Today I want to talk about how user permissions are controlled in MongoDB. Many people may not know this area well, so to help you understand it I have summarized the following; I hope you get something out of this article.
The syntax for creating a user in MongoDB differs between versions. The version used here is 3.0.6. Before 3.0 the call was db.addUser(); from 3.0 on it is db.createUser(). Calling db.addUser() on 3.0 or later fails with the following error:
    > db.addUser('dba','dba')
    2017-11-17T13:17:08.001+0800 E QUERY    TypeError: Property 'addUser' of object admin is not a function
如果數(shù)據(jù)庫(kù)中還沒(méi)有添加任何用戶,要想新創(chuàng)建一個(gè)用戶,要先把a(bǔ)uth認(rèn)證停掉,在進(jìn)入數(shù)據(jù)庫(kù),也就是讓auth=false。
    [root@MidApp mongodb]# cat mongodb.conf   # configuration file
    dbpath=/data/db
    logpath=/usr/local/mongodb/logs/mongodb.log
    logappend=true
    port=27000
    fork=true
    auth=false
    nohttpinterface=false
    bind_ip=192.168.221.161
    journal=false
    quiet=true
Log in to the database. Only one database is listed; the admin database is not shown yet:
    [root@MidApp mongodb]# mongo 192.168.221.161:27000
    MongoDB shell version: 3.0.6
    connecting to: 192.168.221.161:27000/test
    > show dbs
    local  0.078GB
現(xiàn)在需要?jiǎng)?chuàng)建一個(gè)帳號(hào),該賬號(hào)需要有g(shù)rant權(quán)限,即:賬號(hào)管理的授權(quán)權(quán)限。注意一點(diǎn),mongodb帳號(hào)是跟著庫(kù)走的,所以在指定庫(kù)里授權(quán),必須也在指定庫(kù)里驗(yàn)證(auth)
    > use admin
    switched to db admin
    > db.createUser({user:"dba",pwd:"dba",roles:[{role:"userAdminAnyDatabase",db:"admin"}]})
    Successfully added user: { "user" : "dba", "roles" : [ { "role" : "userAdminAnyDatabase", "db" : "admin" } ] }
    > db.system.users.find()
    { "_id" : "admin.dba", "user" : "dba", "db" : "admin", "credentials" : { "SCRAM-SHA-1" : { "iterationCount" : 10000, "salt" : "MXvU7oJanxW7gPw+NwI7rw==", "storedKey" : "lTPmK31qbk1YKmx5stmYiphsQZE=", "serverKey" : "gVovcstiwC0nuU6LTXZAiWkucfA=" } }, "roles" : [ { "role" : "userAdminAnyDatabase", "db" : "admin" } ] }
    > db.system.users.find().pretty()
    {
        "_id" : "admin.dba",
        "user" : "dba",
        "db" : "admin",
        "credentials" : {
            "SCRAM-SHA-1" : {
                "iterationCount" : 10000,
                "salt" : "MXvU7oJanxW7gPw+NwI7rw==",
                "storedKey" : "lTPmK31qbk1YKmx5stmYiphsQZE=",
                "serverKey" : "gVovcstiwC0nuU6LTXZAiWkucfA="
            }
        },
        "roles" : [
            {
                "role" : "userAdminAnyDatabase",
                "db" : "admin"
            }
        ]
    }
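The credentials sub-document above is worth a closer look: system.users does not hold the password "dba", it holds a SCRAM-SHA-1 verifier (salt, iteration count, storedKey, serverKey). The Python script below is an added example, not code from the article or from MongoDB; it re-derives those two keys from the user name, password, salt and iteration count shown above, using MongoDB's SCRAM-SHA-1 derivation (the MD5 of "user:mongo:password" is fed into PBKDF2-HMAC-SHA1). The function names are this example's own.

```python
"""Re-derive the SCRAM-SHA-1 verifier that MongoDB 3.0 stores in system.users.

Added example using only the Python standard library; not MongoDB's own code.
What the server keeps for a user is not the password but:
    saltedPassword = PBKDF2-HMAC-SHA1(hexMD5("<user>:mongo:<password>"), salt, iterationCount, 20)
    storedKey      = SHA1(HMAC-SHA1(saltedPassword, "Client Key"))
    serverKey      = HMAC-SHA1(saltedPassword, "Server Key")
The MD5 pre-hash of "<user>:mongo:<password>" is MongoDB's SCRAM-SHA-1 specific step,
kept for compatibility with the older MONGODB-CR mechanism.
"""
import base64
import hashlib
import hmac


def mongo_scram_sha1_credentials(user: str, password: str, salt: bytes, iterations: int) -> dict:
    """Compute the credentials sub-document MongoDB would store for this user/password/salt."""
    pre_hash = hashlib.md5(f"{user}:mongo:{password}".encode("utf-8")).hexdigest().encode("utf-8")
    salted_password = hashlib.pbkdf2_hmac("sha1", pre_hash, salt, iterations, dklen=20)
    client_key = hmac.new(salted_password, b"Client Key", hashlib.sha1).digest()
    server_key = hmac.new(salted_password, b"Server Key", hashlib.sha1).digest()
    stored_key = hashlib.sha1(client_key).digest()
    return {
        "iterationCount": iterations,
        "salt": base64.b64encode(salt).decode("ascii"),
        "storedKey": base64.b64encode(stored_key).decode("ascii"),
        "serverKey": base64.b64encode(server_key).decode("ascii"),
    }


def verify_password(user: str, password: str, stored: dict) -> bool:
    """Does this user/password pair reproduce the stored verifier?

    This is an offline check of the derivation; in the real SCRAM handshake the
    password never crosses the wire, the client proves knowledge of ClientKey instead.
    """
    salt = base64.b64decode(stored["salt"])
    derived = mongo_scram_sha1_credentials(user, password, salt, stored["iterationCount"])
    return hmac.compare_digest(derived["storedKey"], stored["storedKey"]) and hmac.compare_digest(
        derived["serverKey"], stored["serverKey"]
    )


# The "SCRAM-SHA-1" sub-document exactly as the db.system.users.find() output above printed it.
PAGE_CREDENTIALS = {
    "iterationCount": 10000,
    "salt": "MXvU7oJanxW7gPw+NwI7rw==",
    "storedKey": "lTPmK31qbk1YKmx5stmYiphsQZE=",
    "serverKey": "gVovcstiwC0nuU6LTXZAiWkucfA=",
}

if __name__ == "__main__":
    print("dba / dba   ->", verify_password("dba", "dba", PAGE_CREDENTIALS))    # True
    print("dba / Dba   ->", verify_password("dba", "Dba", PAGE_CREDENTIALS))    # False
    print("admin / dba ->", verify_password("admin", "dba", PAGE_CREDENTIALS))  # False: the user name is part of the hash
```

Running it reproduces the storedKey and serverKey from the find() output. It also shows why a password as short as "dba" is a poor choice even though it is never stored: salt and iteration count sit in the clear next to the verifier, so the verifier can be tested offline against candidate passwords. Keep system.users readable only by the user-administration roles and give administrative accounts long passwords.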
As you can see, a user dba with password dba was created, holding the userAdminAnyDatabase role on the admin database. Now let's look at MongoDB's built-in roles:
1. 數(shù)據(jù)庫(kù)用戶角色:read、readWrite; 2. 數(shù)據(jù)庫(kù)管理角色:dbAdmin、dbOwner、userAdmin; 3. 集群管理角色:clusterAdmin、clusterManager、clusterMonitor、hostManager; 4. 備份恢復(fù)角色:backup、restore; 5. 所有數(shù)據(jù)庫(kù)角色:readAnyDatabase、readWriteAnyDatabase、userAdminAnyDatabase、dbAdminAnyDatabase 6. 超級(jí)用戶角色:root // 這里還有幾個(gè)角色間接或直接提供了系統(tǒng)超級(jí)用戶的訪問(wèn)(dbOwner 、userAdmin、userAdminAnyDatabase) 7. 內(nèi)部角色:__system
Here are the role definitions in detail:
read: lets the user read the specified database
readWrite: lets the user read and write the specified database
dbAdmin: lets the user run administrative functions in the specified database, such as creating and dropping indexes, viewing statistics, or accessing system.profile
userAdmin: lets the user write to the system.users collection, i.e. create, drop and manage users in the specified database
clusterAdmin: only available in the admin database; grants administrative rights over all sharding and replica-set functions
readAnyDatabase: only available in the admin database; grants read access to all databases
readWriteAnyDatabase: only available in the admin database; grants read and write access to all databases
userAdminAnyDatabase: only available in the admin database; grants userAdmin rights on all databases
dbAdminAnyDatabase: only available in the admin database; grants dbAdmin rights on all databases
root: only available in the admin database; the superuser account with full privileges
Now turn the auth parameter on (auth=true) and verify.
    [root@MidApp mongodb]# mongo 192.168.221.161:27000
    MongoDB shell version: 3.0.6
    connecting to: 192.168.221.161:27000/test
    > show dbs   # not authenticated, so no privileges
    2017-11-17T13:04:35.357-0800 E QUERY    Error: listDatabases failed:{ "ok" : 0, "errmsg" : "not authorized on admin to execute command { listDatabases: 1.0 }", "code" : 13 }
        at Error ()
        at Mongo.getDBs (src/mongo/shell/mongo.js:47:15)
        at shellHelper.show (src/mongo/shell/utils.js:630:33)
        at shellHelper (src/mongo/shell/utils.js:524:36)
        at (shellhelp2):1:1 at src/mongo/shell/mongo.js:47
    > use admin   # the account was created in the admin database, so switch to admin to authenticate
    switched to db admin
    > db.auth('dba','dba')
    1
    > show dbs
    admin  0.078GB
    local  0.078GB
As shown, the dba user authenticates successfully. Next I create two more users to check the permissions of the other roles: a read-only user and a read-write user.
    > use test;
    switched to db test
    > db.createUser({user:"zduser",pwd:"zduser",roles:[{role:"read",db:"test"}]})
    Successfully added user: { "user" : "zduser", "roles" : [ { "role" : "read", "db" : "test" } ] }
    > db.createUser({user:"dxuser",pwd:"dxuser",roles:[{role:"readWrite",db:"test"}]})
    Successfully added user: { "user" : "dxuser", "roles" : [ { "role" : "readWrite", "db" : "test" } ] }
    > show users;
    { "_id" : "test.zduser", "user" : "zduser", "db" : "test", "roles" : [ { "role" : "read", "db" : "test" } ] }
    { "_id" : "test.dxuser", "user" : "dxuser", "db" : "test", "roles" : [ { "role" : "readWrite", "db" : "test" } ] }
    >
Create a collection in the test database and verify the permissions of these two users:
    > show tables;   # userAdminAnyDatabase only covers user management and grants nothing else
    2017-11-17T13:47:39.845-0800 E QUERY    Error: listCollections failed: { "ok" : 0, "errmsg" : "not authorized on test to execute command { listCollections: 1.0 }", "code" : 13 }
        at Error ()
        at DB._getCollectionInfosCommand (src/mongo/shell/db.js:646:15)
        at DB.getCollectionInfos (src/mongo/shell/db.js:658:20)
        at DB.getCollectionNames (src/mongo/shell/db.js:669:17)
        at shellHelper.show (src/mongo/shell/utils.js:625:12)
        at shellHelper (src/mongo/shell/utils.js:524:36)
        at (shellhelp2):1:1 at src/mongo/shell/db.js:646
    > exit
    bye
    [root@MidApp mongodb]# mongo 192.168.221.161:27000   # log in again
    MongoDB shell version: 3.0.6
    connecting to: 192.168.221.161:27000/test
    > use test
    switched to db test
    > db.tb1.insert({"a":1,"b":2})   # first try an insert without authenticating
    WriteResult({
        "writeError" : {
            "code" : 13,
            "errmsg" : "not authorized on test to execute command { insert: \"tb1\", documents: [ { _id: ObjectId('5a0f595b3b6523dcb81d4f76'), a: 1.0, b: 2.0 } ], ordered: true }"
        }
    })
    > db.auth('dxuser','dxuser')   # authenticate as the read-write user
    1
    > db.tb1.insert({"a":1,"b":2})   # inserts are allowed
    WriteResult({ "nInserted" : 1 })
    > db.tb1.insert({"a":11,"b":22})
    WriteResult({ "nInserted" : 1 })
    > db.tb1.insert({"a":111,"b":222})
    WriteResult({ "nInserted" : 1 })
    > db.tb1.find()
    { "_id" : ObjectId("5a0f597f3b6523dcb81d4f77"), "a" : 1, "b" : 2 }
    { "_id" : ObjectId("5a0f59933b6523dcb81d4f78"), "a" : 11, "b" : 22 }
    { "_id" : ObjectId("5a0f59983b6523dcb81d4f79"), "a" : 111, "b" : 222 }
    > db.auth('zduser','zduser')   # switch to the read-only user
    1
    > db.tb1.insert({"a":1111,"b":2222})   # not authorized to insert
    WriteResult({
        "writeError" : {
            "code" : 13,
            "errmsg" : "not authorized on test to execute command { insert: \"tb1\", documents: [ { _id: ObjectId('5a0f59c63b6523dcb81d4f7a'), a: 1111.0, b: 2222.0 } ], ordered: true }"
        }
    })
    > db.tb1.find()   # reads are allowed
    { "_id" : ObjectId("5a0f597f3b6523dcb81d4f77"), "a" : 1, "b" : 2 }
    { "_id" : ObjectId("5a0f59933b6523dcb81d4f78"), "a" : 11, "b" : 22 }
    { "_id" : ObjectId("5a0f59983b6523dcb81d4f79"), "a" : 111, "b" : 222 }
    >
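The role table above and the sessions with dba, zduser and dxuser all follow one rule: a role grants a fixed set of actions, scoped either to the database it was granted in or, for the AnyDatabase roles and root (admin only), to every database, and a user authenticates only in the database it was created in. The Python script below is an added example, not code from the article or from MongoDB; it models that rule with a simplified role-to-action table (the action names and the table are this example's assumptions, not the server's privilege definitions) and replays the article's commands against it, including the denied ones.

```python
"""Toy model of MongoDB's built-in role checks under auth=true.

Added example, not MongoDB's own code. The role -> action table and action names are a
simplification of MongoDB's privilege model (an assumption of this example), chosen to
reproduce what the sessions above showed.
"""
from __future__ import annotations

from dataclasses import dataclass

READ_ACTIONS = frozenset({"find", "listCollections"})
WRITE_ACTIONS = frozenset({"insert", "update", "remove"})
DB_ADMIN_ACTIONS = frozenset({"createIndex", "dropIndex", "collStats", "dbStats"})
USER_ADMIN_ACTIONS = frozenset({"createUser", "dropUser", "grantRole", "revokeRole"})

# role -> (actions granted, scope). "db": only the database the role was granted on.
# "any": every database plus listDatabases on the cluster; only grantable in admin.
BUILTIN_ROLES = {
    "read": (READ_ACTIONS, "db"),
    "readWrite": (READ_ACTIONS | WRITE_ACTIONS, "db"),
    "dbAdmin": (DB_ADMIN_ACTIONS, "db"),
    "userAdmin": (USER_ADMIN_ACTIONS, "db"),
    "dbOwner": (READ_ACTIONS | WRITE_ACTIONS | DB_ADMIN_ACTIONS | USER_ADMIN_ACTIONS, "db"),
    "readAnyDatabase": (READ_ACTIONS, "any"),
    "readWriteAnyDatabase": (READ_ACTIONS | WRITE_ACTIONS, "any"),
    "dbAdminAnyDatabase": (DB_ADMIN_ACTIONS, "any"),
    "userAdminAnyDatabase": (USER_ADMIN_ACTIONS, "any"),
    "root": (READ_ACTIONS | WRITE_ACTIONS | DB_ADMIN_ACTIONS | USER_ADMIN_ACTIONS, "any"),
}


@dataclass(frozen=True)
class User:
    name: str
    db: str        # authentication database: the database the user was created in
    password: str  # plaintext only in this toy; a real server stores a SCRAM verifier
    roles: tuple[tuple[str, str], ...]  # (role, db) pairs, as in createUser's roles array


class UserStore:
    """Stand-in for system.users: keyed by "<db>.<name>" (the _id seen in the shell,
    e.g. "test.zduser"), so a user can only authenticate through its own database."""

    def __init__(self) -> None:
        self._users: dict[str, User] = {}

    def create_user(self, name: str, db: str, password: str, roles: list[tuple[str, str]]) -> User:
        for role, role_db in roles:
            if role not in BUILTIN_ROLES:
                raise ValueError(f"unknown role {role!r}")
            if BUILTIN_ROLES[role][1] == "any" and role_db != "admin":
                raise ValueError(f"{role!r} can only be granted in admin, not {role_db!r}")
        user = User(name, db, password, tuple(roles))
        self._users[f"{db}.{name}"] = user
        return user

    def auth(self, db: str, name: str, password: str) -> User | None:
        """db.auth(name, password) issued while `use db` is active; None mirrors the shell's 0."""
        user = self._users.get(f"{db}.{name}")
        return user if user is not None and user.password == password else None


def is_authorized(user: User | None, action: str, db: str) -> bool:
    """Would the server let `user` run `action` against database `db`?"""
    if user is None:
        return False  # not authenticated: every command fails with code 13
    for role, role_db in user.roles:
        actions, scope = BUILTIN_ROLES[role]
        if action == "listDatabases":
            if scope == "any":
                return True
            continue
        if action in actions and (scope == "any" or role_db == db):
            return True
    return False


def replay_page_sessions() -> dict[str, bool]:
    """The three users created above and the commands the sessions tried with them."""
    store = UserStore()
    store.create_user("dba", "admin", "dba", [("userAdminAnyDatabase", "admin")])
    store.create_user("zduser", "test", "zduser", [("read", "test")])
    store.create_user("dxuser", "test", "dxuser", [("readWrite", "test")])
    dba = store.auth("admin", "dba", "dba")
    zduser = store.auth("test", "zduser", "zduser")
    dxuser = store.auth("test", "dxuser", "dxuser")
    return {
        "unauthenticated show dbs": is_authorized(None, "listDatabases", "admin"),
        "dba show dbs": is_authorized(dba, "listDatabases", "admin"),
        "dba show tables in test": is_authorized(dba, "listCollections", "test"),
        "dba auth while in test db": store.auth("test", "dba", "dba") is not None,
        "dxuser insert into test": is_authorized(dxuser, "insert", "test"),
        "zduser insert into test": is_authorized(zduser, "insert", "test"),
        "zduser find in test": is_authorized(zduser, "find", "test"),
        "zduser find in another db": is_authorized(zduser, "find", "inventory"),
    }


if __name__ == "__main__":
    for check, allowed in replay_page_sessions().items():
        print(f"{check:28} {'ok' if allowed else 'not authorized (code 13)'}")
```

Running it prints one line per command with the same allow/deny outcome the shell reported. When reviewing a deployment, the is_authorized check is the habit worth keeping: list each account's roles and test the few actions that matter (insert, createUser, listDatabases) instead of assuming that an account described as "read-only" really is.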