投稿
首页 文章资讯内容详情

MongoDB 3.0 用户创建

2026-06-01 4 花语

本文内容纲要:

摘要:

MongoDB3.0安全权限访问控制,在添加用户上面3.0版本和之前的版本有很大的区别,这里就说明下3.0的添加用户的方法。

环境、测试:

在安装MongoDB之后,先关闭auth认证,进入查看数据库,只有一个local库,admin库是不存在的:

root@zhoujinyi:/usr/local/mongo4#mongo--port=27020 MongoDBshellversion:3.0.4 connectingto:127.0.0.1:27020/test 2015-06-29T09:31:08.673-0400ICONTROL[initandlisten] >showdbs; local0.078GB

现在需要创建一个帐号,该账号需要有grant权限,即:账号管理的授权权限。注意一点,帐号是跟着库走的,所以在指定库里授权,必须也在指定库里验证(auth)。

>useadmin switchedtodbadmin >db.createUser( ...{ ...user:"dba", ...pwd:"dba", ...roles:[{role:"userAdminAnyDatabase",db:"admin"}] ...} ...) Successfullyaddeduser:{ "user":"dba", "roles":[ { "role":"userAdminAnyDatabase", "db":"admin" } ] }

上面加粗的就是执行的命令:

user:用户名

pwd:密码

roles:指定用户的角色,可以用一个空数组给新用户设定空角色;在roles字段,可以指定内置角色和用户定义的角色。role里的角色可以选:

Built-InRoles(内置角色): 1.数据库用户角色:read、readWrite; 2.数据库管理角色:dbAdmin、dbOwner、userAdmin; 3.集群管理角色:clusterAdmin、clusterManager、clusterMonitor、hostManager; 4.备份恢复角色:backup、restore; 5.所有数据库角色:readAnyDatabase、readWriteAnyDatabase、userAdminAnyDatabase、dbAdminAnyDatabase 6.超级用户角色:root //这里还有几个角色间接或直接提供了系统超级用户的访问(dbOwner、userAdmin、userAdminAnyDatabase) 7.内部角色:__system

具体角色:

Read:允许用户读取指定数据库 readWrite:允许用户读写指定数据库 dbAdmin:允许用户在指定数据库中执行管理函数,如索引创建、删除,查看统计或访问system.profile userAdmin:允许用户向system.users集合写入,可以找指定数据库里创建、删除和管理用户 clusterAdmin:只在admin数据库中可用,赋予用户所有分片和复制集相关函数的管理权限。 readAnyDatabase:只在admin数据库中可用,赋予用户所有数据库的读权限 readWriteAnyDatabase:只在admin数据库中可用,赋予用户所有数据库的读写权限 userAdminAnyDatabase:只在admin数据库中可用,赋予用户所有数据库的userAdmin权限 dbAdminAnyDatabase:只在admin数据库中可用,赋予用户所有数据库的dbAdmin权限。 root:只在admin数据库中可用。超级账号,超级权限

刚建立了userAdminAnyDatabase角色,用来管理用户,可以通过这个角色来创建、删除用户。验证:需要开启auth参数。

root@zhoujinyi:/usr/local/mongo4#mongo--port=27020 MongoDBshellversion:3.0.4 connectingto:127.0.0.1:27020/test >showdbs;####没有验证,导致没权限。 2015-06-29T10:02:16.634-0400EQUERYError:listDatabasesfailed:{ "ok":0, "errmsg":"notauthorizedonadmintoexecutecommand{listDatabases:1.0}", "code":13 } atError(<anonymous>) atMongo.getDBs(src/mongo/shell/mongo.js:47:15) atshellHelper.show(src/mongo/shell/utils.js:630:33) atshellHelper(src/mongo/shell/utils.js:524:36) at(shellhelp2):1:1atsrc/mongo/shell/mongo.js:47 >useadmin#验证,因为在admin下面添加的帐号,所以要到admin下面验证。 switchedtodbadmin >db.auth(dba,dba) 1 >showdbs; admin0.078GB local0.078GB >usetest#在test库里创建帐号 switchedtodbtest >db.createUser( ...{ ...user:"zjyr", ...pwd:"zjyr", ...roles:[ ...{role:"read",db:"test"}#只读帐号 ...] ...} ...) Successfullyaddeduser:{ "user":"zjyr", "roles":[ { "role":"read", "db":"test" } ] } >db.createUser( ...{ ...user:"zjy", ...pwd:"zjy", ...roles:[ ...{role:"readWrite",db:"test"}#读写帐号 ...] ...} ...) Successfullyaddeduser:{ "user":"zjy", "roles":[ { "role":"readWrite",#读写账号 "db":"test" } ] } >showusers;#查看当前库下的用户 { "_id":"test.zjyr", "user":"zjyr", "db":"test", "roles":[ { "role":"read", "db":"test" } ] } { "_id":"test.zjy", "user":"zjy", "db":"test", "roles":[ { "role":"readWrite", "db":"test" } ] }

