mongo 用戶角色

http://www.cnblogs.com/zhoujinyi/p/4610050.html

創(chuàng)建用戶,用戶是跟著庫(kù)走,哪個(gè)庫(kù)下創(chuàng)建那個(gè)庫(kù)下驗(yàn)證。

use test
db.createUser(
{
user: "liyuhuan",
pwd: "jkinfo",
roles: [
{ role: "readWrite", db: "test" },{ role: "backup", db: "test" },{ role: "restore", db: "test" },{ role: "dbAdmin", db: "test" }
]
}
)

摘要:
MongoDB 3.0 安全權(quán)限訪問(wèn)控制,在添加用戶上面3.0版本和之前的版本有很大的區(qū)別,這里就說(shuō)明下3.0的添加用戶的方法。
環(huán)境、測(cè)試:
安裝MongoDB之后,先關(guān)閉auth認(rèn)證,進(jìn)入查看數(shù)據(jù)庫(kù),只有一個(gè)local庫(kù),admin庫(kù)是不存在的:
root@zhoujinyi:/usr/local/mongo4# mongo --port=27020MongoDB shell version: 3.0.4connecting to: 127.0.0.1:27020/test2015-06-29T09:31:08.673-0400 I CONTROL [initandlisten] > show dbs;local 0.078GB

現(xiàn)在需要?jiǎng)?chuàng)建一個(gè)帳號(hào),該賬號(hào)需要有g(shù)rant權(quán)限,即:賬號(hào)管理的授權(quán)權(quán)限。注意一點(diǎn),帳號(hào)是跟著庫(kù)走的,所以在指定庫(kù)里授權(quán),必須也在指定庫(kù)里驗(yàn)證(auth)。

> use adminswitched to db admin>
 db.createUser({ user: "dba", pwd: "dba",roles: [ { role: "userAdminAnyDatabase", db: "admin" } ]****... }... )**Successfully added user: { "user" : "dba", "roles" : [ { "role" : "userAdminAnyDatabase", "db" : "admin" } ]}

上面加粗的就是執(zhí)行的命令:
user:用戶名
pwd:密碼
roles:指定用戶的角色,可以用一個(gè)空數(shù)組給新用戶設(shè)定空角色;在roles字段,可以指定內(nèi)置角色和用戶定義的角色。role里的角色可以選:

復(fù)制代碼

Built-In Roles(內(nèi)置角色): 1. 數(shù)據(jù)庫(kù)用戶角色:read、readWrite; 2. 數(shù)據(jù)庫(kù)管理角色:dbAdmin、dbOwner、userAdmin; 3. 集群管理角色:clusterAdmin、clusterManager、clusterMonitor、hostManager; 4. 備份恢復(fù)角色:backup、restore; 5. 所有數(shù)據(jù)庫(kù)角色:readAnyDatabase、readWriteAnyDatabase、userAdminAnyDatabase、dbAdminAnyDatabase 6. 超級(jí)用戶角色:root // 這里還有幾個(gè)角色間接或直接提供了系統(tǒng)超級(jí)用戶的訪問(wèn)(dbOwner 、userAdmin、userAdminAnyDatabase) 7. 內(nèi)部角色:__system
復(fù)制代碼

具體角色:

復(fù)制代碼

Read:允許用戶讀取指定數(shù)據(jù)庫(kù)readWrite:允許用戶讀寫指定數(shù)據(jù)庫(kù)dbAdmin:允許用戶在指定數(shù)據(jù)庫(kù)中執(zhí)行管理函數(shù),如索引創(chuàng)建、刪除,查看統(tǒng)計(jì)或訪問(wèn)system.profileuserAdmin:允許用戶向system.users集合寫入,可以找指定數(shù)據(jù)庫(kù)里創(chuàng)建、刪除和管理用戶clusterAdmin:只在admin數(shù)據(jù)庫(kù)中可用,賦予用戶所有分片和復(fù)制集相關(guān)函數(shù)的管理權(quán)限。readAnyDatabase:只在admin數(shù)據(jù)庫(kù)中可用,賦予用戶所有數(shù)據(jù)庫(kù)的讀權(quán)限readWriteAnyDatabase:只在admin數(shù)據(jù)庫(kù)中可用,賦予用戶所有數(shù)據(jù)庫(kù)的讀寫權(quán)限userAdminAnyDatabase:只在admin數(shù)據(jù)庫(kù)中可用,賦予用戶所有數(shù)據(jù)庫(kù)的userAdmin權(quán)限dbAdminAnyDatabase:只在admin數(shù)據(jù)庫(kù)中可用,賦予用戶所有數(shù)據(jù)庫(kù)的dbAdmin權(quán)限。root:只在admin數(shù)據(jù)庫(kù)中可用。超級(jí)賬號(hào),超級(jí)權(quán)限
復(fù)制代碼

