Notes: MongoDB users and roles
1. Users
MongoDB supports several authentication mechanisms; these notes cover only the simplest and most common one.
1.1. Authentication Database
When adding a user, you create the user in a specific database. This database is the authentication database for the user.
A user can have privileges across different databases; that is, a user’s privileges are not limited to their authentication database. By assigning to the user roles in other databases, a user created in one database can have permissions to act on other databases. For more information on roles, see Role-Based Access Control.
The user’s name and authentication database serve as a unique identifier for that user. That is, if two users have the same name but are created in different databases, they are two separate users. If you intend to have a single user with permissions on multiple databases, create a single user with roles in the applicable databases instead of creating the user multiple times in different databases.
1. A MongoDB user belongs to a database: a user can be described as username@database, and users with the same name in different databases are different users.
2. A user's permissions can span databases; which databases depends on the roles assigned to the user.
1.2. Authenticate a user
There are two ways to authenticate a user:
- the mongo shell command line (passing the user's credentials when connecting)
- the db.auth() method
1.3. Create a user
Create a user with the db.createUser() method:
```javascript
// The user is created in (and authenticates against) the "reporting" database,
// but its roles may refer to other databases.
use reporting
db.createUser(
  {
    user: "reportsUser",
    pwd: "12345678",
    roles: [
      { role: "read", db: "reporting" },
      { role: "read", db: "products" },
      { role: "read", db: "sales" },
      { role: "readWrite", db: "accounts" }
    ]
  }
)
```
role names the role being granted (common roles are listed in the following section); db names the database the role applies to.
1.4. Enable authentication
There are two ways:
- Command line: start mongod with the --auth parameter
- Configuration file: add auth = true to the configuration file (the exact key may differ between versions)
2. Roles
MongoDB ships with a number of built-in roles, and users can also create their own, much like other databases.
2.1. Database User Roles
Every database includes the following roles. These are the two most commonly used roles.

| Role | Short Description |
| --- | --- |
| read | Provides the ability to read data on all non-system collections and on the following system collections: system.indexes, system.js, and system.namespaces. For the specific privileges granted by the role, see read. |
| readWrite | Provides all the privileges of the read role and the ability to modify data on all non-system collections and the system.js collection. For the specific privileges granted by the role, see readWrite. |
2.2. Database Administration Roles
Every database includes the following database administration roles:

| Role | Short Description |
| --- | --- |
| dbAdmin | Provides the ability to perform administrative tasks such as schema-related tasks, indexing, and gathering statistics. This role does not grant privileges for user and role management. For the specific privileges granted by the role, see dbAdmin. |
| dbOwner | Provides the ability to perform any administrative action on the database. This role combines the privileges granted by the readWrite, dbAdmin and userAdmin roles. |
| userAdmin | Provides the ability to create and modify roles and users on the current database. Since the userAdmin role allows users to grant any privilege to any user, including themselves, the role also indirectly provides superuser access to either the database or, if scoped to the admin database, the cluster. For the specific privileges granted by the role, see userAdmin. |
2.3. All-Database Roles
Changed in version 3.4.
These roles in the admin database apply to all but the local and config databases in a mongod instance (the original notes omit the descriptions; the four roles are listed here with a short summary):

| Role | Short Description |
| --- | --- |
| readAnyDatabase | The same read-only privileges as read, on all databases except local and config. |
| readWriteAnyDatabase | The same privileges as readWrite, on all databases except local and config. |
| userAdminAnyDatabase | The same user and role management privileges as userAdmin, on all databases except local and config. |
| dbAdminAnyDatabase | The same administrative privileges as dbAdmin, on all databases except local and config. |

There is also a superuser role called root, which can be thought of as the combined version of the four roles above.
2.4. Collection-level access control
You can set privileges on a role; each privilege names a resource (a database and collection) and the actions allowed on it, which gives collection-level access control:
```javascript
privileges: [
  // find/update/insert on products.inventory only
  { resource: { db: "products", collection: "inventory" }, actions: [ "find", "update", "insert" ] },
  // read-only on products.orders
  { resource: { db: "products", collection: "orders" }, actions: [ "find" ] }
]
```
Creating a role:
```javascript
use admin
db.createRole(
  {
    role: "manageOpRole",
    privileges: [
      // cluster-wide actions: resource { cluster: true }
      { resource: { cluster: true }, actions: [ "killop", "inprog" ] },
      // empty db and collection names mean every database and collection
      { resource: { db: "", collection: "" }, actions: [ "killCursors" ] }
    ],
    roles: []   // no inherited roles
  }
)
```
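As an added example (not code from the original notes), the following JavaScript models how MongoDB matches a privilege's resource document against a requested action, so that a custom role such as the collection-level privileges and manageOpRole above can be checked for least privilege before db.createRole() is run. The role name inventoryRole, the user and the catalog are constructed for the example, and built-in roles are not modelled.

```javascript
// Resource forms follow the notes above: { db, collection } where "" means
// "any database" / "any collection", and { cluster: true } for cluster actions.
function resourceMatches(resource, target) {
  if (resource.cluster === true) return target.cluster === true;
  if (target.cluster === true) return false;
  const dbOk = resource.db === "" || resource.db === target.db;
  const collOk = resource.collection === "" || resource.collection === target.collection;
  return dbOk && collOk;
}

// Roles are scoped to a database, so the catalog is keyed "role@db". Constructed
// catalog with the two role definitions from section 2.4 (first one named inventoryRole).
const catalog = {
  "inventoryRole@products": {
    privileges: [
      { resource: { db: "products", collection: "inventory" }, actions: ["find", "update", "insert"] },
      { resource: { db: "products", collection: "orders" }, actions: ["find"] },
    ],
    roles: [],
  },
  "manageOpRole@admin": {
    privileges: [
      { resource: { cluster: true }, actions: ["killop", "inprog"] },
      { resource: { db: "", collection: "" }, actions: ["killCursors"] },
    ],
    roles: [],
  },
};

// Does roleRef, or any role it inherits through `roles`, grant `action` on `target`?
function roleAllows(catalog, roleRef, action, target, seen = new Set()) {
  const key = `${roleRef.role}@${roleRef.db}`;
  if (seen.has(key) || !catalog[key]) return false; // unknown role or inheritance cycle
  seen.add(key);
  const role = catalog[key];
  const direct = role.privileges.some(p => p.actions.includes(action) && resourceMatches(p.resource, target));
  return direct || role.roles.some(r => roleAllows(catalog, r, action, target, seen));
}

// A user is user@authdb; every permission comes from roles, possibly in other databases.
function userAllows(catalog, user, action, target) {
  return user.roles.some(r => roleAllows(catalog, r, action, target));
}

// Constructed user: created in "reporting", holding roles from products and admin.
const reportsUser = { user: "reportsUser", db: "reporting", roles: [
  { role: "inventoryRole", db: "products" },
  { role: "manageOpRole", db: "admin" },
] };
```

Running userAllows over the actions an application actually needs, and over ones it must not have, shows directly where a role is broader than intended.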