一、用户验证
--auth: 在mongod启动项中加入--auth,mongodb启动后,就可以完成授权模块的启用;
虽然auth模块启用后本机还能否登陆到数据库,但是不具备增删改查的权限了,所以启动auth模块之前就应该创建一个超级用户
--keyFile <file>: 主要用于分片集群与副本集相互之间的授权使用,在单机情况下只要用到auth,如果是在集群(分片+副本集)环境下,就
必须要用到该参数;
可以通过配置文件控制,控制语句如下:
security.authorization: 功能更auth完全相同。在MongoDB 2.6版本开始,mongod/mongos的启动配置文件增加了YAML格式的写法,例:
security:
authorization: enabled
security.keyFile: 功能与--keyFile相同。在MongoDB 2.6版本开始,mongod/mongos的启动配置文件增加了YAML格式的写法,例:
security:
keyFile: /srv/mongodb/keyfile
mongdb在V3.0版本之后内置了root 角色,也就是结合了 readWriteAnyDatabase、dbAdminAnyDatabase 、 userAdminAnyDatabase、clusterAdmin 4个角色权限,类似于Oracle的sysdba角色,但是MongoDB的超级管理员用户名称是可以随便定义的:
> use admin
switched to db admin
> db.createUser(
... {
... user: "ljaiadmin",
... pwd: "123456",
... roles: [ { role: "root", db: "admin" } ]
... }
... )
重启完mongod进程后,接下来做一下权限的验证:
> use admin
switched to db admin
> db.auth('ljaiadmin','123456') (注:切换到admin用户进行授权验证)
1
> show dbs
> use admin
switched to db admin
> show users
创建普通用户:
use reporting
db.createUser(
{
user: "reportsUser",
pwd: "12345678",
roles: [
{ role: "read", db: "reporting" },
{ role: "read", db: "products" },
{ role: "read", db: "sales" },
{ role: "readWrite", db: "accounts" }
]
}
)
二、角色
(1).数据库用户角色
针对每一个数据库进行控制。
read :提供了读取所有非系统集合,以及系统集合中的system.indexes, system.js, system.namespaces
readWrite: 包含了所有read权限,以及修改所有非系统集合的和系统集合中的system.js的权限.
(2).数据库管理角色
每一个数据库包含了下面的数据库管理角色。
dbOwner:该数据库的所有者,具有该数据库的全部权限。
dbAdmin:一些数据库对象的管理操作,但是没有数据库的读写权限。(参考:http://docs.mongodb.org/manual/reference/built-in-roles/#dbAdmin)
userAdmin:为当前用户创建、修改用户和角色。拥有userAdmin权限的用户可以将该数据库的任意权限赋予任意的用户。
(3).集群管理权限
admin数据库包含了下面的角色,用户管理整个系统,而非单个数据库。这些权限包含了复制集和共享集群的管理函数。
clusterAdmin:提供了最大的集群管理功能。相当于clusterManager, clusterMonitor, and hostManager和dropDatabase的权限组合。
clusterManager:提供了集群和复制集管理和监控操作。拥有该权限的用户可以操作config和local数据库(即分片和复制功能)
clusterMonitor:仅仅监控集群和复制集。
hostManager:提供了监控和管理服务器的权限,包括shutdown节点,logrotate, repairDatabase等。
备份恢复权限:admin数据库中包含了备份恢复数据的角色。包括backup、restore等等。
(4).所有数据库角色
admin数据库提供了一个mongod实例中所有数据库的权限角色:
readAnyDatabase:具有read每一个数据库权限。但是不包括应用到集群中的数据库。
readWriteAnyDatabase:具有readWrite每一个数据库权限。但是不包括应用到集群中的数据库。
userAdminAnyDatabase:具有userAdmin每一个数据库权限,但是不包括应用到集群中的数据库。
dbAdminAnyDatabase:提供了dbAdmin每一个数据库权限,但是不包括应用到集群中的数据库。
(5). 超级管理员权限
root: dbadmin到admin数据库、useradmin到admin数据库以及UserAdminAnyDatabase。但它不具有备份恢复、直接操作system.*集合的权限,但是拥有root权限的超级用户可以自己给自己赋予这些权限。
(6). 备份恢复角色:backup、restore;
(7). 内部角色:__system
三、相关命令
除了 db.createUser() , 下面几个函数也是常用的:
创建角色: db.createRole()
更新角色:db.updateRole()
删除角色:db.dropRole()
获得某个角色信息: db.getRole()
更改密码:db.changeUserPassword("userName","newPwd")
获得“当前数据库”的所有用户权限信息:db.getUsers()
获得“某个指定用户”的权限信息:db.getUser("userName")
例:
> use company
switched to db company
> db.createUser(
... {user:"user01",pwd:"123",
... roles:[{"role":"readWrite",db:"company"}]
... })
Successfully added user: {
"user" : "user01",
"roles" : [
{
"role" : "readWrite",
"db" : "company"
}
]
}
> db.getUsers() #查看当前DB的users
..............