剛建立了 userAdminAnyDatabase 角色,用來(lái)管理用戶,可以通過(guò)這個(gè)角色來(lái)創(chuàng)建、刪除用戶。驗(yàn)證:需要開(kāi)啟auth參數(shù)。

復(fù)制代碼

root@zhoujinyi:/usr/local/mongo4# mongo --port=27020MongoDB shell version: 3.0.4connecting to: 127.0.0.1:27020/test> show dbs; ####沒(méi)有驗(yàn)證,導(dǎo)致沒(méi)權(quán)限。2015-06-29T10:02:16.634-0400 E QUERY Error: listDatabases failed:{ "ok" : 0, "errmsg" : "not authorized on admin to execute command { listDatabases: 1.0 }", "code" : 13} at Error (<anonymous>) at Mongo.getDBs (src/mongo/shell/mongo.js:47:15) at shellHelper.show (src/mongo/shell/utils.js:630:33) at shellHelper (src/mongo/shell/utils.js:524:36) at (shellhelp2):1:1 at src/mongo/shell/mongo.js:47> use admin #驗(yàn)證,因?yàn)樵赼dmin下面添加的帳號(hào),所以要到admin下面驗(yàn)證。switched to db admin> db.auth('dba','dba')1> show dbs;admin 0.078GBlocal 0.078GB> use test #在test庫(kù)里創(chuàng)建帳號(hào)switched to db test> db.createUser(... {... user: "zjyr",... pwd: "zjyr",... roles: [... { role: "read", db: "test" } #只讀帳號(hào)... ]... }... )Successfully added user: { "user" : "zjyr", "roles" : [ { "role" : "read", "db" : "test" } ]}>** db.createUser(... {... user: "zjy",... pwd: "zjy",... roles: [... { role: "readWrite", db: "test" } #讀寫帳號(hào)... ]... }... )Successfully added user: { "user" : "zjy", "roles" : [ { "role" : "readWrite", ** #讀寫賬號(hào) "db" : "test" } ]}> show users; #查看當(dāng)前庫(kù)下的用戶{ "_id" : "test.zjyr", "user" : "zjyr", "db" : "test", "roles" : [ { "role" : "read", "db" : "test" } ]}{ "_id" : "test.zjy", "user" : "zjy", "db" : "test", "roles" : [ { "role" : "readWrite", "db" : "test" } ]}
復(fù)制代碼

上面創(chuàng)建了2個(gè)帳號(hào),現(xiàn)在驗(yàn)證下:驗(yàn)證前提需要一個(gè)集合


復(fù)制代碼

db.abc.insert({"a":1,"b":2}) ** #插入失敗,沒(méi)有權(quán)限,userAdminAnyDatabase 權(quán)限只是針對(duì)用戶管理的,對(duì)其他是沒(méi)有權(quán)限的。WriteResult({ "writeError" : { "code" : 13, "errmsg" : "not authorized on test to execute command { insert: "abc", documents: [ { _id: ObjectId('55915185d629831d887ce2cb'), a: 1.0, b: 2.0 } ], ordered: true }" }})> byeroot@zhoujinyi:/usr/local/mongo4# mongo --port=27020MongoDB shell version: 3.0.4connecting to: 127.0.0.1:27020/test> use testswitched to db test> db.auth('zjy','zjy') ** #用創(chuàng)建的readWrite帳號(hào)進(jìn)行寫入1> db.abc.insert({"a":1,"b":2})WriteResult({ "nInserted" : 1 })> db.abc.insert({"a":11,"b":22})WriteResult({ "nInserted" : 1 })> db.abc.insert({"a":111,"b":222})WriteResult({ "nInserted" : 1 })> db.abc.find(){ "_id" : ObjectId("559151a1b78649ebd8316853"), "a" : 1, "b" : 2 }{ "_id" : ObjectId("559151cab78649ebd8316854"), "a" : 11, "b" : 22 }{ "_id" : ObjectId("559151ceb78649ebd8316855"), "a" : 111, "b" : 222 }> db.auth('zjyr','zjyr') ** #切換到只有read權(quán)限的帳號(hào)**1> db.abc.insert({"a":1111,"b":2222}) #不能寫入WriteResult({ "writeError" : { "code" : 13, "errmsg" : "not authorized on test to execute command { insert: "abc", documents: [ { _id: ObjectId('559151ebb78649ebd8316856'), a: 1111.0, b: 2222.0 } ], ordered: true }" }})> db.abc.find() #可以查看{ "_id" : ObjectId("559151a1b78649ebd8316853"), "a" : 1, "b" : 2 }{ "_id" : ObjectId("559151cab78649ebd8316854"), "a" : 11, "b" : 22 }{ "_id" : ObjectId("559151ceb78649ebd8316855"), "a" : 111, "b" : 222 }

