A common misconception about roles: the order in which the roles are listed below does not mean each one is more powerful than the last. Apart from users holding readWrite (root users included), no other role gives write access to a database; apart from read, no other role gives read access to the data in a database. Each role has its own distinct function (root excepted).
Ordinary users

Ordinary users only hold the read/write roles below.

| Role | Description |
|---|---|
| read | Allows the user to read the specified database |
| readWrite | Allows the user to read and write the specified database |
Administrative users

Administrative users hold the management privileges described below.

| Role | Description |
|---|---|
| dbAdmin | Allows the user to perform administrative functions on the specified database, such as creating and dropping indexes, viewing statistics, and accessing system.profile |
| userAdmin | Allows the user to write to the system.users collection, so that users can be created, dropped, and managed in the specified database |
| clusterAdmin | Only available in the admin database; grants the user administrative privileges over all sharding and replica-set related functions |
Any-database roles

The roles below are mainly used to grant users the corresponding privilege on every database.

| Role | Description |
|---|---|
| readAnyDatabase | Only available in the admin database; grants the user read access to all databases |
| readWriteAnyDatabase | Only available in the admin database; grants the user read/write access to all databases |
| userAdminAnyDatabase | Only available in the admin database; grants the user userAdmin on all databases |
| dbAdminAnyDatabase | Only available in the admin database; grants the user dbAdmin on all databases |
Superuser

Can do anything at all.

| Role | Description |
|---|---|
| root | Only available in the admin database; the superuser |
After MongoDB is installed, the first connection requires no password and there are no users yet; simply connect directly:

```
/usr/local/mongodb/bin/mongo --host 192.168.31.215 --port 27018
```
Create an administrative user

```
> use admin
switched to db admin
> db.createUser( {
    user: "manage",
    pwd: "123456",
    roles: [ { role: "root", db: "admin" } ]
  }
)
```

The following output means the user was created successfully:

```
Successfully added user: {
  "user": "manage",
  "roles": [
    {
      "role": "root",
      "db": "admin"
    }
  ]
}
```
Log out, then enable authentication in the mongod configuration file:

```
vim /usr/local/mongodb/27018/conf/mongod.conf
```

```yaml
security:
  authorization: enabled
  javascriptEnabled: true
```

Restart mongod:

```
/usr/local/mongodb/bin/mongod --shutdown -f /usr/local/mongodb/27018/conf/mongod.conf
/usr/local/mongodb/bin/mongod -f /usr/local/mongodb/27018/conf/mongod.conf
```
Connect to MongoDB:

```
/usr/local/mongodb/bin/mongo --host 192.168.31.215 --port 27018
MongoDB shell version v4.2.0
connecting to: mongodb://192.168.31.215:27018/?compressors=disabled&gssapiServiceName=mongodb
Implicit session: session { "id": UUID("fc77266a-b2ff-4eb0-b6ca-c493c7c29143") }
MongoDB server version: 4.2.0
> use admin                    # switch to the admin database and authenticate first
switched to db admin
> db.auth('manage','123456')   # authenticate; a return value of 1 means success
1
```
Create a read/write user for the mongdb database:

```
> db.createUser( {
... user: "zhangsan",
... pwd: "zhangsan",
... roles: [ { role: "readWrite", db: "mongdb" } ]
... }
... )
Successfully added user: {
  "user": "zhangsan",
  "roles": [
    {
      "role": "readWrite",
      "db": "mongdb"
    }
  ]
}
```
Verify the newly created zhangsan user (no need to log out):

```
> use admin
switched to db admin
> db.auth('zhangsan','zhangsan')
1
> show dbs           # list databases; nothing appears because the mongdb database has no data stored yet
> use mongdb         # switch straight to the mongdb database
switched to db mongdb
# insert a JSON document into the coll collection
> db.coll.insert({"name": "Zhangsan","url": "http://abcops.cn","age": 25,"isNonProfit": true,})
WriteResult({ "nInserted": 1 })
> show collections   # list existing collections
coll
> db.coll.find()     # read the data in the collection
{ "_id": ObjectId("5d8b24c2f1c33f4950f2c5df"), "name": "Zhangsan", "url": "http://abcops.cn", "age": 25, "isNonProfit": true }
```

This completes the verification of the read/write role.
One user with multiple roles

Grant the user lisi the read role on 01db, readWrite on 02db, dbAdmin on 03db, and userAdmin on 04db.

This time, create the databases first:

```
> use admin
switched to db admin
> db.auth('manage','123456')
1
> use 01db
switched to db 01db
> db.coll.insert({"name": "01db","url": "http://abcops.cn","age": 25,"isNonProfit": true,})
WriteResult({ "nInserted": 1 })
> use 02db
switched to db 02db
> db.coll.insert({"name": "02db","url": "http://abcops.cn","age": 25,"isNonProfit": true,})
WriteResult({ "nInserted": 1 })
> use 03db
switched to db 03db
> db.coll.insert({"name": "03db","url": "http://abcops.cn","age": 25,"isNonProfit": true,})
WriteResult({ "nInserted": 1 })
> use 04db
switched to db 04db
> db.coll.insert({"name": "04db","url": "http://abcops.cn","age": 25,"isNonProfit": true,})
WriteResult({ "nInserted": 1 })
```
Create the user and grant the roles. Note that db.createUser() creates the user in the database currently selected; the `admin.lisi` entry in the `show users` output further down shows that this command was run with `admin` selected.

```
> db.createUser( {
... user: "lisi",
... pwd: "123456",
... roles: [ { role: "read",db: "01db" },
... { role: "readWrite",db: "02db" },
... { role: "dbAdmin",db: "03db" },
... { role: "userAdmin",db: "04db" } ]
... }
... )
Successfully added user: {
  "user": "lisi",
  "roles": [
    {
      "role": "read",
      "db": "01db"
    },
    {
      "role": "readWrite",
      "db": "02db"
    },
    {
      "role": "dbAdmin",
      "db": "03db"
    },
    {
      "role": "userAdmin",
      "db": "04db"
    }
  ]
}
```
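Because the built-in roles are not a ladder, it is worth working out what a `roles` array actually grants before handing it to `db.createUser()`. The following is an added example, not code from the original post: a small JavaScript model of the roles described in the tables above, applied to the grants given to lisi. The role names and their scope (per-database versus admin-only) follow the post; the action names (`find`, `insert`, `createIndex`, `createUser`, ...) are simplified stand-ins for MongoDB's real privilege actions and are this example's own assumption.

```javascript
// Added example, not code from the original post: a small model of MongoDB's
// built-in database roles, used to check what a createUser "roles" array
// grants before the user is created. Role names and each role's scope follow
// the tables in the post; the action names are simplified stand-ins for
// MongoDB's privilege actions, chosen here only for illustration.

// Actions each per-database role grants on the database it is assigned to.
const ROLE_ACTIONS = {
  read:         ["find"],
  readWrite:    ["find", "insert", "update", "remove"],
  dbAdmin:      ["createIndex", "dropIndex", "collStats", "viewProfile"],
  userAdmin:    ["createUser", "dropUser", "grantRole"],
  clusterAdmin: ["replSetReconfig", "addShard"],
};

// Roles that exist only in admin and apply to every database.
const ANY_DB_ROLES = {
  readAnyDatabase:      "read",
  readWriteAnyDatabase: "readWrite",
  userAdminAnyDatabase: "userAdmin",
  dbAdminAnyDatabase:   "dbAdmin",
};
const ADMIN_ONLY = new Set(["root", "clusterAdmin", ...Object.keys(ANY_DB_ROLES)]);
const ALL_ACTIONS = [...new Set(Object.values(ROLE_ACTIONS).flat())];

// Expand a roles array (the shape passed to db.createUser) into a map of
// database name -> Set of actions. The key "*" stands for every database.
// Throws when an admin-only role is assigned outside admin, which is the
// mistake the "only available in the admin database" rows warn about.
function resolvePrivileges(roles) {
  const privs = {};
  const grant = (db, actions) => {
    if (!privs[db]) privs[db] = new Set();
    actions.forEach(a => privs[db].add(a));
  };
  for (const { role, db } of roles) {
    if (ADMIN_ONLY.has(role) && db !== "admin") {
      throw new Error(`role ${role} can only be granted in the admin database`);
    }
    if (role === "root")           grant("*", ALL_ACTIONS);
    else if (role in ANY_DB_ROLES) grant("*", ROLE_ACTIONS[ANY_DB_ROLES[role]]);
    else if (role in ROLE_ACTIONS) grant(db, ROLE_ACTIONS[role]);
    else throw new Error(`unknown role ${role}`);
  }
  return privs;
}

// Would a user holding `roles` be allowed to perform `action` on `db`?
function isAuthorized(roles, db, action) {
  const privs = resolvePrivileges(roles);
  const has = set => Boolean(set && set.has(action));
  return has(privs["*"]) || has(privs[db]);
}

// The grants given to lisi in the post: a different role on each database.
const LISI_ROLES = [
  { role: "read",      db: "01db" },
  { role: "readWrite", db: "02db" },
  { role: "dbAdmin",   db: "03db" },
  { role: "userAdmin", db: "04db" },
];

// Per database, list which of a few representative actions the roles allow.
// The result shows the roles are disjoint, not nested: dbAdmin on 03db allows
// index work but not reading data; userAdmin on 04db allows creating users
// but not inserting documents; 05db, where lisi has no role, allows nothing.
function privilegeMatrix(roles, dbs, actions) {
  const matrix = {};
  for (const db of dbs) {
    matrix[db] = actions.filter(a => isAuthorized(roles, db, a));
  }
  return matrix;
}

const CHECKED_ACTIONS = ["find", "insert", "createIndex", "createUser"];
const LISI_MATRIX = privilegeMatrix(
  LISI_ROLES, ["01db", "02db", "03db", "04db", "05db"], CHECKED_ACTIONS);
console.log(LISI_MATRIX);
// { '01db': ['find'], '02db': ['find', 'insert'], '03db': ['createIndex'],
//   '04db': ['createUser'], '05db': [] }
```

Running the same matrix for `[{ role: "root", db: "admin" }]` returns every action on every database, and passing `{ role: "readAnyDatabase", db: "01db" }` throws, matching the table's note that the AnyDatabase roles exist only in admin.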
List all users:

```
> show users
{
  "_id": "admin.admin",
  "userId": UUID("9958faa5-7132-4146-8775-a001e47fe7f8"),
  "user": "admin",
  "db": "admin",
  "roles": [
    {
      "role": "root",
      "db": "admin"
    }
  ],
  "mechanisms": [
    "SCRAM-SHA-1"
  ]
}
{
  "_id": "admin.lisi",
  "userId": UUID("bc8e5dc7-2f8c-40c1-8190-cea4951ae4a1"),
  "user": "lisi",
  "db": "admin",
  "roles": [
    {
      "role": "read",
      "db": "01db"
    },
    {
      "role": "readWrite",
      "db": "02db"
    },
    {
      "role": "dbAdmin",
      "db": "03db"
    },
    {
      "role": "userAdmin",
      "db": "04db"
    }
  ],
  "mechanisms": [
    "SCRAM-SHA-1"
  ]
}
{
  "_id": "admin.manage",
  "userId": UUID("e1b34f57-06f2-4ef1-b23a-2d46a3964fbf"),
  "user": "manage",
  "db": "admin",
  "roles": [
    {
      "role": "root",
      "db": "admin"
    }
  ],
  "mechanisms": [
    "SCRAM-SHA-1"
  ]
}
{
  "_id": "admin.micvs",
  "userId": UUID("1f4837c7-8c14-40d4-8a21-d621e0bcc278"),
  "user": "micvs",
  "db": "admin",
  "roles": [
    {
      "role": "dbAdminAnyDatabase",
      "db": "admin"
    }
  ],
  "mechanisms": [
    "SCRAM-SHA-1",
    "SCRAM-SHA-256"
  ]
}
{
  "_id": "admin.zhangsan",
  "userId": UUID("1003726b-c7fc-44e6-b001-b5c828bfb40d"),
  "user": "zhangsan",
  "db": "admin",
  "roles": [
    {
      "role": "readWrite",
      "db": "mongdb"
    }
  ],
  "mechanisms": [
    "SCRAM-SHA-1"
  ]
}
```
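The `show users` listing is also the place to review who holds broad roles. The following is an added example, not code from the original post: a short audit over the user documents printed above, reconstructed here as a JavaScript array (the `userId` fields are left out). It flags accounts with roles that span every database, accounts whose only credential is SCRAM-SHA-1 (the server shown is 4.2, which supports SCRAM-SHA-256), and the presence of more than one root account. The check names and thresholds are this example's own.

```javascript
// Added example, not code from the original post: audit the documents that
// `show users` prints for accounts worth a second look. The user list is
// constructed from the post's output with the userId fields omitted; the
// checks and their names are this example's own.

// Roles that reach beyond a single database.
const BROAD_ROLES = new Set([
  "root", "clusterAdmin", "readAnyDatabase", "readWriteAnyDatabase",
  "userAdminAnyDatabase", "dbAdminAnyDatabase",
]);

const SHOW_USERS_OUTPUT = [
  { _id: "admin.admin", user: "admin", db: "admin",
    roles: [{ role: "root", db: "admin" }], mechanisms: ["SCRAM-SHA-1"] },
  { _id: "admin.lisi", user: "lisi", db: "admin",
    roles: [{ role: "read", db: "01db" }, { role: "readWrite", db: "02db" },
            { role: "dbAdmin", db: "03db" }, { role: "userAdmin", db: "04db" }],
    mechanisms: ["SCRAM-SHA-1"] },
  { _id: "admin.manage", user: "manage", db: "admin",
    roles: [{ role: "root", db: "admin" }], mechanisms: ["SCRAM-SHA-1"] },
  { _id: "admin.micvs", user: "micvs", db: "admin",
    roles: [{ role: "dbAdminAnyDatabase", db: "admin" }],
    mechanisms: ["SCRAM-SHA-1", "SCRAM-SHA-256"] },
  { _id: "admin.zhangsan", user: "zhangsan", db: "admin",
    roles: [{ role: "readWrite", db: "mongdb" }], mechanisms: ["SCRAM-SHA-1"] },
];

// Names of the accounts that hold root.
function rootAccounts(users) {
  return users.filter(u => u.roles.some(r => r.role === "root")).map(u => u.user);
}

// One finding object per issue. Three checks:
//  - broad-role: the account holds a role that spans all databases
//  - sha1-only:  the account has no SCRAM-SHA-256 credential
//  - extra-root: more than one account holds root; each one is a full
//                superuser and each should be justified
function auditUsers(users) {
  const findings = [];
  for (const u of users) {
    const broad = u.roles.filter(r => BROAD_ROLES.has(r.role)).map(r => r.role);
    if (broad.length > 0) {
      findings.push({ user: u._id, issue: "broad-role", detail: broad.join(",") });
    }
    if (!u.mechanisms.includes("SCRAM-SHA-256")) {
      findings.push({ user: u._id, issue: "sha1-only", detail: u.mechanisms.join(",") });
    }
  }
  const roots = rootAccounts(users);
  if (roots.length > 1) {
    findings.push({ user: roots.join(","), issue: "extra-root",
                    detail: `${roots.length} root accounts` });
  }
  return findings;
}

// Count findings per issue for a one-line summary.
function summarize(findings) {
  const out = {};
  for (const f of findings) out[f.issue] = (out[f.issue] || 0) + 1;
  return out;
}

const FINDINGS = auditUsers(SHOW_USERS_OUTPUT);
console.log(summarize(FINDINGS));
// { 'broad-role': 3, 'sha1-only': 4, 'extra-root': 1 }
```

For the listing above, the audit reports three broad-role accounts (admin, manage, micvs), four accounts with only a SCRAM-SHA-1 credential, and two root accounts (admin and manage).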
Original source: https://mp.weixin.qq.com/s/YWcwaPIQDP6ln_6qtvnsOA

Author: 艾瑞可erik

Link to this post: https://erik.xyz/2020/06/20/mongodb-user-rbc/

License: This work is licensed under the Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License. Please credit the source when reposting.