MongoDB uses role-based access control: privileges are attached to roles, and roles are granted to users.
Core operation 1
```javascript
db.createRole(role, writeConcern) // create a new role in the current database
```
| Parameter | Type | Description |
|---|---|---|
| role | document | Role name plus definition (see below) |
| writeConcern | document | Write concern level, i.e. the durability guarantee required for the write |
The role document has the following format:
```javascript
{
  role: "<name>",                       // role name
  privileges: [
    { resource: { <resource> }, actions: [ "<action>", ... ] },
    ...
  ],                                    // privilege array: a resource plus the actions allowed on it (see appendix)
  roles: [
    { role: "<role>", db: "<database>" } | "<role>",
    ...
  ],                                    // parent roles; a role in the same database may be given as a plain string
  authenticationRestrictions: [
    {
      clientSource: ["<IP>" | "<CIDR range>", ...],
      serverAddress: ["<IP>" | "<CIDR range>", ...]
    },
    ...
  ]                                     // optional: the client IPs/CIDR ranges and server addresses the role may be used from
}
```
Notes:
- If a role inherits several roles whose authentication restrictions differ (for example, different client IPs), a user holding that role cannot authenticate at all.
- If the role is not created in the admin database, it can only hold privileges on that database and can only inherit roles defined in that database.
- Creating a role requires the createRole and grantRole actions on that database; setting authenticationRestrictions on the new role additionally requires the setAuthenticationRestriction action on that database.
- A resource takes one of three forms: Database and/or Collection Resource, Cluster Resource, or anyResource; see the appendix.
Example:
```javascript
use admin
db.createRole(
  {
    role: "myClusterwideAdmin",
    privileges: [
      { resource: { cluster: true }, actions: [ "addShard" ] },
      { resource: { db: "config", collection: "" }, actions: [ "find", "update", "insert", "remove" ] },
      { resource: { db: "users", collection: "usersCollection" }, actions: [ "update", "insert", "remove" ] },
      { resource: { db: "", collection: "" }, actions: [ "find" ] }
    ],
    roles: [
      { role: "read", db: "admin" }
    ]
  },
  { w: "majority" , wtimeout: 5000 }
)
```
Core operation 2
```javascript
db.createUser(user, writeConcern) // create a user in the current database
```
| Parameter | Type | Description |
|---|---|---|
| user | document | Authentication and access information |
| writeConcern | document | Write concern level, i.e. the durability guarantee required for the write |
The user document has the following format:
```javascript
{
  user: "<name>",                       // user name
  pwd: "<cleartext password>",          // password
  customData: { <any information> },    // optional free-form notes
  roles: [
    { role: "<role>", db: "<database>" } | "<role>",
    ...
  ],                                    // roles granted to this user; [] means no roles
  authenticationRestrictions: [
    {
      clientSource: ["<IP>" | "<CIDR range>", ...],
      serverAddress: ["<IP>" | "<CIDR range>", ...]
    },
    ...
  ],                                    // optional restriction array
  mechanisms: [ "<SCRAM-SHA-1|SCRAM-SHA-256>", ... ], // optional: the SCRAM mechanism(s) used to create the user's credentials; 3.6 defaults to SCRAM-SHA-1
  passwordDigestor: "<server|client>"   // optional: whether the client or the server computes the password digest
}
```
Notes:
- A role defined in the current database may be given as a plain role string; otherwise use the document form and name the role's database.
- The first role note applies here as well: roles with conflicting authentication restrictions leave the user unable to authenticate.
- Creating a user requires the createUser action on the current database; granting roles requires the grantRole action on each role's own database.
Example:
```javascript
use products
db.createUser(
  {
    user: "accountAdmin01",
    pwd: "changeMe",
    customData: { employeeId: 12345 },
    roles: [
      { role: "clusterAdmin", db: "admin" },
      { role: "readAnyDatabase", db: "admin" },
      "readWrite"
    ]
  },
  { w: "majority" , wtimeout: 5000 }
)
```
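The first role note and the second user note describe the same failure mode: a user whose roles carry non-overlapping authenticationRestrictions can never authenticate. The following is an added example (not from the MongoDB documentation) that resolves the effective clientSource allow-list through the role inheritance graph and flags that conflict before a createUser call is made; the role catalog, role names and addresses are constructed, and clientSource is modelled as exact IP strings rather than CIDR ranges.

```javascript
// Constructed sample role catalog keyed by "<db>.<role>"; clientSource is
// modelled as exact IP strings only (no CIDR matching), which is an assumption.
const ROLES = {
  "admin.dbaFromOffice": { roles: [],
    authenticationRestrictions: [{ clientSource: ["10.0.0.5", "10.0.0.6"] }] },
  "admin.dbaFromBastion": { roles: [],
    authenticationRestrictions: [{ clientSource: ["10.0.9.1"] }] },
  "admin.dbaAnywhere": { roles: [], authenticationRestrictions: [] },
  // inherits one restricted and one unrestricted role
  "admin.opsLead": { roles: [{ role: "dbaFromOffice", db: "admin" }, "dbaAnywhere"],
    authenticationRestrictions: [] },
};
// A role reference is either "<role>" (same db) or { role, db }.
function roleKey(ref, defaultDb) {
  return typeof ref === "string" ? `${defaultDb}.${ref}` : `${ref.db}.${ref.role}`;
}
// Intersect two allow-lists; null means "no restriction applies yet".
function intersect(a, b) {
  return a === null ? [...b] : a.filter((ip) => b.includes(ip));
}
// Walk the inheritance graph and return the client addresses permitted by
// every clientSource restriction on the way (null if none applies).
function effectiveClientSources(ref, defaultDb, seen = new Set()) {
  const k = roleKey(ref, defaultDb);
  if (seen.has(k)) return null; // already folded in, or a cycle: nothing new
  seen.add(k);
  const def = ROLES[k];
  if (!def) throw new Error(`unknown role ${k}`);
  let allowed = null;
  for (const r of def.authenticationRestrictions) {
    if (r.clientSource) allowed = intersect(allowed, r.clientSource);
  }
  for (const parent of def.roles) {
    const inherited = effectiveClientSources(parent, k.split(".")[0], seen);
    if (inherited !== null) allowed = intersect(allowed, inherited);
  }
  return allowed;
}

// A user is usable only if the intersection across all granted roles is
// non-empty, or no restriction applies at all (the first role note above).
function userCanAuthenticate(userRoles, userDb) {
  let allowed = null;
  for (const ref of userRoles) {
    const src = effectiveClientSources(ref, userDb);
    if (src !== null) allowed = intersect(allowed, src);
  }
  return allowed === null || allowed.length > 0;
}
```

Running the check against the planned roles array before createUser catches a user that would be created successfully yet rejected at every login.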
References:
db.createRole()
db.createUser()
Appendix:
Resource Document
Privilege Actions
Built-in Roles & Actions