While migrating MongoDB databases recently, I found that when migrating a sharded cluster the views and functions were not carried over to the target side. The DDL definitions of the views and functions have to be queried manually on the source side and then recreated on the target, but querying the views failed with an insufficient-privilege error.
Querying the view DDL definitions on the MongoDB sharded cluster produced the following error:
[mongo@centos7 ~]$ mongo --port 50001 -usys -pzhulei --authenticationDatabase admin
MongoDB shell version v4.2.3
connecting to: mongodb://127.0.0.1:50001/?authSource=admin&compressors=disabled&gssapiServiceName=mongodb
Implicit session: session { "id" : UUID("d53970e1-edce-4811-b827-4386a0f3f707") }
MongoDB server version: 4.2.3
>
> use poc_mig_mongo1
switched to db poc_mig_mongo1
> show tables;
ceshi1
ceshi2
ceshi3
ceshi4
ceshi5
system.views
v_ceshi2
v_ceshi3
v_ceshi4
v_ceshi5
> db.system.views.find();
Error: error: {
"ok" : 0,
"errmsg" : "not authorized on poc_mig_mongo1 to execute command { find: \"system.views\", filter: {}, lsid: { id: UUID(\"e2d688de-b6e8-4bc9-9685-8344af3b9132\") }, $db: \"poc_mig_mongo1\" }",
"code" : 13,
"codeName" : "Unauthorized"
}
After some searching, someone online pointed out that a new role granting query access on system.views has to be created. Views created inside MongoDB are stored in the system.views collection of the database they belong to, and ordinary users have no permission to query that collection, so a role with query access on system.views must be created manually and granted to the business user or another ordinary administrative user. See: https://dba.stackexchange.com/questions/247324/mongodb-admin-user-cannot-access-system-views-collection.
The steps taken to resolve this view DDL query error were as follows:
Step 1: restart MongoDB with authentication disabled, log in without a password, create the role and grant it
---Create the view query role
> use admin
switched to db admin
> db.runCommand({ createRole: "readViewCollection",
... privileges: [
... { resource: { db: "", collection: "system.views" }, actions: [ "find"] }],
... roles : []
... })
{ "ok" : 1 }
>
---Check the database's internal users
> db.system.users.find();
{ "_id" : "admin.sys", "userId" : UUID("2b81f6a2-ffe9-44f9-8894-d7ded8af414c"), "user" : "sys", "db" : "admin", "credentials" : { "SCRAM-SHA-1" : { "iterationCount" : 10000, "salt" : "uoRvRSkMfQVw9uJKJKD2/Q==", "storedKey" : "5yLO4i4yVulN+kg1FwQHcAThLqM=", "serverKey" : "/3PPUXlxv3SZX7P5KgfQKwlXNzM=" }, "SCRAM-SHA-256" : { "iterationCount" : 15000, "salt" : "cg5AAevAY4lXvgi+5zMRrbug4jTor3HKh2helg==", "storedKey" : "qU1INTjrtuvD+3S9PTmOzlnAV8+OEnsT/kjo34MavwI=", "serverKey" : "9XiUPP2X+4TSqFte4a17vJkHlD2eVXv3aorTCQQPdu8=" } }, "roles" : [ { "role" : "read", "db" : "poc_mig_mongo1" }, { "role" : "userAdminAnyDatabase", "db" : "admin" }, { "role" : "dbAdmin", "db" : "poc_mig_mongo1" }, { "role" : "readWrite", "db" : "poc_mig_mongo1" } ] }
>
---Grant the view query role to the sys user
> use admin
switched to db admin
> db.grantRolesToUser('sys',['readViewCollection']);
>
Step 2: log in with authentication and test
[mongo@centos7 ~]$ mongo --port 50001 -usys -pzhulei --authenticationDatabase admin
MongoDB shell version v4.2.3
connecting to: mongodb://127.0.0.1:50001/?authSource=admin&compressors=disabled&gssapiServiceName=mongodb
Implicit session: session { "id" : UUID("d53970e1-edce-4811-b827-4386a0f3f707") }
MongoDB server version: 4.2.3
>
> show dbs;
admin 0.000GB
config 0.000GB
dns_testdb 0.012GB
local 0.000GB
poc_mig_mongo1 0.000GB
> use poc_mig_mongo1
switched to db poc_mig_mongo1
> show tables;
ceshi1
ceshi2
ceshi3
ceshi4
ceshi5
system.views
v_ceshi2
v_ceshi3
v_ceshi4
v_ceshi5
> db.system.views.find();
{ "_id" : "poc_mig_mongo1.v_ceshi5", "viewOn" : "ceshi5", "pipeline" : [ { "$match" : { "name" : "nanjing" } } ] }
{ "_id" : "poc_mig_mongo1.v_ceshi3", "viewOn" : "ceshi13", "pipeline" : [ { "$match" : { "name" : "hubei" } } ] }
{ "_id" : "poc_mig_mongo1.v_ceshi4", "viewOn" : "ceshi42", "pipeline" : [ { "$match" : { "name" : "hunan" } } ] }
{ "_id" : "poc_mig_mongo1.v_ceshi2", "viewOn" : "ceshi2", "pipeline" : [ { "$match" : { "name" : "nanning" } } ] }
>
Problem resolved!
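The system.views documents above are the source-side view DDL that has to be rebuilt on the target. The following mongo-shell JavaScript is an added example, not code from the original post: it takes an export of system.views documents (the sample array is constructed to mirror the output above, plus one view defined on another view) and renders the db.createView() statements in dependency order. The parseViewId, orderViews and viewDdl names are my own.

```javascript
// Constructed sample: documents as returned by db.system.views.find()
// on the source side, including a view built on top of another view.
const sampleSystemViews = [
  { _id: "poc_mig_mongo1.v_ceshi5", viewOn: "ceshi5", pipeline: [{ $match: { name: "nanjing" } }] },
  { _id: "poc_mig_mongo1.v_ceshi2", viewOn: "ceshi2", pipeline: [{ $match: { name: "nanning" } }] },
  { _id: "poc_mig_mongo1.v.with.dots", viewOn: "v_ceshi2", pipeline: [] },
];

// _id is "<db>.<view>". Database names cannot contain '.', but view
// names can, so split on the first dot only.
function parseViewId(id) {
  const dot = id.indexOf(".");
  if (dot <= 0 || dot === id.length - 1) throw new Error(`bad view _id: ${id}`);
  return { db: id.slice(0, dot), view: id.slice(dot + 1) };
}

// Order the documents so a view is created after the view it reads from;
// a view defined on a plain collection has no dependency.
function orderViews(docs) {
  const byName = new Map(docs.map(d => [parseViewId(d._id).view, d]));
  const done = new Set();
  const out = [];
  const visit = (d, stack) => {
    const { view } = parseViewId(d._id);
    if (done.has(view)) return;
    if (stack.has(view)) throw new Error(`cyclic view definition at ${view}`);
    stack.add(view);
    const dep = byName.get(d.viewOn);
    if (dep) visit(dep, stack);
    done.add(view);
    out.push(d);
  };
  for (const d of docs) visit(d, new Set());
  return out;
}

// One createView statement per document; getSiblingDB() works both in the
// interactive shell and in a script file, unlike the "use" helper.
function viewDdl(docs) {
  return orderViews(docs).map(d => {
    const { db, view } = parseViewId(d._id);
    const pipeline = JSON.stringify(d.pipeline || []);
    return `db.getSiblingDB(${JSON.stringify(db)}).createView(${JSON.stringify(view)}, ${JSON.stringify(d.viewOn)}, ${pipeline});`;
  });
}

viewDdl(sampleSystemViews).forEach(stmt => console.log(stmt));
```

On a real migration, replace the constructed array with `db.system.views.find().toArray()` run as a user holding the find-only role created above, and feed the printed statements to the target cluster.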