2025-02-28 Update From: SLTechnology News&Howtos (Shulou.com)
Official documentation
https://docs.mongodb.com/v3.6/reference/built-in-roles/
https://docs.mongodb.com/v3.6/reference/method/db.auth/
Summary
1. If the --auth parameter is added when MongoDB starts, operations such as show dbs report an error after the mongo command connects to the database. You must first execute db.auth("user", "pwd") to verify the user and password before any operation can be performed, and the user can do only what its permissions allow.
2. Roles can be granted when the user is created with db.createUser, or granted to an existing user with db.grantRolesToUser.
3. MongoDB users are stored per database. For example, if db.system.users.find() shows an _id of db1.user1, the user user1 was created in the db1 database; an _id of db2.user1 means a user user1 was created in the db2 database. This is similar to the user@host model of MySQL users.
4. Roles such as root and readWriteAnyDatabase must be bound to the admin database. This does not mean that a user with the root role can only be created in the admin database. Create a user named root in the test1 database and bind the root role on the admin database, as below; after authenticating in the test1 database, the user can perform any operation. However, this root user created in test1 gets Error: Authentication failed when executing db.auth in the admin database, because it is not a user of the admin database.
> use test1
> db.createUser({user: "root", pwd: "123456", roles: [{role: "root", db: "admin"}]})
5. The admin database is a special database in MongoDB. Some roles can only be used in the admin database, but that does not mean users in the admin database have all permissions. The user admin_user created in the admin database below has only read permission on the admin database and cannot read other databases.
> use admin
> db.createUser({user: "admin_user", pwd: "123456", roles: ["read"]})
6. When db.auth("user", "pwd") is executed, the user must exist in the current database; if it does not, an error is reported. A user with the root role cannot run db.auth in just any database. Rather, a user with the root role can access all other databases after authenticating with db.auth in the database that user belongs to.
7. When the mongo command connects to the MongoDB server from another machine, it must specify a user name and password that exist in the database named in the connection. In the example below, the test1 database on 192.168.0.10 holds a user root with the root (super administrator) role and the password 123456. All databases can be accessed after executing db.auth("root", "123456") in the test1 database, but no such user exists in the test123 database on 192.168.0.10. So the first command connects normally, while the second reports Error: Authentication failed and cannot connect.
mongo 192.168.0.10/test1 -u root -p "123456"    # normal, can connect
mongo 192.168.0.10/test123 -u root -p "123456"  # error, authentication failure, unable to connect
8. To view the current user in MongoDB, use the command db.runCommand({connectionStatus: 1}), just as Oracle executes show users to display the user of the current session.
Granting roles when creating a user: db.createUser
> use test1
> db.createUser({user: "A1", pwd: "123456", roles: [{role: "clusterAdmin", db: "admin"}, {role: "readAnyDatabase", db: "admin"}, {role: "readWrite", db: "test"}, "readWrite"]})
This creates a user A1 in the test1 database with cluster administration permission, read access to any database, read and write permission on the test database, and read and write permission on the test1 database. The last entry, "readWrite", names no database, so it applies to the current database, that is, test1.
User A1 is visible to show users only in the test1 database. If you execute show users in the admin database, you do not see A1, because A1 is not a user of the admin database.
The readAnyDatabase role must be bound to the admin database; otherwise an error is reported:
> db.createUser({user: "a2", pwd: "123456", roles: [{role: "readAnyDatabase", db: "test"}]})
Error [thread1] Error: couldn't add user: No role named readAnyDatabase@test
readAnyDatabase is only available in admin. Change db: "test" to db: "admin".
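The binding rules above, as an added example that is not part of the original article: a pre-flight check that resolves a roles array before it is passed to db.createUser or db.grantRolesToUser. The helper resolveRoles and the ADMIN_ONLY list (copied from this page's role list) are assumptions of the example, as is test1 being the current database for both calls.

```javascript
// Added example, not from the original article.
// ADMIN_ONLY is copied from the role list on this page (an assumption: no
// other built-in or custom roles are considered).
const ADMIN_ONLY = new Set([
  "clusterAdmin", "readAnyDatabase", "readWriteAnyDatabase",
  "userAdminAnyDatabase", "dbAdminAnyDatabase", "root",
]);

// Resolve a roles array the way the article describes: a bare string is
// bound to the current database, and an admin-only role bound to any
// database other than admin is rejected.
function resolveRoles(currentDb, roles) {
  const grants = [];
  const errors = [];
  for (const entry of roles) {
    const role = typeof entry === "string" ? entry : entry.role;
    const db = typeof entry === "string" ? currentDb : entry.db;
    if (ADMIN_ONLY.has(role) && db !== "admin") {
      errors.push(`No role named ${role}@${db}`);
    } else {
      grants.push(`${role}@${db}`);
    }
  }
  return { grants, errors };
}

// The roles arrays of users A1 and a2 from the article.
const a1 = resolveRoles("test1", [
  { role: "clusterAdmin", db: "admin" },
  { role: "readAnyDatabase", db: "admin" },
  { role: "readWrite", db: "test" },
  "readWrite",
]);
const a2 = resolveRoles("test1", [{ role: "readAnyDatabase", db: "test" }]);

console.log(a1.grants); // what A1 ends up with
console.log(a2.errors); // why creating a2 fails
```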
Granting roles: db.grantRolesToUser
> use test1
> db.grantRolesToUser("A1", [{role: "readWrite", db: "test2"}])
Grants user A1 of the test1 database read and write permission on the test2 database.
Revoking roles: db.revokeRolesFromUser
> use test1
> db.revokeRolesFromUser("A1", [{role: "readWrite", db: "test2"}])
Revokes the read and write permission on the test2 database from user A1 of the test1 database.
Three methods of querying users
> show users // lists only the users of the current database
> use admin
> db.system.users.find() // must be executed in the admin database; lists all users of all databases
> db.system.users.find().pretty() // must be executed in the admin database; lists all users of all databases in a more readable format than db.system.users.find()
If you run the last two commands in another database such as A instead of admin, no results are returned, even if database A has users.
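An added example (not from the original article) that turns the output of db.system.users.find() into an inventory of where each user authenticates and how far its roles reach. The functions auditUsers and hiddenPrivileged, the CLUSTER_WIDE list (taken from this page's role list) and the sample documents are constructed for illustration.

```javascript
// Added example: inventory of db.system.users.find() output. sampleUsers is
// constructed, trimmed to the fields used, and mirrors the article's users.
const CLUSTER_WIDE = new Set([ // the roles this page lists as admin-only
  "clusterAdmin", "readAnyDatabase", "readWriteAnyDatabase",
  "userAdminAnyDatabase", "dbAdminAnyDatabase", "root",
]);

const sampleUsers = [
  { _id: "test1.root", user: "root", db: "test1",
    roles: [{ role: "root", db: "admin" }] },
  { _id: "admin.admin_user", user: "admin_user", db: "admin",
    roles: [{ role: "read", db: "admin" }] },
  { _id: "test1.A1", user: "A1", db: "test1",
    roles: [{ role: "clusterAdmin", db: "admin" },
            { role: "readAnyDatabase", db: "admin" },
            { role: "readWrite", db: "test" },
            { role: "readWrite", db: "test1" }] },
];

// One row per user: the database it must authenticate against (u.db) and
// how far its roles reach beyond that database.
function auditUsers(docs) {
  return docs.map((u) => {
    const clusterWide = u.roles
      .filter((r) => r.db === "admin" && CLUSTER_WIDE.has(r.role))
      .map((r) => r.role);
    const crossDb = u.roles
      .filter((r) => r.db !== u.db && !CLUSTER_WIDE.has(r.role))
      .map((r) => `${r.role}@${r.db}`);
    const flags = [];
    if (clusterWide.length && u.db !== "admin") {
      flags.push("cluster-wide role held by a user outside admin");
    }
    if (crossDb.length) flags.push("roles on other databases");
    return { id: u._id, authDb: u.db, clusterWide, crossDb, flags };
  });
}

// Users with cluster-wide roles that "show users" in admin does not list.
function hiddenPrivileged(docs) {
  return auditUsers(docs)
    .filter((row) => row.clusterWide.length > 0 && row.authDb !== "admin")
    .map((row) => row.id);
}

console.log(JSON.stringify(auditUsers(sampleUsers), null, 2));
console.log(hiddenPrivileged(sampleUsers));
```

In the mongo shell, pass db.getSiblingDB("admin").system.users.find().toArray() in place of sampleUsers.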
Delete user
> db.dropAllUsers(); // deletes all users of the current database; users of other databases are not affected
> db.dropUser('A3'); // deletes user A3 of the current database
Authenticate user
> use test1
> db.auth("A1", "123456")
To authenticate user A1 in the test1 database, user A1 must first exist in test1, and the password of A1 must be 123456; only then does authentication succeed.
A return value of 1 means authentication succeeded.
Even when the --auth parameter is not used when MongoDB starts, db.auth can still be executed after the mongo command connects.
> use db
> db.createUser({user: "admin2", pwd: "123456", roles: [{role: "userAdminAnyDatabase", db: "admin"}]})
> db.auth("admin2", "admin2") // fails with Error: Authentication failed
> db.auth("admin2", "123456")
Role list
read: allows the user to read the specified database
readWrite: allows the user to read and write the specified database
dbAdmin: gives the user all administrative permissions on the specified database, such as creating, deleting and viewing databases, collections and indexes
userAdmin: allows the user to write to the system.users collection, and to create, delete and manage users and roles in the specified database
clusterAdmin: available only in the admin database; gives the user administrative rights over all sharding and replica set functions
readAnyDatabase: available only in the admin database; gives the user read access to all databases
readWriteAnyDatabase: available only in the admin database; gives the user read and write permission on all databases
userAdminAnyDatabase: available only in the admin database; gives the user userAdmin permission on all databases
dbAdminAnyDatabase: available only in the admin database; gives the user dbAdmin permission on all databases
root: available only in the admin database; the super account with super privileges