復(fù)制代碼

有沒(méi)有一個(gè)超級(jí)權(quán)限?不僅可以授權(quán),而且也可以對(duì)集合進(jìn)行任意操作?答案是肯定的,只是不建議使用。那就是role角色設(shè)置成root。

復(fù)制代碼

db.auth('dba','dba')1>** db.createUser(... {... user: "zhoujinyi",... pwd: "zhoujinyi",... roles: [... { role: "root", db: "admin" } #超級(jí)root帳號(hào)... ]... }... )Successfully added user: { "user" : "zhoujinyi", "roles" : [ { "role" : "root", "db" : "admin" } ]}> > show users; #查看當(dāng)前庫(kù)下的用戶{ "_id" : "admin.dba", "user" : "dba", "db" : "admin", "roles" : [ { "role" : "userAdminAnyDatabase", "db" : "admin" } ]}{ "_id" : "admin.zhoujinyi", "user" : "zhoujinyi", "db" : "admin", "roles" : [ { "role" : "root", "db" : "admin" } ]}> use adminswitched to db admin> db.auth('zhoujinyi','zhoujinyi')1> use testswitched to db test> db.abc.insert({"a":1,"b":2})WriteResult({ "nInserted" : 1 })> db.abc.insert({"a":1111,"b":2222}) ** #權(quán)限都有WriteResult({ "nInserted" : 1 })> db.abc.find(){ "_id" : ObjectId("5591539bb78649ebd8316857"), "a" : 1, "b" : 2 }{ "_id" : ObjectId("559153a0b78649ebd8316858"), "a" : 1111, "b" : 2222 }> db.abc.remove({})WriteResult({ "nRemoved" : 2 })

復(fù)制代碼

因?yàn)閹ぬ?hào)都是在當(dāng)前需要授權(quán)的數(shù)據(jù)庫(kù)下授權(quán)的,那要是不在當(dāng)前數(shù)據(jù)庫(kù)下會(huì)怎么樣?


復(fù)制代碼

dbadmin>** db.createUser(... {... user: "dxy",... pwd: "dxy",... roles: [... { role: "readWrite", db: "test" }, #在當(dāng)前庫(kù)下創(chuàng)建其他庫(kù)的帳號(hào),在admin庫(kù)下創(chuàng)建test、abc庫(kù)的帳號(hào)... { role: "readWrite", db: "abc" } ... ]... }... )Successfully added user: { "user" : "dxy", "roles" : [ { "role" : "readWrite", "db" : "test" }, { "role" : "readWrite", "db" : "abc" } ]}> > show users;{ "_id" : "admin.dba", "user" : "dba", "db" : "admin", "roles" : [ { "role" : "userAdminAnyDatabase", "db" : "admin" } ]}{ "_id" : "admin.zhoujinyi", "user" : "zhoujinyi", "db" : "admin", "roles" : [ { "role" : "root", "db" : "admin" } ]}{ "_id" : "admin.dxy", "user" : "dxy", "db" : "admin", "roles" : [ { "role" : "readWrite", "db" : "test" }, { "role" : "readWrite", "db" : "abc" } ]}> use testswitched to db test> db.auth('dxy','dxy') ** #在admin下創(chuàng)建的帳號(hào),不能直接在其他庫(kù)驗(yàn)證,Error: 18 Authentication failed.0> use adminswitched to db admin ** #只能在帳號(hào)創(chuàng)建庫(kù)下認(rèn)證,再去其他庫(kù)進(jìn)行操作。**> db.auth('dxy','dxy')1> use testswitched to db test> db.abc.insert({"a":1111,"b":2222})WriteResult({ "nInserted" : 1 })> use abcswitched to db abc> db.abc.insert({"a":1111,"b":2222})WriteResult({ "nInserted" : 1 })

復(fù)制代碼

上面更加進(jìn)一步說(shuō)明數(shù)據(jù)庫(kù)帳號(hào)是跟著數(shù)據(jù)庫(kù)來(lái)走的,哪里創(chuàng)建哪里認(rèn)證。
創(chuàng)建了這么多帳號(hào),怎么查看所有帳號(hào)?

