MongoDB 3.x user authentication

MongoDB supports several authentication mechanisms, such as password authentication, Kerberos and LDAP. This post covers password authentication, which is by far the most widely used; it is enabled by starting mongod with the --auth option.

Creating the administrator user

Before enabling authentication you must create an administrator user that holds the userAdminAnyDatabase role. This role grants the right to manage users; note that it is not the most powerful role.

use admin
switched to db admin
db.createUser(
...   {
...     user: 'admin',
...     pwd: 'admin',
...     roles: [ { role: "userAdminAnyDatabase", db: "admin" } ]
...   }
... )
Successfully added user: {
    "user" : "admin",
    "roles" : [
        {
            "role" : "userAdminAnyDatabase",
            "db" : "admin"
        }
    ]
}

Built-in roles:

1. Database user roles: read, readWrite
2. Database administration roles: dbAdmin, dbOwner, userAdmin
3. Cluster administration roles: clusterAdmin, clusterManager, clusterMonitor, hostManager
4. Backup and restore roles: backup, restore
5. All-database roles: readAnyDatabase, readWriteAnyDatabase, userAdminAnyDatabase, dbAdminAnyDatabase
6. Superuser role: root (a user holding the dbOwner, userAdmin and userAdminAnyDatabase roles is directly or indirectly given system superuser access)

What each role allows:

read: read the specified database
readWrite: read and write the specified database
dbAdmin: perform administrative tasks in the specified database, such as creating and dropping indexes, viewing statistics or accessing system.profile
userAdmin: write to the system.users collection, i.e. create, drop and manage users in the specified database
clusterAdmin: available only in the admin database; grants administrative rights over all sharding and replica set functions
readAnyDatabase: available only in the admin database; grants read access to all databases
readWriteAnyDatabase: available only in the admin database; grants read and write access to all databases
userAdminAnyDatabase: available only in the admin database; grants userAdmin rights on all databases
dbAdminAnyDatabase: available only in the admin database; grants dbAdmin rights on all databases
root: available only in the admin database; the superuser account with full privileges

Restart mongod with the auth option enabled

mongod --auth

Open the mongo shell and try to list the databases: the command fails with a permission error.

[mongo@mongo ~]$ mongodb/bin/mongo
MongoDB shell version v3.4.1
connecting to: mongodb://127.0.0.1:27017
MongoDB server version: 3.4.1
> show dbs
2016-12-26T12:18:56.060+0800 E QUERY    [main] Error: listDatabases failed:{
        "ok" : 0,
        "errmsg" : "not authorized on admin to execute command { listDatabases: 1.0 }",
        "code" : 13,
        "codeName" : "Unauthorized"
} :
_getErrorWithCode@src/mongo/shell/utils.js:25:13
Mongo.prototype.getDBs@src/mongo/shell/mongo.js:62:1
shellHelper.show@src/mongo/shell/utils.js:755:19
shellHelper@src/mongo/shell/utils.js:645:15
@(shellhelp2):1:1

Switch to the admin database and authenticate as the admin user; a return value of 1 means authentication succeeded.

> use admin
switched to db admin
> db.auth('admin','123456')
1

Switch to the test database and create a new user

> use test
switched to db test
> db
test
> db.createUser({
... user:'weiyang',
... pwd:'weiyang',
... roles:[{role:'readWrite',db:'test'}]
... })
Successfully added user: {
        "user" : "weiyang",
        "roles" : [
                {
                        "role" : "readWrite",
                        "db" : "test"
                }
        ]
}

List the users of the current database

> show users
{
        "_id" : "test.weiyang",
        "user" : "weiyang",
        "db" : "test",
        "roles" : [
                {
                        "role" : "readWrite",
                        "db" : "test"
                }
        ]
}

Insert a document into the test database

> db.test.insert({a:'1'})
WriteResult({
        "writeError" : {
                "code" : 13,
                "errmsg" : "not authorized on test to execute command { insert: \"test\", documents: [ { _id: ObjectId('58609da684679bee11c966b4'), a: \"1\" } ], ordered: true }"
        }
})

The insert fails with a permission error. Even though the new user was created with the appropriate role, the session has not yet authenticated as that user in the current database. Authenticate as the user, then insert a document and read it back.

> db.auth('weiyang','weiyang')
1
> db.test.insert({a:'1'})
WriteResult({ "nInserted" : 1 })
> db.test.find()
{ "_id" : ObjectId("58609ef384679bee11c966b5"), "a" : "1" }

An account created in admin cannot authenticate directly against another database: you authenticate in the database where the account was created and then switch to the other database to work.

> use admin
switched to db admin
> db.createUser({
... ... ... user:'dba',
... ... ... pwd:'dba',
... roles:[{role:'readWrite',db:'test'}]
... })
Successfully added user: {
        "user" : "dba",
        "roles" : [
                {
                        "role" : "readWrite",
                        "db" : "test"
                }
        ]
}

> use test
switched to db test
> db.auth('ada','dba')
Error: Authentication failed.
0

The dba user that was added in the admin database cannot authenticate in the test database.
This shows that an account is tied to the database it was created in: authenticate where it was created.
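The whole walkthrough can be replayed offline with a small model of how MongoDB looks up users and checks roles. This is an added example written for this post, not code from the original or from MongoDB itself: it keeps an in-memory copy of the users created above, compares passwords in the clear as a stand-in for the real SCRAM verifier so that the scoping rules stay in focus, and the role-to-action table is a deliberate simplification of the built-in roles listed earlier.

```javascript
// Added example (not from the original post): an in-memory model of how
// MongoDB 3.x resolves authentication and authorization, built to show the
// two lessons of the walkthrough:
//   1. a user can only authenticate against the database it was created in
//      (its authentication database, encoded in system.users._id as "db.user");
//   2. a session that is not authenticated, or whose roles do not cover the
//      target database, gets "not authorized on <db> to execute command ...".
// Passwords are compared in the clear here purely to keep the model short;
// a real server stores SCRAM-SHA-1 verifiers, never the password.

// Constructed copy of the users created in the walkthrough (passwords are the
// ones passed to db.createUser in the post).
const SYSTEM_USERS = [
  { _id: "admin.admin",  user: "admin",   db: "admin", pwd: "admin",
    roles: [{ role: "userAdminAnyDatabase", db: "admin" }] },
  { _id: "test.weiyang", user: "weiyang", db: "test",  pwd: "weiyang",
    roles: [{ role: "readWrite", db: "test" }] },
  { _id: "admin.dba",    user: "dba",     db: "admin", pwd: "dba",
    roles: [{ role: "readWrite", db: "test" }] },
];

// Simplified action sets for the built-in roles that matter here.
// "*AnyDatabase" roles are only valid when granted in admin and apply to every
// database; the others apply only to the database named in the role grant.
const ROLE_ACTIONS = {
  read:                 ["find"],
  readWrite:            ["find", "insert", "update", "remove"],
  userAdmin:            ["createUser", "dropUser", "viewUser"],
  readAnyDatabase:      ["find"],
  readWriteAnyDatabase: ["find", "insert", "update", "remove"],
  userAdminAnyDatabase: ["createUser", "dropUser", "viewUser"],
};

// A session starts unauthenticated, like a fresh mongo shell under --auth.
function newSession() { return { principals: [] }; }

// db.auth(user, pwd) is evaluated against the *current* database: the lookup
// key is "<currentDb>.<user>", so a user created in admin is not found from test.
function auth(session, currentDb, user, pwd) {
  const doc = SYSTEM_USERS.find(u => u._id === `${currentDb}.${user}`);
  if (!doc || doc.pwd !== pwd) return 0;   // shell prints 0 after "Authentication failed."
  session.principals.push(doc);
  return 1;                                // shell prints 1 on success
}

// Does any authenticated principal hold a role that grants `action` on `targetDb`?
function isAuthorized(session, targetDb, action) {
  return session.principals.some(p => p.roles.some(({ role, db }) => {
    const actions = ROLE_ACTIONS[role] || [];
    if (!actions.includes(action)) return false;
    const anyDb = role.endsWith("AnyDatabase");
    return anyDb ? db === "admin" : db === targetDb;
  }));
}

// Mimics the outcome of e.g. db.<coll>.insert(...) issued against `targetDb`.
function runCommand(session, targetDb, action) {
  if (isAuthorized(session, targetDb, action)) return { ok: 1 };
  return { ok: 0, code: 13, codeName: "Unauthorized",
           errmsg: `not authorized on ${targetDb} to execute command { ${action} }` };
}

// Replays the post's scenarios and returns the outcome of each step.
function replayWalkthrough() {
  const s1 = newSession();                       // weiyang: insert before and after auth
  const beforeAuth = runCommand(s1, "test", "insert").ok;
  auth(s1, "test", "weiyang", "weiyang");
  const afterAuth = runCommand(s1, "test", "insert").ok;

  const s2 = newSession();                       // dba: wrong auth db, then the right one
  const dbaFromTest = auth(s2, "test", "dba", "dba");
  const dbaFromAdmin = auth(s2, "admin", "dba", "dba");
  const dbaInsertTest = runCommand(s2, "test", "insert").ok;
  const dbaInsertAdmin = runCommand(s2, "admin", "insert").ok;

  return { beforeAuth, afterAuth, dbaFromTest, dbaFromAdmin, dbaInsertTest, dbaInsertAdmin };
}

console.log(replayWalkthrough());
```

The model reproduces the post step by step: the insert as weiyang fails until db.auth succeeds in test; dba cannot authenticate from test but can from admin, and afterwards has readWrite on test only, not on admin, because the role grant names test.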

List all users

> use admin
switched to db admin
> db.system.users.find().pretty()
{
        "_id" : "admin.admin",
        "user" : "admin",
        "db" : "admin",
        "credentials" : {
                "SCRAM-SHA-1" : {
                        "iterationCount" : 10000,
                        "salt" : "eRoNrRq46X3/v8OVQuUeYg==",
                        "storedKey" : "LIWYhSFf410huy6q51o0riJGOj4=",
                        "serverKey" : "NH1ORreaf6ZirMQQaV7XaEHZ3ys="
                }
        },
        "roles" : [
                {
                        "role" : "userAdminAnyDatabase",
                        "db" : "admin"
                }
        ]
}
{
        "_id" : "sample.wei.yang",
        "user" : "wei.yang",
        "db" : "sample",
        "credentials" : {
                "SCRAM-SHA-1" : {
                        "iterationCount" : 10000,
                        "salt" : "8q+5f2aJocedFdT7QvxWCg==",
                        "storedKey" : "OgczIU984kXv63sN99gWQjdfpgs=",
                        "serverKey" : "q6DkTIYuWTZwZhrkm9CLnuAz0ps="
                }
        },
        "roles" : [
                {
                        "role" : "readWrite",
                        "db" : "sample"
                }
        ]
}
{
        "_id" : "admin.test",
        "user" : "test",
        "db" : "admin",
        "credentials" : {
                "SCRAM-SHA-1" : {
                        "iterationCount" : 10000,
                        "salt" : "OXd4mRMDW7Hjmv0yfffGZQ==",
                        "storedKey" : "MCNYJuS3L1GXOcH2Xmh0yd/7ta0=",
                        "serverKey" : "y0xBeQlsV0Aj7OZ8IGRPl/ZbuOA="
                }
        },
        "roles" : [
                {
                        "role" : "read",
                        "db" : "sample"
                },
                {
                        "role" : "readWrite",
                        "db" : "admin"
                }
        ]
}
{
        "_id" : "test.weiyang",
        "user" : "weiyang",
        "db" : "test",
        "credentials" : {
                "SCRAM-SHA-1" : {
                        "iterationCount" : 10000,
                        "salt" : "ld1LSq7L+Q8EF22hzpgK3w==",
                        "storedKey" : "8rrE+/0V+QIjfRcVKGE+LSE5iyU=",
                        "serverKey" : "7S93z95RBxcQDEyx85MFK1QFhYE="
                }
        },
        "roles" : [
                {
                        "role" : "readWrite",
                        "db" : "test"
                }
        ]
}
{
        "_id" : "admin.dba",
        "user" : "dba",
        "db" : "admin",
        "credentials" : {
                "SCRAM-SHA-1" : {
                        "iterationCount" : 10000,
                        "salt" : "O0SpJWwT5Md7IQD7cCD/pw==",
                        "storedKey" : "7lXc1VBmBJ+WNQFyLtlBo/oEMK4=",
                        "serverKey" : "+PCmRcu2WuWTLUiA2xOYDFtqTGc="
                }
        },
        "roles" : [
                {
                        "role" : "readWrite",
                        "db" : "test"
                }
        ]
}

User and role methods

See the official documentation for details:
https://docs.mongodb.com/manual/reference/method/#role-management

Role Management

Name Description
db.createRole() Creates a role and specifies its privileges.
db.updateRole() Updates a user-defined role.
db.dropRole() Deletes a user-defined role.
db.dropAllRoles() Deletes all user-defined roles associated with a database.
db.grantPrivilegesToRole() Assigns privileges to a user-defined role.
db.revokePrivilegesFromRole() Removes the specified privileges from a user-defined role.
db.grantRolesToRole() Specifies roles from which a user-defined role inherits privileges.
db.revokeRolesFromRole() Removes inherited roles from a role.
db.getRole() Returns information for the specified role.
db.getRoles() Returns information for all the user-defined roles in a database.

User Management

Name Description
db.auth() Authenticates a user to a database.
db.createUser() Creates a new user.
db.updateUser() Updates user data.
db.changeUserPassword() Changes an existing user’s password.
db.removeUser() Deprecated. Removes a user from a database.
db.dropAllUsers() Deletes all users associated with a database.
db.dropUser() Removes a single user.
db.grantRolesToUser() Grants a role and its privileges to a user.
db.revokeRolesFromUser() Removes a role from a user.
db.getUser() Returns information about the specified user.
db.getUsers() Returns information about all users associated with a database.

Reposted from blog.csdn.net/uevol14/article/details/53885779