上面创建了2个帐号,现在验证下:验证前提需要一个集合

>db.abc.insert({"a":1,"b":2})#插入失败,没有权限,userAdminAnyDatabase权限只是针对用户管理的,对其他是没有权限的。 WriteResult({ "writeError":{ "code":13, "errmsg":"notauthorizedontesttoexecutecommand{insert:\"abc\",documents:[{_id:ObjectId(55915185d629831d887ce2cb),a:1.0,b:2.0}],ordered:true}" } }) > bye root@zhoujinyi:/usr/local/mongo4#mongo--port=27020 MongoDBshellversion:3.0.4 connectingto:127.0.0.1:27020/test >usetest switchedtodbtest >db.auth(zjy,zjy)#用创建的readWrite帐号进行写入 1 >db.abc.insert({"a":1,"b":2}) WriteResult({"nInserted":1}) >db.abc.insert({"a":11,"b":22}) WriteResult({"nInserted":1}) >db.abc.insert({"a":111,"b":222}) WriteResult({"nInserted":1}) >db.abc.find() {"_id":ObjectId("559151a1b78649ebd8316853"),"a":1,"b":2} {"_id":ObjectId("559151cab78649ebd8316854"),"a":11,"b":22} {"_id":ObjectId("559151ceb78649ebd8316855"),"a":111,"b":222} >db.auth(zjyr,zjyr)#切换到只有read权限的帐号 1 >db.abc.insert({"a":1111,"b":2222})#不能写入 WriteResult({ "writeError":{ "code":13, "errmsg":"notauthorizedontesttoexecutecommand{insert:\"abc\",documents:[{_id:ObjectId(559151ebb78649ebd8316856),a:1111.0,b:2222.0}],ordered:true}" } }) >db.abc.find()#可以查看 {"_id":ObjectId("559151a1b78649ebd8316853"),"a":1,"b":2} {"_id":ObjectId("559151cab78649ebd8316854"),"a":11,"b":22} {"_id":ObjectId("559151ceb78649ebd8316855"),"a":111,"b":222}

有没有一个超级权限?不仅可以授权,而且也可以对集合进行任意操作?答案是肯定的,只是不建议使用。那就是role角色设置成root

>db.auth(dba,dba) 1 >db.createUser( ...{ ...user:"zhoujinyi", ...pwd:"zhoujinyi", ...roles:[ ...{role:"root",db:"admin"}#超级root帐号 ...] ...} ...) Successfullyaddeduser:{ "user":"zhoujinyi", "roles":[ { "role":"root", "db":"admin" } ] } > >showusers;#查看当前库下的用户 { "_id":"admin.dba", "user":"dba", "db":"admin", "roles":[ { "role":"userAdminAnyDatabase", "db":"admin" } ] } { "_id":"admin.zhoujinyi", "user":"zhoujinyi", "db":"admin", "roles":[ { "role":"root", "db":"admin" } ] } >useadmin switchedtodbadmin >db.auth(zhoujinyi,zhoujinyi) 1 >usetest switchedtodbtest >db.abc.insert({"a":1,"b":2}) WriteResult({"nInserted":1}) >db.abc.insert({"a":1111,"b":2222})#权限都有 WriteResult({"nInserted":1}) >db.abc.find() {"_id":ObjectId("5591539bb78649ebd8316857"),"a":1,"b":2} {"_id":ObjectId("559153a0b78649ebd8316858"),"a":1111,"b":2222} >db.abc.remove({}) WriteResult({"nRemoved":2})

因为帐号都是在当前需要授权的数据库下授权的,那要是不在当前数据库下会怎么样?

