mongodb的访问控制
内建角色,具体参考:https://docs.mongodb.com/manual/reference/built-in-roles
Read:允许用户读取指定数据库
readWrite:允许用户读写指定数据库
dbAdmin:允许用户在指定数据库中执行管理函数,如索引创建、删除,查看统计或访问system.profile
userAdmin:允许用户向system.users集合写入,可以找指定数据库里创建、删除和管理用户
clusterAdmin:只在admin数据库中可用,赋予用户所有分片和复制集相关函数的管理权限。
readAnyDatabase:只在admin数据库中可用,赋予用户所有数据库的读权限
readWriteAnyDatabase:只在admin数据库中可用,赋予用户所有数据库的读写权限
userAdminAnyDatabase:只在admin数据库中可用,赋予用户所有数据库的userAdmin权限
dbAdminAnyDatabase:只在admin数据库中可用,赋予用户所有数据库的dbAdmin权限。
root:只在admin数据库中可用。超级账号,超级权限
用户文件在admin库下的system.users表里,默认MongoDB没有访问密码,不太安全
1.添加数据库管理员用户adminUser和普通用户herrywen
mongo --port 27017
use admin
db.createUser(
{
user: "adminUser",
pwd: "adminPass",
roles: [ { role: "userAdminAnyDatabase", db: "admin" } ]
}
)
use herrywen
db.createUser(
{
user: "herrywen",
pwd: "herrywen",
roles: [ { role: "readWrite", db: "herrywen" },
{ role: "read", db: "admin" } ]
}
)2.在192.168.255.134增加配置文件,开启验证
cat /etc/mongod.conf
security:
authorization: enabled3.重启mongdb服务systemctl restart mongdb
4.测试看下是否可以访问了
[root@worker1 ~]# mongo --host 192.168.255.134 --port 27017 -u adminUser -p adminPass --authenticationDatabase "admin"
MongoDB shell version v4.2.1
connecting to: mongodb://192.168.255.134:27017/?authSource=admin&compressors=disabled&gssapiServiceName=mongodb
Implicit session: session { "id" : UUID("f5114890-0b2e-43a2-8a60-a8b265e68a44") }
MongoDB server version: 4.2.1
MongoDB Enterprise > use admin;
switched to db admin
MongoDB Enterprise > show collections;
system.users
system.version
MongoDB Enterprise > exit
bye5.如果直接登陆,在切换admin库时,提示没有任何权限。需要使用db.auth()进行验证
[root@worker1 ~]# mongo --host 192.168.255.134 --port 27017
MongoDB shell version v4.2.1
connecting to: mongodb://192.168.255.134:27017/?compressors=disabled&gssapiServiceName=mongodb
Implicit session: session { "id" : UUID("9bcb1b37-7cfa-4aff-8947-6d633eee01be") }
MongoDB server version: 4.2.1
MongoDB Enterprise > use admin
switched to db admin
MongoDB Enterprise > show collections;
Warning: unable to run listCollections, attempting to approximate collection names by parsing connectionStatus
MongoDB Enterprise > show collections;
Warning: unable to run listCollections, attempting to approximate collection names by parsing connectionStatus
MongoDB Enterprise > db.auth("adminUser","adminPass")
1
MongoDB Enterprise > show collections;
system.users
system.version6.直接登陆herrywen库
[root@worker1 ~]# mongo --host 192.168.255.134 --port 27017 -u herrywen -p herrywen --authenticationDatabase "herrywen"
MongoDB shell version v4.2.1
connecting to: mongodb://192.168.255.134:27017/?authSource=herrywen&compressors=disabled&gssapiServiceName=mongodb
Implicit session: session { "id" : UUID("9d906997-681a-43b4-b541-dbe5d197cd1f") }
MongoDB server version: 4.2.1
MongoDB Enterprise > use herrywen
switched to db herrywen
MongoDB Enterprise > show collections;
MongoDB Enterprise > db.test3.insert({title: 'MongoDB',
... description: 'hello,world',
... by: 'herrywen',
... url: 'http://www.51cto.com',
... tags: ['mongodb', 'database', 'NoSQL'],
... likes: 100})
WriteResult({ "nInserted" : 1 })
MongoDB Enterprise > show collections;7.给adminUser用户增加对herrywen库的读写权限
use admin
db.grantRolesToUser( "adminUser", [ { role: "readWrite", db: "herrywen" } ] )
db.system.users.find().pretty(); 8.给herrywen用户增加herrywen1库的读写权限和admin数据库的读权限
use herrywen
db.grantRolesToUser( "herrywen", [ { role: "readWrite", db: "herrywen1" } ,{ role: "read", db: "admin" } ] )9.撤销herrywen对herrywen1库的读写权限和admin数据库的读权限
db.revokeRolesFromUser(
"herrywen",
[
{
"role" : "read",
"db" : "admin"
},
{
"role" : "readWrite",
"db" : "herrywen1"
}
]
)10.查看当前herrywen用户的权限,也可以切换heryrwen数据库下,使用db.getUser('herrywen')查看,但是比较麻烦,可以直接使用show users
MongoDB Enterprise > show users
{
"_id" : "herrywen.herrywen",
"userId" : UUID("68fc696d-9825-43b6-9afb-d4a040b480a3"),
"user" : "herrywen",
"db" : "herrywen",
"roles" : [
{
"role" : "readWrite",
"db" : "herrywen"
}
],
"mechanisms" : [
"SCRAM-SHA-1",
"SCRAM-SHA-256"
]
}11.修改herrywen用户的密码db.changeUserPassword("herrywen","herrywen-2")
12.删除herrywen用户db.dropUser("herrywen")
上一篇:mongodb的监控