Like every other database, MongoDB manages permissions in much the same way. It keeps all user information in the system.users collection of the admin database: the user name, the password credential, and the database the user belongs to. MongoDB does not enable authentication by default: anyone who can reach the server can connect to mongod and do anything. To turn authentication on, set the auth parameter in the configuration file.
Let's work through it to understand how it behaves.
List the databases:
> show dbs
The admin database is not there! This is normal: MongoDB creates a database lazily, when the first data is written to it, so a fresh instance has no admin database (and no system.users collection) until the first user is created. Searching for an explanation turned up nothing, so the next step is simply to create the admin user directly:
use admin
db.createUser(
  {
    user: "admin",
    pwd: "admin",
    roles: [ { role: "userAdminAnyDatabase", db: "admin" } ]
  }
)
Created successfully. Querying the collections in admin again now returns data. Note that the password is not stored in clear text: the credentials field holds a SCRAM-SHA-1 verifier (iteration count, salt, storedKey, serverKey), and the authSchema version 5 recorded in system.version is the 3.0 SCRAM-SHA-1 scheme.
> show collections
system.indexes
system.users
system.version
> db.system.users.find();
{ "_id" : "admin.admin", "user" : "admin", "db" : "admin", "credentials" : { "SCRAM-SHA-1" : { "iterationCount" : 10000, "salt" : "cFISfpbm04pmIFpqiL340g==", "storedKey" : "WG1DSEEEHUZUBjsjsnEA4RFVY2M=", "serverKey" : "9Lm+IX6l9kfaE/4C25/ghsQpDkE=" } }, "roles" : [ { "role" : "userAdminAnyDatabase", "db" : "admin" } ] }
>
> db.system.indexes.find();
{ "v" : 1, "key" : { "_id" : 1 }, "name" : "_id_", "ns" : "admin.system.version" }
{ "v" : 1, "key" : { "_id" : 1 }, "name" : "_id_", "ns" : "admin.system.users" }
{ "v" : 1, "unique" : true, "key" : { "user" : 1, "db" : 1 }, "name" : "user_1_db_1", "ns" : "admin.system.users" }
>
> db.system.version.find();
{ "_id" : "authSchema", "currentVersion" : 5 }
>
Now enable authentication in the configuration file (the ini-style mongod.conf used here; in the YAML configuration format the same setting is security.authorization: enabled) and restart mongod:
auth=true
[root@localhost ~]# service mongod restart
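The same change in mongod's YAML configuration format, as an added example that is not taken from the post; the file paths are assumptions for a default RPM install, and the commented alternatives show the weak settings this post warns about:

```yaml
# mongod.conf (YAML format, MongoDB 2.6+). "auth=true" in the ini-style file
# used above is the older spelling of security.authorization: enabled.
# Paths below are assumptions for a default RPM install.
systemLog:
  destination: file
  path: /var/log/mongodb/mongod.log
storage:
  dbPath: /var/lib/mongo
net:
  port: 27017
  bindIp: 127.0.0.1        # weak setting: 0.0.0.0 exposes mongod on every interface
security:
  authorization: enabled   # weak setting: disabled (the default), anyone who can connect has full access
```

With authorization disabled, bindIp is the only thing standing between the network and a fully privileged mongod, so the two settings belong together.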
Connecting again without credentials and running show dbs now fails with an authorization error:
[root@localhost ~]# mongo
MongoDB shell version: 3.0.2
connecting to: test
> show dbs
2015-05-09T21:57:03.176-0700 E QUERY Error: listDatabases failed:{
"ok" : 0,
"errmsg" : "not authorized on admin to execute command { listDatabases: 1.0 }",
"code" : 13
}
at Error ()
at Mongo.getDBs (src/mongo/shell/mongo.js:47:15)
at shellHelper.show (src/mongo/shell/utils.js:630:33)
at shellHelper (src/mongo/shell/utils.js:524:36)
at (shellhelp2):1:1 at src/mongo/shell/mongo.js:47
>
The admin account was created in the admin database, so it can only be authenticated there. A MongoDB user belongs to the database it was created in (its authentication database): db.auth() must be issued while that database is current, and fails from any other db:
[root@localhost ~]# mongo
MongoDB shell version: 3.0.2
connecting to: test
>
> db.auth("admin","admin")
Error: 18 Authentication failed.
0
> use mydb
switched to db mydb
> db.auth("admin","admin")
Error: 18 Authentication failed.
0
> use admin
switched to db admin
> db.auth("admin","admin")
1
>
So now create another user, myuser, while still in admin (its authentication database will therefore be admin, which matters below):
db.createUser(
  {
    user: "myuser",
    pwd: "myuser",
    roles: [ { role: "readWrite", db: "mydb" } ]
  }
)
# grant roles: db.grantRolesToUser( "userName" , [ { role: "", db: "" } ])
db.grantRolesToUser( "myuser" , [ { role: "dbOwner", db: "mydb" } ])
# revoke roles: db.revokeRolesFromUser( "userName" , [ { role: "", db: "" } ])
db.revokeRolesFromUser( "myuser" , [ { role: "readWrite", db: "mydb" } ])
# myuser now holds only dbOwner on mydb. Because it was created in admin, db.auth("myuser", ...) fails in mydb and must be run in admin (the shell had meanwhile switched to mydb, as db shows):
> db.auth("myuser","myuser")
Error: 18 Authentication failed.
0
>
> db
mydb
> use admin
switched to db admin
> db.auth("myuser","myuser");
1
>
> use mydb
switched to db mydb
>
> db.tab.save({"id":999});
WriteResult({ "nInserted" : 1 })
>
> db.tab.find({"id":999});
{ "_id" : ObjectId("554ef5ac1b590330c00c7d02"), "id" : 999 }
>
> show collections
system.indexes
tab
>
A user can also be created directly in the target database, in which case db.auth works there. Note that dbOwner includes userAdmin on that database, so userkk can in turn create users and roles in mydb:
use admin
db.auth("admin","admin")
use mydb
db.createUser(
  {
    user: "userkk",
    pwd: "userkk",
    roles: [ { role: "dbOwner", db: "mydb" } ]
  }
)
db.auth("userkk","userkk")
------------------------------------------------------------------------------------------------------------------
Divider
------------------------------------------------------------------------------------------------------------------
Now test authorization with a custom role:
# authenticate against admin first
use admin
db.auth("admin","admin")
# switch to mydb and create the role in mydb; a collection of "" means every non-system collection in that database, so the role can only run find there
use mydb
db.createRole({
  role: "testRole",
  privileges: [{ resource: { db: "mydb", collection: "" }, actions: [ "find" ] }],
  roles: []
})
> use admin
switched to db admin
>
> show collections
system.indexes
system.roles
system.users
system.version
>
> db.system.roles.find();
{ "_id" : "mydb.testRole", "role" : "testRole", "db" : "mydb", "privileges" : [ { "resource" : { "db" : "mydb", "collection" : "" }, "actions" : [ "find" ] } ], "roles" : [ ] }
>
Now create a user that holds only this role (if the userkk from the earlier session still exists, createUser fails with a duplicate-user error; remove it first with db.dropUser("userkk")):
use mydb
db.createUser(
  {
    user: "userkk",
    pwd: "userkk",
    roles: [ { role: "testRole", db: "mydb" } ]
  }
)
[root@localhost ~]# mongo
MongoDB shell version: 3.0.2
connecting to: test
> use mydb
switched to db mydb
>
> db.auth("userkk","userkk")
1
>
> db.tab.find({"id":999})
{ "_id" : ObjectId("554ef5ac1b590330c00c7d02"), "id" : 999 }
>
> db.tab.insert({"id":1000})
WriteResult({
"writeError" : {
"code" : 13,
"errmsg" : "not authorized on mydb to execute command { insert: \"tab\", documents: [ { _id: ObjectId('554f145cdf782b42499d80e5'), id: 1000.0 } ], ordered: true }"
}
})
>
use admin
db.auth("admin","admin")
use mydb
# add privileges to the role
db.grantPrivilegesToRole("testRole",
  [{ resource: { db: "mydb", collection: "" }, actions: [ "update", "insert", "remove" ] }]
)
exit # leave the mongo shell and log back in
use mydb
db.auth("userkk","userkk")
# inserting and removing documents now works:
db.tab.insert({"id":1000})
db.tab.find({"id":1000})
db.tab.remove({"id":1000})
# the role document in admin now reads:
> db.system.roles.find();
{ "_id" : "mydb.testRole", "role" : "testRole", "db" : "mydb", "privileges" : [ { "resource" : { "db" : "mydb", "collection" : "" }, "actions" : [ "find", "insert", "remove", "update" ] } ], "roles" : [ ] }
>
use admin
db.auth("admin","admin")
use mydb
# updateRole replaces the fields you pass: here the role's "roles" array, so testRole now also inherits readWrite on mydb (its own privileges are left unchanged)
db.updateRole("testRole",{ roles:[{ role: "readWrite",db: "mydb"}]},{ w:"majority" })
db.auth("userkk","userkk")
show dbs
# show dbs still fails for userkk: listDatabases is a cluster-level action that readWrite does not include (readAnyDatabase and readWriteAnyDatabase do), so the error is the same "not authorized on admin" seen earlier
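To make the two lessons of this walkthrough concrete (a user authenticates only against the database it was created in, and authorization is the union of privileges reached through the user's roles, inherited roles included), here is an added example that is not code from the original post and does not talk to MongoDB. It models how mongod resolves effective privileges from documents shaped like the ones printed above from admin.system.users and admin.system.roles. The built-in role definitions are trimmed to the actions listed in the role table at the end of this post (an assumption; the real catalogue is larger), the users and roles are constructed sample data mirroring admin, myuser and userkk from the transcript (credentials omitted), and the function names are this example's own, except grantPrivilegesToRole which mirrors the shell helper.

```javascript
// Added example (not from the original post). Models mongod's user/role/privilege
// resolution on documents shaped like admin.system.users / admin.system.roles.
// Built-in roles are trimmed to the actions the post's role table lists (assumption).

const READ_ACTIONS = ["collStats", "dbHash", "dbStats", "find", "killCursors",
  "listIndexes", "listCollections"];
const READ_WRITE_ACTIONS = READ_ACTIONS.concat(["convertToCapped", "createCollection",
  "dropCollection", "createIndex", "dropIndex", "emptycapped", "insert", "remove",
  "renameCollectionSameDB", "update"]);
const USER_ADMIN_ACTIONS = ["changeCustomData", "changePassword", "createRole",
  "createUser", "dropRole", "dropUser", "grantRole", "revokeRole", "viewRole", "viewUser"];

// anyDb: true gives the privilege the resource {db: "", collection: ""} (every database).
const BUILTIN_ROLES = {
  read:                 { actions: READ_ACTIONS, roles: [] },
  readWrite:            { actions: READ_WRITE_ACTIONS, roles: [] },
  dbAdmin:              { actions: READ_ACTIONS, roles: [] },
  userAdmin:            { actions: USER_ADMIN_ACTIONS, roles: [] },
  dbOwner:              { actions: [], roles: ["readWrite", "dbAdmin", "userAdmin"] },
  userAdminAnyDatabase: { actions: USER_ADMIN_ACTIONS, roles: [], anyDb: true },
};

// Constructed sample of admin.system.roles / admin.system.users after the steps above.
const systemRoles = [
  { _id: "mydb.testRole", role: "testRole", db: "mydb",
    privileges: [{ resource: { db: "mydb", collection: "" }, actions: ["find"] }], roles: [] },
];
const systemUsers = [
  { _id: "admin.admin",  user: "admin",  db: "admin", roles: [{ role: "userAdminAnyDatabase", db: "admin" }] },
  { _id: "admin.myuser", user: "myuser", db: "admin", roles: [{ role: "dbOwner", db: "mydb" }] },
  { _id: "mydb.userkk",  user: "userkk", db: "mydb",  roles: [{ role: "testRole", db: "mydb" }] },
];

// db.auth() succeeds only in the database the user was created in (its "db" field):
// this is why db.auth("admin","admin") failed in test and mydb but worked in admin.
function canAuthenticate(users, currentDb, name) {
  return users.some(u => u.user === name && u.db === currentDb);
}

// Expand one {role, db} grant into flat {resource, actions} privileges, following
// inherited roles recursively (custom roles may inherit custom or built-in roles).
function expandRole(roles, grant, seen = new Set()) {
  const key = grant.db + "." + grant.role;
  if (seen.has(key)) return [];                 // guard against cycles in the role graph
  seen.add(key);
  const builtin = BUILTIN_ROLES[grant.role];
  if (builtin) {
    const own = builtin.actions.length === 0 ? [] :
      [{ resource: { db: builtin.anyDb ? "" : grant.db, collection: "" }, actions: builtin.actions }];
    const inherited = builtin.roles.flatMap(r => expandRole(roles, { role: r, db: grant.db }, seen));
    return own.concat(inherited);
  }
  const custom = roles.find(r => r.role === grant.role && r.db === grant.db);
  if (!custom) throw new Error("unknown role " + key);
  return custom.privileges.concat(custom.roles.flatMap(r => expandRole(roles, r, seen)));
}

function effectivePrivileges(users, roles, userDb, name) {
  const user = users.find(u => u.user === name && u.db === userDb);
  if (!user) throw new Error("no user " + userDb + "." + name);
  return user.roles.flatMap(g => expandRole(roles, g));
}

// Resource matching: db "" means every database; collection "" means every
// non-system collection of the database (so system.users is never covered by it).
function resourceMatches(res, db, coll) {
  if (res.db !== "" && res.db !== db) return false;
  if (res.collection === "") return !coll.startsWith("system.");
  return res.collection === coll;
}

function isAuthorized(users, roles, userDb, name, action, db, coll) {
  return effectivePrivileges(users, roles, userDb, name)
    .some(p => resourceMatches(p.resource, db, coll) && p.actions.includes(action));
}

// Mirror of db.grantPrivilegesToRole(): merge actions into the matching resource entry.
function grantPrivilegesToRole(roles, db, roleName, privileges) {
  const role = roles.find(r => r.role === roleName && r.db === db);
  if (!role) throw new Error("unknown role " + db + "." + roleName);
  for (const p of privileges) {
    const existing = role.privileges.find(e =>
      e.resource.db === p.resource.db && e.resource.collection === p.resource.collection);
    if (existing) {
      for (const a of p.actions) if (!existing.actions.includes(a)) existing.actions.push(a);
    } else {
      role.privileges.push({ resource: { ...p.resource }, actions: [...p.actions] });
    }
  }
  return role;
}

// Audit helper: which accounts can perform an action on a resource right now?
function usersWhoCan(users, roles, action, db, coll) {
  return users
    .filter(u => isAuthorized(users, roles, u.db, u.user, action, db, coll))
    .map(u => u.user + "@" + u.db);
}

// Replay the transcript on a copy: userkk can find but not insert, until testRole gains writes.
const rolesAfterGrant = JSON.parse(JSON.stringify(systemRoles));
grantPrivilegesToRole(rolesAfterGrant, "mydb", "testRole",
  [{ resource: { db: "mydb", collection: "" }, actions: ["update", "insert", "remove"] }]);

console.log(canAuthenticate(systemUsers, "test", "admin"), canAuthenticate(systemUsers, "admin", "admin")); // false true
console.log(isAuthorized(systemUsers, systemRoles, "mydb", "userkk", "find", "mydb", "tab"));       // true
console.log(isAuthorized(systemUsers, systemRoles, "mydb", "userkk", "insert", "mydb", "tab"));     // false
console.log(isAuthorized(systemUsers, rolesAfterGrant, "mydb", "userkk", "insert", "mydb", "tab")); // true
console.log(usersWhoCan(systemUsers, rolesAfterGrant, "createUser", "mydb", ""));                   // [ 'admin@admin', 'myuser@admin' ]
```

The last line is the check worth running against a real deployment (via db.getUsers() and db.getRoles({showPrivileges: true}) in the shell): myuser holds only dbOwner on mydb, yet through the inherited userAdmin role it can create further users in mydb, which is the kind of indirect grant that is easy to miss when reading system.users alone.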
A summary of the built-in roles, extracted from the official documentation:
Role category
Role
Privileges (actions) and inherited roles
(action names in this post may differ in capitalisation from the official ones; check the official documentation when using them)
Database User Roles
read
collStats, dbHash, dbStats, find, killCursors, listIndexes, listCollections
readWrite
collStats, convertToCapped, createCollection, dbHash, dbStats,
dropCollection, createIndex, dropIndex, emptycapped, find,
insert, killCursors, listIndexes, listCollections, remove,
renameCollectionSameDB, update
Database Administration Roles
dbAdmin
collStats, dbHash, dbStats, find, killCursors, listIndexes, listCollections,
plus dropCollection and createCollection on system.profile
(the role also carries the schema-management actions such as collMod, createIndex, dropIndex, dropDatabase, reIndex and validate; see the official documentation for the full list)
dbOwner
roles: readWrite, dbAdmin, userAdmin
userAdmin
changeCustomData, changePassword, createRole, createUser,
dropRole, dropUser, grantRole, revokeRole, viewRole, viewUser
(userAdmin can grant any role on its database, including to itself; on the admin database this is an indirect path to full superuser access, so treat it as such)
Cluster Administration Roles
clusterAdmin
roles: clusterManager, clusterMonitor, hostManager (plus the dropDatabase action)
clusterManager
addShard, applicationMessage, cleanupOrphaned, flushRouterConfig,
listShards, removeShard, replSetConfigure, replSetGetStatus,
replSetStateChange, resync,
and on all databases: enableSharding, moveChunk, splitChunk, splitVector
clusterMonitor
connPoolStats, cursorInfo, getCmdLineOpts, getLog, getParameter,
getShardMap, hostInfo, inprog, listDatabases, listShards, netstat,
replSetGetStatus, serverStatus, shardingState, top,
and on all databases: collStats, dbStats, getShardVersion
hostManager
applicationMessage, closeAllDatabases, connPoolSync, cpuProfiler,
diagLogging, flushRouterConfig, fsync, invalidateUserCache, killop,
logRotate, resync, setParameter, shutdown, touch, unlock
Backup and Restoration Roles
backup
insert and update on the mms.backup collection in the admin database
list all databases: listDatabases
list all indexes of a collection: listIndexes
find on:
* non-system collections
* the system collections system.indexes, system.namespaces, system.js
* admin.system.users and admin.system.roles
restore
on non-system collections, system.js, admin.system.users and admin.system.roles, and the legacy system.users collections from versions before 2.6:
collMod, createCollection, createIndex, dropCollection, insert
list all databases: listDatabases
on the legacy system.users collections: find, remove, update
All-Database Roles
readAnyDatabase
read on every database
list all databases in the cluster: listDatabases
readWriteAnyDatabase
readWrite on every database
list all databases in the cluster: listDatabases
userAdminAnyDatabase
userAdmin on every database
cluster: authSchemaUpgrade, invalidateUserCache, listDatabases
on admin.system.users and admin.system.roles:
collStats, dbHash, dbStats, find, killCursors, planCacheRead,
createIndex, dropIndex
dbAdminAnyDatabase
dbAdmin on every database
list all databases in the cluster: listDatabases
Superuser Roles
root
roles: readWriteAnyDatabase, dbAdminAnyDatabase, userAdminAnyDatabase, clusterAdmin
Internal Role
__system
any action on any database in the cluster; intended for replica set members and mongos talking to each other, never for human or application accounts