MongoDB access control
Built-in roles (for the full list see https://docs.mongodb.com/manual/reference/built-in-roles):
read: read access to the specified database
readWrite: read and write access to the specified database
dbAdmin: administrative functions on the specified database, such as creating and dropping indexes, viewing statistics or accessing system.profile
userAdmin: write access to the system.users collection; can create, drop and manage users of the specified database. Because it may grant any role on that database, including to itself, treat it as a privileged role; userAdmin on the admin database is effectively superuser
clusterAdmin: only available in the admin database; grants all sharding and replica-set management functions
readAnyDatabase: only available in the admin database; grants read access to all databases
readWriteAnyDatabase: only available in the admin database; grants read and write access to all databases
userAdminAnyDatabase: only available in the admin database; grants userAdmin privileges on all databases
dbAdminAnyDatabase: only available in the admin database; grants dbAdmin privileges on all databases
root: only available in the admin database; the superuser role with full privileges
User documents are stored in the system.users collection of the admin database. Out of the box MongoDB does not enforce any authentication (security.authorization is disabled), which is not secure: anyone who can reach the port can read and write every database.
1. Add a database administrator user adminUser and an ordinary user herrywen. The administrator is created in the admin database; herrywen is created in the herrywen database, so that is the database it will later authenticate against (step 6).

mongo --port 27017
use admin
db.createUser({user: "adminUser", pwd: "adminPass", roles: [ { role: "userAdminAnyDatabase", db: "admin" } ]})
use herrywen
db.createUser( { user: "herrywen", pwd: "herrywen", roles: [ { role: "readWrite", db: "herrywen" }, { role: "read", db: "admin" } ] })

In mongo shell 4.2 and later you can write pwd: passwordPrompt() instead of a literal password so it does not end up in the shell history.
2. On 192.168.255.134, add the following to the configuration file to enable authorization (authorization must be indented under security in the YAML):

cat /etc/mongod.conf
security:
  authorization: enabled
3. Restart the mongod service (the unit name is mongod for the official packages, matching /etc/mongod.conf): systemctl restart mongod
4. Test whether access works now. Passing -p adminPass on the command line leaves the password in the shell history and the process list; give -p with no value and the shell prompts for it instead.

[root@worker1 ~]# mongo --host 192.168.255.134 --port 27017 -u adminUser -p adminPass --authenticationDatabase "admin"
MongoDB shell version v4.2.1
connecting to: mongodb://192.168.255.134:27017/?authSource=admin&compressors=disabled&gssapiServiceName=mongodb
Implicit session: session { "id" : UUID("f5114890-0b2e-43a2-8a60-a8b265e68a44") }
MongoDB server version: 4.2.1
MongoDB Enterprise > use admin;
switched to db admin
MongoDB Enterprise > show collections;
system.users
system.version
MongoDB Enterprise > exit
bye
5. If you connect without credentials, you can still switch to the admin database, but every command is refused (show collections only prints a warning that listCollections cannot be run). Authenticate with db.auth(). Note that db.auth() authenticates against the current database, so switch to the user's authentication database first.

[root@worker1 ~]# mongo --host 192.168.255.134 --port 27017
MongoDB shell version v4.2.1
connecting to: mongodb://192.168.255.134:27017/?compressors=disabled&gssapiServiceName=mongodb
Implicit session: session { "id" : UUID("9bcb1b37-7cfa-4aff-8947-6d633eee01be") }
MongoDB server version: 4.2.1
MongoDB Enterprise > use admin
switched to db admin
MongoDB Enterprise > show collections;
Warning: unable to run listCollections, attempting to approximate collection names by parsing connectionStatus
MongoDB Enterprise > show collections;
Warning: unable to run listCollections, attempting to approximate collection names by parsing connectionStatus
MongoDB Enterprise > db.auth("adminUser","adminPass")
1
MongoDB Enterprise > show collections;
system.users
system.version
6. Log in directly to the herrywen database with the herrywen user (its authentication database is herrywen, where it was created):

[root@worker1 ~]# mongo --host 192.168.255.134 --port 27017 -u herrywen -p herrywen --authenticationDatabase "herrywen"
MongoDB shell version v4.2.1
connecting to: mongodb://192.168.255.134:27017/?authSource=herrywen&compressors=disabled&gssapiServiceName=mongodb
Implicit session: session { "id" : UUID("9d906997-681a-43b4-b541-dbe5d197cd1f") }
MongoDB server version: 4.2.1
MongoDB Enterprise > use herrywen
switched to db herrywen
MongoDB Enterprise > show collections;
MongoDB Enterprise > db.test3.insert({title: 'MongoDB',
... description: 'hello,world',
... by: 'herrywen',
... url: 'http://www.51cto.com',
... tags: ['mongodb', 'database', 'NoSQL'],
... likes: 100})
WriteResult({ "nInserted" : 1 })
MongoDB Enterprise > show collections;
7. Grant adminUser read and write access to the herrywen database. grantRolesToUser must be run in the database where the user was created, which is admin for adminUser; db.system.users.find() then shows the updated user document, including its credentials field.

use admin
db.grantRolesToUser( "adminUser", [ { role: "readWrite", db: "herrywen" } ] )
db.system.users.find().pretty();
8. Grant herrywen read and write access to the herrywen1 database and read access to the admin database (run in the herrywen database, where the user is defined):

use herrywen
db.grantRolesToUser( "herrywen", [ { role: "readWrite", db: "herrywen1" }, { role: "read", db: "admin" } ] )
9. Revoke herrywen's read and write access to herrywen1 and its read access to admin (still in the herrywen database):

db.revokeRolesFromUser( "herrywen", [ { "role" : "read", "db" : "admin" }, { "role" : "readWrite", "db" : "herrywen1" } ])
10. Check the privileges the herrywen user currently has. You can switch to the herrywen database and call db.getUser('herrywen'), but show users (which lists the users of the current database) is simpler:

MongoDB Enterprise > show users
{
        "_id" : "herrywen.herrywen",
        "userId" : UUID("68fc696d-9825-43b6-9afb-d4a040b480a3"),
        "user" : "herrywen",
        "db" : "herrywen",
        "roles" : [
                {
                        "role" : "readWrite",
                        "db" : "herrywen"
                }
        ],
        "mechanisms" : [
                "SCRAM-SHA-1",
                "SCRAM-SHA-256"
        ]
}
11. Change the herrywen user's password (run in the herrywen database): db.changeUserPassword("herrywen","herrywen-2")
12. Drop the herrywen user (run in the herrywen database): db.dropUser("herrywen")