After MongoDB is installed, there are two ways to start it:
This is the default way to start it, with no auth verification enabled; or
./mongod --auth --dbpath=/home/sfapp/dev/mongodb/mongodb-3.4.2/mongo_data --port=27017 --fork --logpath=/home/sfapp/dev/mongodb/mongodb-3.4.2/logs/mongodb.log
This starts it with auth verification enabled. In this mode you must authenticate before operating on each database, and by default the shell first enters the test db, so once verification is enabled you must make sure a user has been added on test. The following is a brief walkthrough of creating users.
First start MongoDB with auth verification off and create a user with grant privileges, i.e. an account administrator:
```
> use admin
switched to db admin
> db.createUser(
...   {
...     user: "dba",
...     pwd: "dba",
...     roles: [ { role: "userAdminAnyDatabase", db: "admin" } ]
...   }
... )
Successfully added user: { "user" : "dba", "roles" : [ { "role" : "userAdminAnyDatabase", "db" : "admin" } ] }
```
The user ("dba","dba") is now created. It is stored in admin with the role userAdminAnyDatabase (user-level database administration privileges) and can later be used to manage other user accounts. Here is a summary of MongoDB's roles.
Built-in roles:
1. Database user roles: read, readWrite
2. Database administration roles: dbAdmin, dbOwner, userAdmin
3. Cluster administration roles: clusterAdmin, clusterManager, clusterMonitor, hostManager
4. Backup and restore roles: backup, restore
5. All-database roles: readAnyDatabase, readWriteAnyDatabase, userAdminAnyDatabase, dbAdminAnyDatabase
6. Superuser role: root (several other roles also provide superuser access to the system, directly or indirectly: dbOwner, userAdmin, userAdminAnyDatabase)
7. Internal role: __system

| Role | Description |
|---|---|
| read | Allows the user to read the specified database |
| readWrite | Allows the user to read and write the specified database |
| dbAdmin | Allows the user to run administrative functions in the specified database, such as creating and dropping indexes, viewing statistics, or accessing system.profile |
| userAdmin | Allows the user to write to the system.users collection and to create, delete and manage users in the specified database |
| clusterAdmin | Only available in the admin database; grants the user administrative privileges over all sharding and replica-set functions |
| readAnyDatabase | Only available in the admin database; grants the user read privileges on all databases |
| readWriteAnyDatabase | Only available in the admin database; grants the user read and write privileges on all databases |
| userAdminAnyDatabase | Only available in the admin database; grants the user userAdmin privileges on all databases |
| dbAdminAnyDatabase | Only available in the admin database; grants the user dbAdmin privileges on all databases |
| root | Only available in the admin database; the superuser account with full privileges |
Now let's look at what changed:
```
> show dbs;
admin          0.000GB
jetty_session  0.010GB
local          0.001GB
test           0.000GB
tong           0.002GB
> use admin
switched to db admin
> show collections
system.users
system.version
>
```
It is clear that an admin database has appeared. Looking at the collections in admin shows that the users we create are all stored in the system.users collection; the user we just created can be viewed with a query:
Next, create for test a user test with readWrite privileges:
```
> use test
switched to db test
> db.createUser(
...   {
...     user: "test",
...     pwd: "test",
...     roles: [ { role: "readWrite", db: "test" } ]
...   }
... )
Successfully added user: { "user" : "test", "roles" : [ { "role" : "readWrite", "db" : "test" } ] }
>
```
and for the tong database create a user ton with readWrite privileges:
```
> use tong
switched to db tong
> db.createUser(
...   {
...     user: "ton",
...     pwd: "1234",
...     roles: [ { role: "readWrite", db: "tong" } ]
...   }
... )
Successfully added user: { "user" : "ton", "roles" : [ { "role" : "readWrite", "db" : "tong" } ] }
>
```
With that, the basic users are created. Finally, let's look at all the users just created together:
```
> use admin
switched to db admin
> db.system.users.find({},{_id:0,credentials:0}).pretty();
{
	"user" : "dba",
	"db" : "admin",
	"roles" : [
		{
			"role" : "userAdminAnyDatabase",
			"db" : "admin"
		}
	]
}
{
	"user" : "test",
	"db" : "test",
	"roles" : [
		{
			"role" : "readWrite",
			"db" : "test"
		}
	]
}
{
	"user" : "ton",
	"db" : "tong",
	"roles" : [
		{
			"role" : "readWrite",
			"db" : "tong"
		}
	]
}
>
```
User privileges are now set up. Start MongoDB with auth verification enabled (mongod --auth) and do some basic operations:
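As an added example (not code from the original post), the following script audits user documents of the shape stored in admin.system.users for the two points the post raises: the role summary's note that some roles grant superuser access, and the warning that a database with no user becomes unreachable once mongod runs with --auth. The sample users and database list are constructed from the post's own output; treating dbOwner/userAdmin as superuser-equivalent only on the admin database, and local/config as system databases, are assumptions.

```javascript
// Roles that are superuser-equivalent on any database.
const ALWAYS_SUPER = new Set(["root", "__system"]);
// Roles that are superuser-equivalent when granted on the admin database
// (assumption, following MongoDB's documentation and the post's note).
const SUPER_ON_ADMIN = new Set(["dbOwner", "userAdmin", "userAdminAnyDatabase"]);
// System databases that do not need an application user (assumption).
const SYSTEM_DBS = new Set(["local", "config"]);

function isSuperuserRole(role) {
  return ALWAYS_SUPER.has(role.role) ||
    (role.db === "admin" && SUPER_ON_ADMIN.has(role.role));
}

// Returns the "db.user" ids of users holding a superuser-equivalent role.
function findPrivilegedUsers(users) {
  return users
    .filter(u => u.roles.some(isSuperuserRole))
    .map(u => `${u.db}.${u.user}`);
}

// Returns databases from `show dbs` on which no user holds a role.
// Deliberately counts only roles scoped to a specific database; the
// *AnyDatabase roles are not treated as covering a database here.
function findDatabasesWithoutUsers(dbNames, users) {
  const covered = new Set();
  for (const u of users) {
    for (const r of u.roles) covered.add(r.db);
  }
  return dbNames.filter(name => !SYSTEM_DBS.has(name) && !covered.has(name));
}

// Constructed sample: the three users and the database list from the post.
const SAMPLE_USERS = [
  { user: "dba",  db: "admin", roles: [{ role: "userAdminAnyDatabase", db: "admin" }] },
  { user: "test", db: "test",  roles: [{ role: "readWrite", db: "test" }] },
  { user: "ton",  db: "tong",  roles: [{ role: "readWrite", db: "tong" }] },
];
const SAMPLE_DBS = ["admin", "jetty_session", "local", "test", "tong"];

console.log("privileged users:", findPrivilegedUsers(SAMPLE_USERS));
console.log("databases without users:", findDatabasesWithoutUsers(SAMPLE_DBS, SAMPLE_USERS));
```

Against the post's data this reports dba as the only privileged user and jetty_session as the only database nobody can authenticate to.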
```
[sfapp@cmos1 bin]$ ./mongo
MongoDB shell version v3.4.2
connecting to: mongodb://127.0.0.1:27017
MongoDB server version: 3.4.2
> db.auth("test","test")
1
> use admin
switched to db admin
> db.auth("dba","dba")
1
> use tong
switched to db tong
> db.auth("ton","1234")
1
> show collections;
Person
fs.chunks
fs.files
system.profile
system.users
testdb
tong
user
> db.tong.find({},{_id:0}).limit(1);
{ "test1" : "testval1" }
>
```
Look at the three collections:
```
> use admin
switched to db admin
> db.auth("dba","dba")
1
> db.system.users.find()
{ "_id" : "admin.dba", "user" : "dba", "db" : "admin", "credentials" : { "SCRAM-SHA-1" : { "iterationCount" : 10000, "salt" : "oE91+FyMn5AP6/dfbXjZFw==", "storedKey" : "sjWZjCfy3Qazu1o+YBd1PWOOJTg=", "serverKey" : "dX4Kpvvnno2pwSIfru0r0nk1ykU=" } }, "roles" : [ { "role" : "userAdminAnyDatabase", "db" : "admin" } ] }
{ "_id" : "test.test", "user" : "test", "db" : "test", "credentials" : { "SCRAM-SHA-1" : { "iterationCount" : 10000, "salt" : "IMoCGqFwsw1wcXMhltobDA==", "storedKey" : "t9AP09O/KmRrusAD3mNuWqtezuk=", "serverKey" : "9/8YO+6a7w1lXYZF1acSBX+JMyA=" } }, "roles" : [ { "role" : "readWrite", "db" : "test" } ] }
{ "_id" : "tong.ton", "user" : "ton", "db" : "tong", "credentials" : { "SCRAM-SHA-1" : { "iterationCount" : 10000, "salt" : "IM07khO/MZ5t2KFlaHstmQ==", "storedKey" : "FKu/m8lnb6nQWDLlFuUxH6jZvVo=", "serverKey" : "JCEEVz0bh+AuNjCgGqnTaAsj8aY=" } }, "roles" : [ { "role" : "readWrite", "db" : "tong" } ] }
> db.system.users.find();
{ "_id" : "admin.dba", "user" : "dba", "db" : "admin", "credentials" : { "SCRAM-SHA-1" : { "iterationCount" : 10000, "salt" : "oE91+FyMn5AP6/dfbXjZFw==", "storedKey" : "sjWZjCfy3Qazu1o+YBd1PWOOJTg=", "serverKey" : "dX4Kpvvnno2pwSIfru0r0nk1ykU=" } }, "roles" : [ { "role" : "userAdminAnyDatabase", "db" : "admin" } ] }
{ "_id" : "test.test", "user" : "test", "db" : "test", "credentials" : { "SCRAM-SHA-1" : { "iterationCount" : 10000, "salt" : "IMoCGqFwsw1wcXMhltobDA==", "storedKey" : "t9AP09O/KmRrusAD3mNuWqtezuk=", "serverKey" : "9/8YO+6a7w1lXYZF1acSBX+JMyA=" } }, "roles" : [ { "role" : "readWrite", "db" : "test" } ] }
{ "_id" : "tong.ton", "user" : "ton", "db" : "tong", "credentials" : { "SCRAM-SHA-1" : { "iterationCount" : 10000, "salt" : "IM07khO/MZ5t2KFlaHstmQ==", "storedKey" : "FKu/m8lnb6nQWDLlFuUxH6jZvVo=", "serverKey" : "JCEEVz0bh+AuNjCgGqnTaAsj8aY=" } }, "roles" : [ { "role" : "readWrite", "db" : "tong" } ] }
> db.system.indexes.find();
Error: error: {
	"ok" : 0,
	"errmsg" : "not authorized on admin to execute command { find: \"system.indexes\", filter: {} }",
	"code" : 13,
	"codeName" : "Unauthorized"
}
> db.system.version.find();
{ "_id" : "featureCompatibilityVersion", "version" : "3.4" }
{ "_id" : "authSchema", "currentVersion" : 5 }
>
```