> db.auth("user01","123")
1
> db.changeUserPassword("user01","456") #更改用户密码
> db.auth("user01","456")
1
>
删除用户:db.dropUser()
例:
> use company
switched to db company
> db.dropUser("user01") #删除当前库的user
true
>
删除所有用户: db.dropAllUsers()
将指定角色赋予给用户:
db.grantRolesToUser("userName",[ {"role":"roleName1","db":"dbName"},{"role":"roleName2","db":"dbName"}... ])
撤销某个用户的某个角色权限:
db.revokeRolesFromUser("userName",[ {"role":"roleName1","db":"dbName"},{"role":"roleName2","db":"dbName"}... ])
四、实例:
[root@meteor ~]# service mongod start
Starting mongod: [确定]
[root@meteor ~]# mongo localhost:27027
MongoDB shell version: 3.2.8
connecting to: localhost:27027/test
Server has startup warnings:
> use admin
switched to db admin
> db.createUser(
... {user:"admin",pwd:"123456",
... roles:[{role:"root",db:"admin"}]
... })
Successfully added user: {
"user" : "admin",
"roles" : [
{
"role" : "root",
"db" : "admin"
} ] }
> use person
switched to db person
> db.p1.insert({name:"thompson",gender:"male",age:"24"})
WriteResult({ "nInserted" : 1 })
> db.p1.find()
{ "_id" : ObjectId("57a2a28aa6d4803a1c952529"), "name" : "thompson", "gender" : "male", "age" : "24" }
> exit
bye
[root@meteor ~]# mongo localhost:27027
MongoDB shell version: 3.2.8
connecting to: localhost:27027/test
> show dbs;
admin 0.000GB
local 0.000GB
person 0.000GB
> exit
bye
[root@meteor ~]# vim /etc/mongod.conf
[root@meteor ~]# sed -n '32,33p' /etc/mongod.conf 需要开启认证功能
security:
authorization: enabled
[root@meteor ~]# service mongod restart 修改完配置文件后必须重新启动才能生效
Stopping mongod: [确定]
Starting mongod: [确定]
[root@meteor ~]# mongo localhost:27027
MongoDB shell version: 3.2.8
connecting to: localhost:27027/test
> show dbs 如果未认证,系统提示错误
2016-08-04T10:06:08.491+0800 E QUERY [thread1] Error: listDatabases failed:{
"ok" : 0,
"errmsg" : "not authorized on admin to execute command { listDatabases: 1.0 }",
"code" : 13
} :
_getErrorWithCode@src/mongo/shell/utils.js:25:13
Mongo.prototype.getDBs@src/mongo/shell/mongo.js:62:1
shellHelper.show@src/mongo/shell/utils.js:761:19
shellHelper@src/mongo/shell/utils.js:651:15
@(shellhelp2):1:1
> use admin
switched to db admin
> db.auth("admin","123456") 认证
1
> use person
switched to db person
> db.createUser( 创建新用户
... {user:"person",pwd:"123",
... roles:[{role:"readWrite",db:"person"}]
... })
Successfully added user: {
"user" : "person",
"roles" : [
{
"role" : "readWrite",
"db" : "person"
} ] }
> use admin
switched to db admin
