备注:
MongoDB 4.2 版本
一.身份认证
MongoDB安装完成后,默认是没有权限验证的,默认是不需要输入用户名密码即可登录的,但是往往数据库方面我们会出于安全性的考虑而设置用户名密码。
即任何客户端都可以使用mongo IP:27017/admin命令登录mongo服务
启用访问控制前,请确保在 admin 数据库中拥有 userAdmin 或 userAdminAnyDatabase 角色的用户。
该用户可以管理用户和角色,例如:创建用户,授予或撤销用户角色,以及创建或修改定义角色。
启用验证的方式:
/etc/mongodb.conf 将auth=true前面的注释拿掉,然后重启服务生效。
二.用户权限介绍
- mongodb是没有默认管理员账号,所以要先添加管理员账号,在开启权限认证。
- 切换到admin数据库,添加的账号才是管理员账号。
- 用户只能在用户所在数据库登录,包括管理员账号。
- mongo的用户是以数据库为单位来建立的,每个数据库有自己的管理员。
- 管理员可以管理所有数据库,但是不能直接管理其他数据库,要先在admin数据库认证后才可以。
注:帐号是跟着库走的,所以在指定库里授权,必须也在指定库里验证
权限说明:
Built-In Roles(内置角色):
1. 数据库用户角色:read、readWrite;
2. 数据库管理角色:dbAdmin、dbOwner、userAdmin;
3. 集群管理角色:clusterAdmin、clusterManager、clusterMonitor、hostManager;
4. 备份恢复角色:backup、restore;
5. 所有数据库角色:readAnyDatabase、readWriteAnyDatabase、userAdminAnyDatabase、dbAdminAnyDatabase
6. 超级用户角色:root
// 这里还有几个角色间接或直接提供了系统超级用户的访问(dbOwner 、userAdmin、userAdminAnyDatabase)
| 权限 | 描述 |
|---|---|
| Read | 允许用户读取指定数据库 |
| readWrite | 允许用户读写指定数据库 |
| dbAdmin | 允许用户在指定数据库中执行管理函数,如索引创建、删除,查看统计或访问system.profile |
| userAdmin | 允许用户向system.users集合写入,可以找指定数据库里创建、删除和管理用户 |
| clusterAdmin | 只在admin数据库中可用,赋予用户所有分片和复制集相关函数的管理权限。 |
| readAnyDatabase | 只在admin数据库中可用,赋予用户所有数据库的读权限 |
| readWriteAnyDatabase | 只在admin数据库中可用,赋予用户所有数据库的读写权限 |
| userAdminAnyDatabase | 只在admin数据库中可用,赋予用户所有数据库的userAdmin权限 |
| dbAdminAnyDatabase | 只在admin数据库中可用,赋予用户所有数据库的dbAdmin权限。 |
| root | 只在admin数据库中可用。超级账号,超级权限 |
三.用户权限维护
3.1 创建用户
3.1.1 创建admin
角色:userAdminAnyDatabase (这是一个账号管理员的角色)
admin用户用于管理账号,不能进行关闭数据库等操作,目标数据库是admin
> use admin
> db.createUser({user: "admin",pwd: "123456",roles: [ { role: "userAdminAnyDatabase", db: "admin" } ]})
另一种格式:
> db.createUser(
{
user: "dba",
pwd: "dba",
roles: [ { role: "userAdminAnyDatabase", db: "admin" } ]
}
)
测试记录:
> use admin
switched to db admin
> db.createUser({user: "admin",pwd: "123456",roles: [ { role: "userAdminAnyDatabase", db: "admin" } ]})
Successfully added user: {
"user" : "admin",
"roles" : [
{
"role" : "userAdminAnyDatabase",
"db" : "admin"
}
]
}
>
>
3.1.2 创建root
创建完admin管理员,创建一个超级管理员 root 角色:root
root角色用于 关闭数据库 db.shutdownServer()
> use admin
> db.createUser({user: "root",pwd: "123456",roles: [ { role: "root", db: "admin" } ]})
测试记录:
> use admin
switched to db admin
> db.createUser({user: "root",pwd: "123456",roles: [ { role: "root", db: "admin" } ]})
Successfully added user: {
"user" : "root",
"roles" : [
{
"role" : "root",
"db" : "admin"
}
]
}
>
3.1.3 创建普通用户
zqs_user这个账户是zqs这个数据库的管理员
use zqs;
db.createUser({user: "zqs_user",pwd: "123456",roles: [ { role: "dbOwner", db: "zqs" } ]})
测试记录:
> use zqs;
switched to db zqs
> db.createUser({user: "zqs_user",pwd: "123456",roles: [ { role: "dbOwner", db: "zqs" } ]})
Successfully added user: {
"user" : "zqs_user",
"roles" : [
{
"role" : "dbOwner",
"db" : "zqs"
}
]
}
>
3.2 查看用户
use admin