>db admin >db.createUser( ...{ ...user:"dxy", ...pwd:"dxy", ...roles:[ ...{role:"readWrite",db:"test"},#在当前库下创建其他库的帐号,在admin库下创建test、abc库的帐号 ...{role:"readWrite",db:"abc"} ...] ...} ...) Successfullyaddeduser:{ "user":"dxy", "roles":[ { "role":"readWrite", "db":"test" }, { "role":"readWrite", "db":"abc" } ] } > >showusers; { "_id":"admin.dba", "user":"dba", "db":"admin", "roles":[ { "role":"userAdminAnyDatabase", "db":"admin" } ] } { "_id":"admin.zhoujinyi", "user":"zhoujinyi", "db":"admin", "roles":[ { "role":"root", "db":"admin" } ] } { "_id":"admin.dxy", "user":"dxy", "db":"admin", "roles":[ { "role":"readWrite", "db":"test" }, { "role":"readWrite", "db":"abc" } ] } >usetest switchedtodbtest >db.auth(dxy,dxy)#在admin下创建的帐号,不能直接在其他库验证, Error:18Authenticationfailed. 0 >useadmin switchedtodbadmin#只能在帐号创建库下认证,再去其他库进行操作。 >db.auth(dxy,dxy) 1 >usetest switchedtodbtest >db.abc.insert({"a":1111,"b":2222}) WriteResult({"nInserted":1}) >useabc switchedtodbabc >db.abc.insert({"a":1111,"b":2222}) WriteResult({"nInserted":1})

上面更加进一步说明数据库帐号是跟着数据库来走的,哪里创建哪里认证。

创建了这么多帐号,怎么查看所有帐号

>useadmin switchedtodbadmin >db.auth(dba,dba) 1 >db.system.users.find().pretty() { "_id":"admin.dba", "user":"dba", "db":"admin", "credentials":{ "SCRAM-SHA-1":{ "iterationCount":10000, "salt":"KfDUzCOIUo7WVjFr64ZOcQ==", "storedKey":"t4sPsKG2dXnZztVYj5EgdUzT9sc=", "serverKey":"2vCGiq9NIc1zKqeEL6VvO4rP26A=" } }, "roles":[ { "role":"userAdminAnyDatabase", "db":"admin" } ] } { "_id":"test.zjyr", "user":"zjyr", "db":"test", "credentials":{ "SCRAM-SHA-1":{ "iterationCount":10000, "salt":"h1gOW3J7wzJuTqgmmQgJKQ==", "storedKey":"7lkoANdxM2py0qiDBzFaZYPp1cM=", "serverKey":"Qyu6IRNyaKLUvqJ2CAa/tQYY36c=" } }, "roles":[ { "role":"read", "db":"test" } ] } { "_id":"test.zjy", "user":"zjy", "db":"test", "credentials":{ "SCRAM-SHA-1":{ "iterationCount":10000, "salt":"afwaKuTYPWwbDBduQ4Hm7g==", "storedKey":"ebb2LYLn4hiOVlZqgrAKBdStfn8=", "serverKey":"LG2qWwuuV+FNMmr9lWs+Rb3DIhQ=" } }, "roles":[ { "role":"readWrite", "db":"test" } ] } { "_id":"admin.zhoujinyi", "user":"zhoujinyi", "db":"admin", "credentials":{ "SCRAM-SHA-1":{ "iterationCount":10000, "salt":"pE2cSOYtBOYevk8tqrwbSQ==", "storedKey":"TwMxdnlB5Eiaqg4tNh9ByNuUp9A=", "serverKey":"Mofr9ohVlFfR6/md4LMRkOhXouc=" } }, "roles":[ { "role":"root", "db":"admin" } ] } { "_id":"admin.dxy", "user":"dxy", "db":"admin", "credentials":{ "SCRAM-SHA-1":{ "iterationCount":10000, "salt":"XD6smcWX4tdg/ZJPoLxxRg==", "storedKey":"F4uiayykHDp/r9krAKZjdr+gqjM=", "serverKey":"Kf51IU9J3RIrB8CFn5Z5hEKMSkw=" } }, "roles":[ { "role":"readWrite", "db":"test" }, { "role":"readWrite", "db":"abc" } ] } >db.system.users.find().count() 5

