MongoDB (13) --- Rights Management


1. MongoDB roles and permissions

Role | Permissions
read | Allows the user to read the specified database
readWrite | Allows the user to read and write the specified database
dbAdmin | Allows the user to perform administrative functions in the specified database, such as creating and deleting indexes, viewing statistics, or accessing system.profile
userAdmin | Allows the user to write to the system.users collection, that is, to create, delete, and manage users in the specified database
clusterAdmin | Only available in the admin database. Grants the user management privileges over all sharding- and replica-set-related functions.
readAnyDatabase | Only available in the admin database. Grants the user read access to all databases.
readWriteAnyDatabase | Only available in the admin database. Grants the user read and write access to all databases.
userAdminAnyDatabase | Only available in the admin database. Grants the user the userAdmin permission on all databases.
dbAdminAnyDatabase | Only available in the admin database. Grants the user the dbAdmin permission on all databases.
root | Only available in the admin database. Superuser account with all privileges.
restore | Permission to restore data into MongoDB from backup files (except the system.profile collection)

2. Create a role

1. Start the MongoDB service

2. Connect to the MongoDB service from a Windows command prompt

mongo --host=<IP address> --port=<port>    (if the port is omitted, the default is 27017)

3. Create an administrator user

Switch to the admin database.

Create a super administrator account:

Syntax: db.createUser({"user": "<account name>", "pwd": "<password>", "roles": [{"role": "<role type>", "db": "<database name>"}]})

If the trailing "db": "<database name>" is not written, it defaults to the current database.

4. Create a dedicated administrator account in the admin database, used only for managing users and their permissions

5. View the accounts that have been created

db.system.users.find()


6. Change an account's password

db.changeUserPassword("myroot","456123")


7. Test the password

db.auth("<account>", "<password>")

The test fails when the password is wrong and succeeds when it is correct.

8. Delete an account

db.dropUser("myadmin")

Then view the account information again:
Only one account is left ......

9. Create a regular user
  A regular user can be created before authentication is enabled, or after it is enabled. Once authentication is enabled, however, you must first log in as a user who has permission to operate on the admin database. Under the hood, user information is stored in the system.users collection of the admin database.

# Show the databases
> show dbs
admin       0.078GB
article_db  0.078GB
config      0.078GB
local       0.078GB
trade_db    0.078GB
>
># Switch to the regular database trade_db
> use trade_db
switched to db trade_db
>
># Create a regular account with read/write permission
> db.createUser({user:"zhangsan",pwd:"123456",roles:[{role:"readWrite",db:"trade_db"}]})
Successfully added user: {
        "user" : "zhangsan",
        "roles" : [
                {
                        "role" : "readWrite",
                        "db" : "trade_db"
                }
        ]
}
>
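
A way to review the roles array of a createUser document against the role table in section 1 before running it. This is an added example, not code from the original post; the function names, the "report" user, and the roles assigned to myroot and myadmin are assumptions, since the post shows only zhangsan's createUser call as text.

```javascript
// Added example: review the "roles" array of a db.createUser() document
// against the role table in section 1. Not code from the original post.

// Roles the table marks as available only in the admin database.
const ADMIN_ONLY = new Set([
  "clusterAdmin", "readAnyDatabase", "readWriteAnyDatabase",
  "userAdminAnyDatabase", "dbAdminAnyDatabase", "root",
]);
// Roles that may create users and assign roles; the holder can therefore
// grant further roles to itself.
const CAN_GRANT = new Set(["userAdmin", "userAdminAnyDatabase", "root"]);

function reviewUser(doc) {
  const findings = [];
  for (const r of doc.roles || []) {
    const label = `${doc.user}: ${r.role}@${r.db}`;
    if (ADMIN_ONLY.has(r.role) && r.db !== "admin") {
      // The server has no such role on a non-admin database.
      findings.push({ kind: "wrong-scope", label });
      continue;
    }
    if (ADMIN_ONLY.has(r.role)) findings.push({ kind: "cluster-wide", label });
    if (CAN_GRANT.has(r.role)) findings.push({ kind: "can-grant", label });
  }
  return findings;
}

// Constructed sample documents (passwords omitted). The roles for myroot
// and myadmin are assumptions; "report" is a hypothetical misconfigured user.
const sampleUsers = [
  { user: "myroot", roles: [{ role: "root", db: "admin" }] },
  { user: "myadmin", roles: [{ role: "userAdminAnyDatabase", db: "admin" }] },
  { user: "zhangsan", roles: [{ role: "readWrite", db: "trade_db" }] },
  { user: "report", roles: [{ role: "readAnyDatabase", db: "trade_db" }] },
];

function reviewAll(users) {
  return users.flatMap(reviewUser);
}

for (const f of reviewAll(sampleUsers)) console.log(f.kind.padEnd(12), f.label);
```

A "can-grant" finding marks an account that should be treated as equivalent to a superuser within its scope, because it can assign roles to itself.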
3. Enable user authentication

1. Ways to enable authentication

  There are two ways to enable user authentication:
1: Add the --auth parameter when starting the MongoDB service

/usr/local/mongodb-4.0.9/bin/mongod -f config/mongod.conf --auth

2: Enable authentication in the configuration file, so that the --auth parameter no longer needs to be added

security:
  # Enable authentication
  authorization: enabled

The second approach is the one more commonly used: it is configured once and for all.

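storage:
  # Directory where the mongod process stores its data; this setting only applies to the mongod process
  dbPath: "/usr/local/mongodb-4.0.9/data/db"
  # Whether to enable persistent journaling. The journal is used for data recovery; it is the most basic feature of mongod and is typically used for crash recovery. Defaults to true on 64-bit systems and false on 32-bit systems; enabling it is recommended. Only applies to the mongod process.
  journal:
    enabled: true
  # Storage engine type. MongoDB 3.0 and later support two engines, "mmapv1" and "wiredTiger"; the default is "mmapv1". Officially, the wiredTiger engine is claimed to be better.
  engine: mmapv1

systemLog:
  # Log output destination, either "file" or "syslog"; "file" writes to a log file. If not specified, output goes to standard output.
  destination: file
  # If true, after mongod/mongos restarts, new entries are appended to the end of the existing log. Otherwise the current log file is backed up and a new log file is created; the default is false.
  logAppend: true
  # Log path
  path: "/usr/local/mongodb-4.0.9/log/mongod.log"

processManagement:
  # Enable daemon mode, running the mongos or mongod process in the background
  fork: true

net:
  # Bind to external IPs; separate multiple addresses with commas; the default is localhost
  bindIp: 0.0.0.0
  # Port
  port: 27017

security:
  # Enable authentication
  authorization: enabled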
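
A check that covers both ways of enabling authentication described above, and reports when a non-local bindIp is combined with authentication switched off. This is an added example, not code from the original post; parseConf, authStatus and the two sample configs are constructed for illustration.

```javascript
// Added example: decide whether a mongod start-up enforces authentication,
// either through --auth or through security.authorization in the config file.

// Minimal parser for the indented "key: value" layout of mongod.conf
// (enough for this check, not a general YAML parser).
function parseConf(text) {
  const root = {};
  const stack = [{ indent: -1, node: root }];
  for (const raw of text.split("\n")) {
    const line = raw.replace(/(^|\s)#.*$/, ""); // drop comments
    const m = line.match(/^(\s*)([\w.]+):\s*(.*?)\s*$/);
    if (!m) continue;
    const indent = m[1].length;
    while (stack[stack.length - 1].indent >= indent) stack.pop();
    const parent = stack[stack.length - 1].node;
    if (m[3] === "") { // section header such as "security:"
      parent[m[2]] = {};
      stack.push({ indent, node: parent[m[2]] });
    } else {
      parent[m[2]] = m[3].replace(/^"(.*)"$/, "$1");
    }
  }
  return root;
}

function authStatus(argv, confText) {
  const conf = parseConf(confText);
  const byFlag = argv.includes("--auth");
  const byConf = (conf.security || {}).authorization === "enabled";
  const binds = ((conf.net || {}).bindIp || "localhost").split(",").map((s) => s.trim());
  const remote = binds.some((ip) => !["localhost", "127.0.0.1", "::1"].includes(ip));
  const enabled = byFlag || byConf;
  return { enabled, via: byFlag ? "--auth" : byConf ? "config" : null,
           remote, exposed: remote && !enabled };
}

// Constructed sample configs, modelled on the file shown above.
const withAuth = `net:
  # bind address
  bindIp: 0.0.0.0
  port: 27017
security:
  authorization: enabled
`;
const withoutAuth = withAuth.replace(/security:[\s\S]*$/, "");

console.log(authStatus(["mongod", "-f", "config/mongod.conf"], withAuth));
```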

2. Restart the service after enabling authentication
On Linux, shut down the running MongoDB service, then start the MongoDB service again.

3. Connect to the MongoDB service from a Windows command prompt

Now the show dbs command no longer lists the databases.

4. Log in with an account
At this point we must log in as a user before we can operate on the databases, and only within the range that the user's permissions allow.


Origin blog.csdn.net/qq_43655835/article/details/104559566