About MongoDB permissions

"Authorization" here means enabling authentication, so that the server can decide whether a user is allowed to access a given database; it is therefore inseparable from users. By default MongoDB runs with authentication disabled and with no users defined at all. That is clearly unsafe, so authentication has to be enabled and users have to be configured.

Users

MongoDB users have roughly the following characteristics:

  1. Permissions are grouped into roles; there are built-in roles, and custom roles can also be defined
  2. A user is bound to the database it was created in (its authentication database), and must authenticate against that database when logging in, even if its roles cover other databases
  3. Normally you first create an administrator account and then enable authentication on the server. The other order also works: with authentication already enabled, the localhost exception lets a connection from the local machine create the first user while no users exist yet

Description of common built-in roles

  1. Database user roles (Database User Roles)

    read: grants read-only access to the specified database

    readWrite: grants read and write access to the specified database

  2. Database administration roles (Database Administration Roles)

    dbAdmin: administrative operations in the current database, such as creating and dropping indexes and gathering or viewing statistics; it does not include user management
    dbOwner: any operation in the current database (read, write, administer, manage users); it combines readWrite, dbAdmin and userAdmin
    userAdmin: manages users and roles in the current database: create, delete and modify them. Note that a userAdmin can grant any role on that database, including to itself, so in practice it is as powerful as dbOwner

  3. Backup and restore roles (Backup and Restoration Roles)

    backup: the privileges needed to back up data (for example by mongodump); defined in the admin database
    restore: the privileges needed to restore data (for example by mongorestore); defined in the admin database

  4. All-database roles (All-Database Roles)

    readAnyDatabase: read access to all databases; available only in admin
    readWriteAnyDatabase: read and write access to all databases; available only in admin
    userAdminAnyDatabase: user management on all databases; available only in admin. Because it can grant any role, root included, it is effectively a superuser role and should be handed out as carefully as root
    dbAdminAnyDatabase: database administration on all databases; available only in admin

  5. Cluster administration roles (Cluster Administration Roles)

    clusterAdmin: the highest cluster-management privilege; it combines clusterManager, clusterMonitor and hostManager and adds dropDatabase; available only in admin
    clusterManager: management and monitoring actions on the cluster
    clusterMonitor: read-only access for monitoring tools
    hostManager: monitoring and management of servers

  6. Superuser role (Superuser Roles)

    root: the superuser account with all privileges; available only in admin

Create a user

// the second parameter (writeConcern) is optional
db.createUser(user, writeConcern)

The first parameter, user, is a document of the following form:

{
  user: "<name>",
  // Or  "<cleartext password>"
  pwd: passwordPrompt(),
  customData: { <any information> },
  roles: [
    { role: "<role>", db: "<database>" } | "<role>",
  ],
  authenticationRestrictions: [
     {
       clientSource: ["<IP>" | "<CIDR range>",],
       serverAddress: ["<IP>" | "<CIDR range>",]
     },
  ],
  mechanisms: [ "<SCRAM-SHA-1|SCRAM-SHA-256>",],
  passwordDigestor: "<server|client>"
}

The commonly used fields are:

user: user name (string)
pwd: the user's password (string), or passwordPrompt() to be prompted for it so the password does not end up in the shell history
roles: the user's roles (array); a plain string means that role on the current database, a { role, db } document grants a role on another database
authenticationRestrictions: optional; the client addresses (clientSource) and server addresses (serverAddress) from which the user is allowed to authenticate
mechanisms: optional; which SCRAM mechanism(s) to store credentials for (SCRAM-SHA-256 is the stronger of the two)

Use Case 1:

// switch to the xxx database
use xxx
// create a user: account ss, password 123456, role readWrite on the xxx database
db.createUser({
    user: "ss",
    pwd: "123456",
    roles: ["readWrite"]
});

Use Case 2:

// switch to the yyy database
use yyy
// create a user: account zs, password 654321, with several roles:
// 1. readWrite on the yyy database
// 2. read on the xxx database
db.createUser({
    user: "zs",
    pwd: "654321",
    roles: [
        // this role is bound to the xxx database, but authentication still happens in yyy,
        // the database the user is created in
        { role: "read", db: "xxx" },
        "readWrite"
    ]
})

Enabling authentication

Method 1: use the configuration file
# add this line to the configuration file (legacy ini-style format)
auth=true

In the YAML configuration format used since MongoDB 2.6 the equivalent setting is security.authorization set to enabled. After changing the configuration do not forget to restart the server.

Method 2: pass --auth at startup
mongod --dbpath=/usr/local/mongodb/data/ --logpath=/usr/local/mongodb/logs/mongodb.log --logappend --port=27017 --fork --auth

Enabling authentication decides who may log in; it is not a substitute for limiting who can reach the port. Keep the listener bound only to the interfaces that need it (--bind_ip; since MongoDB 3.6 the default is localhost) and firewall port 27017 from untrusted networks.

Authenticating

Method 1: authenticate after connecting
// connect to the server with the client
mongo

then authenticate:

// switch to the user's authentication database
use xxx
// authenticate with account and password (returns 1 on success, 0 on failure)
db.auth('ss', '123456');

Note: authenticate only once per connection. Calling db.auth() repeatedly as different users on the same connection can fail with the error "too many users are authenticated"; if that happens, quit and reconnect.

Method 2: authenticate when connecting
mongo -u zs -p 654321 --authenticationDatabase yyy

The parameters above:

-u: user name
-p: password
--authenticationDatabase: the database to authenticate against (the one the user was created in)
# other parameters exist too, for example --port

Putting the password after -p leaves it in the shell history and in the process list, where other users on the host can read it; give -p without a value and the shell prompts for the password instead.

Appendix 1: Create an administrator

Usually ordinary users are enough for most operations, but very often, to manage the database more conveniently, we create an administrative account, for example a user with the root role:

use admin
db.createUser({
    user: "smart",
    pwd: "123456",
    roles: ["root"]
});

Appendix 2: Other user-management operations

View all users in the current database

use xxx
// list all users of the current database
show users

Modify a user's information in the current database

// no return value on success
db.updateUser('zs', {pwd: '666666'});

Note that updateUser replaces every field it is given: passing a roles array replaces the user's whole role list rather than adding to it.

Change a user's password in the current database

// no return value on success
db.changeUserPassword('zs', '888888');

Delete a user from the current database

// returns true on success
db.dropUser('zs')

View all users of the whole deployment

// run this in the admin database
use admin
db.system.users.find()
Origin blog.csdn.net/bigpatten/article/details/103941285