MongoDB中几种常用用户角色:
dbAdmin 在db范围内包括下面的权限:
- collStats
- dbHash
- dbStats
- find
- killCursors
- listIndexes
- listCollections
- dropCollection 和 createCollection on system.profile only
userAdmin在db范围内包括如下权限:
- changeCustomData
- changePassword
- createRole
- createUser
- dropRole
- dropUser
- grantRole
- revokeRole
- viewRole
- viewUser
readAnyDatabase 对所有数据库中的collection可读,同时包含listDatabases权限
readWriteAnyDatabase 对所有数据库中的collection可读且可写,同时包含listDatabases权限
userAdminAnyDatabase 对所有数据库拥有userAdmin角色,同时包含listDatabases权限
dbAdminAnyDatabase 对所有数据库拥有dbAdmin角色,同时包含listDatabases权限
cluster相关的权限 clusterMonitor、hostManager、clusterManager、clusterAdmin
root权限, 包含 readWriteAnyDatabase, dbAdminAnyDatabase, userAdminAnyDatabase 和 clusterAdmin 等角色。 但不能访问system. 开头的collection(root does not include any access to collections that begin with the system. prefix.)
__system 超级角色
相关官方文档:
http://docs.mongodb.org/manual/reference/built-in-roles/#__system
__system包含下面这些权限:
> use admin switched to db admin > db.createUser( ... { ... user: "maclean_dbdao2", ... pwd: "maclean_dbdao2", ... roles: [ { role: "__system", db: "admin" } ] ... } ... ) Successfully added user: { "user" : "maclean_dbdao2", "roles" : [ { "role" : "__system", "db" : "admin" } ] } > > > bye 10:~ maclean$ mongo localhost:35002/admin -u maclean_dbdao2 -p MongoDB shell version: 3.0.2 Enter password: connecting to: localhost:35002/admin > show roles { "role" : "__system", "db" : "admin", "isBuiltin" : true, "roles" : [ ], "inheritedRoles" : [ ] } { "role" : "backup", "db" : "admin", "isBuiltin" : true, "roles" : [ ], "inheritedRoles" : [ ] } { "role" : "clusterAdmin", "db" : "admin", "isBuiltin" : true, "roles" : [ ], "inheritedRoles" : [ ] } { "role" : "clusterManager", "db" : "admin", "isBuiltin" : true, "roles" : [ ], "inheritedRoles" : [ ] } { "role" : "clusterMonitor", "db" : "admin", "isBuiltin" : true, "roles" : [ ], "inheritedRoles" : [ ] } { "role" : "dbAdmin", "db" : "admin", "isBuiltin" : true, "roles" : [ ], "inheritedRoles" : [ ] } { "role" : "dbAdminAnyDatabase", "db" : "admin", "isBuiltin" : true, "roles" : [ ], "inheritedRoles" : [ ] } { "role" : "dbOwner", "db" : "admin", "isBuiltin" : true, "roles" : [ ], "inheritedRoles" : [ ] } { "role" : "hostManager", "db" : "admin", "isBuiltin" : true, "roles" : [ ], "inheritedRoles" : [ ] } { "role" : "read", "db" : "admin", "isBuiltin" : true, "roles" : [ ], "inheritedRoles" : [ ] } { "role" : "readAnyDatabase", "db" : "admin", "isBuiltin" : true, "roles" : [ ], "inheritedRoles" : [ ] } { "role" : "readWrite", "db" : "admin", "isBuiltin" : true, "roles" : [ ], "inheritedRoles" : [ ] } { "role" : "readWriteAnyDatabase", "db" : "admin", "isBuiltin" : true, "roles" : [ ], "inheritedRoles" : [ ] } { "role" : "restore", "db" : "admin", "isBuiltin" : true, "roles" : [ ], "inheritedRoles" : [ ] } { "role" : "root", "db" : "admin", "isBuiltin" : true, "roles" : [ ], "inheritedRoles" : [ ] } { "role" : "userAdmin", "db" : "admin", "isBuiltin" : true, "roles" : [ ], "inheritedRoles" : [ ] } { "role" : "userAdminAnyDatabase", "db" : "admin", "isBuiltin" : true, "roles" : [ ], "inheritedRoles" : [ ] } mongodb 3.0中db.getUsers() 获得db中的用户信息 > db.getUsers(); [ { "_id" : "admin.maclean", "user" : "maclean", "db" : "admin", "roles" : [ { "role" : "userAdminAnyDatabase", "db" : "admin" } ] }, { "_id" : "admin.maclean1", "user" : "maclean1", "db" : "admin", "roles" : [ { "role" : "__system", "db" : "admin" } ] }, { "_id" : "admin.maclean_dbdao2", "user" : "maclean_dbdao2", "db" : "admin", "roles" : [ { "role" : "__system", "db" : "admin" } ] } ]
启用mongodb授权认证的方法:
1、以–auth 启动mongod
2、在配置文件mongod.conf 中加入 auth = true
第一次启用–auth时会出现:
2015-05-13T11:20:22.296+0800 I ACCESS [conn1] note: no users configured in admin.system.users, allowing localhost access
2015-05-13T11:20:22.297+0800 I ACCESS [conn1] Unauthorized not authorized on admin to execute command { getLog: “startupWarnings” }
2015-05-13T12:07:08.680+0800 I INDEX [conn1] build index on: admin.system.users properties: { v: 1, unique: true, key: { user: 1, db: 1 }, name: “user_1_db_1”, ns: “admin.system.users” }
即之前未定义过用户,所以mongod将允许本地直接访问
mongo 登陆后 创建一个合适的超级用户
use admin db.createUser( { user: "maclean", pwd: "maclean", roles: [ { role: "__system", db: "admin" } ] } ) http://docs.mongodb.org/manual/reference/method/db.createUser/
给一个用户授权 :
use admin db.grantRolesToUser( "macleanz", [ { role: "readAnyDatabase", db:"admin" } ] ) http://docs.mongodb.org/manual/tutorial/assign-role-to-user/
启用replica set 时需要做的授权:
use admin db.createUser( { user: "siteUserAdmin", pwd: "", roles: [ { role: "userAdminAnyDatabase", db: "admin" } ] }); db.createUser( { user: "siteRootAdmin", pwd: "", roles: [ { role: "root", db: "admin" } ] }); http://docs.mongodb.org/manual/tutorial/deploy-replica-set-with-auth/
Comment