
Mongod user and role management

2025-02-25 Update. From: SLTechnology News&Howtos > Database


Shulou(Shulou.com)06/01 Report--

I. User authentication

--auth: adding --auth to the mongod start-up command enables the authorization module when mongod starts.

Once authorization is enabled, a client on the local machine can still open a connection, but without authenticating it cannot insert, delete, update or query anything (the localhost exception only allows creating the first user in the admin database while no users exist). Create the superuser before enabling authorization, or use that exception immediately afterwards.

--keyFile: used for internal authentication between the members of a sharded cluster or replica set. On a standalone mongod, --auth alone is sufficient; in a cluster (shards plus replica sets) this parameter is required. Enabling internal authentication with a key file also turns on client authorization, exactly as --auth does.

The same controls are available in the configuration file:

security.authorization: identical in effect to --auth.

security.keyFile: identical in effect to --keyFile.

Since MongoDB 2.6 the mongod/mongos configuration file is written in YAML, for example:

security:
  authorization: enabled
  keyFile: /srv/mongodb/keyfile
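A small helper to create and sanity-check the file referenced by --keyFile / security.keyFile. This is an added example, not code from the article or from MongoDB; the file name and the 756-byte key size are my choices (756 random bytes base64-encode to 1008 characters, the same size as the documentation's openssl rand -base64 756 recipe). mongod rejects a key file whose content is not 6 to 1024 base64 characters (whitespace ignored) or that is readable by group or world, so the checker tests exactly those conditions.

```python
"""Create and validate a MongoDB keyFile (added example, not from the article).

mongod accepts a key file only if its contents are 6 to 1024 characters from the
base64 set (whitespace is ignored) and, on UNIX, the file grants no group or
world permissions. This module writes such a file and reports why one would fail.
"""
import base64
import os
import secrets
import stat
import tempfile
from typing import Dict, List

B64_ALPHABET = set(
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/="
)


def generate_keyfile(path: str, nbytes: int = 756) -> str:
    """Write a fresh random key (base64 of nbytes; 756 bytes -> 1008 chars) with mode 0400.

    O_EXCL refuses to overwrite an existing file, so a key that a running cluster
    already shares is never clobbered by accident.
    """
    key = base64.b64encode(secrets.token_bytes(nbytes)).decode("ascii")
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o400)
    with os.fdopen(fd, "w") as fh:
        fh.write(key + "\n")
    return key


def check_keyfile(path: str) -> List[str]:
    """Return the reasons mongod would reject this key file (empty list means it is acceptable)."""
    problems: List[str] = []
    mode = os.stat(path).st_mode
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        problems.append(
            f"permissions {oct(stat.S_IMODE(mode))} grant group/world access; use 0400 or 0600"
        )
    with open(path, "r", encoding="ascii", errors="replace") as fh:
        key = "".join(fh.read().split())  # mongod ignores blanks, tabs and newlines
    if not 6 <= len(key) <= 1024:
        problems.append(f"key length {len(key)} is outside the allowed 6..1024 characters")
    bad = sorted(set(key) - B64_ALPHABET)
    if bad:
        problems.append(f"non-base64 characters present: {bad!r}")
    return problems


def self_check() -> Dict[str, object]:
    """Generate a key in a scratch directory, confirm it passes, then loosen the mode to show the failure."""
    workdir = tempfile.mkdtemp()
    path = os.path.join(workdir, "mongodb-keyfile")  # hypothetical location for the demo
    key = generate_keyfile(path)
    strict = check_keyfile(path)
    os.chmod(path, 0o644)  # the classic mistake: readable by everyone on the host
    loose = check_keyfile(path)
    return {"key_len": len(key), "strict_problems": strict, "loose_problems": loose}


if __name__ == "__main__":
    for name, value in self_check().items():
        print(f"{name}: {value}")
```

Every mongod and mongos in the deployment must hold an identical copy of the file, owned by the account mongod runs as; distribute it over an authenticated channel (scp, a secrets store), never by pasting it into a ticket.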

MongoDB 3.x ships a built-in root role that combines readWriteAnyDatabase, dbAdminAnyDatabase, userAdminAnyDatabase and clusterAdmin, roughly the counterpart of Oracle's sysdba; unlike sysdba, the name of the MongoDB superuser is arbitrary:

> use admin
switched to db admin
> db.createUser(
...   {
...     user: "ljaiadmin",
...     pwd: "123456",
...     roles: [ { role: "root", db: "admin" } ]
...   }
... )

Restart mongod with authorization enabled, then verify the permissions:

> use admin
switched to db admin
> db.auth('ljaiadmin', '123456')    // authenticate against admin, the database the user was created in
1
> show dbs
> use admin
switched to db admin
> show users

Create a normal user:

use reporting
db.createUser({
  user: "reportsUser",
  pwd: "12345678",
  roles: [
    { role: "read", db: "reporting" },
    { role: "read", db: "products" },
    { role: "read", db: "sales" },
    { role: "readWrite", db: "accounts" }
  ]
})

II. Roles

(1). Database user roles

These roles are scoped to a single database.

read: read access to all non-system collections, plus the system collections system.indexes, system.js and system.namespaces.

readWrite: everything read grants, plus the ability to modify all non-system collections and system.js.

(2). Database administration roles

Every database carries the following administration roles.

dbOwner: the owner of the database, with full rights on it (the combination of readWrite, dbAdmin and userAdmin).

dbAdmin: administrative operations on database objects (schema, indexes, statistics), but no read or write access to the user data itself. (Reference: http://docs.mongodb.org/manual/reference/built-in-roles/#dbAdmin)

userAdmin: create and modify users and roles on the current database. A userAdmin can grant any role on that database, including userAdmin itself, to any user, itself included; userAdmin on the admin database is therefore an indirect superuser and should be handed out as carefully as root.

(3). Cluster administration roles

The admin database contains the following roles for managing the whole deployment rather than a single database, including administration of replica sets and sharded clusters.

clusterAdmin: the broadest cluster-management role; equivalent to clusterManager, clusterMonitor and hostManager combined, plus dropDatabase.

clusterManager: management and monitoring actions on the cluster and its replica sets. Users with this role can operate on the config and local databases (sharding and replication metadata).

clusterMonitor: read-only monitoring of clusters and replica sets.

hostManager: monitoring and management of the servers themselves, including shutting down nodes, logRotate, repairDatabase and so on.

Backup and restore: the admin database also holds the roles for backing up and restoring data (backup, restore).

(4). All-database roles

The admin database provides roles that span every database of a mongod instance:

readAnyDatabase: read on every database, except the cluster-internal local and config databases.

readWriteAnyDatabase: readWrite on every database, except local and config.

userAdminAnyDatabase: userAdmin on every database, except local and config. Like userAdmin on admin, it can grant itself root.

dbAdminAnyDatabase: dbAdmin on every database, except local and config.

(5). Superuser role

root: the combination described above (readWriteAnyDatabase, dbAdminAnyDatabase, userAdminAnyDatabase and clusterAdmin). By itself it does not permit writing directly to the system.* collections, which is what the backup and restore roles cover, but a root user can grant those roles to itself.

(6). Backup and restore roles: backup, restore

(7). Internal role: __system, used by cluster members to talk to each other; never assign it to a person or an application.
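The roles above fall into three practical tiers: grants that are a superuser outright or can make themselves one (root, __system, userAdminAnyDatabase, userAdmin or dbOwner on admin), grants that reach every database or the whole cluster, and grants confined to one database. The following added example (mine, not code from the article or from MongoDB) encodes that classification and runs it over user documents shaped like admin.system.users entries; SAMPLE_USERS is constructed for illustration and includes the two accounts created later in this article plus two extra cases.

```python
"""Audit MongoDB user documents for superuser-equivalent or overly broad roles.

Added example, not code from the original article. Input has the shape of
admin.system.users documents (user, db, roles); the credentials field is not
needed here and is omitted. SAMPLE_USERS is constructed for illustration.
"""
from typing import Dict, List, Tuple

# (role, db) pairs that are a superuser outright or can make themselves one.
SUPERUSER_EQUIVALENT: Dict[Tuple[str, str], str] = {
    ("root", "admin"): "root: readWriteAnyDatabase + dbAdminAnyDatabase + userAdminAnyDatabase + clusterAdmin",
    ("__system", "admin"): "__system: internal role for cluster members, never for people or applications",
    ("userAdminAnyDatabase", "admin"): "userAdminAnyDatabase: can grant itself root",
    ("userAdmin", "admin"): "userAdmin on admin: can grant itself any role, including root",
    ("dbOwner", "admin"): "dbOwner on admin: includes userAdmin on admin, so it can grant itself root",
}

# Roles that reach every database or the whole cluster (no self-escalation, still highly privileged).
CLUSTER_WIDE = {
    "readAnyDatabase", "readWriteAnyDatabase", "dbAdminAnyDatabase",
    "clusterAdmin", "clusterManager", "hostManager", "backup", "restore",
}


def classify_role(role: str, db: str) -> Tuple[str, str]:
    """Return (severity, reason) for one role grant; an empty severity means unremarkable."""
    if (role, db) in SUPERUSER_EQUIVALENT:
        return "CRITICAL", SUPERUSER_EQUIVALENT[(role, db)]
    if role in CLUSTER_WIDE:
        return "HIGH", f"{role}: spans every database or the whole cluster"
    if role in ("userAdmin", "dbOwner"):
        return "MEDIUM", f"{role} on {db}: can grant any role within that database to anyone"
    return "", ""


def audit_users(users: List[dict]) -> Dict[str, List[str]]:
    """Map each flagged user id (db.user) to its findings; users with nothing to report are omitted."""
    findings: Dict[str, List[str]] = {}
    for u in users:
        uid = u.get("_id", f"{u['db']}.{u['user']}")
        notes = []
        for grant in u.get("roles", []):
            severity, reason = classify_role(grant["role"], grant["db"])
            if severity:
                notes.append(f"{severity} {reason}")
        if notes:
            findings[uid] = notes
    return findings


def superusers(users: List[dict]) -> List[str]:
    """Ids of users holding at least one superuser-equivalent grant."""
    return [
        uid for uid, notes in audit_users(users).items()
        if any(n.startswith("CRITICAL") for n in notes)
    ]


# Constructed sample: the two accounts from the article's transcript plus two extra cases.
SAMPLE_USERS = [
    {"_id": "admin.admin", "user": "admin", "db": "admin",
     "roles": [{"role": "root", "db": "admin"}]},
    {"_id": "person.person", "user": "person", "db": "person",
     "roles": [{"role": "readWrite", "db": "person"}]},
    {"_id": "reporting.reports", "user": "reports", "db": "reporting",
     "roles": [{"role": "userAdmin", "db": "reporting"}]},
    {"_id": "admin.ops", "user": "ops", "db": "admin",
     "roles": [{"role": "read", "db": "sales"}, {"role": "userAdmin", "db": "admin"}]},
]

if __name__ == "__main__":
    for uid, notes in audit_users(SAMPLE_USERS).items():
        print(uid)
        for note in notes:
            print("   ", note)
```

On a live deployment the input would be the output of db.system.users.find() on admin (or db.getUsers() per database); the point of the classification is that "ops" above, who holds no data role at all, is as powerful as "admin".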

III. Related commands

Besides db.createUser(), the following are commonly used:

Create a role: db.createRole()

Update a role: db.updateRole()

Delete a role: db.dropRole()

Get information about a role: db.getRole()

Change a password: db.changeUserPassword("userName", "newPwd")

List every user of the current database together with their roles: db.getUsers()

Get a specified user's details: db.getUser("userName")

Example:

> use company
switched to db company
> db.createUser(
...   { user: "user01", pwd: "123",
...     roles: [ { role: "readWrite", db: "company" } ] }
... )
Successfully added user: { "user" : "user01", "roles" : [ { "role" : "readWrite", "db" : "company" } ] }
> db.getUsers()                            // list the current database's users
> db.auth("user01")                        // with a single argument the shell prompts for the password
1
> db.changeUserPassword("user01", "456")   // change the user's password
> db.auth("user01", "456")
1

Delete a user: db.dropUser()

Example:

> use company
switched to db company
> db.dropUser("user01")    // remove the user from the current database
true

Delete all users of the current database: db.dropAllUsers()

Grant roles to a user:

db.grantRolesToUser("userName", [ { role: "roleName1", db: "dbName" }, { role: "roleName2", db: "dbName" }, ... ])

Revoke roles from a user:

db.revokeRolesFromUser("userName", [ { role: "roleName1", db: "dbName" }, { role: "roleName2", db: "dbName" }, ... ])

IV. Example

[root@meteor ~]# service mongod start
Starting mongod:                                           [  OK  ]
[root@meteor ~]# mongo localhost:27027
MongoDB shell version: 3.2.8
connecting to: localhost:27027/test
Server has startup warnings:
> use admin
switched to db admin
> db.createUser(
...   { user: "admin", pwd: "123456",
...     roles: [ { role: "root", db: "admin" } ] }
... )
Successfully added user: {
        "user" : "admin",
        "roles" : [
                {
                        "role" : "root",
                        "db" : "admin"
                }
        ]
}
> use person
switched to db person
> db.p1.insert({ name: "thompson", gender: "male", age: "24" })
WriteResult({ "nInserted" : 1 })
> db.p1.find()
{ "_id" : ObjectId("57a2a28aa6d4803a1c952529"), "name" : "thompson", "gender" : "male", "age" : "24" }
> exit
bye
[root@meteor ~]# mongo localhost:27027
MongoDB shell version: 3.2.8
connecting to: localhost:27027/test
> show dbs                 // authorization is still off: an unauthenticated connection sees every database
admin   0.000GB
local   0.000GB
person  0.000GB
> exit
bye
[root@meteor ~]# vim /etc/mongod.conf
[root@meteor ~]# sed -n '333 p' /etc/mongod.conf    # authorization has to be enabled here
security:
  authorization: enabled
[root@meteor ~]# service mongod restart              # a configuration change takes effect only after a restart
Stopping mongod:                                           [  OK  ]
Starting mongod:                                           [  OK  ]
[root@meteor ~]# mongo localhost:27027
MongoDB shell version: 3.2.8
connecting to: localhost:27027/test
> show dbs                 // not authenticated: the same command is now rejected
2016-08-04T10:06:08.491+0800 E QUERY    [thread1] Error: listDatabases failed:{
        "ok" : 0,
        "errmsg" : "not authorized on admin to execute command { listDatabases: 1.0 }",
        "code" : 13
} :
_getErrorWithCode@src/mongo/shell/utils.js:25:13
Mongo.prototype.getDBs@src/mongo/shell/mongo.js:62:1
shellHelper.show@src/mongo/shell/utils.js:761:19
shellHelper@src/mongo/shell/utils.js:651:15
@(shellhelp2):1:1
> use admin
switched to db admin
> db.auth("admin", "123456")    // authenticate as the superuser
1
> use person
switched to db person
> db.createUser(                // create a user that lives in, and only reaches, the person database
...   { user: "person", pwd: "123",
...     roles: [ { role: "readWrite", db: "person" } ] }
... )
Successfully added user: {
        "user" : "person",
        "roles" : [
                {
                        "role" : "readWrite",
                        "db" : "person"
                }
        ]
}
> use admin
switched to db admin
> db.system.users.find()
{ "_id" : "admin.admin", "user" : "admin", "db" : "admin", "credentials" : { "SCRAM-SHA-1" : { "iterationCount" : 10000, "salt" : "KFiaKAkrDqCJ/H8uIIhwzA==", "storedKey" : "faWxuPj1hZ4jV3VhL9Z0zylBL0Y=", "serverKey" : "qYSi5BRZY/GPTuBeF60KCvB5dqg=" } }, "roles" : [ { "role" : "root", "db" : "admin" } ] }
{ "_id" : "person.person", "user" : "person", "db" : "person", "credentials" : { "SCRAM-SHA-1" : { "iterationCount" : 10000, "salt" : "0tRiioYKdcxhammer On3uXgR swab =", "storedKey" : "8M69xFSgniSeU7uvLqpzaclECs =", "serverKey" : "Znu2x5fAzMgrMKlxpj2I//1lcWc=" } }, "roles" : [ { "role" : "readWrite", "db" : "person" } ] }
> use person
switched to db person
> db.grantRolesToUser("person", [ { role: "dbAdmin", db: "person" } ])      // attach an additional role to the user
> use admin
switched to db admin
> db.system.users.find()
{ "_id" : "admin.admin", "user" : "admin", "db" : "admin", "credentials" : { "SCRAM-SHA-1" : { "iterationCount" : 10000, "salt" : "KFiaKAkrDqCJ/H8uIIhwzA==", "storedKey" : "faWxuPj1hZ4jV3VhL9Z0zylBL0Y=", "serverKey" : "qYSi5BRZY/GPTuBeF60KCvB5dqg=" } }, "roles" : [ { "role" : "root", "db" : "admin" } ] }
{ "_id" : "person.person", "user" : "person", "db" : "person", "credentials" : { "SCRAM-SHA-1" : { "iterationCount" : 10000, "salt" : "0tRiioYKdcxhammer On3uXgR swab =", "storedKey" : "8M69xFSgniSeU7uvLqpzaclECs =", "serverKey" : "Znu2x5fAzMgrMKlxpj2I//1lcWc=" } }, "roles" : [ { "role" : "dbAdmin", "db" : "person" }, { "role" : "readWrite", "db" : "person" } ] }
> use person
switched to db person
> db.revokeRolesFromUser("person", [ { role: "dbAdmin", db: "person" } ])   // take the role away again
> use admin
switched to db admin
> db.system.users.find()
{ "_id" : "admin.admin", "user" : "admin", "db" : "admin", "credentials" : { "SCRAM-SHA-1" : { "iterationCount" : 10000, "salt" : "KFiaKAkrDqCJ/H8uIIhwzA==", "storedKey" : "faWxuPj1hZ4jV3VhL9Z0zylBL0Y=", "serverKey" : "qYSi5BRZY/GPTuBeF60KCvB5dqg=" } }, "roles" : [ { "role" : "root", "db" : "admin" } ] }
{ "_id" : "person.person", "user" : "person", "db" : "person", "credentials" : { "SCRAM-SHA-1" : { "iterationCount" : 10000, "salt" : "0tRiioYKdcxhammer On3uXgR swab =", "storedKey" : "8M69xFSgniSeU7uvLqpzaclECs =", "serverKey" : "Znu2x5fAzMgrMKlxpj2I//1lcWc=" } }, "roles" : [ { "role" : "readWrite", "db" : "person" } ] }
> exit
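The credentials block that db.system.users.find() prints is a SCRAM-SHA-1 verifier, not the password, but it is still sensitive: anyone who can read admin.system.users (root, userAdminAnyDatabase, a leaked backup) can test password guesses offline at the cost of one PBKDF2 run per guess, 10000 iterations here. The following added example (mine, not code from the article or from MongoDB) recomputes the verifier the way mongod derives it, checks a password against a record, and runs a small dictionary attack. The record it attacks is constructed for a fictitious user "appuser" with a fixed salt; ADMIN_RECORD is the admin entry copied verbatim from the transcript above, and running the script reports whether a guess list containing 123456 reproduces its keys.

```python
"""Recompute MongoDB SCRAM-SHA-1 credentials from a system.users document.

Added example (not from the article). Shows what the storedKey/serverKey fields
printed by db.system.users.find() are, and why read access to admin.system.users
allows offline password guessing. The test record for "appuser" is constructed.
"""
import base64
import hashlib
import hmac
from typing import Iterable, Optional


def _b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode("ascii")


def scram_sha1_credential(user: str, password: str, salt_b64: str, iterations: int) -> dict:
    """Derive the SCRAM-SHA-1 record mongod stores for user/password.

    MongoDB's SCRAM-SHA-1 first hashes the password the MONGODB-CR way,
    md5("user:mongo:password") as lowercase hex, then applies RFC 5802:
      SaltedPassword = PBKDF2-HMAC-SHA1(hashed, salt, iterations, 20 bytes)
      ClientKey      = HMAC(SaltedPassword, "Client Key");  StoredKey = SHA1(ClientKey)
      ServerKey      = HMAC(SaltedPassword, "Server Key")
    """
    hashed = hashlib.md5(f"{user}:mongo:{password}".encode("utf-8")).hexdigest()
    salt = base64.b64decode(salt_b64)
    salted = hashlib.pbkdf2_hmac("sha1", hashed.encode("ascii"), salt, iterations, dklen=20)
    client_key = hmac.new(salted, b"Client Key", hashlib.sha1).digest()
    server_key = hmac.new(salted, b"Server Key", hashlib.sha1).digest()
    return {
        "iterationCount": iterations,
        "salt": salt_b64,
        "storedKey": _b64(hashlib.sha1(client_key).digest()),
        "serverKey": _b64(server_key),
    }


def verify_password(user: str, password: str, record: dict) -> bool:
    """True if the password reproduces the record's stored SCRAM-SHA-1 keys."""
    cred = record["credentials"]["SCRAM-SHA-1"]
    derived = scram_sha1_credential(user, password, cred["salt"], cred["iterationCount"])
    return hmac.compare_digest(derived["storedKey"], cred["storedKey"]) and hmac.compare_digest(
        derived["serverKey"], cred["serverKey"]
    )


def offline_guess(record: dict, candidates: Iterable[str]) -> Optional[str]:
    """What an attacker holding a copy of system.users does: try each candidate until one verifies."""
    for pw in candidates:
        if verify_password(record["user"], pw, record):
            return pw
    return None


def build_record(user: str, db: str, password: str, salt_b64: str, iterations: int = 10000) -> dict:
    """Assemble a system.users-style document for user@db, as createUser would store it."""
    return {
        "_id": f"{db}.{user}",
        "user": user,
        "db": db,
        "credentials": {"SCRAM-SHA-1": scram_sha1_credential(user, password, salt_b64, iterations)},
        "roles": [],
    }


# The admin entry exactly as the transcript above printed it.
ADMIN_RECORD = {
    "_id": "admin.admin",
    "user": "admin",
    "db": "admin",
    "credentials": {
        "SCRAM-SHA-1": {
            "iterationCount": 10000,
            "salt": "KFiaKAkrDqCJ/H8uIIhwzA==",
            "storedKey": "faWxuPj1hZ4jV3VhL9Z0zylBL0Y=",
            "serverKey": "qYSi5BRZY/GPTuBeF60KCvB5dqg=",
        }
    },
    "roles": [{"role": "root", "db": "admin"}],
}

if __name__ == "__main__":
    # Constructed guess list; a real attacker would feed a wordlist here.
    print("admin password recovered:", offline_guess(ADMIN_RECORD, ["password", "admin", "123456"]))
```

Two consequences for operations follow directly from the code: the username is part of the hash, so renaming a user invalidates its verifier, and the iteration count is the only thing slowing a dictionary attack down, so weak passwords such as the ones used in this tutorial are recoverable in seconds from a leaked admin.system.users dump.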

Reference:

https://docs.mongodb.com/manual/tutorial/create-users/

https://docs.mongodb.com/manual/reference/configuration-options/#security.authorization
