mongoose configure oracle: MongoDB 3.0.x user authorization configuration (standalone environment)

    [root@fo169 bin]# ./mongo
    MongoDB shell version: 3.0.7
    connecting to: test
    Server has startup warnings:
    2015-10-29T15:12:14.257+0800 I CONTROL [initandlisten] ** WARNING: You are running this process as the root user, which is not recommended.
    2015-10-29T15:12:14.257+0800 I CONTROL [initandlisten]
    > show dbs
    local 0.000GB

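With no authentication configured, anyone who logs in to the database can perform any operation.

Configure the authentication module and restart the service:

I wrote a startup configuration file, mongodb.conf (the part highlighted in red in the original file, the security section, is the auth authorization module):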

    [root@fo169 bin]# cat mongodb.conf
    systemLog:
      destination: file
      path: "/data/auth/log/mongod.log"
      logAppend: true
    storage:
      journal:
        enabled: true
      dbPath: "/data/auth/db"
      directoryPerDB: true
      engine: wiredTiger
      wiredTiger:
        engineConfig:
          cacheSizeGB: 4
          directoryForIndexes: true
          journalCompressor: zlib
        collectionConfig:
          blockCompressor: zlib
        indexConfig:
          prefixCompression: true
    net:
      port: 27017
    processManagement:
      fork: true
    security:
      authorization: enabled

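Create an authorized user (super administrator):

Since version 3.0, MongoDB has a built-in root role, which combines the privileges of four roles: readWriteAnyDatabase, dbAdminAnyDatabase, userAdminAnyDatabase and clusterAdmin. It is similar to Oracle's sysdba role, but in MongoDB the super administrator's user name can be chosen freely: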

    [root@fo169 bin]# ./mongo
    MongoDB shell version: 3.0.7
    connecting to: test
    Server has startup warnings:
    2015-10-30T16:24:36.127+0800 I CONTROL [initandlisten] ** WARNING: You are running this process as the root user, which is not recommended.
    2015-10-30T16:24:36.127+0800 I CONTROL [initandlisten]
    > use admin
    switched to db admin
    > db.createUser(
    ... {
    ...   user: "ljaiadmin",
    ...   pwd: "123456",
    ...   roles: [ { role: "root", db: "admin" } ]
    ... }
    ... )
    Successfully added user: {
        "user" : "ljaiadmin",
        "roles" : [
            {
                "role" : "root",
                "db" : "admin"
            }
        ]
    }

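This creates a super administrator user named ljaiadmin. Global users or super users must be created in MongoDB's admin database (they can be created in other databases too, but then they do not have this role's capabilities). After restarting the mongod process, verify the permissions: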

    [root@fo169 bin]# ./mongo
    MongoDB shell version: 3.0.7
    connecting to: test
    > show dbs    (Note: at this point the shell reports that it is not authorized to run the listDatabases command)
    2015-10-30T16:41:31.131+0800 E QUERY Error: listDatabases failed:{
        "ok" : 0,
        "errmsg" : "not authorized on admin to execute command { listDatabases: 1.0 }",
        "code" : 13
    }
        at Error ()
        at Mongo.getDBs (src/mongo/shell/mongo.js:47:15)
        at shellHelper.show (src/mongo/shell/utils.js:630:33)
        at shellHelper (src/mongo/shell/utils.js:524:36)
        at (shellhelp2):1:1 at src/mongo/shell/mongo.js:47
    > use admin
    switched to db admin
    > db.auth('ljaiadmin','123456')    (Note: switch to the admin user and authenticate)
    1
    > show dbs    (Note: once authenticated, reads, writes and other operations are allowed)
    admin 0.000GB
    local 0.000GB
    test100 0.000GB
    test2 0.000GB
    > use test2
    switched to db test2
    > show tables
    test
    test2
    > db.test2.find()
    {"_id" : ObjectId("5632cf116207909a76446af7"), "name" : "1"}
    > db.test2.drop()
    true
    > db.dropDatabase()
    {"dropped" : "test2", "ok" : 1}
    > show dbs
    admin 0.000GB
    local 0.000GB
    test100 0.000GB
    > use test100
    switched to db test100
    > db.test111.insert({"test":"test"})
    WriteResult({"nInserted" : 1})
    > db.test111.find()
    {"_id" : ObjectId("56332db373f771b3d95638bb"), "test" : "test"}
    > use admin
    switched to db admin
    > show users
    {
        "_id" : "admin.ljaiadmin",
        "user" : "ljaiadmin",
        "db" : "admin",
        "roles" : [
            {
                "role" : "root",
                "db" : "admin"
            }
        ]
    }
    >

Create a regular user

Take the rwtest123 user, which can read and write the test123 database, as an example:

    > use test123
    switched to db test123
    > db.createUser(
    ... {
    ...   user: "rwtest123",
    ...   pwd: "123456",
    ...   roles: [ { role: "readWrite", db: "test123" } ]
    ... }
    ... )
    Successfully added user: {
        "user" : "rwtest123",
        "roles" : [
            {
                "role" : "readWrite",
                "db" : "test123"
            }
        ]
    }
    # The rwtest123 user created here can insert, delete, update and query in the test123 database, but cannot do anything else
    > db.auth('rwtest123','123456')
    switched to db test123
    > db.test123.insert({"test":"test"})
    WriteResult({"nInserted" : 1})
    > db.test123.find()
    {"_id" : ObjectId("563332ebc8a59ae4fe96bbf5"), "test" : "test"}
    > db.test123.drop()
    true
    > use test100
    switched to db test100
    > db.test100.find()
    Error: error: {"$err" : "not authorized for query on test100.test100", "code" : 13}
    >

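Configuration references:

MongoDB offers quite a few options for user permission control: there are built-in, predefined roles, and you can also define your own roles and privileges. Permissions should be assigned according to business needs:

Description of the built-in roles (the built-in roles are generally enough to meet the needs of a production environment):

https://docs.mongodb.org/manual/core/security-built-in-roles/

Description of user-defined roles:

https://docs.mongodb.org/manual/core/security-user-defined-roles/

Description of user management configuration:

https://docs.mongodb.org/manual/reference/method/#user-management-methods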
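
To check that permissions really are assigned according to need, the following added example (not code from the original post) audits user documents in the shape that show users prints above and flags grants that reach beyond a single database. The function name auditUsers and the "report" account are assumptions made for illustration, and the sample data is constructed.

```javascript
// Added example: audit user documents shaped like the `show users` output.
// Roles with instance-wide reach, as named in this article.
var INSTANCE_WIDE = ["root", "readWriteAnyDatabase", "dbAdminAnyDatabase",
                     "userAdminAnyDatabase", "clusterAdmin"];

// Returns one finding per questionable grant: { user, role, reason }.
function auditUsers(users) {
  var findings = [];
  users.forEach(function (u) {
    var roles = u.roles || [];
    if (roles.length === 0) {
      findings.push({ user: u._id, role: null, reason: "account has no roles" });
    }
    roles.forEach(function (r) {
      var grant = r.role + "@" + r.db;
      if (INSTANCE_WIDE.indexOf(r.role) !== -1) {
        findings.push({ user: u._id, role: grant, reason: "instance-wide role" });
      } else if (r.db !== u.db) {
        // The user authenticates against u.db but holds a role elsewhere.
        findings.push({ user: u._id, role: grant,
                        reason: "role on a database other than the user's own" });
      }
    });
  });
  return findings;
}

// Constructed sample input: the two users created in this article plus a
// hypothetical "report" account that also holds readWrite on test100.
var SAMPLE_USERS = [
  { _id: "admin.ljaiadmin", user: "ljaiadmin", db: "admin",
    roles: [{ role: "root", db: "admin" }] },
  { _id: "test123.rwtest123", user: "rwtest123", db: "test123",
    roles: [{ role: "readWrite", db: "test123" }] },
  { _id: "test123.report", user: "report", db: "test123",
    roles: [{ role: "read", db: "test123" }, { role: "readWrite", db: "test100" }] }
];

auditUsers(SAMPLE_USERS).forEach(function (f) {
  console.log(f.user + ": " + f.role + " -> " + f.reason);
});
```

Against a live server, the same function can be given the array returned by db.getSiblingDB("admin").system.users.find().toArray() while authenticated as an administrator.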
