笔记-mongodb-用户及角色
1. users
其实mongodb支持多种验证方式,本文只提及最简单也最常用的方式。
1.1. Authentication Database
When adding a user, you create the user in a specific database. This database is the authentication database for the user.
A user can have privileges across different databases; that is, a user’s privileges are not limited to their authentication database. By assigning to the user roles in other databases, a user created in one database can have permissions to act on other databases. For more information on roles, see Role-Based Access Control.
The user’s name and authentication database serve as a unique identifier for that user. That is, if two users have the same name but are created in different databases, they are two separate users. If you intend to have a single user with permissions on multiple databases, create a single user with roles in the applicable databases instead of creating the user multiple times in different databases.
1.mongodb的用户是依赖于database的;一个用户可以描述为username@database,不同数据库下的同名用户视为不同的用户;
2.用户的权限是可以跨database的,这依赖于role;
1.2. Authenticate a User
验证用户有两种方式:
mongod命令
db.auth()方法
1.3. create user
使用createUser()方法创建用户。
use reporting
db.createUser(
{
user: "reportsUser",
pwd: "12345678",
roles: [
{ role: "read", db: "reporting" },
{ role: "read", db: "products" },
{ role: "read", db: "sales" },
{ role: "readWrite", db: "accounts" }
]
}
)
role代表角色,在下面的章节中会列出常用role;
db代表数据库。
1.4. 启用验证enable auth
有两种方式:
- 命令:mongod 命令带上—auth参数
- 配置文件:在配置文件中添加auth=true #具体可能会因为版本不同有所差别
2. ROLE
mongodb内置了一些角色,也可以由用户创建,跟其它数据库差不多;
2.1. Database User Roles
Every database includes the following roles:
最常用的两种角色。
| Role |
Short Description |
| Provides the ability to read data on all non-system collections and on the following system collections: system.indexes, system.js, and system.namespacescollections. For the specific privileges granted by the role, see read. |
|
| Provides all the privileges of the read role and the ability to modify data on all non-system collections and the system.js collection. For the specific privileges granted by the role, see readWrite. |
2.2. Database Administration Roles
Every database includes the following database administration roles:
| Role |
Short Description |
| Provides the ability to perform administrative tasks such as schema-related tasks, indexing, gathering statistics. This role does not grant privileges for user and role management. For the specific privileges granted by the role, see dbAdmin. |
|
| Provides the ability to perform any administrative action on the database. This role combines the privileges granted by the readWrite, dbAdmin and userAdmin roles. |
|
| Provides the ability to create and modify roles and users on the current database. Since the userAdmin role allows users to grant any privilege to any user, including themselves, the role also indirectly provides superuser access to either the database or, if scoped to the admin database, the cluster. For the specific privileges granted by the role, see userAdmin. |
2.3. All-Database Roles
Changed in version 3.4.
These roles in the admin database apply to all but the local and config databases in a mongod instance:
| Role |
Short Description |
| 略 |
|
| 略 |
|
| 略 |
|
| 略 |
还有一个super role角色叫root,基本就是上面四个角色的合体版。
2.4. collection-level access control
在角色中可以设置privileges属性,它提供了针对集合层级的权限控制。
privileges: [
{ resource: { db: "products", collection: "inventory" }, actions: [ "find", "update", "insert" ] },
{ resource: { db: "products", collection: "orders" }, actions: [ "find" ] }
]
创建角色:
use admin
db.createRole(
{
role: "manageOpRole",
privileges: [
{ resource: { cluster: true }, actions: [ "killop", "inprog" ] },
{ resource: { db: "", collection: "" }, actions: [ "killCursors" ] }
],
roles: []
}
)