MongoDB 3.0 user creation
Summary:
MongoDB 3.0 access control differs a lot from earlier releases where adding users is concerned: the 2.x db.addUser() call is gone, users are created with db.createUser() and stored with SCRAM-SHA-1 credentials. This post walks through adding users on 3.0.
Environment and test:
After installing MongoDB, start it with authentication disabled and look at the databases: only the local database exists, there is no admin database yet. (Running without --auth to create the first user is the approach used here; the alternative is the localhost exception, which lets a connection from localhost create the first user in admin while no users exist yet, so the server never has to run unauthenticated.)
root@zhoujinyi:/usr/local/mongo4# mongo --port=27020
MongoDB shell version: 3.0.4
connecting to: 127.0.0.1:27020/test
2015-06-29T09:31:08.673-0400 I CONTROL  [initandlisten]
> show dbs;
local  0.078GB
The first account to create is one with grant rights, that is, the privilege to administer other accounts. Note that an account is bound to the database it is created in (its authentication database): a user created in a given database has to authenticate (db.auth) in that same database, even when the roles it holds apply to other databases.
> use admin
switched to db admin
> db.createUser(
... {
...   user: "dba",
...   pwd: "dba",
...   roles: [ { role: "userAdminAnyDatabase", db: "admin" } ]
... }
... )
Successfully added user: {
  "user" : "dba",
  "roles" : [
    {
      "role" : "userAdminAnyDatabase",
      "db" : "admin"
    }
  ]
}
The fields of the createUser() call above:
user: the user name
pwd: the password (it is sent to the server, which stores a SCRAM-SHA-1 credential rather than the cleartext, as the system.users dump further down shows)
roles: the roles granted to the user. An empty array creates a user with no roles; the array may mix built-in roles and user-defined roles. Each entry is { role: "<name>", db: "<database>" }, and a bare string is shorthand for that role in the current database. The built-in choices are:
Built-In Roles:
1. Database user roles: read, readWrite
2. Database administration roles: dbAdmin, dbOwner, userAdmin
3. Cluster administration roles: clusterAdmin, clusterManager, clusterMonitor, hostManager
4. Backup and restore roles: backup, restore
5. All-database roles: readAnyDatabase, readWriteAnyDatabase, userAdminAnyDatabase, dbAdminAnyDatabase
6. Superuser role: root
// Several other roles give direct or indirect superuser access as well: dbOwner and userAdmin when scoped to the admin database, and userAdminAnyDatabase anywhere, because a user administrator can grant itself any role. Treat a grant of these like a grant of root.
7. Internal role: __system
Role details:
read: read the non-system collections of the specified database
readWrite: read and write the specified database
dbAdmin: run administrative commands in the specified database, such as creating and dropping indexes, viewing statistics or reading system.profile; it carries no user-management rights
userAdmin: create, drop and manage users and roles in the specified database (in 2.6 and later this goes through the user-management commands rather than direct writes to system.users; the user documents themselves live in admin.system.users)
clusterAdmin: only in the admin database; grants all sharding and replica set management privileges (it combines clusterManager, clusterMonitor and hostManager)
readAnyDatabase: only in the admin database; read on every database (except local and config)
readWriteAnyDatabase: only in the admin database; readWrite on every database (except local and config)
userAdminAnyDatabase: only in the admin database; userAdmin on every database
dbAdminAnyDatabase: only in the admin database; dbAdmin on every database
root: only in the admin database; the superuser account with every privilege
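The rules in the role list above (which roles exist only in admin, which grants are superuser-equivalent, and that a bare string means "in the current database") are easy to get wrong in a createUser() call. The following is an added example, not code from the original post: a Node.js checker for a roles array that encodes those rules and flags risky grants before the call is made. The role names are the built-in ones listed above; the EXAMPLES array reproduces the grants used later in this post plus one constructed grant the server would reject.

```javascript
// Added example, not code from the original post: check a `roles` array
// before handing it to db.createUser(). It encodes the built-in role names
// listed above and the rules that go with them, and runs under Node.js
// without a MongoDB server.

// Roles that are defined per database.
const DB_SCOPED_ROLES = new Set(["read", "readWrite", "dbAdmin", "dbOwner", "userAdmin"]);

// Roles that exist only in the admin database.
const ADMIN_ONLY_ROLES = new Set([
  "clusterAdmin", "clusterManager", "clusterMonitor", "hostManager",
  "backup", "restore",
  "readAnyDatabase", "readWriteAnyDatabase", "userAdminAnyDatabase", "dbAdminAnyDatabase",
  "root", "__system",
]);

// True when a grant gives direct or indirect superuser access: root and
// __system directly; userAdminAnyDatabase anywhere; userAdmin or dbOwner
// scoped to admin, because a user administrator can grant itself any role.
function isSuperuserGrant(role, db) {
  if (role === "root" || role === "__system" || role === "userAdminAnyDatabase") return true;
  return db === "admin" && (role === "userAdmin" || role === "dbOwner");
}

// roles: what you would pass to db.createUser(); entries are {role, db}
// objects or bare strings (a bare string means that role in currentDb,
// which is how the mongo shell reads it).
// Returns {ok, errors, warnings}: errors are grants the server would reject
// or that are malformed; warnings are grants that deserve a second look.
function checkRoles(roles, currentDb) {
  const errors = [];
  const warnings = [];
  if (!Array.isArray(roles)) {
    return { ok: false, errors: ["roles must be an array"], warnings };
  }
  for (const entry of roles) {
    const role = typeof entry === "string" ? entry : entry && entry.role;
    const db = typeof entry === "string" ? currentDb : entry && entry.db;
    if (typeof role !== "string" || typeof db !== "string") {
      errors.push("malformed role entry: " + JSON.stringify(entry));
      continue;
    }
    if (ADMIN_ONLY_ROLES.has(role) && db !== "admin") {
      // The server answers "No role named <role>@<db>" for these.
      errors.push(role + " exists only in the admin database, not in \"" + db + "\"");
    } else if (!ADMIN_ONLY_ROLES.has(role) && !DB_SCOPED_ROLES.has(role)) {
      warnings.push(role + "@" + db + " is not a built-in role; it must already exist as a user-defined role in " + db);
    }
    if (isSuperuserGrant(role, db)) {
      warnings.push(role + "@" + db + " is superuser-equivalent; do not use it for an application account");
    }
  }
  return { ok: errors.length === 0, errors, warnings };
}

// The grants used in this post, in the order they appear, plus a constructed
// one (readAnyDatabase bound to test) that the server would reject.
const EXAMPLES = [
  { roles: [{ role: "userAdminAnyDatabase", db: "admin" }], currentDb: "admin" }, // dba
  { roles: [{ role: "read", db: "test" }], currentDb: "test" },                  // zjyr
  { roles: [{ role: "root", db: "admin" }], currentDb: "admin" },                // zhoujinyi
  { roles: [{ role: "readWrite", db: "test" }, { role: "readWrite", db: "abc" }], currentDb: "admin" }, // dxy
  { roles: [{ role: "readAnyDatabase", db: "test" }], currentDb: "test" },       // constructed: rejected
];
for (const { roles, currentDb } of EXAMPLES) {
  console.log(JSON.stringify(roles), "->", JSON.stringify(checkRoles(roles, currentDb)));
}
```

Unknown role names are only warnings because createUser() accepts user-defined roles; the server itself will reject the call if the role does not exist in that database. The superuser warning is the one to act on: the dba and root grants in this post are fine for an administrator, not for an account an application connects with.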
The dba account just created holds userAdminAnyDatabase, a user-management role: it can create and drop users, and nothing more. To exercise it, authentication has to be switched on: restart mongod with --auth (or security.authorization: enabled in the configuration file). Then authenticate:
root@zhoujinyi:/usr/local/mongo4# mongo --port=27020
MongoDB shell version: 3.0.4
connecting to: 127.0.0.1:27020/test
> show dbs;    #### not authenticated, so no permission
2015-06-29T10:02:16.634-0400 E QUERY    Error: listDatabases failed:{
  "ok" : 0,
  "errmsg" : "not authorized on admin to execute command { listDatabases: 1.0 }",
  "code" : 13
}
    at Error (<anonymous>)
    at Mongo.getDBs (src/mongo/shell/mongo.js:47:15)
    at shellHelper.show (src/mongo/shell/utils.js:630:33)
    at shellHelper (src/mongo/shell/utils.js:524:36)
    at (shellhelp2):1:1 at src/mongo/shell/mongo.js:47
> use admin    # authenticate here: the account was created in admin, so it authenticates in admin
switched to db admin
> db.auth('dba','dba')
1
> show dbs;
admin  0.078GB
local  0.078GB
> use test    # create accounts in the test database
switched to db test
> db.createUser(
... {
...   user: "zjyr",
...   pwd: "zjyr",
...   roles: [
...     { role: "read", db: "test" }    # read-only account
...   ]
... }
... )
Successfully added user: {
  "user" : "zjyr",
  "roles" : [
    {
      "role" : "read",
      "db" : "test"
    }
  ]
}
> db.createUser(
... {
...   user: "zjy",
...   pwd: "zjy",
...   roles: [
...     { role: "readWrite", db: "test" }    # read-write account
...   ]
... }
... )
Successfully added user: {
  "user" : "zjy",
  "roles" : [
    {
      "role" : "readWrite",
      "db" : "test"
    }
  ]
}
> show users;    # list the users of the current database
{
  "_id" : "test.zjyr",
  "user" : "zjyr",
  "db" : "test",
  "roles" : [
    {
      "role" : "read",
      "db" : "test"
    }
  ]
}
{
  "_id" : "test.zjy",
  "user" : "zjy",
  "db" : "test",
  "roles" : [
    {
      "role" : "readWrite",
      "db" : "test"
    }
  ]
}
Two accounts now exist; time to test them. There is no collection yet, so the first test is an insert, still authenticated as dba:
> db.abc.insert({"a":1,"b":2})    # fails: userAdminAnyDatabase covers user management only and grants no read or write on data
WriteResult({
  "writeError" : {
    "code" : 13,
    "errmsg" : "not authorized on test to execute command { insert: \"abc\", documents: [ { _id: ObjectId('55915185d629831d887ce2cb'), a: 1.0, b: 2.0 } ], ordered: true }"
  }
})
>
bye
root@zhoujinyi:/usr/local/mongo4# mongo --port=27020
MongoDB shell version: 3.0.4
connecting to: 127.0.0.1:27020/test
> use test
switched to db test
> db.auth('zjy','zjy')    # write with the readWrite account created above
1
> db.abc.insert({"a":1,"b":2})
WriteResult({ "nInserted" : 1 })
> db.abc.insert({"a":11,"b":22})
WriteResult({ "nInserted" : 1 })
> db.abc.insert({"a":111,"b":222})
WriteResult({ "nInserted" : 1 })
> db.abc.find()
{ "_id" : ObjectId("559151a1b78649ebd8316853"), "a" : 1, "b" : 2 }
{ "_id" : ObjectId("559151cab78649ebd8316854"), "a" : 11, "b" : 22 }
{ "_id" : ObjectId("559151ceb78649ebd8316855"), "a" : 111, "b" : 222 }
> db.auth('zjyr','zjyr')    # switch to the account that only has read
1
> db.abc.insert({"a":1111,"b":2222})    # cannot write
WriteResult({
  "writeError" : {
    "code" : 13,
    "errmsg" : "not authorized on test to execute command { insert: \"abc\", documents: [ { _id: ObjectId('559151ebb78649ebd8316856'), a: 1111.0, b: 2222.0 } ], ordered: true }"
  }
})
> db.abc.find()    # can read
{ "_id" : ObjectId("559151a1b78649ebd8316853"), "a" : 1, "b" : 2 }
{ "_id" : ObjectId("559151cab78649ebd8316854"), "a" : 11, "b" : 22 }
{ "_id" : ObjectId("559151ceb78649ebd8316855"), "a" : 111, "b" : 222 }
Is there one role that can both grant privileges and do anything at all to collections? Yes: set the role to root. It is the superuser and is not recommended for everyday or application use; keep it for a break-glass administrator account. Authenticated as dba, which holds userAdminAnyDatabase, a root user can be created:
> db.auth('dba','dba')
1
> db.createUser(
... {
...   user: "zhoujinyi",
...   pwd: "zhoujinyi",
...   roles: [
...     { role: "root", db: "admin" }    # superuser (root) account
...   ]
... }
... )
Successfully added user: {
  "user" : "zhoujinyi",
  "roles" : [
    {
      "role" : "root",
      "db" : "admin"
    }
  ]
}
>
> show users;    # list the users of the current database
{
  "_id" : "admin.dba",
  "user" : "dba",
  "db" : "admin",
  "roles" : [
    {
      "role" : "userAdminAnyDatabase",
      "db" : "admin"
    }
  ]
}
{
  "_id" : "admin.zhoujinyi",
  "user" : "zhoujinyi",
  "db" : "admin",
  "roles" : [
    {
      "role" : "root",
      "db" : "admin"
    }
  ]
}
> use admin
switched to db admin
> db.auth('zhoujinyi','zhoujinyi')
1
> use test
switched to db test
> db.abc.insert({"a":1,"b":2})
WriteResult({ "nInserted" : 1 })
> db.abc.insert({"a":1111,"b":2222})    # every privilege
WriteResult({ "nInserted" : 1 })
> db.abc.find()
{ "_id" : ObjectId("5591539bb78649ebd8316857"), "a" : 1, "b" : 2 }
{ "_id" : ObjectId("559153a0b78649ebd8316858"), "a" : 1111, "b" : 2222 }
> db.abc.remove({})
WriteResult({ "nRemoved" : 2 })
So far every account has been created in the same database its roles apply to. What happens when an account is created in one database (admin here) with roles on other databases?
> db
admin
> db.createUser(
... {
...   user: "dxy",
...   pwd: "dxy",
...   roles: [
...     { role: "readWrite", db: "test" },    # an account created in the current database (admin) with roles on other databases (test and abc)
...     { role: "readWrite", db: "abc" }
...   ]
... }
... )
Successfully added user: {
  "user" : "dxy",
  "roles" : [
    {
      "role" : "readWrite",
      "db" : "test"
    },
    {
      "role" : "readWrite",
      "db" : "abc"
    }
  ]
}
>
> show users;
{
  "_id" : "admin.dba",
  "user" : "dba",
  "db" : "admin",
  "roles" : [
    {
      "role" : "userAdminAnyDatabase",
      "db" : "admin"
    }
  ]
}
{
  "_id" : "admin.zhoujinyi",
  "user" : "zhoujinyi",
  "db" : "admin",
  "roles" : [
    {
      "role" : "root",
      "db" : "admin"
    }
  ]
}
{
  "_id" : "admin.dxy",
  "user" : "dxy",
  "db" : "admin",
  "roles" : [
    {
      "role" : "readWrite",
      "db" : "test"
    },
    {
      "role" : "readWrite",
      "db" : "abc"
    }
  ]
}
> use test
switched to db test
> db.auth('dxy','dxy')    # an account created in admin cannot authenticate directly in another database
Error: 18 Authentication failed.
0
> use admin
switched to db admin    # authenticate in the database the account was created in, then work in the other databases
> db.auth('dxy','dxy')
1
> use test
switched to db test
> db.abc.insert({"a":1111,"b":2222})
WriteResult({ "nInserted" : 1 })
> use abc
switched to db abc
> db.abc.insert({"a":1111,"b":2222})
WriteResult({ "nInserted" : 1 })
This confirms that an account is bound to the database it was created in, its authentication database: authenticate where it was created, then use the roles it holds wherever they apply. On the command line the same thing is expressed with --authenticationDatabase, for example mongo --port 27020 --authenticationDatabase admin -u dxy -p (leave the password value off and the shell prompts for it, which keeps it out of shell history and process listings). The roles still decide what the account can touch: dxy can write test and abc and nothing else.
With this many accounts, how do you list all of them? The user documents for every database live in one collection, admin.system.users:
> use admin
switched to db admin
> db.auth('dba','dba')
1
> db.system.users.find().pretty()
{
  "_id" : "admin.dba",
  "user" : "dba",
  "db" : "admin",
  "credentials" : {
    "SCRAM-SHA-1" : {
      "iterationCount" : 10000,
      "salt" : "KfDUzCOIUo7WVjFr64ZOcQ==",
      "storedKey" : "t4sPsKG2dXnZztVYj5EgdUzT9sc=",
      "serverKey" : "2vCGiq9NIc1zKqeEL6VvO4rP26A="
    }
  },
  "roles" : [
    {
      "role" : "userAdminAnyDatabase",
      "db" : "admin"
    }
  ]
}
{
  "_id" : "test.zjyr",
  "user" : "zjyr",
  "db" : "test",
  "credentials" : {
    "SCRAM-SHA-1" : {
      "iterationCount" : 10000,
      "salt" : "h1gOW3J7wzJuTqgmmQgJKQ==",
      "storedKey" : "7lkoANdxM2py0qiDBzFaZYPp1cM=",
      "serverKey" : "Qyu6IRNyaKLUvqJ2CAa/tQYY36c="
    }
  },
  "roles" : [
    {
      "role" : "read",
      "db" : "test"
    }
  ]
}
{
  "_id" : "test.zjy",
  "user" : "zjy",
  "db" : "test",
  "credentials" : {
    "SCRAM-SHA-1" : {
      "iterationCount" : 10000,
      "salt" : "afwaKuTYPWwbDBduQ4Hm7g==",
      "storedKey" : "ebb2LYLn4hiOVlZqgrAKBdStfn8=",
      "serverKey" : "LG2qWwuuV+FNMmr9lWs+Rb3DIhQ="
    }
  },
  "roles" : [
    {
      "role" : "readWrite",
      "db" : "test"
    }
  ]
}
{
  "_id" : "admin.zhoujinyi",
  "user" : "zhoujinyi",
  "db" : "admin",
  "credentials" : {
    "SCRAM-SHA-1" : {
      "iterationCount" : 10000,
      "salt" : "pE2cSOYtBOYevk8tqrwbSQ==",
      "storedKey" : "TwMxdnlB5Eiaqg4tNh9ByNuUp9A=",
      "serverKey" : "Mofr9ohVlFfR6/md4LMRkOhXouc="
    }
  },
  "roles" : [
    {
      "role" : "root",
      "db" : "admin"
    }
  ]
}
{
  "_id" : "admin.dxy",
  "user" : "dxy",
  "db" : "admin",
  "credentials" : {
    "SCRAM-SHA-1" : {
      "iterationCount" : 10000,
      "salt" : "XD6smcWX4tdg/ZJPoLxxRg==",
      "storedKey" : "F4uiayykHDp/r9krAKZjdr+gqjM=",
      "serverKey" : "Kf51IU9J3RIrB8CFn5Z5hEKMSkw="
    }
  },
  "roles" : [
    {
      "role" : "readWrite",
      "db" : "test"
    },
    {
      "role" : "readWrite",
      "db" : "abc"
    }
  ]
}
> db.system.users.find().count()
5
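The dump above carries the two facts a practitioner needs for every account: the db field is the database it must authenticate in (the reason the dxy login failed in test and succeeded in admin), and the credentials field shows the hashing scheme. The following is an added example, not code from the original post, covering both the "authenticate where created" rule and the inventory of admin.system.users: a Node.js audit over documents of the shape shown above. SAMPLE_USERS is constructed for the example (the salts and keys are placeholders, and the "legacy" user with a 2.x-style MONGODB-CR credential is invented); the host and port passed to shellLoginCommand are assumptions.

```javascript
// Added example, not code from the original post: audit documents of the
// shape db.system.users.find() returns above. It runs offline under Node.js
// and answers where each user must authenticate and which users deserve a
// second look. SAMPLE_USERS is constructed for this example: salts and keys
// are placeholders, and the "legacy" user is invented to show a 2.x-style
// MONGODB-CR credential.

function scramCred() {
  return { "SCRAM-SHA-1": { iterationCount: 10000, salt: "placeholder==", storedKey: "placeholder=", serverKey: "placeholder=" } };
}

const SAMPLE_USERS = [
  { _id: "admin.dba", user: "dba", db: "admin", credentials: scramCred(),
    roles: [{ role: "userAdminAnyDatabase", db: "admin" }] },
  { _id: "test.zjyr", user: "zjyr", db: "test", credentials: scramCred(),
    roles: [{ role: "read", db: "test" }] },
  { _id: "admin.zhoujinyi", user: "zhoujinyi", db: "admin", credentials: scramCred(),
    roles: [{ role: "root", db: "admin" }] },
  { _id: "admin.dxy", user: "dxy", db: "admin", credentials: scramCred(),
    roles: [{ role: "readWrite", db: "test" }, { role: "readWrite", db: "abc" }] },
  // Constructed: a user whose password hash was carried over from MongoDB 2.x.
  { _id: "admin.legacy", user: "legacy", db: "admin",
    credentials: { "MONGODB-CR": "00000000000000000000000000000000" },
    roles: [{ role: "dbOwner", db: "admin" }] },
];

// Superuser rule from the role discussion: root and __system directly,
// userAdminAnyDatabase anywhere, userAdmin or dbOwner scoped to admin.
function isSuperuserGrant(r) {
  if (r.role === "root" || r.role === "__system" || r.role === "userAdminAnyDatabase") return true;
  return r.db === "admin" && (r.role === "userAdmin" || r.role === "dbOwner");
}

// A user's authentication database is its `db` field (the prefix of _id).
// db.auth() in any other database fails with "Error: 18 Authentication
// failed.", as the dxy example showed.
function canAuthenticateIn(users, name, db) {
  return users.some((u) => u.user === name && u.db === db);
}

// Command-line equivalent of "use <db>; db.auth(...)". The password is left
// off so the shell prompts for it instead of exposing it in ps output and
// shell history. host and port are assumptions for the example.
function shellLoginCommand(users, name, host, port) {
  const u = users.find((d) => d.user === name);
  if (!u) return null;
  return "mongo --host " + host + " --port " + port +
    " --authenticationDatabase " + u.db + " -u " + u.user + " -p";
}

// One row per user: where to authenticate, superuser-equivalence and the
// credential scheme. MONGODB-CR is a single MD5 over "user:mongo:password",
// far weaker than SCRAM-SHA-1's salted, 10000-round PBKDF2, so it is flagged.
function auditUsers(users) {
  return users.map((u) => {
    const scram = u.credentials && u.credentials["SCRAM-SHA-1"];
    return {
      user: u.user,
      authDb: u.db,
      superuser: (u.roles || []).some(isSuperuserGrant),
      legacyCredential: !!(u.credentials && u.credentials["MONGODB-CR"]),
      scramIterations: scram ? scram.iterationCount : null,
    };
  });
}

for (const row of auditUsers(SAMPLE_USERS)) console.log(JSON.stringify(row));
console.log(shellLoginCommand(SAMPLE_USERS, "dxy", "127.0.0.1", 27020));
```

Run against a real dump (db.system.users.find().toArray() saved to a file) the report gives you the authentication database for every account without guessing, and the superuser and legacyCredential columns are the ones to review after an upgrade from 2.x, when MONGODB-CR hashes may still be present until the schema is upgraded.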
Which role should a backup or restore account hold? Using the accounts created earlier: zjy has readWrite on test, zjyr has read on test.
root@zhoujinyi:~# mongodump --port=27020 -u zjyr -p zjyr --db=test -o backup    # read is enough to dump
2015-06-29T11:20:04.864-0400    writing test.abc to backup/test/abc.bson
2015-06-29T11:20:04.865-0400    writing test.abc metadata to backup/test/abc.metadata.json
2015-06-29T11:20:04.866-0400    done dumping test.abc
2015-06-29T11:20:04.867-0400    writing test.system.indexes to backup/test/system.indexes.bson
root@zhoujinyi:~# mongorestore --port=27020 -u zjy -p zjy --db=test backup/test/    # readWrite is enough to restore
2015-06-29T11:20:26.607-0400    building a list of collections to restore from backup/test/ dir
2015-06-29T11:20:26.609-0400    reading metadata file from backup/test/abc.metadata.json
2015-06-29T11:20:26.609-0400    restoring test.abc from file backup/test/abc.bson
2015-06-29T11:20:26.611-0400    error: E11000 duplicate key error index: test.abc.$_id_ dup key: { : ObjectId('559154efb78649ebd831685a') }
2015-06-29T11:20:26.611-0400    restoring indexes for collection test.abc from metadata
2015-06-29T11:20:26.612-0400    finished restoring test.abc
2015-06-29T11:20:26.612-0400    done
Three things to note. The E11000 error is expected here: the restore went into a database that still held the dumped documents, so the duplicate _id is reported and skipped while the rest of the collection and its indexes are restored; pass --drop to mongorestore to replace the collection instead. For a single database, read and readWrite as shown are the least-privilege choice; the built-in backup and restore roles exist for dumping and restoring every database, including the system collections, and are bound to admin. And passing the password as -p <value> puts it in the process list and shell history; leave the value off and the tools prompt for it, with --authenticationDatabase naming the database the account was created in when it differs from --db.
Related links:
MongoDB权限控制系统简介 (an introduction to the MongoDB access control system)
Original post: https://www.cnblogs.com/zhoujinyi/p/4610050.html