> db.system.users.find()
{ "_id" : "admin.admin", "user" : "admin", "db" : "admin", "credentials" : { "SCRAM-SHA-1" : { "iterationCount" : 10000, "salt" : "KFiaKAkrDqCJ/H8uIIhwzA==", "storedKey" : "faWxuPj1hZ4jV3VhL9Z0zylBL0Y=", "serverKey" : "qYSi5BRZY/GPTuBeF60KCvB5dqg=" } }, "roles" : [ { "role" : "root", "db" : "admin" } ] }
{ "_id" : "person.person", "user" : "person", "db" : "person", "credentials" : { "SCRAM-SHA-1" : { "iterationCount" : 10000, "salt" : "0tRiioYKdcx+On3uXgR/Sw==", "storedKey" : "8M69xFSgqniSeU7uvLqpzaclECs=", "serverKey" : "Znu2x5fAzMgrMKlxpj2I//1lcWc=" } }, "roles" : [ { "role" : "readWrite", "db" : "person" } ] }
> use person
switched to db person
> db.grantRolesToUser("person",[{role:"dbAdmin",db:"person"}]) 为用户附加其它角色
> use admin
switched to db admin
> db.system.users.find()
{ "_id" : "admin.admin", "user" : "admin", "db" : "admin", "credentials" : { "SCRAM-SHA-1" : { "iterationCount" : 10000, "salt" : "KFiaKAkrDqCJ/H8uIIhwzA==", "storedKey" : "faWxuPj1hZ4jV3VhL9Z0zylBL0Y=", "serverKey" : "qYSi5BRZY/GPTuBeF60KCvB5dqg=" } }, "roles" : [ { "role" : "root", "db" : "admin" } ] }
{ "_id" : "person.person", "user" : "person", "db" : "person", "credentials" : { "SCRAM-SHA-1" : { "iterationCount" : 10000, "salt" : "0tRiioYKdcx+On3uXgR/Sw==", "storedKey" : "8M69xFSgqniSeU7uvLqpzaclECs=", "serverKey" : "Znu2x5fAzMgrMKlxpj2I//1lcWc=" } }, "roles" : [ { "role" : "dbAdmin", "db" : "person" }, { "role" : "readWrite", "db" : "person" } ] }
> use person
switched to db person
> db.revokeRolesFromUser("person",[{role:"dbAdmin",db:"person"}]) 用户角色回收
> use admin
switched to db admin
> db.system.users.find()
{ "_id" : "admin.admin", "user" : "admin", "db" : "admin", "credentials" : { "SCRAM-SHA-1" : { "iterationCount" : 10000, "salt" : "KFiaKAkrDqCJ/H8uIIhwzA==", "storedKey" : "faWxuPj1hZ4jV3VhL9Z0zylBL0Y=", "serverKey" : "qYSi5BRZY/GPTuBeF60KCvB5dqg=" } }, "roles" : [ { "role" : "root", "db" : "admin" } ] }
{ "_id" : "person.person", "user" : "person", "db" : "person", "credentials" : { "SCRAM-SHA-1" : { "iterationCount" : 10000, "salt" : "0tRiioYKdcx+On3uXgR/Sw==", "storedKey" : "8M69xFSgqniSeU7uvLqpzaclECs=", "serverKey" : "Znu2x5fAzMgrMKlxpj2I//1lcWc=" } }, "roles" : [ { "role" : "readWrite", "db" : "person" } ] }
> exit
参考:https://docs.mongodb.com/manual/tutorial/create-users/
https://docs.mongodb.com/manual/reference/configuration-options/#security.authorization