mongo user permissions

mongo -version:

```shell
➜  ~ mongo -version
MongoDB shell version v3.4.2
```

How to create a new account, assign roles, and how users relate to databases

  • Starting mongod was already covered in the earlier MongoDB note (download and install); here the point is how to start it with authorization enabled. The basic start command and the authorized start command are:

```shell
mongod --dbpath [data storage path]         # basic start command
mongod --dbpath [data storage path] --auth  # start with authorization enabled
```

So once mongod has been started with authorization enabled, how do you log in? On the same machine:

```shell
mongo
```

The mongo command connects directly, but first run the db command to see which database is currently in use:

```shell
> db
test
>
```

The current database is test. Now try inserting a document:

```shell
> db.Hello.insert({name:'World'})
2017-03-07T00:25:03.163+0800 I ACCESS   [conn1] Unauthorized: not authorized on test to execute command { insert: "Hello", documents: [ { _id: ObjectId('58bd8d5f7118aa18e6286ec8'), name: "World" } ], ordered: true }
WriteResult({
    "writeError" : {
        "code" : 13,
        "errmsg" : "not authorized on test to execute command { insert: \"Hello\", documents: [ { _id: ObjectId('58bd8d5f7118aa18e6286ec8'), name: \"World\" } ], ordered: true }"
    }
})
>
```

The result shows that we are not authorized to run the insert command on the test database (not authorized on test to execute ...); in other words, this connection has no permission to operate.
Below is a brief overview of the roles in MongoDB's permission model. Only the basics are mentioned, not described in detail, because I am also a learner; the link given covers the specifics, so please follow it for details.

| Classification | Role(s) | Brief description |
|---|---|---|
| Database user roles (DB User Roles) | read, readWrite | Created for one database; grant read or read/write access to that database |
| Database administrator roles (DB Admin Roles) | dbAdmin, dbOwner, userAdmin | Administer the database and create users |
| Cluster administration roles (Cluster Administration Roles) | clusterAdmin, clusterManager, clusterMonitor, hostManager | Administrator group; manage the whole system |
| Backup and restoration roles (Backup and Restoration Roles) | backup, restore | Back up and restore databases |
| All-database roles (All-Database Roles) | readAnyDatabase, readWriteAnyDatabase, userAdminAnyDatabase, dbAdminAnyDatabase | Admin-level permission across all databases |
| Superuser roles (super administrator) | root, dbOwner, userAdmin, userAdminAnyDatabase | These roles combine the capabilities of several roles; a user holding one can grant any right on any data to any user, including defining their own rights on any database |

I already have a user with the root role, so we first use that root user to create a database user.

  • First, switch to the admin database. Why? Because our root user was created in the admin database, so authentication must be completed against the admin database.

```shell
> use admin    // switch to the admin database
switched to db admin
> db.auth('admin'.'admin')  // authorize with db.auth('username','password')
2017-03-07T23:47:06.603+0800 E QUERY    [thread1] SyntaxError: missing name after . operator @(shell):1:16
> db.auth('admin','admin')
2017-03-07T23:47:25.142+0800 I ACCESS   [conn1] Successfully authenticated as principal admin on admin
1  // returns 1 when authorization succeeds; otherwise returns 0 with a failure message
```
  • After authorization completes we are acting as root. Now list the databases we have, then switch to the target database:

```shell
> show dbs     // list all databases
admin   0.000GB
local   0.000GB
testDB  0.000GB   // this one I created
> use testDB    // switch to the database
switched to db testDB
>
```
  • After switching databases, create a user on testDB:

```shell
> db.createUser({user:'test',pwd:'test',roles:[{role:'readWrite',db:'testDB'}]})
Successfully added user: {
    "user" : "test",
    "roles" : [
        {
            "role" : "readWrite",
            "db" : "testDB"
        }
    ]
}
>
```
  • Then switch back to the admin database and look at the user we just created. Why did we switch to testDB to create the user? Because a user created there belongs to that database and can only complete authorization against it, while the user record itself is stored in the admin database.

```shell
> use admin
switched to db admin
> db.system.users.find({user:'test'})
{ "_id" : "testDB.test", "user" : "test", "db" : "testDB", "credentials" : { "SCRAM-SHA-1" : { "iterationCount" : 10000, "salt" : "CW0nvUZjVvlEqQPVbUAKpw==", "storedKey" : "zAPux5oBIOCb3PSZdMPDmFl1WkE=", "serverKey" : "aRFnK5cD1FQAkQeTU8eYvaZ0lQE=" } }, "roles" : [ { "role" : "readWrite", "db" : "testDB" } ] }
>
```

You can see from the _id that user test belongs to the testDB database, and testDB is the database assigned to it.
Now let's test the user's read and write access.
To avoid being affected by the earlier root authorization, quit the client, then log in and authorize again:

```shell
> use testDB
switched to db testDB
> db.auth('test','test')  // authorize as the test user
2017-03-08T00:03:40.572+0800 I ACCESS   [conn3] Successfully authenticated as principal test on testDB
1   // authorization succeeded   // the next line says we are not authorized to run a command on admin (ignore it; we never had that permission)
2017-03-08T00:03:40.573+0800 I ACCESS   [conn3] Unauthorized: not authorized on admin to execute command { replSetGetStatus: 1.0, forShell: 1.0 }
> db.Hello.insert({name:'World'})
WriteResult({ "nInserted" : 1 })  // one document was inserted
> db.Hello.find()  // and it can be queried back
{ "_id" : ObjectId("58beda12ff72a6c747135225"), "name" : "World" }
>
```
That covers the simple way of creating users with roles and assigning them to databases.
To summarize:
* 1) You must switch to the corresponding database to create the user; otherwise authentication will report that the user cannot be found.
* 2) You must authenticate the user against the corresponding database; otherwise authentication and authorization fail.
* 3) Not everyone should be able to operate on the admin database; be careful when assigning permissions to users.

* Now about modifying user roles: once roles and user creation are understood, the rest is just a brief introduction to the commands, because they all work the same way.
Update user information:
```shell
> db.updateUser([username],{user object, same shape as at creation})  // there is one more optional parameter, writeConcern, which is usually omitted; look it up yourself
```

Briefly: when creating and updating a user, the required properties are user, pwd and roles.
A successful modification prints nothing, as follows:

```shell
> db.updateUser('test',{user:'test',pwd:'admin',roles:[{role:'read',db:'testDB'}]})  // change the password and change the role to read-only
>
```

Note that in the roles array above, each role object must be given both role and db, otherwise an error is raised.
There is nothing more to say about the rest.
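As an added example (not code from the original post), the helper below builds the document that db.createUser() and db.updateUser() take and enforces the rules stated above: user, pwd and roles are required, every role entry needs both role and db, and the role name must be one of the built-in roles from the table. It also reports which assigned roles are admin-level or superuser-equivalent according to that table, so an over-privileged account is visible before it is created. The role sets and the sample user are constructed from the post; it is plain JavaScript and runs under Node as well as in the mongo shell.

```javascript
// Built-in role names, taken from the post's role table (constructed for this example).
const BUILTIN_ROLES = new Set([
  "read", "readWrite",
  "dbAdmin", "dbOwner", "userAdmin",
  "clusterAdmin", "clusterManager", "clusterMonitor", "hostManager",
  "backup", "restore",
  "readAnyDatabase", "readWriteAnyDatabase", "userAdminAnyDatabase", "dbAdminAnyDatabase",
  "root",
]);

// Roles the table lists as all-database, superuser or whole-system administration.
const PRIVILEGED_ROLES = new Set([
  "root", "dbOwner", "userAdmin", "userAdminAnyDatabase",
  "readAnyDatabase", "readWriteAnyDatabase", "dbAdminAnyDatabase",
  "clusterAdmin",
]);

// Validates the inputs and returns the object to pass to db.createUser()/db.updateUser().
function buildUserSpec(user, pwd, roles) {
  if (!user || !pwd) throw new Error("user and pwd are required");
  if (!Array.isArray(roles) || roles.length === 0) throw new Error("roles must be a non-empty array");
  const checked = roles.map((r, i) => {
    if (typeof r !== "object" || r === null || !r.role || !r.db) {
      throw new Error(`roles[${i}] must be an object with both "role" and "db"`);
    }
    if (!BUILTIN_ROLES.has(r.role)) throw new Error(`roles[${i}]: unknown built-in role "${r.role}"`);
    return { role: r.role, db: r.db };
  });
  return { user: user, pwd: pwd, roles: checked };
}

// Returns the privileged roles in a spec as "role@db" strings; an empty list means least privilege.
function privilegedRoles(spec) {
  return spec.roles.filter((r) => PRIVILEGED_ROLES.has(r.role)).map((r) => `${r.role}@${r.db}`);
}

// Usage mirroring the post: the read/write user for testDB, and a root user on admin for contrast.
const testUser = buildUserSpec("test", "test", [{ role: "readWrite", db: "testDB" }]);
const adminUser = buildUserSpec("admin", "admin", [{ role: "root", db: "admin" }]);
console.log(JSON.stringify(testUser), privilegedRoles(testUser));   // privileged: []
console.log(JSON.stringify(adminUser), privilegedRoles(adminUser)); // privileged: ["root@admin"]
```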

  • Delete a user

```shell
> use testDB
switched to db testDB
> db.dropUser('test')
true
>
```

Note that modifying and deleting users, like creating a user, requires first switching to the administrator database, that is, the admin database, and completing authentication there before performing the operation. You then also need to switch to the user's own database to operate on that user, because a user belongs to its database.

Origin www.cnblogs.com/presleyren/p/12118456.html