MongoDB 4.0 user permissions and authenticated login

MongoDB user authorization and authentication

In most deployments a MongoDB database should only accept authenticated connections, which means an administrator and authenticated users have to be created on the database. For MongoDB, the roles assigned when the administrator and users are created are what decide which operations a user may perform. MongoDB stores user information in the system.users collection.

Steps for user authorization and authentication
1. Create the users and grant them roles
2. Verify the credentials
3. Shut down the database
4. Enable authentication in the configuration file
5. Log in as an authenticated user

Create two users, one with the root role and one with the dbOwner role. This method requires switching to the database first.

> use admin   <--- switch to the admin database
switched to db admin

> db.createUser({"user":"root","pwd":"123","roles":["root"]})
Successfully added user: { "user" : "root", "roles" : [ "root" ] }
> db.createUser({"user":"shengjie","pwd":"123","roles":["dbOwner"]})
Successfully added user: { "user" : "shengjie", "roles" : [ "dbOwner" ] }

> db.auth("root","123")  <--- verify the credentials before enabling authentication; a result of 1 means success
1
> db.auth("shengjie","123")
1

Create the user zhangsan directly, with a role scoped to the school database

> db.createUser({"user":"zhangsan","pwd":"123","roles":[{"role":"dbOwner","db":"school"}]})
Successfully added user: {
	"user" : "zhangsan",
	"roles" : [
		{
			"role" : "dbOwner",
			"db" : "school"
		}
	]
}
  • db.createUser: create a user
  • db.auth: authenticate a user
  • user: user name
  • pwd: password
  • roles: roles granted to the user

Change a user's password (after changing it, run db.auth again to re-authenticate)

> db.changeUserPassword('root','abc123')  // change the password
> db.auth("root","abc123")
1

Delete a user

> use admin
switched to db admin
> db.dropUser('shengjie')   // delete the user
true

Two ways to list users:

  • show users
  • db.system.users.find()
> show users
{
	"_id" : "admin.root",
	"userId" : UUID("2b85240b-9a85-4000-988d-d6f97667835d"),
	"user" : "root",
	"db" : "admin",
	"roles" : [
		{
			"role" : "root",
			"db" : "admin"   <---- the database the role applies to; defaults to admin when not specified
		}
	],
	"mechanisms" : [
		"SCRAM-SHA-1",
		"SCRAM-SHA-256"
	]
}
{
	"_id" : "admin.shengjie",
	"userId" : UUID("217982a5-7599-48c0-9621-10944dc86b43"),
	"user" : "shengjie",
	"db" : "admin",
	"roles" : [
		{
			"role" : "dbOwner",
			"db" : "admin"
		}
	],
	"mechanisms" : [
		"SCRAM-SHA-1",
		"SCRAM-SHA-256"
	]
}
> db.system.users.find()  // list existing users
{ "_id" : "admin.root", "userId" : UUID("2b85240b-9a85-4000-988d-d6f97667835d"), "user" : "root", "db" : "admin", "credentials" : { "SCRAM-SHA-1" : { "iterationCount" : 10000, "salt" : "/n7wVaiqHazoYR0yC3SgaQ==", "storedKey" : "pZcCRgrhqzPXeDS5WjHfmmFYuF0=", "serverKey" : "esIkysqkOjYKb+tLKKj8PRDPAZ0=" }, "SCRAM-SHA-256" : { "iterationCount" : 15000, "salt" : "2+uKNokdaS3G4gh24j3f/7YPWStF2BBzCzv8RQ==", "storedKey" : "o4Fg35Oxeuoxe35Wtmc5oHV0HVIlgpY3GW2FeHaO+FM=", "serverKey" : "GHhiCkLfY63vZx4QfkrNaxFmqsdmLl7KA33/1TV5Dx0=" } }, "roles" : [ { "role" : "root", "db" : "admin" } ] }
{ "_id" : "admin.shengjie", "userId" : UUID("217982a5-7599-48c0-9621-10944dc86b43"), "user" : "shengjie", "db" : "admin", "credentials" : { "SCRAM-SHA-1" : { "iterationCount" : 10000, "salt" : "6Yr0+CtSlQIsrPfTM+iD/Q==", "storedKey" : "ViNev/px+sdqNT2j7GaWzhQwTp0=", "serverKey" : "mVTuI0RYDi20VED4znjf1v2xyag=" }, "SCRAM-SHA-256" : { "iterationCount" : 15000, "salt" : "vce2grLCn+bQf725O+QT/UkXpW3vCRE0z+x1Hg==", "storedKey" : "PjD0MKvPy+APOoBeGWattgJaTBNPJ9C0Tix4vKAkNag=", "serverKey" : "Slfv30MRwniG3vYUxjzcoaY6imHEbTrSWv0KwMVVg3A=" } }, "roles" : [ { "role" : "dbOwner", "db" : "admin" } ] }

Display user information in a more readable form:
db.system.users.find().pretty()

> db.system.users.find().pretty()
{
	"_id" : "admin.root",
	"userId" : UUID("3320dfaa-4f78-4673-9f05-d1f9a0f07efb"),
	"user" : "root",
	"db" : "admin",
	"credentials" : {
		"SCRAM-SHA-1" : {
			"iterationCount" : 10000,
			"salt" : "tdgHTETa+GeSsY/gtPAEow==",
			"storedKey" : "9QgbWVmFsBuS9YGLKIC+rWBNqxA=",
			"serverKey" : "bpIcAQTVO7PfCR4p1o/hW/Ut3TY="
		},
		"SCRAM-SHA-256" : {
			"iterationCount" : 15000,
			"salt" : "LEyKTK1MqhfcaV/gQP/YRUwpELzWTuDLNzRQTw==",
			"storedKey" : "hufu8fGJXWickdC6LoxXWNtsd2/Px4GRgzZStYW5L9Q=",
			"serverKey" : "zXalpLoXy39yKi84amZz8x/XPglIc6cpLLqm914ZEy0="
		}
	},
	"roles" : [
		{
			"role" : "root",
			"db" : "admin"
		}
	]
}

The roles field sets the permission level.

  • Database User Roles

read: grants the user read-only access, allowing it to read the specified database
readWrite: grants the user read/write access, allowing it to read and write the specified database

  • Database Administration Roles

dbAdmin: perform administrative operations on the current database, such as creating, dropping, collecting statistics on and listing indexes
dbOwner: perform any operation on the current database, including create, delete, update and query
userAdmin: manage users in the current database: create, delete and administer users.

  • Backup and Restoration Roles

backup
restore

  • All-Database Roles

readAnyDatabase: grants read access on all databases; only available in admin
readWriteAnyDatabase: grants read/write access on all databases; only available in admin
userAdminAnyDatabase: grants user-management rights on all databases; only available in admin
dbAdminAnyDatabase: grants administrative rights on all databases; only available in admin

  • Cluster Administration Roles

clusterAdmin: the highest cluster-management privilege; only available in admin
clusterManager: manage and monitor the cluster
clusterMonitor: monitor the cluster; read-only access for monitoring tools
hostManager: manage servers

  • Superuser Roles

root: superuser account and privileges; only available in admin

Edit the configuration file to enable authentication

[root@mongodb ~]# vim /etc/mongod.conf
security:    <---- uncomment this line
  authorization: enabled    <---- add this line to enable authorization
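As an added example (not from the original post), a small Python audit that checks the users created above against the role notes in this post and verifies that the mongod.conf security block actually turns authorization on. The user documents are constructed from the `show users` output; zhangsan's SCRAM-SHA-1-only mechanism list is an assumed value used to exercise the check.

```python
# Added example (not from the original post): audit the users the post creates and the
# mongod.conf security block it edits. SAMPLE_USERS is constructed from the `show users`
# output; zhangsan is deliberately given a SCRAM-SHA-1-only credential to exercise the check.

PRIVILEGED_ROLES = {  # roles that reach every database; the post notes they exist only in admin
    "root", "readAnyDatabase", "readWriteAnyDatabase",
    "userAdminAnyDatabase", "dbAdminAnyDatabase", "clusterAdmin",
}

SAMPLE_USERS = [
    {"user": "root", "db": "admin", "roles": [{"role": "root", "db": "admin"}],
     "mechanisms": ["SCRAM-SHA-1", "SCRAM-SHA-256"]},
    {"user": "shengjie", "db": "admin", "roles": [{"role": "dbOwner", "db": "admin"}],
     "mechanisms": ["SCRAM-SHA-1", "SCRAM-SHA-256"]},
    {"user": "zhangsan", "db": "admin", "roles": [{"role": "dbOwner", "db": "school"}],
     "mechanisms": ["SCRAM-SHA-1"]},
]


def audit_user(doc):
    """Return a list of findings for one system.users document."""
    findings = []
    for role in doc.get("roles", []):
        if role["role"] in PRIVILEGED_ROLES:
            findings.append(f"{doc['user']}: holds cluster-wide role {role['role']}")
        elif role["role"] == "dbOwner" and role["db"] == "admin":
            # dbOwner includes userAdmin; on admin that means creating users with any role
            findings.append(f"{doc['user']}: dbOwner on admin can grant any role")
    if "SCRAM-SHA-256" not in doc.get("mechanisms", []):
        findings.append(f"{doc['user']}: no SCRAM-SHA-256 credential stored")
    return findings


def audit_users(docs):
    """Map each user name to its findings, keeping only users that have any."""
    results = {d["user"]: audit_user(d) for d in docs}
    return {u: f for u, f in results.items() if f}


def authorization_enabled(conf_text):
    """True only if an uncommented `authorization: enabled` sits under an uncommented `security:`."""
    in_security = False
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].rstrip()  # a commented-out '#security:' line counts as absent
        if not line.strip():
            continue
        if not line[0].isspace():  # top-level key: enter or leave the security block
            in_security = line.strip() == "security:"
            continue
        if in_security and line.strip() == "authorization: enabled":
            return True
    return False
```

Feed `authorization_enabled` the text of /etc/mongod.conf and `audit_users` the documents from `db.system.users.find()` to get the same checks against a live instance.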

Verify logging in with a user name and password (right after installation MongoDB has no users and asks for no password, so the shell connects directly)

mongo -uroot -p
MongoDB shell version v4.0.20
Enter password: 
connecting to: mongodb://127.0.0.1:27017/?gssapiServiceName=mongodb
Implicit session: session { "id" : UUID("05588de4-6f85-4506-a286-308ad7a6dff8") }
MongoDB server version: 4.0.20
Server has startup warnings: 
……


Reposted from blog.csdn.net/shengjie87/article/details/108486310