版权声明:本文为博主原创文章,未经博主允许不得转载。 https://blog.csdn.net/sun_ashe/article/details/82842561
文章目录
- 权限管理
- 用户权限简介
- MongoDB支持的所有权限
- Query and Write Actions/读写权限
- Database Management Actions/数据库管理权限
- Deployment Management Actions/部署管理行为权限
- Change Stream Actions/改变流操作
- Replication Actions/复制相关
- Sharding Actions /分片相关
- Server Administration Actions //服务管理操作
- Session Actions /会话操作
- Free Monitoring Actions/监控相关
- 诊断性操作
- Internal Actions
- 自建库role对应的权限解析
权限管理
由于刚刚接触MongoDB,关于Mongodb权限相关的东西了解的少之又少,只能通过官方文档,或者网上的博客进行补足并加以验证。
mongodb 用户 权限 设置 详解
https://www.cnblogs.com/limit1/p/8136837.html
用户权限简介
Mongodb用role来划分规则,而MysQL5.7版本还不支持role的配置。说白了,就是将一些权限组成一个集合,然后再打包授权给某个用户。如果是一直从事MySQL相关的工作,忽然转到MongoDB,可能会有些不适应。但是没关系,多看看,多操作下就适应了。
role是归属于数据库的,也就是说,不同的数据库下,可能会有不通的role。对于admin库下的role有哪些呢?可以通过如下命令获取
shard_0:PRIMARY> use admin
switched to db admin
shard_0:PRIMARY> show roles
{
"role" : "__system",
"db" : "admin",
"isBuiltin" : true,
"roles" : [ ],
"inheritedRoles" : [ ]
}
{
"role" : "backup",
"db" : "admin",
"isBuiltin" : true,
"roles" : [ ],
"inheritedRoles" : [ ]
....
如果想知道其他库下面有哪些role,则先切换到对应的库下面,再执行对应的操作。比如说一个自建库ashe
shard_0:PRIMARY> use ashe
switched to db ashe
shard_0:PRIMARY> show tables;
ashe
system.profile
shard_0:PRIMARY> show roles;
{
"role" : "dbAdmin",
"db" : "ashe",
"isBuiltin" : true,
"roles" : [ ],
"inheritedRoles" : [ ]
}
{
"role" : "dbOwner",
"db" : "ashe",
"isBuiltin" : true,
"roles" : [ ],
"inheritedRoles" : [ ]
}
{
"role" : "read",
"db" : "ashe",
"isBuiltin" : true,
"roles" : [ ],
"inheritedRoles" : [ ]
}
{
"role" : "readWrite",
"db" : "ashe",
"isBuiltin" : true,
"roles" : [ ],
"inheritedRoles" : [ ]
}
{
"role" : "userAdmin",
"db" : "ashe",
"isBuiltin" : true,
"roles" : [ ],
"inheritedRoles" : [ ]
}
而如果想知道每一个role的具体权限需要再执行如下操作,比如说想知道dbAdminAnyDatabase这个规则到底是哪些权限的集合,则:
shard_0:PRIMARY> db.getRole("dbAdminAnyDatabase",{showPrivileges:true})
{
"role" : "dbAdminAnyDatabase",
"db" : "admin",
"isBuiltin" : true,
"roles" : [ ],
"inheritedRoles" : [ ],
"privileges" : [
{
"resource" : {
"cluster" : true
},
"actions" : [
"listDatabases"
]
},
{
"resource" : {
"db" : "",
"collection" : ""
},
"actions" : [
"collMod",
"collStats",
"compact",
"convertToCapped",
"createCollection",
"createIndex",
"dbStats",
"dropCollection",
"dropDatabase",
"dropIndex",
"enableProfiler",
"indexStats",
"listCollections",
"listIndexes",
"planCacheIndexFilter",
"planCacheRead",
"planCacheWrite",
"reIndex",
"renameCollectionSameDB",
"repairDatabase",
"storageDetails",
"validate"
]
},
{
"resource" : {
"db" : "",
"collection" : "system.indexes"
},
"actions" : [
"collStats",
"dbHash",
"dbStats",
"find",
"killCursors",
"listCollections",
"listIndexes",
"planCacheRead"
]
},
{
"resource" : {
"db" : "",
"collection" : "system.namespaces"
},
"actions" : [
"collStats",
"dbHash",
"dbStats",
"find",
"killCursors",
"listCollections",
"listIndexes",
"planCacheRead"
]
},
{
"resource" : {
"db" : "",
"collection" : "system.profile"
},
"actions" : [
"collStats",
"convertToCapped",
"createCollection",
"dbHash",
"dbStats",
"dropCollection",
"find",
"killCursors",
"listCollections",
"listIndexes",
"planCacheRead"
]
}
],
"inheritedPrivileges" : [
{
"resource" : {
"cluster" : true
},
"actions" : [
"listDatabases"
]
},
{
"resource" : {
"db" : "",
"collection" : ""
},
"actions" : [
"collMod",
"collStats",
"compact",
"convertToCapped",
"createCollection",
"createIndex",
"dbStats",
"dropCollection",
"dropDatabase",
"dropIndex",
"enableProfiler",
"indexStats",
"listCollections",
"listIndexes",
"planCacheIndexFilter",
"planCacheRead",
"planCacheWrite",
"reIndex",
"renameCollectionSameDB",
"repairDatabase",
"storageDetails",
"validate"
]
},
{
"resource" : {
"db" : "",
