MongoDB user roles, authorization and enabling auth

Commonly used built-in roles in MongoDB:

dbAdmin, scoped to one database, grants the following actions on that database's system.profile collection (the profiler output):

  • collStats
  • dbHash
  • dbStats
  • find
  • killCursors
  • listIndexes
  • listCollections
  • dropCollection and createCollection on system.profile only

On the database's other collections dbAdmin grants schema and index administration (for example createCollection, createIndex, dropIndex, collMod, dropDatabase, validate and enableProfiler); it does not grant read or write access to user data, and it grants no user or role management.

userAdmin, scoped to one database, grants the following user and role management actions:

  • changeCustomData
  • changePassword
  • createRole
  • createUser
  • dropRole
  • dropUser
  • grantRole
  • revokeRole
  • viewRole
  • viewUser

Treat userAdmin as sensitive: a holder can grant any role on that database to any user, including themselves, so userAdmin on the admin database can grant itself root and is an effective superuser.

readAnyDatabase  read on the collections of every database, plus listDatabases

readWriteAnyDatabase  read and write on the collections of every database, plus listDatabases

userAdminAnyDatabase  userAdmin on every database, plus listDatabases

dbAdminAnyDatabase  dbAdmin on every database, plus listDatabases

These four roles exist only in the admin database, so they are always granted as { role: "...", db: "admin" }.

Cluster-level roles: clusterMonitor, hostManager, clusterManager and clusterAdmin. clusterAdmin combines the other three and adds dropDatabase.

root combines readWriteAnyDatabase, dbAdminAnyDatabase, userAdminAnyDatabase and clusterAdmin. It does not, however, grant access to collections whose names begin with the system. prefix ("root does not include any access to collections that begin with the system. prefix").

__system, the internal superrole

Official documentation:
http://docs.mongodb.org/manual/reference/built-in-roles/#__system

__system grants anyAction on anyResource, that is, every action on every resource in the deployment, including the system.* collections that root cannot touch. MongoDB assigns it to the user objects that represent cluster members (replica set peers and mongos instances). The documentation says not to assign it to users representing applications or human administrators other than in exceptional circumstances: an account holding __system is equivalent to the server itself, so the users created with it below should be read as a demonstration, not as a recommended configuration.

> use admin
switched to db admin
> db.createUser(
...   {
...     user: "maclean_dbdao2",
...     pwd: "maclean_dbdao2",
...     roles: [ { role: "__system", db: "admin" } ]
...   }
... )
Successfully added user: {
	"user" : "maclean_dbdao2",
	"roles" : [
		{
			"role" : "__system",
			"db" : "admin"
		}
	]
}
> 
bye
10:~ maclean$ mongo localhost:35002/admin -u maclean_dbdao2  -p
MongoDB shell version: 3.0.2
Enter password: 
connecting to: localhost:35002/admin
> show roles
{
	"role" : "__system",
	"db" : "admin",
	"isBuiltin" : true,
	"roles" : [ ],
	"inheritedRoles" : [ ]
}
{
	"role" : "backup",
	"db" : "admin",
	"isBuiltin" : true,
	"roles" : [ ],
	"inheritedRoles" : [ ]
}
{
	"role" : "clusterAdmin",
	"db" : "admin",
	"isBuiltin" : true,
	"roles" : [ ],
	"inheritedRoles" : [ ]
}
{
	"role" : "clusterManager",
	"db" : "admin",
	"isBuiltin" : true,
	"roles" : [ ],
	"inheritedRoles" : [ ]
}
{
	"role" : "clusterMonitor",
	"db" : "admin",
	"isBuiltin" : true,
	"roles" : [ ],
	"inheritedRoles" : [ ]
}
{
	"role" : "dbAdmin",
	"db" : "admin",
	"isBuiltin" : true,
	"roles" : [ ],
	"inheritedRoles" : [ ]
}
{
	"role" : "dbAdminAnyDatabase",
	"db" : "admin",
	"isBuiltin" : true,
	"roles" : [ ],
	"inheritedRoles" : [ ]
}
{
	"role" : "dbOwner",
	"db" : "admin",
	"isBuiltin" : true,
	"roles" : [ ],
	"inheritedRoles" : [ ]
}
{
	"role" : "hostManager",
	"db" : "admin",
	"isBuiltin" : true,
	"roles" : [ ],
	"inheritedRoles" : [ ]
}
{
	"role" : "read",
	"db" : "admin",
	"isBuiltin" : true,
	"roles" : [ ],
	"inheritedRoles" : [ ]
}
{
	"role" : "readAnyDatabase",
	"db" : "admin",
	"isBuiltin" : true,
	"roles" : [ ],
	"inheritedRoles" : [ ]
}
{
	"role" : "readWrite",
	"db" : "admin",
	"isBuiltin" : true,
	"roles" : [ ],
	"inheritedRoles" : [ ]
}
{
	"role" : "readWriteAnyDatabase",
	"db" : "admin",
	"isBuiltin" : true,
	"roles" : [ ],
	"inheritedRoles" : [ ]
}
{
	"role" : "restore",
	"db" : "admin",
	"isBuiltin" : true,
	"roles" : [ ],
	"inheritedRoles" : [ ]
}
{
	"role" : "root",
	"db" : "admin",
	"isBuiltin" : true,
	"roles" : [ ],
	"inheritedRoles" : [ ]
}
{
	"role" : "userAdmin",
	"db" : "admin",
	"isBuiltin" : true,
	"roles" : [ ],
	"inheritedRoles" : [ ]
}
{
	"role" : "userAdminAnyDatabase",
	"db" : "admin",
	"isBuiltin" : true,
	"roles" : [ ],
	"inheritedRoles" : [ ]
}


In MongoDB 3.0, db.getUsers() returns the users defined in the current database (here admin) together with the roles each one holds:


> db.getUsers();
[
	{
		"_id" : "admin.maclean",
		"user" : "maclean",
		"db" : "admin",
		"roles" : [
			{
				"role" : "userAdminAnyDatabase",
				"db" : "admin"
			}
		]
	},
	{
		"_id" : "admin.maclean1",
		"user" : "maclean1",
		"db" : "admin",
		"roles" : [
			{
				"role" : "__system",
				"db" : "admin"
			}
		]
	},
	{
		"_id" : "admin.maclean_dbdao2",
		"user" : "maclean_dbdao2",
		"db" : "admin",
		"roles" : [
			{
				"role" : "__system",
				"db" : "admin"
			}
		]
	}
]
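A quick audit over that output, as an added example that is not part of the original post: the script below classifies each user document returned by db.getUsers() and reports accounts holding __system or root, deployment-wide roles, userAdmin on admin, or roles granted on a database other than the one the user was created in. It is written in ES5 so the same file runs in the mongo shell with load() against a live deployment (where it walks every database via listDatabases, which needs that privilege) and stand-alone under Node, where it falls back to the constructed sample embedded below (the three users above plus one hypothetical application account, app_orders).

```javascript
// Audit of db.getUsers() output for over-privileged accounts.
// Added example, not from the original post. Written in ES5 so the same
// script runs in the mongo shell (load("audit_users.js")), where `db` is
// predefined, and stand-alone under Node against the constructed sample below.

// Roles that amount to full control of the deployment. __system is meant for
// cluster members (replica set peers, mongos); root should be a break-glass
// account only. Any other holder is a finding.
var SUPERUSER_ROLES = { "__system": true, "root": true };

// Roles that span every database: acceptable for administrators, not for
// application accounts.
var ANY_DATABASE_ROLES = {
  "readAnyDatabase": true, "readWriteAnyDatabase": true,
  "userAdminAnyDatabase": true, "dbAdminAnyDatabase": true,
  "clusterAdmin": true, "clusterManager": true, "clusterMonitor": true,
  "hostManager": true, "backup": true, "restore": true
};

// Constructed sample: the three users from the output above plus a
// hypothetical application account created on its own database with readWrite.
var SAMPLE_USERS = [
  { _id: "admin.maclean", user: "maclean", db: "admin",
    roles: [ { role: "userAdminAnyDatabase", db: "admin" } ] },
  { _id: "admin.maclean1", user: "maclean1", db: "admin",
    roles: [ { role: "__system", db: "admin" } ] },
  { _id: "admin.maclean_dbdao2", user: "maclean_dbdao2", db: "admin",
    roles: [ { role: "__system", db: "admin" } ] },
  { _id: "orders.app_orders", user: "app_orders", db: "orders",
    roles: [ { role: "readWrite", db: "orders" } ] }
];

// Classify one user document; returns an array of findings (empty = clean).
function auditUser(u) {
  var findings = [];
  var roles = u.roles || [];
  if (roles.length === 0) {
    findings.push(u._id + ": no roles (dormant account, consider dropping it)");
  }
  roles.forEach(function (r) {
    if (SUPERUSER_ROLES[r.role]) {
      findings.push(u._id + ": holds superuser role " + r.role + "@" + r.db);
    } else if (ANY_DATABASE_ROLES[r.role]) {
      findings.push(u._id + ": holds deployment-wide role " + r.role + "@" + r.db);
    } else if (r.role === "userAdmin" && r.db === "admin") {
      // userAdmin on admin can grant itself any role, including root.
      findings.push(u._id + ": userAdmin on admin is an effective superuser");
    } else if (r.db !== u.db) {
      // A per-database role granted on a database other than the one the
      // user was created in widens the blast radius of that one credential.
      findings.push(u._id + ": role " + r.role + " granted on foreign database " + r.db);
    }
  });
  return findings;
}

// Audit a list of user documents; returns { userId: [findings...] } for
// every user that has at least one finding.
function auditUsers(users) {
  var report = {};
  users.forEach(function (u) {
    var f = auditUser(u);
    if (f.length > 0) { report[u._id] = f; }
  });
  return report;
}

// In the mongo shell, walk every database, since users can be created in
// databases other than admin; under Node, fall back to the sample.
function collectUsers() {
  if (typeof db === "undefined") { return SAMPLE_USERS; }
  var admin = db.getSiblingDB("admin");
  var all = [];
  admin.adminCommand({ listDatabases: 1 }).databases.forEach(function (d) {
    all = all.concat(admin.getSiblingDB(d.name).getUsers());
  });
  return all;
}

var out = (typeof print === "function") ? print : console.log;
var report = auditUsers(collectUsers());
Object.keys(report).forEach(function (id) {
  report[id].forEach(function (line) { out("FINDING " + line); });
});
if (Object.keys(report).length === 0) { out("no findings"); }
```

Against the sample, the two __system accounts and the userAdminAnyDatabase account are reported and app_orders is clean; in a real deployment the expected result is exactly one or two administrative findings that you can name, and anything else is a credential to revisit.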

 

 

Enabling authentication and authorization in MongoDB:

1. Start mongod with --auth, or

2. Set auth = true in mongod.conf (the legacy ini-style configuration; in the YAML configuration format used since 2.6 the equivalent setting is security.authorization: enabled). Either form is equivalent to --auth.

The first time mongod starts with --auth and an empty user store, the log shows:

2015-05-13T11:20:22.296+0800 I ACCESS   [conn1] note: no users configured in admin.system.users, allowing localhost access

2015-05-13T11:20:22.297+0800 I ACCESS   [conn1] Unauthorized not authorized on admin to execute command { getLog: "startupWarnings" }

2015-05-13T12:07:08.680+0800 I INDEX    [conn1] build index on: admin.system.users properties: { v: 1, unique: true, key: { user: 1, db: 1 }, name: "user_1_db_1", ns: "admin.system.users" }

No user had been created yet, so mongod applied the localhost exception: connections from the localhost interface are admitted without credentials until the first user exists in the admin database. In 3.0 the exception only permits creating that first user, which is why the getLog command the shell issues on connect is still refused on the second line. The window is the point of the exception (it is how the first administrator gets created) and also its risk: any process on the host can create a superuser while it is open, so create the first user immediately after enabling auth. The third line, logged 47 minutes later on the same connection, is the unique index on admin.system.users being built as that first user was inserted; from then on the exception no longer applies and every connection, local or remote, must authenticate.
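Detection logic for those log lines, added here and not part of the original post: the parser below handles the 3.0 line format (timestamp, severity, component, [context], message), flags the localhost-exception note as an open bootstrap window, treats the admin.system.users index build as that window closing, records refused commands, and counts failed logins per user and source address so that repeated SCRAM failures from one client raise an alert. The sample log is constructed from the three lines above plus hypothetical SCRAM-SHA-1 failure and success lines whose exact wording is an assumption about the 3.0 log format; the threshold of three is likewise an arbitrary choice.

```javascript
// Detection over mongod 3.0 log lines for the auth-bootstrap window and for
// authentication failures. Added example, not from the original post.

// Format of a 3.0 log line: <timestamp> <severity> <component> [<context>] <message>
const LINE_RE = /^(\S+)\s+([FEWID])\s+(\S+)\s+\[([^\]]+)\]\s+(.*)$/;

// Parse one line into its fields, or return null for lines that do not match
// (continuation lines, stack traces, output from other daemons).
function parseLine(line) {
  const m = LINE_RE.exec(line);
  if (!m) return null;
  return { ts: m[1], severity: m[2], component: m[3], context: m[4], msg: m[5] };
}

// Message patterns. The first two come from the lines shown above; the SCRAM
// failure wording is an assumption about the 3.0 format (constructed sample).
const LOCALHOST_EXCEPTION = "allowing localhost access";
const UNAUTH_RE = /^Unauthorized not authorized on (\S+) to execute command/;
const FAILED_LOGIN_RE = /authentication failed for (\S+) on (\S+) from client ([\d.:]+)/;

// Walk the log once and return what an on-call engineer wants to know: is the
// localhost exception open, when was the first user created, which commands
// were refused, and which user/client pairs keep failing to authenticate.
function analyzeLog(lines, threshold = 3) {
  const state = {
    localhostExceptionOpen: false,
    firstUserCreatedAt: null,
    unauthorizedCommands: [],
    failedLogins: {},
    alerts: [],
  };
  for (const raw of lines) {
    const e = parseLine(raw);
    if (!e) continue;

    if (e.component === "ACCESS" && e.msg.includes(LOCALHOST_EXCEPTION)) {
      state.localhostExceptionOpen = true;
      state.alerts.push(e.ts + " " + e.context +
        ": auth enabled but admin.system.users is empty; any local process can create the first user");
    }
    // The unique index on admin.system.users is built when that collection is
    // created, i.e. by the first createUser; after it the exception is closed.
    if (e.component === "INDEX" && e.msg.includes("admin.system.users")) {
      state.firstUserCreatedAt = e.ts;
      state.localhostExceptionOpen = false;
    }
    const u = UNAUTH_RE.exec(e.msg);
    if (u) state.unauthorizedCommands.push({ ts: e.ts, context: e.context, db: u[1] });

    const f = FAILED_LOGIN_RE.exec(e.msg);
    if (f) {
      // Key on user@db and the client address without its ephemeral port, so
      // retries over fresh connections from the same host accumulate.
      const key = f[1] + "@" + f[2] + " from " + f[3].replace(/:\d+$/, "");
      state.failedLogins[key] = (state.failedLogins[key] || 0) + 1;
      if (state.failedLogins[key] === threshold) {
        state.alerts.push(e.ts + ": " + threshold + " failed logins for " + key);
      }
    }
  }
  return state;
}

// Constructed sample: the three lines from the post, then hypothetical SCRAM
// failures from a remote client (three connections, one host), one local
// failure and one success.
const SAMPLE_LOG = [
  "2015-05-13T11:20:22.296+0800 I ACCESS   [conn1] note: no users configured in admin.system.users, allowing localhost access",
  "2015-05-13T11:20:22.297+0800 I ACCESS   [conn1] Unauthorized not authorized on admin to execute command { getLog: \"startupWarnings\" }",
  "2015-05-13T12:07:08.680+0800 I INDEX    [conn1] build index on: admin.system.users properties: { v: 1, unique: true, key: { user: 1, db: 1 }, name: \"user_1_db_1\", ns: \"admin.system.users\" }",
  "2015-05-13T12:09:01.100+0800 I ACCESS   [conn4] SCRAM-SHA-1 authentication failed for maclean on admin from client 10.0.0.7:49152 ; AuthenticationFailed SCRAM-SHA-1 authentication failed, storedKey mismatch",
  "2015-05-13T12:09:02.300+0800 I ACCESS   [conn5] SCRAM-SHA-1 authentication failed for maclean on admin from client 10.0.0.7:49153 ; AuthenticationFailed SCRAM-SHA-1 authentication failed, storedKey mismatch",
  "2015-05-13T12:09:03.700+0800 I ACCESS   [conn6] SCRAM-SHA-1 authentication failed for maclean on admin from client 10.0.0.7:49154 ; AuthenticationFailed SCRAM-SHA-1 authentication failed, storedKey mismatch",
  "2015-05-13T12:09:10.000+0800 I ACCESS   [conn7] SCRAM-SHA-1 authentication failed for maclean on admin from client 127.0.0.1:54321 ; AuthenticationFailed SCRAM-SHA-1 authentication failed, storedKey mismatch",
  "2015-05-13T12:09:20.500+0800 I ACCESS   [conn8] Successfully authenticated as principal maclean on admin",
];

console.log(JSON.stringify(analyzeLog(SAMPLE_LOG), null, 2));
```

Over the first two sample lines alone the result reports the exception as open, which is the state to alert on for any mongod that is reachable by other users on the host; over the full sample it is closed, one refused command is recorded, and the remote client trips the threshold while the single local failure does not.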

After connecting with mongo through that exception, create the first administrative user. The post uses __system; the documented sequence is to create a user administrator (userAdminAnyDatabase) first and, only if a full superuser is needed, a separate root user, as the replica set section below does. The password shown here equals the username and is for illustration only.

 

use admin
db.createUser(
  {
    user: "maclean",
    pwd: "maclean",
    roles: [ { role: "__system", db: "admin" } ]
  }
)

http://docs.mongodb.org/manual/reference/method/db.createUser/


Granting additional roles to an existing user (the user must exist in the database you are currently using, here admin, and the caller needs grantRole on that database, for example through userAdmin or userAdminAnyDatabase):

use admin
db.grantRolesToUser(
  "macleanz",
  [
    { role: "readAnyDatabase", db:"admin" }
  ]
)


http://docs.mongodb.org/manual/tutorial/assign-role-to-user/

Users to create when deploying a replica set with access control. The referenced tutorial starts every member with --keyFile pointing at the same shared secret so that members authenticate to each other; a keyfile implies --auth, so the same localhost exception applies while these two users are created on the primary:

use admin
db.createUser( {
    user: "siteUserAdmin",
    pwd: "<password>",   // placeholder: supply a strong password
    roles: [ { role: "userAdminAnyDatabase", db: "admin" } ]
  });
db.createUser( {
    user: "siteRootAdmin",
    pwd: "<password>",   // placeholder: supply a strong, different password
    roles: [ { role: "root", db: "admin" } ]
  });


http://docs.mongodb.org/manual/tutorial/deploy-replica-set-with-auth/

