1. MongoDB roles and permissions

| Role | Privileges |
|---|---|
| root | Only available in the admin database. Superuser account with all privileges. |
| read | Allows the user to read the specified database |
| readWrite | Allows the user to read and write the specified database |
| dbAdmin | Allows the user to perform administrative functions on the specified database, such as creating or deleting indexes, viewing statistics, or accessing system.profile |
| userAdmin | Allows the user to write to system.users; the user can create, delete and manage users in the specified database |
| clusterAdmin | Only available in the admin database; gives the user permission to manage all parts and functions related to replica sets |
| readAnyDatabase | Only available in the admin database; gives the user read access to all databases |
| readWriteAnyDatabase | Only available in the admin database; gives the user read and write access to all databases |
| userAdminAnyDatabase | Only available in the admin database; gives the user userAdmin permissions on all databases |
| dbAdminAnyDatabase | Only available in the admin database; gives the user dbAdmin permissions on all databases |
| restore | Permission to restore MongoDB data from a backup file (except the system.profile collection) |
2. Create a role

1. Start the MongoDB service.

2. Connect to the MongoDB service from a Windows command window:

```
mongo --host=<IP address> --port=<port>
```

The port defaults to 27017 if omitted.

3. Create an administrator user. Switch to the admin database, then create a super administrator account. Syntax:

```
db.createUser({"user":"<account name>","pwd":"<password>","roles":[{"role":"<role type>","db":"<database name>"}]})
```

The trailing db:"<database name>" may be omitted; it then defaults to the current database.

4. Create an account dedicated to managing the admin database, used only for managing user rights.

5. View the accounts that have been created:

```
db.system.users.find()
```

6. Change an account's password:

```
db.changeUserPassword("myroot","456123")
```

7. Test the password:

```
db.auth("<account>","<password>")
```

With a wrong password the test fails; with the correct password it succeeds.

8. Delete an account:

```
db.dropUser("myadmin")
```

Viewing the account information again afterwards shows that only one account remains.

9. Create a regular user

A regular user can be created before authentication is turned on, or after it is turned on. Once authentication is on, however, the operator must first log in and authenticate with an account that has admin-database privileges before the operation can be performed. The underlying user information discussed here is stored in the system.users collection of the admin database.
```
# show databases
> show dbs
admin       0.078GB
article_db  0.078GB
config      0.078GB
local       0.078GB
trade_db    0.078GB
>
> # switch to the regular database trade_db
> use trade_db
switched to db trade_db
>
> # create a regular account with readWrite privileges
> db.createUser({user:"zhangsan",pwd:"123456",roles:[{role:"readWrite",db:"trade_db"}]})
Successfully added user: {
  "user" : "zhangsan",
  "roles" : [
    {
      "role" : "readWrite",
      "db" : "trade_db"
    }
  ]
}
>
```
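As an added example (not from the original post) that ties the role table in section 1 to the createUser steps above: a small POSIX shell helper that prints the db.createUser() statement for a least-privilege account and refuses the pairings the table rules out, such as giving readAnyDatabase to a user created in trade_db. The function names, the MONGO_NEW_PWD variable and the sample accounts are assumptions made for this example; the restore role is treated as admin-only on the basis of the MongoDB documentation, which the table itself does not state.

```shell
#!/bin/sh
# Added example, not from the original post. Builds the db.createUser()
# statement for one account and checks the role/database pairing against
# the role table: the *AnyDatabase roles, clusterAdmin and root only exist
# in the admin database. Function names and MONGO_NEW_PWD are assumptions.

# Roles the table marks as only available in the admin database.
# (restore is placed here per the MongoDB docs; the table does not say.)
ADMIN_ONLY_ROLES="root clusterAdmin readAnyDatabase readWriteAnyDatabase userAdminAnyDatabase dbAdminAnyDatabase restore"
# Roles scoped to the database named in the role document.
DB_SCOPED_ROLES="read readWrite dbAdmin userAdmin"

# is_in WORD LIST: succeeds when WORD is one of the space-separated words in LIST
is_in() {
    for w in $2; do
        [ "$w" = "$1" ] && return 0
    done
    return 1
}

# js_escape STRING: escape backslashes and double quotes for a JS string literal
js_escape() {
    printf '%s' "$1" | sed 's/[\\"]/\\&/g'
}

# create_user_js USER ROLE DB
# Prints the mongo shell statement on stdout. The password is taken from the
# MONGO_NEW_PWD environment variable rather than an argument, so it does not
# show up in the process list or the shell history of the caller.
# Prints nothing and returns 1 when the combination is not allowed.
create_user_js() {
    user=$1; role=$2; dbname=$3
    if [ -z "$user" ] || [ -z "$role" ] || [ -z "$dbname" ] || [ -z "$MONGO_NEW_PWD" ]; then
        echo "usage: MONGO_NEW_PWD=<password> create_user_js USER ROLE DB" >&2
        return 1
    fi
    if is_in "$role" "$ADMIN_ONLY_ROLES"; then
        if [ "$dbname" != "admin" ]; then
            echo "error: role '$role' is only available in the admin database, not '$dbname'" >&2
            return 1
        fi
    elif ! is_in "$role" "$DB_SCOPED_ROLES"; then
        echo "error: '$role' is not a built-in role from the table" >&2
        return 1
    fi
    printf 'db.createUser({user:"%s",pwd:"%s",roles:[{role:"%s",db:"%s"}]})\n' \
        "$(js_escape "$user")" "$(js_escape "$MONGO_NEW_PWD")" "$role" "$(js_escape "$dbname")"
}

# Usage: the regular account from the session above, then a rejected pairing.
MONGO_NEW_PWD='123456' create_user_js zhangsan readWrite trade_db
MONGO_NEW_PWD='123456' create_user_js zhangsan readAnyDatabase trade_db || echo "(rejected, as intended)"
```

The printed statement is what you paste into the mongo shell after `use <db>`; keeping the password out of the argument list matters because the plain-text password is otherwise visible to every local user through the process table.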
3. Turn on user authentication

1. Ways to turn on authentication

User authentication can be turned on in two ways:

(1) Add the --auth parameter when starting the mongod service:

```
/usr/local/mongodb-4.0.9/bin/mongod -f config/mongod.conf --auth
```

(2) Turn on authentication in the configuration file, after which the --auth parameter is no longer needed:

```
security:
  # enable authorization
  authorization: enabled
```

The second approach is more commonly used: set it once and it is done. The full configuration file used here:
```
storage:
  # data directory for the mongod process; this setting applies only to the mongod process
  dbPath: "/usr/local/mongodb-4.0.9/data/db"
  # whether to enable journaling for durable storage. The journal is used for data recovery and is the most basic feature of mongod, normally used for crash recovery. Defaults to true on 64-bit systems and false on 32-bit; enabling it is recommended. Applies only to the mongod process.
  journal:
    enabled: true
  # storage engine type; since MongoDB 3.0 both "mmapv1" and "wiredTiger" are supported, the default being "mmapv1"; officially the wiredTiger engine is described as the better one
  engine: mmapv1
systemLog:
  # log destination, "file" or "syslog"; "file" writes to a log file. If not specified, output goes to standard output
  destination: file
  # if true, after mongod/mongos restarts, log entries are appended to the end of the existing log; otherwise the current log file is backed up and a new one is created. Default false
  logAppend: true
  # log file path
  path: "/usr/local/mongodb-4.0.9/log/mongod.log"
processManagement:
  # run the mongos or mongod process as a background daemon
  fork: true
net:
  # external IP addresses to bind, comma-separated for multiple; default localhost
  bindIp: 0.0.0.0
  # port
  port: 27017
security:
  # enable authorization
  authorization: enabled
```
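Before restarting mongod as the next step describes, it is worth confirming that the configuration file really carries security.authorization: enabled, since with the config-file approach nothing on the command line reminds you of it. The following POSIX shell helper is an added example, not from the original post: it reads any top-level-section key from a mongod.conf in the flat two-level layout shown above, and refuses a file that binds to all interfaces (bindIp: 0.0.0.0, as the config above does) without authorization enabled. The two sample config files are constructed here in a temporary directory; the function names and paths are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post. Checks a mongod.conf (in the
# flat "section: / key: value" layout used above) for security.authorization
# before the service is restarted. Function names, paths and the sample
# configs are assumptions constructed for this example.

# conf_value FILE SECTION KEY: print the value of SECTION.KEY, or "unset".
# A line starting in column 0 (not blank, not a comment) opens a new section;
# commented-out keys such as "# authorization: enabled" are not counted.
conf_value() {
    awk -v sec="$2:" -v key="$3:" '
        /^[^ \t#]/ { section = $1 }
        section == sec && $1 == key { print $2; found = 1; exit }
        END { if (!found) print "unset" }
    ' "$1"
}

# auth_enabled FILE: succeeds only when security.authorization is "enabled".
auth_enabled() {
    [ "$(conf_value "$1" security authorization)" = "enabled" ]
}

# check_conf FILE: succeeds when the file can be used for an authenticated
# restart without --auth; otherwise explains on stderr and returns 1.
check_conf() {
    auth=$(conf_value "$1" security authorization)
    bind=$(conf_value "$1" net bindIp)
    if [ "$auth" != "enabled" ]; then
        echo "$1: security.authorization is '$auth' and bindIp is '$bind';" \
             "mongod would start without access control (or needs --auth)" >&2
        return 1
    fi
    echo "$1: authorization enabled, --auth is not needed on the command line"
}

# Constructed sample configs: one with the setting commented out, one enabled.
DEMO_DIR=$(mktemp -d)
cat > "$DEMO_DIR/weak.conf" <<'EOF'
net:
  bindIp: 0.0.0.0
  port: 27017
security:
  # authorization: enabled
EOF
cat > "$DEMO_DIR/hardened.conf" <<'EOF'
net:
  bindIp: 0.0.0.0
  port: 27017
security:
  # enable authorization
  authorization: enabled
EOF

check_conf "$DEMO_DIR/weak.conf" || echo "(refusing to restart with weak.conf)"
check_conf "$DEMO_DIR/hardened.conf"
```

The parser deliberately treats a commented-out `# authorization: enabled` as unset, which is the common mistake when a setting is copied from an example and the `#` is left in place.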
2. Restart the service after turning on authentication

On Linux, shut down the running mongod service and then restart the MongoDB service.

3. Connect to the MongoDB service from a Windows command window

Now the command show dbs no longer lists any databases.

4. Log in with an account

At this point we must log in as a user before we can operate on databases, and only within the range that user's permissions allow.