"collection" : "system.indexes"
},
"actions" : [
"collStats",
"dbHash",
"dbStats",
"find",
"killCursors",
"listCollections",
"listIndexes",
"planCacheRead"
]
},
{
"resource" : {
"db" : "",
"collection" : "system.namespaces"
},
"actions" : [
"collStats",
"dbHash",
"dbStats",
"find",
"killCursors",
"listCollections",
"listIndexes",
"planCacheRead"
]
},
{
"resource" : {
"db" : "",
"collection" : "system.profile"
},
"actions" : [
"collStats",
"convertToCapped",
"createCollection",
"dbHash",
"dbStats",
"dropCollection",
"find",
"killCursors",
"listCollections",
"listIndexes",
"planCacheRead"
]
}
]
}
非常不喜欢这种权限展现方式,shit一样。
MongoDB支持的所有权限
这部分内容是通过官方文档获取的,文档将这些权限分为如下几类:
- Query and Write Actions 读写相关,类似于DML操作
- Database Management Actions
- Deployment Management Actions
- Change Stream Actions
- Replication Actions
- Sharding Actions
- Server Administration Actions
- Session Actions
- Free Monitoring Actions
- Diagnostic Actions
- Internal Actions
Query and Write Actions/读写权限
- find
拥有find权限的账号,可以在对应的目标(此名词需要斟酌,意思为一个库,或者一个表等)上执行如下操作
aggregate for all pipeline operations except $collStats, $out, and $indexStats.
checkShardingIndex
count
dataSize
distinct
filemd5
find
geoNear
geoSearch
getLastError
getMore
getPrevError
group
killCursors, provided that the cursor is associated with a currently authenticated user.
listCollections
listIndexes
mapReduce with the {out: inline} option.
parallelCollectionScan
repairCursor
resetError
- insert
User can perform the following commands and their equivalent methods:
insert
create
- remove
User can perform the delete command and equivalent helper method.
Required for the write portion of the findAndModify command and db.collection.findAndModify() method.
Required for the mapReduce command and db.collection.mapReduce() helper method when you specify the replace action when outputting to a collection.
Required for the aggregate command and db.collection.aggregate() helper method when using the $out pipeline operator.
Apply this action to database or collection resources.
- update
User can perform the update command and equivalent helper methods.
Required for the mapReduce command and db.collection.mapReduce() helper method when outputting to a collection without specifying the replace action.
Required for the findAndModify command and db.collection.findAndModify() helper method.
Apply this action to database or collection resources.
- bypassDocumentValidation
New in version 3.2.
Users can bypass document validation on commands and methods that support the bypassDocumentValidation option. The following commands and their equivalent methods support bypassing document validation:
aggregate
applyOps
cloneCollection on the destination collection
clone on the destination
copydb on the destination
findAndModify
insert
mapReduce
update
Apply this action to database or collection resources.
- useUUID
New in version 3.6.
User can execute the following commands using a UUID as if it were a namespace:
find
listIndexes
parallelCollectionScan
For example, this privilege authorizes a user to run the following command which executes a find command on a collection with the given UUID. In order to be successful, this operation also requires that the user is authorized to execute the find command on the collection namespace corresponding to the given UUID.
copycopied
db.runCommand({find: UUID("123e4567-e89b-12d3-a456-426655440000")})
For more information on collection UUIDs, see Collections.
Apply this action to the cluster resource.
Database Management Actions/数据库管理权限
- changeCustomData
User can change the custom information of any user in the given database. Apply this action to database resources.
