,請關注億速云行業資訊頻道��,感謝大家的支持�。
