I. User authentication
--auth: add --auth to the mongod start-up options; once mongodb starts, the authorization module is enabled.
Although the local machine can still connect to the database after the auth module is enabled, it no longer has permission to insert, delete, update or query, so a superuser should be created before the auth module is turned on.
--keyFile
This parameter must be used as well.
Both can be controlled from the configuration file, with the following settings:
security.authorization: identical in function to --auth. Starting with MongoDB 2.6, the mongod/mongos start-up configuration file also accepts YAML syntax, for example:
security:
  authorization: enabled
security.keyFile: identical in function to --keyFile. Starting with MongoDB 2.6, the mongod/mongos start-up configuration file also accepts YAML syntax, for example:
security:
  keyFile: /srv/mongodb/keyfile
Since version 3.0, mongodb has a built-in root role, which combines the privileges of the four roles readWriteAnyDatabase, dbAdminAnyDatabase, userAdminAnyDatabase and clusterAdmin, similar to Oracle's sysdba role; unlike Oracle, though, the MongoDB superuser's name can be anything you choose:
> use admin
switched to db admin
> db.createUser(
... {
... user: "ljaiadmin",
... pwd: "123456",
... roles: [ { role: "root", db: "admin" } ]
... }
... )
After restarting the mongod process, verify the permissions:
> use admin
switched to db admin
> db.auth('ljaiadmin','123456')    (note: switch to admin and authenticate there)
1
> show dbs
> use admin
switched to db admin
> show users
Create an ordinary user:
use reporting
db.createUser(
  {
    user: "reportsUser",
    pwd: "12345678",
    roles: [
      { role: "read", db: "reporting" },
      { role: "read", db: "products" },
      { role: "read", db: "sales" },
      { role: "readWrite", db: "accounts" }
    ]
  }
)
II. Roles
(1). Database user roles
Controlled per database.
read: grants reading of all non-system collections, plus the system collections system.indexes, system.js and system.namespaces.
readWrite: includes all read privileges, plus the ability to modify all non-system collections and the system collection system.js.
(2). Database administration roles
Every database contains the following database administration roles.
dbOwner: the owner of the database, holding all privileges on that database.
dbAdmin: administrative operations on some database objects, but no read/write access to the data. (See: http://docs.mongodb.org/manual/reference/built-in-roles/#dbAdmin)
userAdmin: creates and modifies users and roles on the current database. A user holding userAdmin can grant any privilege on that database to any user.
(3). Cluster administration roles
The admin database contains the following roles, used to manage the whole system rather than a single database. These privileges cover the administrative functions of replica sets and sharded clusters.
clusterAdmin: provides the broadest cluster administration capability, equivalent to the combination of clusterManager, clusterMonitor, hostManager and dropDatabase.
clusterManager: management and monitoring operations for clusters and replica sets. A user holding this role can operate on the config and local databases (i.e. the sharding and replication functions).
clusterMonitor: monitoring only, for clusters and replica sets.
hostManager: privileges to monitor and manage servers, including shutting down nodes, logrotate, repairDatabase and so on.
Backup and restore privileges: the admin database contains roles for backing up and restoring data, namely backup, restore and so on.
(4). All-database roles
The admin database provides roles whose privileges span every database in a mongod instance:
readAnyDatabase: read privileges on every database, excluding the databases the cluster itself uses.
readWriteAnyDatabase: readWrite privileges on every database, excluding the databases the cluster itself uses.
userAdminAnyDatabase: userAdmin privileges on every database, excluding the databases the cluster itself uses.
dbAdminAnyDatabase: dbAdmin privileges on every database, excluding the databases the cluster itself uses.
(5). Superuser privileges
root: dbAdmin on the admin database, userAdmin on the admin database, plus userAdminAnyDatabase. It does not carry backup/restore privileges or direct access to the system.* collections, but a superuser holding root can grant those privileges to itself.
(6). Backup and restore roles: backup, restore;
(7). Internal role: __system
三、相關(guān)命令
除了 db.createUser(), 下面幾個函數(shù)也是常用的:
創(chuàng)建角色: db.createRole()
更新角色:db.updateRole()
刪除角色:db.dropRole()
獲得某個角色信息: db.getRole()
更改密碼:db.changeUserPassword("userName","newPwd")
獲得“當前數(shù)據(jù)庫”的所有用戶權(quán)限信息:db.getUsers()
獲得“某個指定用戶”的權(quán)限信息:db.getUser("userName")
例:
> use company switched to db company > db.createUser( ... {user:"user01",pwd:"123", ... roles:[{"role":"readWrite",db:"company"}] ... }) Successfully added user: { "user" : "user01", "roles" : [ { "role" : "readWrite", "db" : "company" } ] } > db.getUsers() #查看當前DB的users .............. > db.auth("user01","123") 1 > db.changeUserPassword("user01","456") #更改用戶密碼 > db.auth("user01","456") 1 >刪除用戶:db.dropUser()
例:
> use company switched to db company > db.dropUser("user01") #刪除當前庫的user true >刪除所有用戶: db.dropAllUsers()
將指定角色賦予給用戶:
db.grantRolesToUser("userName",[ {"role":"roleName1","db":"dbName"},{"role":"roleName2","db":"dbName"}... ])
撤銷某個用戶的某個角色權(quán)限:
db.revokeRolesFromUser("userName",[ {"role":"roleName1","db":"dbName"},{"role":"roleName2","db":"dbName"}... ])
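The role hierarchy of section II and the grant/revoke commands of section III, as an added Python example that is not code from the original article: it expands a user's role list through the inclusions the article describes, mimics db.grantRolesToUser() and db.revokeRolesFromUser() on a user document shaped like db.system.users output, and flags users whose roles let them hand out privileges to others. The role compositions follow the article's text (dbOwner's is taken from the MongoDB docs) and are an assumption, since a live server's definitions vary by version; the user documents are constructed.

```python
# Added example (not the article's code): model the article's role hierarchy,
# mimic grant/revoke and audit a system.users listing. Compositions follow the
# article's text (dbOwner's from the MongoDB docs); real servers vary by version.
ROLE_INCLUDES = {
    "root": ["readWriteAnyDatabase", "dbAdminAnyDatabase",
             "userAdminAnyDatabase", "clusterAdmin"],
    "clusterAdmin": ["clusterManager", "clusterMonitor", "hostManager"],
    "dbOwner": ["readWrite", "dbAdmin", "userAdmin"],
    "readWrite": ["read"],
}
# Holders of these roles can create users or grant any role: effectively admins.
ESCALATION_ROLES = {"root", "userAdmin", "userAdminAnyDatabase", "dbOwner", "__system"}

def expand_roles(roles):
    """Return every role name reachable from a user's role list."""
    seen, stack = set(), [r["role"] for r in roles]
    while stack:
        role = stack.pop()
        if role not in seen:
            seen.add(role)
            stack.extend(ROLE_INCLUDES.get(role, []))
    return seen

def grant_roles(user_doc, new_roles):
    """Like db.grantRolesToUser(): append (role, db) pairs not already held."""
    held = {(r["role"], r["db"]) for r in user_doc["roles"]}
    for r in new_roles:
        if (r["role"], r["db"]) not in held:
            user_doc["roles"].append({"role": r["role"], "db": r["db"]})
    return user_doc

def revoke_roles(user_doc, old_roles):
    """Like db.revokeRolesFromUser(): drop the listed (role, db) pairs."""
    drop = {(r["role"], r["db"]) for r in old_roles}
    user_doc["roles"] = [r for r in user_doc["roles"]
                         if (r["role"], r["db"]) not in drop]
    return user_doc

def audit_users(user_docs):
    """List users whose effective roles let them grant privileges to others."""
    findings = []
    for u in user_docs:
        risky = expand_roles(u["roles"]) & ESCALATION_ROLES
        if risky:
            findings.append(f"{u['_id']}: can grant roles via {sorted(risky)}")
    return findings

# Constructed user documents shaped like the transcript's db.system.users output.
USERS = [
    {"_id": "admin.admin", "user": "admin", "db": "admin", "roles": [{"role": "root", "db": "admin"}]},
    {"_id": "person.person", "user": "person", "db": "person", "roles": [{"role": "readWrite", "db": "person"}]},
]
```

Running audit_users(USERS) reports only admin.admin; granting the person user dbAdmin, as the transcript does, does not change that, while granting it userAdmin would.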
IV. Example:
[root@meteor ~]# service mongod start
Starting mongod: [確定]
[root@meteor ~]# mongo localhost:27027
MongoDB shell version: 3.2.8
connecting to: localhost:27027/test
Server has startup warnings:
> use admin
switched to db admin
> db.createUser(
... {user:"admin",pwd:"123456",
... roles:[{role:"root",db:"admin"}]
... })
Successfully added user: {
"user" : "admin",
"roles" : [
{
"role" : "root",
"db" : "admin"
} ] }
> use person
switched to db person
> db.p1.insert({name:"thompson",gender:"male",age:"24"})
WriteResult({ "nInserted" : 1 })
> db.p1.find()
{ "_id" : ObjectId("57a2a28aa6d4803a1c952529"), "name" : "thompson", "gender" : "male", "age" : "24" }
> exit
bye
[root@meteor ~]# mongo localhost:27027
MongoDB shell version: 3.2.8
connecting to: localhost:27027/test
> show dbs;
admin 0.000GB
local 0.000GB
person 0.000GB
> exit
bye
[root@meteor ~]# vim /etc/mongod.conf
[root@meteor ~]# sed -n '32,33p' /etc/mongod.conf    (authentication must be enabled)
security:
  authorization: enabled
[root@meteor ~]# service mongod restart    (after changing the configuration file, mongod must be restarted for it to take effect)
Stopping mongod: [確定]
Starting mongod: [確定]
[root@meteor ~]# mongo localhost:27027
MongoDB shell version: 3.2.8
connecting to: localhost:27027/test
> show dbs    (without authentication the system reports an error)
2016-08-04T10:06:08.491+0800 E QUERY [thread1] Error: listDatabases failed:{
"ok" : 0,
"errmsg" : "not authorized on admin to execute command { listDatabases: 1.0 }",
"code" : 13
} :
_getErrorWithCode@src/mongo/shell/utils.js:25:13
Mongo.prototype.getDBs@src/mongo/shell/mongo.js:62:1
shellHelper.show@src/mongo/shell/utils.js:761:19
shellHelper@src/mongo/shell/utils.js:651:15
@(shellhelp2):1:1
> use admin
switched to db admin
> db.auth("admin","123456")    (authenticate)
1
> use person
switched to db person
> db.createUser(    (create a new user)
... {user:"person",pwd:"123",
... roles:[{role:"readWrite",db:"person"}]
... })
Successfully added user: {
"user" : "person",
"roles" : [
{
"role" : "readWrite",
"db" : "person"
} ] }
> use admin
switched to db admin
> db.system.users.find()
{ "_id" : "admin.admin", "user" : "admin", "db" : "admin", "credentials" : { "SCRAM-SHA-1" : { "iterationCount" : 10000, "salt" : "KFiaKAkrDqCJ/H8uIIhwzA==", "storedKey" : "faWxuPj1hZ4jV3VhL9Z0zylBL0Y=", "serverKey" : "qYSi5BRZY/GPTuBeF60KCvB5dqg=" } }, "roles" : [ { "role" : "root", "db" : "admin" } ] }
{ "_id" : "person.person", "user" : "person", "db" : "person", "credentials" : { "SCRAM-SHA-1" : { "iterationCount" : 10000, "salt" : "0tRiioYKdcx+On3uXgR/Sw==", "storedKey" : "8M69xFSgqniSeU7uvLqpzaclECs=", "serverKey" : "Znu2x5fAzMgrMKlxpj2I//1lcWc=" } }, "roles" : [ { "role" : "readWrite", "db" : "person" } ] }
> use person
switched to db person
> db.grantRolesToUser("person",[{role:"dbAdmin",db:"person"}])    (attach another role to the user)
> use admin
switched to db admin
> db.system.users.find()
{ "_id" : "admin.admin", "user" : "admin", "db" : "admin", "credentials" : { "SCRAM-SHA-1" : { "iterationCount" : 10000, "salt" : "KFiaKAkrDqCJ/H8uIIhwzA==", "storedKey" : "faWxuPj1hZ4jV3VhL9Z0zylBL0Y=", "serverKey" : "qYSi5BRZY/GPTuBeF60KCvB5dqg=" } }, "roles" : [ { "role" : "root", "db" : "admin" } ] }
{ "_id" : "person.person", "user" : "person", "db" : "person", "credentials" : { "SCRAM-SHA-1" : { "iterationCount" : 10000, "salt" : "0tRiioYKdcx+On3uXgR/Sw==", "storedKey" : "8M69xFSgqniSeU7uvLqpzaclECs=", "serverKey" : "Znu2x5fAzMgrMKlxpj2I//1lcWc=" } }, "roles" : [ { "role" : "dbAdmin", "db" : "person" }, { "role" : "readWrite", "db" : "person" } ] }
> use person
switched to db person
> db.revokeRolesFromUser("person",[{role:"dbAdmin",db:"person"}])    (revoke the user's role)
> use admin
switched to db admin
> db.system.users.find()
{ "_id" : "admin.admin", "user" : "admin", "db" : "admin", "credentials" : { "SCRAM-SHA-1" : { "iterationCount" : 10000, "salt" : "KFiaKAkrDqCJ/H8uIIhwzA==", "storedKey" : "faWxuPj1hZ4jV3VhL9Z0zylBL0Y=", "serverKey" : "qYSi5BRZY/GPTuBeF60KCvB5dqg=" } }, "roles" : [ { "role" : "root", "db" : "admin" } ] }
{ "_id" : "person.person", "user" : "person", "db" : "person", "credentials" : { "SCRAM-SHA-1" : { "iterationCount" : 10000, "salt" : "0tRiioYKdcx+On3uXgR/Sw==", "storedKey" : "8M69xFSgqniSeU7uvLqpzaclECs=", "serverKey" : "Znu2x5fAzMgrMKlxpj2I//1lcWc=" } }, "roles" : [ { "role" : "readWrite", "db" : "person" } ] }
> exit
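The transcript above turns on authorization by editing /etc/mongod.conf and restarting mongod. As an added Python example that is not part of the original article, the following checks a mongod.conf for that setting and for security.keyFile, and inspects the key file's permission bits; it parses only the security: block (a simplifying assumption), and the two sample configs are constructed to match the before and after states of the transcript.

```python
# Added example (not the article's code): check a mongod.conf for the settings
# the article covers, security.authorization and security.keyFile. Only the
# `security:` block is parsed, a small YAML subset (assumption); use PyYAML
# for arbitrary configs.
import stat

def parse_security_block(text):
    """Collect `key: value` pairs indented under a top-level `security:` line."""
    settings, in_block = {}, False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()      # drop comments, keep indentation
        if not line.strip():
            continue
        if not line.startswith((" ", "\t")):       # a new top-level section
            in_block = line.strip() == "security:"
            continue
        if in_block and ":" in line:
            key, value = line.strip().split(":", 1)
            settings[key.strip()] = value.strip()
    return settings

def audit_security(text, keyfile_mode=None):
    """Return findings; an empty list is the hardened state the transcript ends in.
    keyfile_mode is the key file's permission bits (e.g. 0o600), if known."""
    s = parse_security_block(text)
    findings = []
    if s.get("authorization") != "enabled":
        findings.append("security.authorization not enabled: any client that reaches "
                        "the port gets full access, as before the restart in the transcript")
    if "keyFile" not in s:
        findings.append("security.keyFile not set: replica set or sharded cluster "
                        "members cannot authenticate to each other")
    elif keyfile_mode is not None and keyfile_mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append("keyFile readable by group/other: mongod refuses such a key file")
    return findings

# Constructed configs: the state before the edit in the transcript, and after it
# (keyFile added, as in the article's YAML example).
BEFORE = "storage:\n  dbPath: /var/lib/mongo\n#security:\n#  authorization: enabled\n"
AFTER = ("storage:\n  dbPath: /var/lib/mongo\n"
         "security:\n  authorization: enabled\n  keyFile: /srv/mongodb/keyfile\n")

if __name__ == "__main__":
    print(audit_security(BEFORE))                      # two findings
    print(audit_security(AFTER, keyfile_mode=0o600))   # []
```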
References:
https://docs.mongodb.com/manual/tutorial/create-users/
https://docs.mongodb.com/manual/reference/configuration-options/#security.authorization