2025-04-02 Update From: SLTechnology News&Howtos, Shulou (Shulou.com), 06/01 Report
Basic concepts of MongoDB rights management
Conceptual interpretation
1. Database user roles
read: this role has read-only access to data, except for system collections and the system.indexes, system.js, system.namespaces collections.
readWrite: this role has read and write permissions on the corresponding database, except for system collections and the system.js collection.
2. Database management roles
dbAdmin: this role has management permissions on the specified database, including operation permissions on the system.indexes, system.namespaces, and system.profile collections. The role does not have read permission on all non-system collections.
dbOwner: this role has all the permissions on the specified database, including: readWrite, dbAdmin, userAdmin.
userAdmin: this role has administrative privileges over the users and roles of the specified database, including the creation of users.
3. Cluster administrative roles
clusterAdmin: this role has all the permissions of the cluster. It contains the clusterManager, clusterMonitor and hostManager role permissions. It also has permission to drop databases.
clusterManager: this role has administrative and monitoring permissions on the cluster, including access to the local and config databases. The role also has administrative permissions for sharding and replica sets.
clusterMonitor: this role has monitoring permissions on the cluster.
hostManager: this role has monitoring and service administration permissions on the cluster.
// Note: these roles can only be created under the admin database
4. Backup and restore roles
backup: this role has permission to back up data.
restore: this role has permission to restore backup data.
// Note: these roles can only be created under the admin database
5. All-database roles
The roles in this category have the same permissions as the corresponding database roles, except that they apply to all databases rather than to one specified database. They do not, however, grant permissions on system.*-related collections or on the local and config databases.
readAnyDatabase
readWriteAnyDatabase
userAdminAnyDatabase
dbAdminAnyDatabase
// Note: these roles can only be created under the admin database
6. Super privilege role
root: this role has all permissions; it includes the readWriteAnyDatabase, dbAdminAnyDatabase, userAdminAnyDatabase and clusterAdmin roles, as well as the restore and backup roles.
Note: this role can only be created in the admin database
7. Internal role
__system: this role is an internal role of the system, used for example by replica set members and mongos.
Reference link: we need to sort out a summary of the whole process
Summary of MongoDB 4.X user and role Rights Management
https://www.cnblogs.com/dbabd/p/10811523.html
// it is feasible to follow this link completely.
The summary is as follows:
1. Remember: create the user while authentication is not enabled, then stop the service, and then restart it with authentication enabled for it to take effect.
2. We set up mongodb normally, and then create a custom role
(Create a custom role dbabd in the admin database with find, update permission on the collection city and only find permission on the collection user_operation.)
// my guess is that we can verify without creating this later.
3. For users, you must first create a user-management user (a user who manages other users).
// before enabling access control, you first need to create a user with the role userAdmin or userAdminAnyDatabase in the admin database; you can then create users with other roles through this user, who acts as the manager of all other users.
4. Enable access control. Here we add --auth when we start mongodb (note that we did not succeed when we added auth=true in the configuration file)
// [root@prd3-mysql-0-36]# mongod -f /ivargo/app/mongodb/conf/mongo.conf --auth
5. Authenticate as the user-management user: you can log in with the administrative user we created. In this case, user_admin is the user to log in with.
// it can be understood as the user with the highest authority in mongodb at present
6. The next step is to create an ordinary user and give it read and write access to a certain database.
// that is, you must first create a user who manages ordinary users, and then, logged in as that administrative user, create the user we actually want.
7. After the ordinary user is created, roles are added to the user (as far as I understand it, a role means a permission)
For example, add the read role (permission) on the dbabd database to the user dbabd_user.
Next, we can run the experiment again according to the summary I wrote.
In the above test, the administrative user was created with the role userAdminAnyDatabase. Its permissions are as follows: users can be created and modified in the specified database (except for the databases config and local).
With the root role, the user has the maximum, super-user permission. Let's try that next: the highest permission, root.
// create an administrative user whose username is user_admin and password is admin
db.createUser(
    {
        user: "user_admin",
        pwd: "admin",
        roles: [{role: "userAdminAnyDatabase", db: "admin"}]
    }
)
// Summary
> use admin
switched to db admin
> db.system.users.find()
{"_ id": "admin.user_admin", "user": "user_admin", "db": "admin", "credentials": {"SCRAM-SHA-1": {"iterationCount": 10000, "salt": "YVnHB6u4l4kxyVkAG9h7bQ==", "storedKey": "u0bVa7oIMBQpyD8vzv9HQHAHBGk =", "serverKey": "XE9j9YQKKWi8/1CdXchLWILs6Ds="}, "SCRAM-SHA-256": {"iterationCount": 15000 "salt": "q1riE6iDxYrY3ROeVAw59q8DXg47B5DeGxtw6w =", "storedKey": "OVbdZPfC7CsmHGZKKiW2jH50cqMgPX8OfTgfcTg3MXM=", "serverKey": "0TjC2lObSJ7lmzwwTMNXWeG6leHpzK9nVReDUrKEs="}, "roles": [{"role": "userAdminAnyDatabase", "db": "admin"}]}
{"_ id": "admin.dbabd_user", "user": "dbabd_user", "db": "admin", "credentials": {"SCRAM-SHA-1": {"iterationCount": 10000, "salt": "Uvls4hIsjxHctMK8etQRQA==", "storedKey": "/ KAF4Zl7nOmeMEy+UBnpLVNPhvw=", "serverKey": "/ g85OaGcrfWAfisbllqAdqjUTP8 ="}, "SCRAM-SHA-256": {"iterationCount": 15000 "salt": "vCoqeEVfao5T6Rv6dMlw7J6zDFU0KoqDjRxXyA==", "storedKey": "IL1NENjImUYXiRuxxSA3uz4ein8OPNx/VJZVag0BcV0=", "serverKey": "GCRyzJ8siZEgAL6qURfuY4GQn7VYz4+o2PmtmT4rqmc="}, "customData": {"info": "user for dbabd"}, "roles": [{"role": "read", "db": "dbabd"}, {"role": "dbabd", "db": "admin"} {"role": "read", "db": "admin"}]}
> show users
{
    "_id": "admin.dbabd_user",
    "user": "dbabd_user", // this is the ordinary user that was created
    "db": "admin",
    "customData": {
        "info": "user for dbabd"
    },
    "roles": [
        {
            "role": "read", // the role is read-only
            "db": "dbabd" // for the database dbabd
        },
        {
            "role": "dbabd", // this is the custom role dbabd that we created ourselves
            "db": "admin"
        },
        {
            "role": "read",
            "db": "admin"
        }
    ],
    "mechanisms": [
        "SCRAM-SHA-1",
        "SCRAM-SHA-256"
    ]
}
{
    "_id": "admin.user_admin", // the user who manages ordinary users
    "user": "user_admin",
    "db": "admin",
    "roles": [
        {
            "role": "userAdminAnyDatabase",
            "db": "admin"
        }
    ],
    "mechanisms": [
        "SCRAM-SHA-1",
        "SCRAM-SHA-256"
    ]
}
Custom experiment (very important): an exercise I set for myself after reading https://www.cnblogs.com/dbabd/p/10811523.html.
The exercise is:
In mongodb, first create a user who manages users: the user vargo, with the password vargo123 and the role root.
Then create an ordinary user majihui with the password majihui123, who only has read-only access to the database dbabd.
To keep the experiment reliable, please reinstall mongodb so that the experiment starts completely clean.
Next, we create the users.
// In mongodb, first create an administrative user vargo with the password vargo123 and the role root; then create an ordinary user majihui with the password majihui123, who has read-only access to this database
// create an administrative user with the username vargo and the password vargo123
use admin
db.createUser(
    {
        user: "vargo",
        pwd: "vargo123",
        roles: [{role: "root", db: "admin"}]
    }
)
The actual operation is:
> use admin
switched to db admin
> db.createUser(
... {
... user: "vargo",
... pwd: "vargo123",
... roles: [{role: "root", db: "admin"}]
... }
... )
Successfully added user: {"user": "vargo", "roles": [{"role": "root", "db": "admin"}]}
Next, we shut down mongodb and restart it with authentication enabled, so that the user-management user has to authenticate
[root@prd3-mysql-0-36 ~]# mongod -f /ivargo/app/mongodb/conf/mongo.conf --auth
vargo has the highest privilege
// then create an ordinary user majihui with the password majihui123, who only has read-only access to the dbabd database
use admin
db.createUser(
    {
        user: "majihui",
        pwd: "majihui123",
        roles: [{role: "read", db: "dbabd"}],
        customData: {info: "user for dbabd"}
    }
)
Actual operation:
> use admin
switched to db admin
> db.createUser(
... {
... user: "majihui",
... pwd: "majihui123",
... roles: [{role: "read", db: "dbabd"}],
... customData: {info: "user for dbabd"}
... }
... )
Successfully added user: {"user": "majihui", "roles": [{"role": "read", "db": "dbabd"}], "customData": {"info": "user for dbabd"}}
Let's verify it.
[root@prd3-mysql-0-36]# mongo
MongoDB shell version v4.0.2
connecting to: mongodb://127.0.0.1:27017
MongoDB server version: 4.0.2
> use admin
switched to db admin
> db.auWarning: unable to run listCollections, attempting to approximate collection names by parsing connectionStatus
> db.auth('majihui','majihui123')
1
> show dbs
dbabd  0.000GB
> use dbabd
switched to db dbabd
> show collections
city
user_operation
> db.city.find()
{"_id": ObjectId("5ce27f0484dc5c8b35081590"), "title": "MongoDB tutorial", "description": "MongoDB is a Nosql database", "by": "Rookie tutorial", "url": "http://www.runoob.com", "tags": ["mongodb", "database", "NoSQL"], "likes": 100}
{"_id": ObjectId("5ce27f1184dc5c8b35081591"), "title": "redis tutorial", "description": "MongoDB is a Nosql database", "by": "Rookie tutorial", "url": "http://www.runoob.com", "tags": ["mongodb", "database", "NoSQL"], "likes": 100}
{"_id": ObjectId("5ce27f1784dc5c8b35081592"), "title": "mysql tutorial", "description": "MongoDB is a Nosql database", "by": "Rookie tutorial", "url": "http://www.runoob.com", "tags": ["mongodb", "database", "NoSQL"], "likes": 100}
> db.user_operation.count()
1
// Next we try to insert a document.
db.user_operation.insert({title: 'majihui tutorial',
    description: 'MongoDB is a Nosql database',
    by: 'rookie course',
    url: 'http://www.runoob.com',
    tags: ['mongodb', 'database', 'NoSQL'],
    likes: 300
})
Actual operation
> db.user_operation.insert({title: 'majihui tutorial',
... description: 'MongoDB is a Nosql database',
... by: 'rookie course',
... url: 'http://www.runoob.com',
... tags: ['mongodb', 'database', 'NoSQL'],
... likes: 300
... })
WriteCommandError({
    "ok": 0,
    "errmsg": "not authorized on dbabd to execute command { insert: \"user_operation\", ordered: true, lsid: { id: UUID(\"441b14ee-ab6e-44c3-9b23-7640ceeb6b1f\") }, $db: \"dbabd\" }",
    "code": 13,
    "codeName": "Unauthorized"
})
An error is reported, which is correct
// We'll try to delete a document next.
> db.user_operation.find()
{"_id": ObjectId("5ce27f4684dc5c8b35081593"), "title": "mysql tutorial", "description": "MongoDB is a Nosql database", "by": "Rookie tutorial", "url": "http://www.runoob.com", "tags": ["mongodb", "database", "NoSQL"], "likes": 100}
> db.user_operation.deleteMany(title: "mysql tutorial")
2019-05-21T14:04:45.765+0800 E QUERY [js] SyntaxError: missing ) after argument list @(shell):1:36
// an error is reported and the document cannot be deleted, by the way
> db.user_operation.find()
{"_id": ObjectId("5ce27f4684dc5c8b35081593"), "title": "mysql tutorial", "description": "MongoDB is a Nosql database", "by": "Rookie tutorial", "url": "http://www.runoob.com", "tags": ["mongodb", "database", "NoSQL"], "likes": 100}
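The role containment from the role list at the top of the page and the read-only check from the verification session, modelled in plain JavaScript (Node) as an added example; this is not code from the article or from MongoDB. The CONTAINS and ANY_DB tables and all function names are illustrative assumptions, and the custom role dbabd is only flagged for review, not resolved.

```javascript
// Added example: simplified model of built-in role containment as this page
// describes it. Custom roles and collection-level actions are NOT modelled.
const CONTAINS = new Map(Object.entries({
  root: ["readWriteAnyDatabase", "dbAdminAnyDatabase", "userAdminAnyDatabase",
         "clusterAdmin", "restore", "backup"],
  clusterAdmin: ["clusterManager", "clusterMonitor", "hostManager"],
  dbOwner: ["readWrite", "dbAdmin", "userAdmin"],
  readWrite: ["read"], // readWrite also covers everything read allows
}));
const ANY_DB = new Map(Object.entries({
  readAnyDatabase: "read", readWriteAnyDatabase: "readWrite",
  userAdminAnyDatabase: "userAdmin", dbAdminAnyDatabase: "dbAdmin",
}));
const BUILTIN = new Set([...CONTAINS.keys(), ...ANY_DB.keys(), "read", "dbAdmin",
  "userAdmin", "clusterManager", "clusterMonitor", "hostManager", "backup", "restore"]);
// Flatten roles into {role, db} grants; db "*" means every database except
// local and config.
function expand(roles) {
  const out = [], queue = [...roles];
  while (queue.length) {
    const { role, db } = queue.shift();
    if (ANY_DB.has(role)) { queue.push({ role: ANY_DB.get(role), db: "*" }); continue; }
    out.push({ role, db });
    for (const r of CONTAINS.get(role) || []) queue.push({ role: r, db });
  }
  return out;
}
const holds = (user, role, db) => expand(user.roles).some((g) => g.role === role &&
  (g.db === db || (g.db === "*" && db !== "local" && db !== "config")));
// Same shape as the error the server returned for the rejected insert above.
const checkWrite = (user, db) => holds(user, "readWrite", db)
  ? { ok: 1 } : { ok: 0, code: 13, codeName: "Unauthorized" };
// userAdmin can grant roles, including to itself, so report it as high privilege;
// non-built-in role names are listed for manual review (e.g. with rolesInfo).
const audit = (users) => users.map((u) => ({
  user: u.user,
  managesUsers: holds(u, "userAdmin", "admin"),
  customRoles: u.roles.filter((r) => !BUILTIN.has(r.role)).map((r) => r.role),
}));

// Users and roles as they appear on this page (credentials omitted).
const USERS = [
  { user: "user_admin", roles: [{ role: "userAdminAnyDatabase", db: "admin" }] },
  { user: "dbabd_user", roles: [{ role: "read", db: "dbabd" },
    { role: "dbabd", db: "admin" }, { role: "read", db: "admin" }] },
  { user: "vargo", roles: [{ role: "root", db: "admin" }] },
  { user: "majihui", roles: [{ role: "read", db: "dbabd" }] },
];
console.log(audit(USERS), checkWrite(USERS[3], "dbabd"));
```

The deleteMany call in the session above stopped at a shell SyntaxError (its filter is not wrapped in { }), so it never reached the server's authorization check. With a proper filter document, the read-only user should be rejected with the same code 13 response that checkWrite models.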