用户可以更改给定数据库中的任何用户的自定义信息。将此操作应用于数据库资源。
- changeOwnCustomData
- changeOwnPassword
- changePassword
- createCollection
- createIndex
- createRole
- createUser
- dropCollection
- dropRole
- dropUser
- enableProfiler
- grantRole
- killCursors
- killAnyCursor
- revokeRole
- setAuthenticationRestriction
- unlock
- viewRole
- viewUser
Deployment Management Actions/部署管理行为权限
- authSchemaUpgrade
- cleanupOrphaned
- cpuProfiler
- inprog
- invalidateUserCache
- killop
- planCacheRead
- planCacheWrite
- storageDetails
Change Stream Actions/改变流操作
- changeStream
关于changeStream更多的信息请看http://www.cnblogs.com/xybaby/p/9464328.html
Replication Actions/复制相关
- appendOplogNote
- replSetConfigure
- replSetGetConfig
- replSetGetStatus
- replSetHeartbeat
- replSetStateChange
- resync
Sharding Actions /分片相关
- addShard
- enableSharding
- flushRouterConfig
- getShardMap
- getShardVersion
- listShards
- moveChunk
- removeShard
- shardingState
- splitChunk
- splitVector
Server Administration Actions //服务管理操作
- applicationMessage
- closeAllDatabases
- collMod
- compact
- connPoolSync
- convertToCapped
- dropDatabase
- dropIndex
- forceUUID
- fsync
- getParameter
- hostInfo
- logRotate
- reIndex
- renameCollectionSameDB
- repairDatabase
- setParameter
- shutdown
- touch
Session Actions /会话操作
- impersonate
- listSessions
- killAnySession
Free Monitoring Actions/监控相关
- checkFreeMonitoringStatus
- setFreeMonitoring
诊断性操作
- collStats
- connPoolStats
- cursorInfo
- dbHash
- dbStats
- getCmdLineOpts
- getLog
- indexStats
- listDatabases
- listCollections
- listIndexes
- netstat
- serverStatus
- validate
- top
Internal Actions
- anyAction
- internal
自建库role对应的权限解析
shard_0:PRIMARY> show roles;
{
"role" : "dbAdmin",
"db" : "ashe",
"isBuiltin" : true,
"roles" : [ ],
"inheritedRoles" : [ ]
}
{
"role" : "dbOwner",
"db" : "ashe",
"isBuiltin" : true,
"roles" : [ ],
"inheritedRoles" : [ ]
}
{
"role" : "read",
"db" : "ashe",
"isBuiltin" : true,
"roles" : [ ],
"inheritedRoles" : [ ]
}
{
"role" : "readWrite",
"db" : "ashe",
"isBuiltin" : true,
"roles" : [ ],
"inheritedRoles" : [ ]
}
{
"role" : "userAdmin",
"db" : "ashe",
"isBuiltin" : true,
"roles" : [ ],
"inheritedRoles" : [ ]
}
dbAdmin
通过命令db.getRole 可以查看某个role的具体权限,如下
shard_0:PRIMARY> db.getRole("dbAdmin",{showPrivileges:true})
{
"role" : "dbAdmin",
"db" : "ashe",
"isBuiltin" : true,
"roles" : [ ],
"inheritedRoles" : [ ],
"privileges" : [
{
"resource" : {
"db" : "ashe",
"collection" : ""
},
"actions" : [
"collMod",
"collStats",
"compact",
"convertToCapped",
"createCollection",
"createIndex",
"dbStats",
"dropCollection",
"dropDatabase",
"dropIndex",
"enableProfiler",
"indexStats",
"listCollections",
"listIndexes",
"planCacheIndexFilter",
"planCacheRead",
"planCacheWrite",
"reIndex",
"renameCollectionSameDB",
"repairDatabase",
"storageDetails",
"validate"
]
},
{
"resource" : {
"db" : "ashe",
"collection" : "system.indexes"
},
"actions" : [
"collStats",
"dbHash",
"dbStats",
"find",
"killCursors",
"listCollections",
"listIndexes",
"planCacheRead"
]
},
{
"resource" : {
"db" : "ashe",
"collection" : "system.namespaces"
},
"actions" : [
"collStats",
"dbHash",
"dbStats",
"find",
"killCursors",
"listCollections",
"listIndexes",
"planCacheRead"
]
},
{
"resource" : {
"db" : "ashe",
"collection" : "system.profile"
},
"actions" : [
"collStats",
"convertToCapped",
"createCollection",
"dbHash",
"dbStats",
"dropCollection",
"find",
"killCursors",
"listCollections",
"listIndexes",
"planCacheRead"
]
}
],
"inheritedPrivileges" : [
{
"resource" : {
"db" : "ashe",
"collection" : ""
},
"actions" : [
"collMod",
"collStats",
"compact",
"convertToCapped",
"createCollection",
"createIndex",
"dbStats",
"dropCollection",
"dropDatabase",
"dropIndex",
"enableProfiler",
"indexStats",
"listCollections",
"listIndexes",
"planCacheIndexFilter",
"planCacheRead",
"planCacheWrite",
"reIndex",
"renameCollectionSameDB",
"repairDatabase",
"storageDetails",
"validate"
]
},
{
"resource" : {
"db" : "ashe",
"collection" : "system.indexes"
},
"actions" : [
"collStats",
"dbHash",
"dbStats",
"find",
"killCursors",
"listCollections",
"listIndexes",
"planCacheRead"
]
},
{
"resource" : {
"db" : "ashe",
"collection" : "system.namespaces"
},
"actions" : [
"collStats",
"dbHash",
"dbStats",
"find",
"killCursors",
"listCollections",
"listIndexes",
"planCacheRead"
]
},
{
"resource" : {
"db" : "ashe",
"collection" : "system.profile"
},
"actions" : [
"collStats",
"convertToCapped",
"createCollection",
"dbHash",
"dbStats",
"dropCollection",
"find",
"killCursors",
"listCollections",
"listIndexes",
"planCacheRead"
]
}
]
}