MongoDB用户权限管理

作者: 庞巴哥 分类: Linux技术 发布时间: 2020-06-18 18:55

MongoDB权限说明

权限误区:并不是说下面的排序就证明权限越来越大除了 readWrite 权限用户外(root权限用户也包括),其它用户都不具备对数据库的写入权限,除 read 权限外,其它用户都不具备对数据库中的读权限,每个权限的功能各不一样(除root外)

普通用户

普通用户只是拥有下面的读写权限

权限说明
Read允许用户读取指定数据库
readWrite允许用户读写指定数据库

管理用户

管理用户具备下面说明的一些操作权限

权限说明
dbAdmin允许用户在指定数据库中指定管理函数,如(索引创建、删除、查看统计访问system.profile)
userAdmin允许用户向system.users集合写入,可以找指定数据里面创建、删除和管理用户
clusterAdmin只在admin数据库中可用,赋予用户所有分片和复制集相关函数的管理权限

授权用户

以下用户主要是为其它用户赋予相应的权限

权限说明
readAnyDatabase只在admin数据库中可用,赋予用户所有数据库的读权限
readWriteAnyDatabase只在admin数据库中可用,赋予用户所有数据库的读写权限
userWriteAnyDatabase只在admin数据库中可用,赋予用户所有数据库的userAdmin权限
dbAdminAnyDatabase只在admin数据库中可用,赋予用户所有数据库的dbAdmin权限

超级管理员

可以无所不能,为所欲为

权限说明
root只在admin数据库中可用,超级管理员

mongodb安装好后第一次进入是不需要密码的,也没有任何用户,直接连接进入即可

/usr/local/mongodb/bin/mongo --host 192.168.31.215 --port 27018

创建管理用户

> use adminswitched to db admin> db.createUser ( {... user:"manage",... pwd:"123456",... roles:[ { role:"root", db:"admin" } ]...     }... )
#返回以下信息代表创建成功Successfully added user: { "user" : "manage", "roles" : [ { "role" : "root", "db" : "admin" } ]}

退出登录,然后在mongodb配置文件中开启认证

vim /usr/local/mongodb/27018/conf/mongod.confsecurity:   authorization: enabled  javascriptEnabled: true

重启mongodb

/usr/local/mongodb/bin/mongod --shutdown -f /usr/local/mongodb/27018/conf/mongod.conf /usr/local/mongodb/bin/mongod -f /usr/local/mongodb/27018/conf/mongod.conf

连接mongodb

/usr/local/mongodb/bin/mongo --host 192.168.31.215 --port 27018MongoDB shell version v4.2.0connecting to: mongodb://192.168.31.215:27018/?compressors=disabled&gssapiServiceName=mongodbImplicit session: session { "id" : UUID("fc77266a-b2ff-4eb0-b6ca-c493c7c29143") }MongoDB server version: 4.2.0> use admin                     #进入admin库中先进行账号认证switched to db admin        > db.auth('manage','123456')    #认证账号,值返回1代表认证成功1

mongdb库创建读写用户

> db.createUser( {... user:"zhangsan",... pwd:"zhangsan",... roles:[ { role:"readWrite", db:"mongdb" } ]...     }... )Successfully added user: {    "user" : "zhangsan",    "roles" : [        {            "role" : "readWrite",            "db" : "mongdb"        }    ]}

验证创建的zhangsan用户(不需要退出登录)

> use adminswitched to db admin> db.auth('zhangsan','zhangsan')1> show dbs              #查看数据库,因为mongdb数据库存储数据,所以看不到> use mongdb            #直接 use 到mongdb数据库中switched to db mongdb
#插入 json 格式文档到 coll 集合中> db.coll.insert({"name": "Zhangsan","url": "http://abcops.cn","age": 25,"isNonProfit": true,})WriteResult({ "nInserted" : 1 })> show collections #查看已存在集合coll> db.coll.find() #读取集合中的数据{ "_id" : ObjectId("5d8b24c2f1c33f4950f2c5df"), "name" : "Zhangsan", "url" : "http://abcops.cn", "age" : 25, "isNonProfit" : true }

以上完成了读写权限的验证

一个用户多个权限

为 lisi 用户授权 01db read权限 02db readWrite 03db dbAdmin权限 04db userAdmin权限

这次先把数据库创建出来

> use adminswitched to db admin> db.auth('manage','123456')1
> use 01dbswitched to db 01db> db.coll.insert({"name": "01db","url": "http://abcops.cn","age": 25,"isNonProfit": true,})WriteResult({ "nInserted" : 1 })
> use 02dbswitched to db 02db> db.coll.insert({"name": "02db","url": "http://abcops.cn","age": 25,"isNonProfit": true,})WriteResult({ "nInserted" : 1 })
> use 03dbswitched to db 03db> db.coll.insert({"name": "03db","url": "http://abcops.cn","age": 25,"isNonProfit": true,})WriteResult({ "nInserted" : 1 })
> use 04dbswitched to db 04db> db.coll.insert({"name": "04db","url": "http://abcops.cn","age": 25,"isNonProfit": true,})WriteResult({ "nInserted" : 1 })

创建用户并授权

> db.createUser( {... user:"lisi",... pwd:"123456",... roles: [ { role:"read",db:"01db" },... { role:"readWrite",db:"02db" },... { role:"dbAdmin",db:"03db" },... { role:"userAdmin",db:"04db" } ]...     }... )Successfully added user: {    "user" : "lisi",    "roles" : [        {            "role" : "read",            "db" : "01db"        },        {            "role" : "readWrite",            "db" : "02db"        },        {            "role" : "dbAdmin",            "db" : "03db"        },        {            "role" : "userAdmin",            "db" : "04db"        }    ]}

查看所有用户

> show users{    "_id" : "admin.admin",    "userId" : UUID("9958faa5-7132-4146-8775-a001e47fe7f8"),    "user" : "admin",    "db" : "admin",    "roles" : [        {            "role" : "root",            "db" : "admin"        }    ],    "mechanisms" : [        "SCRAM-SHA-1"    ]}{    "_id" : "admin.lisi",    "userId" : UUID("bc8e5dc7-2f8c-40c1-8190-cea4951ae4a1"),    "user" : "lisi",    "db" : "admin",    "roles" : [        {            "role" : "read",            "db" : "01db"        },        {            "role" : "readWrite",            "db" : "02db"        },        {            "role" : "dbAdmin",            "db" : "03db"        },        {            "role" : "userAdmin",            "db" : "04db"        }    ],    "mechanisms" : [        "SCRAM-SHA-1"    ]}{    "_id" : "admin.manage",    "userId" : UUID("e1b34f57-06f2-4ef1-b23a-2d46a3964fbf"),    "user" : "manage",    "db" : "admin",    "roles" : [        {            "role" : "root",            "db" : "admin"        }    ],    "mechanisms" : [        "SCRAM-SHA-1"    ]}{    "_id" : "admin.micvs",    "userId" : UUID("1f4837c7-8c14-40d4-8a21-d621e0bcc278"),    "user" : "micvs",    "db" : "admin",    "roles" : [        {            "role" : "dbAdminAnyDatabase",            "db" : "admin"        }    ],    "mechanisms" : [        "SCRAM-SHA-1",        "SCRAM-SHA-256"    ]}{    "_id" : "admin.zhangsan",    "userId" : UUID("1003726b-c7fc-44e6-b001-b5c828bfb40d"),    "user" : "zhangsan",    "db" : "admin",    "roles" : [        {            "role" : "readWrite",            "db" : "mongdb"        }    ],    "mechanisms" : [        "SCRAM-SHA-1"    ]}
标签云