转子:http://www.2cto.com/database/201511/448493.html
删除用户:
db.system.users.remove({user:"java1"});
mongoDB数据库默认情况下是没有做权限控制的,只要能够连接所开放的端口就能进行访问,而且拥有root级别的权限;对于生产环境而言是极不安全的,所以需要建立用户,进行授权控制。
单机环境下的用户授权模块配置:
MongoDB的社区版本中有两个模块可以控制用户的访问:
--auth: 在mongod启动项中加入--auth,mongodb启动后,就可以完成授权模块的启用);
PS:虽然auth模块启用后本机还能否登陆到数据库,但是不具备增删改查的权限了,所以启动auth模块之前就应该创建一个超级用户
--keyFile <file>: 主要用于分片集群与副本集相互之间的授权使用,在单机情况下只要用到auth,如果是在集群(分片+副本集)环境下,就必须要用到该参数;
security.authorization: 在MongoDB 2.6版本开始,mongod/mongos的启动配置文件增加了YAML格式的写法,功能更auth是一样的,后面的操作中,都是采用该格式
security.keyFile: 格式与security.authorization相同,功能与--keyFile相同。
首先验证下非配置认证模块的访问:
|
1
2
3
4
5
6
7
8
|
[root
@fo169
bin]# ./mongo
MongoDB shell version:
3.0
.
7
connecting to: test
Server has startup warnings:
2015
-
10
-29T15:
12
:
14.257
+
0800
I CONTROL [initandlisten] ** WARNING: You are running
this
process as the root user, which is not recommended.
2015
-
10
-29T15:
12
:
14.257
+
0800
I CONTROL [initandlisten]
> show dbs
local
0
.000GB
|
在没有配置的情况下,登录到数据库后,可以做任何操作。
配置认证模块及重启服务:
编写了一个启动配置文件:mongodb.conf(文件中标红部分就为auth的授权模块)
|
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
|
[root
@fo169
bin]# cat mongodb.conf
systemLog:
destination: file
path:
"/data/auth/log/mongod.log"
logAppend:
true
storage:
journal:
enabled:
true
dbPath:
"/data/auth/db"
directoryPerDB:
true
engine: wiredTiger
wiredTiger:
engineConfig:
cacheSizeGB:
4
directoryForIndexes:
true
journalCompressor: zlib
collectionConfig:
blockCompressor: zlib
indexConfig:
prefixCompression:
true
net:
port:
27017
processManagement:
fork:
true
security:
authorization: enabled
|
创建授权用户(超级管理员):
MongoDB在V3.0版本之后内置了root 角色,也就是结合了readWriteAnyDatabase、dbAdminAnyDatabase、userAdminAnyDatabase、clusterAdmin4个角色权限,类似于ORACLE的sysdba角色,但是MongoDB的超级管理员用户名称是可以随便定义的:
|
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
|
[root
@fo169
bin]# ./mongo
MongoDB shell version:
3.0
.
7
connecting to: test
Server has startup warnings:
2015
-
10
-30T16:
24
:
36.127
+
0800
I CONTROL [initandlisten] ** WARNING: You are running
this
process as the root user, which is not recommended.
2015
-
10
-30T16:
24
:
36.127
+
0800
I CONTROL [initandlisten]
> use admin
switched to db admin
> db.createUser(
... {
... user:
"ljaiadmin"
,
... pwd:
"123456"
,
... roles: [ { role:
"root"
, db:
"admin"
} ]
... }
... )
Successfully added user: {
"user"
:
"ljaiadmin"
,
"roles"
: [
{
"role"
:
"root"
,
"db"
:
"admin"
}
]
}
|
这样就创建好一个ljaiadmin的超级管理员用户,创建全局用户或者超级用户,需要在MongoDB的admin数据库中创建(在其他库也可以创建,但是没有该角色功能),重启完mongod进程后,接下来做一下权限的验证:
|
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
|
[root
@fo169
bin]# ./mongo
MongoDB shell version:
3.0
.
7
connecting to: test
> show dbs (注:此时查看已提示没有授权执行listDatabases命令了)
2015
-
10
-30T16:
41
:
31.131
+
0800
E QUERY Error: listDatabases failed:{
"ok"
:
0
,
"errmsg"
:
"not authorized on admin to execute command { listDatabases: 1.0 }"
,
"code"
:
13
}
at Error (<anonymous>)
at Mongo.getDBs (src/mongo/shell/mongo.js:
47
:
15
)
at shellHelper.show (src/mongo/shell/utils.js:
630
:
33
)
at shellHelper (src/mongo/shell/utils.js:
524
:
36
)
at (shellhelp2):
1
:
1
at src/mongo/shell/mongo.js:
47
> use admin
switched to db admin
> db.auth(
'ljaiadmin'
,
'123456'
) (注:切换到admin用户进行授权验证)
1
> show dbs (注:验证完成后,就可以读写等操作)
admin
0
.000GB
local
0
.000GB
test100
0
.000GB
test2
0
.000GB
> use test2
switched to db test2
> show tables
test
test2
> db.test2.find()
{
"_id"
: ObjectId(
"5632cf116207909a76446af7"
),
"name"
:
"1"
}
> db.test2.drop()
true
> db.dropDatabase()
{
"dropped"
:
"test2"
,
"ok"
:
1
}
> show dbs
admin
0
.000GB
local
0
.000GB
test100
0
.000GB
> use test100
switched to db test100
> db.test111.insert({
"test"
:
"test"
})
WriteResult({
"nInserted"
:
1
})
> db.test111.find()
{
"_id"
: ObjectId(
"56332db373f771b3d95638bb"
),
"test"
:
"test"
}
> use admin
switched to db admin
> show users
{
"_id"
:
"admin.ljaiadmin"
,
"user"
:
"ljaiadmin"
,
"db"
:
"admin"
,
"roles"
: [
{
"role"
:
"root"
,
"db"
:
"admin"
}
]
}
>
|
创建普通用户
用可以对test123数据库读写的rwtest123用户为例:
|
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
|
> use test123
switched to db test123
> db.createUser(
... {
... user:
"rwtest123"
,
... pwd:
"123456"
,
... roles: [ { role:
"readWrite"
, db:
"test123"
} ]
... }
... )
Successfully added user: {
"user"
:
"rwtest123"
,
"roles"
: [
{
"role"
:
"readWrite"
,
"db"
:
"test123"
}
]
}
#所建的rwtest123用户可以在test123数据库中进行增删改查操作,但是其他操作就不行了
>db.auth(
'rwtest123'
,
'123456'
)
switched to db test123
> db.test123.insert({
"test"
:
"test"
})
WriteResult({
"nInserted"
:
1
})
> db.test123.find()
{
"_id"
: ObjectId(
"563332ebc8a59ae4fe96bbf5"
),
"test"
:
"test"
}
> db.test123.drop()
true
> use test100
switched to db test100
> db.test100.find()
Error: error: {
"$err"
:
"not authorized for query on test100.test100"
,
"code"
:
13
}
>
|