復(fù)制代碼

use adminswitched to db admin> db.auth('dba','dba')1>** db.system.users.find().pretty()**{ "_id" : "admin.dba", "user" : "dba", "db" : "admin", "credentials" : { "SCRAM-SHA-1" : { "iterationCount" : 10000, "salt" : "KfDUzCOIUo7WVjFr64ZOcQ==", "storedKey" : "t4sPsKG2dXnZztVYj5EgdUzT9sc=", "serverKey" : "2vCGiq9NIc1zKqeEL6VvO4rP26A=" } }, "roles" : [ { "role" : "userAdminAnyDatabase", "db" : "admin" } ]}{ "_id" : "test.zjyr", "user" : "zjyr", "db" : "test", "credentials" : { "SCRAM-SHA-1" : { "iterationCount" : 10000, "salt" : "h1gOW3J7wzJuTqgmmQgJKQ==", "storedKey" : "7lkoANdxM2py0qiDBzFaZYPp1cM=", "serverKey" : "Qyu6IRNyaKLUvqJ2CAa/tQYY36c=" } }, "roles" : [ { "role" : "read", "db" : "test" } ]}{ "_id" : "test.zjy", "user" : "zjy", "db" : "test", "credentials" : { "SCRAM-SHA-1" : { "iterationCount" : 10000, "salt" : "afwaKuTYPWwbDBduQ4Hm7g==", "storedKey" : "ebb2LYLn4hiOVlZqgrAKBdStfn8=", "serverKey" : "LG2qWwuuV+FNMmr9lWs+Rb3DIhQ=" } }, "roles" : [ { "role" : "readWrite", "db" : "test" } ]}{ "_id" : "admin.zhoujinyi", "user" : "zhoujinyi", "db" : "admin", "credentials" : { "SCRAM-SHA-1" : { "iterationCount" : 10000, "salt" : "pE2cSOYtBOYevk8tqrwbSQ==", "storedKey" : "TwMxdnlB5Eiaqg4tNh9ByNuUp9A=", "serverKey" : "Mofr9ohVlFfR6/md4LMRkOhXouc=" } }, "roles" : [ { "role" : "root", "db" : "admin" } ]}{ "_id" : "admin.dxy", "user" : "dxy", "db" : "admin", "credentials" : { "SCRAM-SHA-1" : { "iterationCount" : 10000, "salt" : "XD6smcWX4tdg/ZJPoLxxRg==", "storedKey" : "F4uiayykHDp/r9krAKZjdr+gqjM=", "serverKey" : "Kf51IU9J3RIrB8CFn5Z5hEKMSkw=" } }, "roles" : [ { "role" : "readWrite", "db" : "test" }, { "role" : "readWrite", "db" : "abc" } ]}> db.system.users.find().count()5


復(fù)制代碼

備份還原使用那個(gè)角色的帳號(hào)?之前創(chuàng)建的帳號(hào)zjy:test庫(kù)讀寫權(quán)限;zjyr:test庫(kù)讀權(quán)限

復(fù)制代碼

root@zhoujinyi:~# mongodump --port=27020 -uzjyr -pzjyr --db=test -o backup ** #只要讀權(quán)限就可以備份**2015-06-29T11:20:04.864-0400 writing test.abc to backup/test/abc.bson2015-06-29T11:20:04.865-0400 writing test.abc metadata to backup/test/abc.metadata.json2015-06-29T11:20:04.866-0400 done dumping test.abc2015-06-29T11:20:04.867-0400 writing test.system.indexes to backup/test/system.indexes.bsonroot@zhoujinyi:~# mongorestore --port=27020 -uzjy -pzjy --db=test backup/test/ #讀寫權(quán)限可以進(jìn)行還原2015-06-29T11:20:26.607-0400 building a list of collections to restore from backup/test/ dir2015-06-29T11:20:26.609-0400 reading metadata file from backup/test/abc.metadata.json2015-06-29T11:20:26.609-0400 restoring test.abc from file backup/test/abc.bson2015-06-29T11:20:26.611-0400 error: E11000 duplicate key error index: test.abc.$id dup key: { : ObjectId('559154efb78649ebd831685a') }2015-06-29T11:20:26.611-0400 restoring indexes for collection test.abc from metadata2015-06-29T11:20:26.612-0400 finished restoring test.abc2015-06-29T11:20:26.612-0400 done
復(fù)制代碼

最后編輯于
?著作權(quán)歸作者所有,轉(zhuǎn)載或內(nèi)容合作請(qǐng)聯(lián)系作者
【社區(qū)內(nèi)容提示】社區(qū)部分內(nèi)容疑似由AI輔助生成,瀏覽時(shí)請(qǐng)結(jié)合常識(shí)與多方信息審慎甄別。
平臺(tái)聲明:文章內(nèi)容(如有圖片或視頻亦包括在內(nèi))由作者上傳并發(fā)布,文章內(nèi)容僅代表作者本人觀點(diǎn),簡(jiǎn)書(shū)系信息發(fā)布平臺(tái),僅提供信息存儲(chǔ)服務(wù)。

相關(guān)閱讀更多精彩內(nèi)容

友情鏈接更多精彩內(nèi)容