db.auth('admin','123456')
show users;
db.system.users.find().pretty()
测试记录:
> use admin
switched to db admin
> db.auth('admin','123456')
1
>
> show users;
{
"_id" : "admin.admin",
"userId" : UUID("b350f043-f96d-4caa-89fe-fdb5e8f12bed"),
"user" : "admin",
"db" : "admin",
"roles" : [
{
"role" : "userAdminAnyDatabase",
"db" : "admin"
}
],
"mechanisms" : [
"SCRAM-SHA-1",
"SCRAM-SHA-256"
]
}
{
"_id" : "admin.root",
"userId" : UUID("80c4fad0-f344-4fec-aedf-4629d5ffdb47"),
"user" : "root",
"db" : "admin",
"roles" : [
{
"role" : "root",
"db" : "admin"
}
],
"mechanisms" : [
"SCRAM-SHA-1",
"SCRAM-SHA-256"
]
}
>
> db.system.users.find().pretty()
{
"_id" : "admin.admin",
"userId" : UUID("b350f043-f96d-4caa-89fe-fdb5e8f12bed"),
"user" : "admin",
"db" : "admin",
"credentials" : {
"SCRAM-SHA-1" : {
"iterationCount" : 10000,
"salt" : "qOsV0FwaJjz9w3+82nB7tQ==",
"storedKey" : "v05BKAFSr4iu4IocuNrFsvrdZOY=",
"serverKey" : "rWnzOkLGR0OO60s/O9BzY9KdQBk="
},
"SCRAM-SHA-256" : {
"iterationCount" : 15000,
"salt" : "JLvXPC4h0NE3DhTKAyv0cBSKPCYwyl9sm/EPAw==",
"storedKey" : "JdNJU2T8EOCCLbu+PmNMiy5qde2au00Y8z2T2U3h3Y8=",
"serverKey" : "X7KLzHWeSS1nb0Z1tGdMBvj/A38subQ2F/j7omstUQc="
}
},
"roles" : [
{
"role" : "userAdminAnyDatabase",
"db" : "admin"
}
]
}
{
"_id" : "admin.root",
"userId" : UUID("80c4fad0-f344-4fec-aedf-4629d5ffdb47"),
"user" : "root",
"db" : "admin",
"credentials" : {
"SCRAM-SHA-1" : {
"iterationCount" : 10000,
"salt" : "dYwdSwCFjLi09emO5wQi9w==",
"storedKey" : "v6dt6eRcqU2CxzT9MJCx73McWR8=",
"serverKey" : "vKu49tEkUSTL6LobFbd/SSpIt24="
},
"SCRAM-SHA-256" : {
"iterationCount" : 15000,
"salt" : "NvjslFU2Dw5vq1UUx8g8tvqVmtzxOj9+blmAuw==",
"storedKey" : "9Cqvs2H7k1IhzAPUjS7An21lS3jTftce9PI0ZCrDc/o=",
"serverKey" : "iEZSpujFWOwncOh9hLcmYqeFiJJWE/Eq9INQp6GOCUw="
}
},
"roles" : [
{
"role" : "root",
"db" : "admin"
}
]
}
{
"_id" : "zqs.zqs_user",
"userId" : UUID("175be7c0-dba2-44d9-a7fd-4b1d82e3e79b"),
"user" : "zqs_user",
"db" : "zqs",
"credentials" : {
"SCRAM-SHA-1" : {
"iterationCount" : 10000,
"salt" : "kMf6SSTUnoyPP8OkBg+gLA==",
"storedKey" : "3d3ifwhB0o1tWa85UTtiZHkiibM=",
"serverKey" : "zGuKawyQ1RxbJb8FYROOj+rHFBE="
},
"SCRAM-SHA-256" : {
"iterationCount" : 15000,
"salt" : "BK4iBrLycA9f/W4T0yb8+VRQBqEMYK4mhuLB0w==",
"storedKey" : "ivsStNk5Z+WrnXx4Huq20fomiNcEC5lCRuyKQEW80Hs=",
"serverKey" : "1ggF77RaJmQkopxYXyEAWubWteC7fqZhYqrfm1Aqhig="
}
},
"roles" : [
{
"role" : "dbOwner",
"db" : "zqs"
}
]
}
3.3 删除用户
-- 根据id删除用户
db.system.users.remove({_id:"XXX.XXX"})
-- 根据用户名删除用户
db.system.users.remove({user:"XXXXXX"})
测试记录:
[root@10-31-1-124 ~]# mongo
MongoDB shell version v4.2.10
connecting to: mongodb://127.0.0.1:27017/?compressors=disabled&gssapiServiceName=mongodb
Implicit session: session { "id" : UUID("4a4cf164-5f27-474c-bc56-07e98ff5c750") }
MongoDB server version: 4.2.10