备份还原使用那个角色的帐号?之前创建的帐号zjy:test库读写权限;zjyr:test库读权限

root@zhoujinyi:~#mongodump--port=27020-uzjyr-pzjyr--db=test-obackup#只要读权限就可以备份 2015-06-29T11:20:04.864-0400writingtest.abctobackup/test/abc.bson 2015-06-29T11:20:04.865-0400writingtest.abcmetadatatobackup/test/abc.metadata.json 2015-06-29T11:20:04.866-0400donedumpingtest.abc 2015-06-29T11:20:04.867-0400writingtest.system.indexestobackup/test/system.indexes.bson root@zhoujinyi:~#mongorestore--port=27020-uzjy-pzjy--db=testbackup/test/#读写权限可以进行还原 2015-06-29T11:20:26.607-0400buildingalistofcollectionstorestorefrombackup/test/dir 2015-06-29T11:20:26.609-0400readingmetadatafilefrombackup/test/abc.metadata.json 2015-06-29T11:20:26.609-0400restoringtest.abcfromfilebackup/test/abc.bson 2015-06-29T11:20:26.611-0400error:E11000duplicatekeyerrorindex:test.abc.$_id_dupkey:{:ObjectId(559154efb78649ebd831685a)} 2015-06-29T11:20:26.611-0400restoringindexesforcollectiontest.abcfrommetadata 2015-06-29T11:20:26.612-0400finishedrestoringtest.abc 2015-06-29T11:20:26.612-0400done

相关连接:

MongoDB权限控制系统简介

本文内容总结:

原文链接:https://www.cnblogs.com/zhoujinyi/p/4610050.html

相关推荐

C ++中的K个逆对数组

C ++中的K个逆对数组

假设我们有两个整数n和k,我们必须找到多少个不同的数组,这些数组由1到n的数字组成,因此恰好有k个逆对。逆对适用于数组中的第ith个元素和第j个元素,如果i<j和a[...

连字符到驼峰JavaScript中的字符串

连字符到驼峰JavaScript中的字符串

假设我们有一个字符串,其中包含由连字符分隔的单词,如下所示:const str = this-is-an-example;...

C / C ++程序,用于查找第n个项为n ^ 2 –(n-1)^ 2的级数之和

C / C ++程序,用于查找第n个项为n ^ 2 –(n-1)^ 2的级数之和

数学中有许多类型的级数,可以在C编程中轻松解决。该程序是在C程序中找到系列后继的和。Tn = n2 - (n-1 2...

从MySQL表格的整个四列中找到最低分

从MySQL表格的整个四列中找到最低分

要从全部四列中找到最低分,请使用MySQLLEAST( 函数。让我们首先创建一个表-create table DemoTable( Score1 int,...

比较两个数组并获取与JavaScript不匹配的那些值

比较两个数组并获取与JavaScript不匹配的那些值

我们有两个包含一些公共值的文字数组,我们的工作是编写一个函数,该函数返回一个数组,其中包含两个数组中所有不常见的元素。...

如何通过在Java中使用JsonConfig排除某些属性来将bean转换为JSON对象?

如何通过在Java中使用JsonConfig排除某些属性来将bean转换为JSON对象?

该JsonConfig 类是一个工具类,它可帮助您配置序列化过程。我们可以使用...

JavaScript:用数组替换对象键

JavaScript:用数组替换对象键

我们需要编写一个JavaScript函数,该函数接受一个对象和一组文字。...

C#中的Boolean.GetTypeCode()方法(带示例)

C#中的Boolean.GetTypeCode()方法(带示例)

C#中的Boolean.GetTypeCode( 方法用于返回布尔值类型的类型代码。...

 网站地图 

豫ICP备2023040377号