>
> use zqs
switched to db zqs
> db.auth('zqs_user','123456')
1
> db.createUser({user: "zqs_user2",pwd: "123456",roles: [ { role: "dbOwner", db: "zqs" } ]})
Successfully added user: {
"user" : "zqs_user2",
"roles" : [
{
"role" : "dbOwner",
"db" : "zqs"
}
]
}
> db.createUser({user: "zqs_user3",pwd: "123456",roles: [ { role: "dbOwner", db: "zqs" } ]})
Successfully added user: {
"user" : "zqs_user3",
"roles" : [
{
"role" : "dbOwner",
"db" : "zqs"
}
]
}
>
-- 普通账户删除把偶从
> db.system.users.remove({_id:"zqs.zqs_user2"})
WriteCommandError({
"ok" : 0,
"errmsg" : "not authorized on zqs to execute command { delete: \"system.users\", ordered: true, lsid: { id: UUID(\"4a4cf164-5f27-474c-bc56-07e98ff5c750\") }, $db: \"zqs\" }",
"code" : 13,
"codeName" : "Unauthorized"
})
>
-- 此处改用root权限来删除
[root@10-31-1-124 ~]# mongo
MongoDB shell version v4.2.10
connecting to: mongodb://127.0.0.1:27017/?compressors=disabled&gssapiServiceName=mongodb
Implicit session: session { "id" : UUID("b5fbac38-ccb4-4d7c-919d-e994fdd2536c") }
MongoDB server version: 4.2.10
>
> use admin
switched to db admin
> db.auth('root','123456')
1
-- 授权给admin用户对system.version表执行命令的权限
> db.grantRolesToUser ( "root", [ { role: "__system", db: "admin" } ] )
>
> db.system.users.remove({_id:"zqs.zqs_user2"})
WriteResult({ "nRemoved" : 1 })
> db.system.users.remove({user:"zqs_user3"})
WriteResult({ "nRemoved" : 1 })
>
> use zqs;
switched to db zqs
> show users;
{
"_id" : "zqs.zqs_user",
"userId" : UUID("175be7c0-dba2-44d9-a7fd-4b1d82e3e79b"),
"user" : "zqs_user",
"db" : "zqs",
"roles" : [
{
"role" : "dbOwner",
"db" : "zqs"
}
],
"mechanisms" : [
"SCRAM-SHA-1",
"SCRAM-SHA-256"
]
}
>
2.4 修改用户
对于分片集群,用户的更改将在命令运行的 mongos 上即时生效。但是,对于群集中的其他mongos 实例,用户缓存可能会等待10分钟才能刷新。
-- 回收权限
db.revokeRolesFromUser(
"zqs_user2",
[
{ role: "readWrite", db: "zqs" }
]
)
-- 修改密码
db.changeUserPassword("zqs_user3", "abc123")
测试记录:
> db.revokeRolesFromUser(
... "zqs_user2",
... [
... { role: "readWrite", db: "zqs" }
... ]
... )
> db.changeUserPassword("zqs_user3", "abc123")
>
> db.auth('zqs_user3','abc123')
1
>
4.通过认证登陆
-- 认证方式1 先登陆再验证
use zqs
db.auth('zqs_user3','abc123')
测试记录
> use zqs
switched to db zqs
> db.auth('zqs_user3','abc123')
1
>
-- 认证方式2 登陆的时候配置用户名、密码 及登陆的db
mongo -u zqs_user -p 123456 --authenticationDatabase "zqs"
测试记录:
[root@10-31-1-124 ~]# mongo -u zqs_user -p 123456 --authenticationDatabase "zqs"
MongoDB shell version v4.2.10
connecting to: mongodb://127.0.0.1:27017/?authSource=zqs&compressors=disabled&gssapiServiceName=mongodb
Implicit session: session { "id" : UUID("52ebde76-917b-42bc-a8fc-a473aafabfd0") }
MongoDB server version: 4.2.10
>
> show tables;
Warning: unable to run listCollections, attempting to approximate collection names by parsing connectionStatus
>
> use zqs
switched to db zqs
> show tables
emp
test1
网友评论