Access Control of mongodb 01/16 Update SLTechnology News&Howtos

Access Control of mongodb

2025-01-16 Update From: SLTechnology News&Howtos shulou NAV: SLTechnology News&Howtos > Servers >

Shulou(Shulou.com)06/02 Report--

内建角色，具体参考：https://docs.mongodb.com/manual/reference/built-in-roles

Read：允许用户读取指定数据库

readWrite：允许用户读写指定数据库

dbAdmin：允许用户在指定数据库中执行管理函数，如索引创建、删除，查看统计或访问system.profile

userAdmin：允许用户向system.users集合写入，可以找指定数据库里创建、删除和管理用户

clusterAdmin：只在admin数据库中可用，赋予用户所有分片和复制集相关函数的管理权限。

readAnyDatabase：只在admin数据库中可用，赋予用户所有数据库的读权限

readWriteAnyDatabase：只在admin数据库中可用，赋予用户所有数据库的读写权限

userAdminAnyDatabase：只在admin数据库中可用，赋予用户所有数据库的userAdmin权限

dbAdminAnyDatabase：只在admin数据库中可用，赋予用户所有数据库的dbAdmin权限。

root：只在admin数据库中可用。超级账号，超级权限

用户文件在admin库下的system.users表里，默认MongoDB没有访问密码，不太安全

1.添加数据库管理员用户adminUser和普通用户herrywen

mongo --port 27017use admindb.createUser({user: "adminUser",pwd: "adminPass",roles: [ { role: "userAdminAnyDatabase", db: "admin" } ]})use herrywendb.createUser( { user: "herrywen", pwd: "herrywen", roles: [ { role: "readWrite", db: "herrywen" }, { role: "read", db: "admin" } ] })

2.在192.168.255.134增加配置文件，开启验证

cat /etc/mongod.confsecurity: authorization: enabled

3.重启mongdb服务

systemctl restart mongdb

4.测试看下是否可以访问了

[root@worker1 ~]# mongo --host 192.168.255.134 --port 27017 -u adminUser -p adminPass --authenticationDatabase "admin"MongoDB shell version v4.2.1connecting to: mongodb://192.168.255.134:27017/?authSource=admin&compressors=disabled&gssapiServiceName=mongodbImplicit session: session { "id" : UUID("f5114890-0b2e-43a2-8a60-a8b265e68a44") }MongoDB server version: 4.2.1MongoDB Enterprise > use admin;switched to db adminMongoDB Enterprise > show collections;system.userssystem.versionMongoDB Enterprise > exitbye

5.如果直接登陆，在切换admin库时，提示没有任何权限。需要使用db.auth()进行验证

[root@worker1 ~]# mongo --host 192.168.255.134 --port 27017MongoDB shell version v4.2.1connecting to: mongodb://192.168.255.134:27017/?compressors=disabled&gssapiServiceName=mongodbImplicit session: session { "id" : UUID("9bcb1b37-7cfa-4aff-8947-6d633eee01be") }MongoDB server version: 4.2.1MongoDB Enterprise > use adminswitched to db adminMongoDB Enterprise > show collections;Warning: unable to run listCollections, attempting to approximate collection names by parsing connectionStatusMongoDB Enterprise > show collections;Warning: unable to run listCollections, attempting to approximate collection names by parsing connectionStatusMongoDB Enterprise > db.auth("adminUser","adminPass")1MongoDB Enterprise > show collections;system.userssystem.version

6.直接登陆herrywen库

[root@worker1 ~]# mongo --host 192.168.255.134 --port 27017 -u herrywen -p herrywen --authenticationDatabase "herrywen"MongoDB shell version v4.2.1connecting to: mongodb://192.168.255.134:27017/?authSource=herrywen&compressors=disabled&gssapiServiceName=mongodbImplicit session: session { "id" : UUID("9d906997-681a-43b4-b541-dbe5d197cd1f") }MongoDB server version: 4.2.1MongoDB Enterprise > use herrywenswitched to db herrywenMongoDB Enterprise > show collections;MongoDB Enterprise > db.test3.insert({title: 'MongoDB',... description: 'hello,world',... by: 'herrywen',... url: 'http://www.51cto.com',... tags: ['mongodb', 'database', 'NoSQL'],... likes: 100})WriteResult({ "nInserted" : 1 })MongoDB Enterprise > show collections;

7.给adminUser用户增加对herrywen库的读写权限

use admindb.grantRolesToUser( "adminUser", [ { role: "readWrite", db: "herrywen" } ] )db.system.users.find().pretty();

8.给herrywen用户增加herrywen1库的读写权限和admin数据库的读权限

use herrywendb.grantRolesToUser( "herrywen", [ { role: "readWrite", db: "herrywen1" } ,{ role: "read", db: "admin" } ] )

9.撤销herrywen对herrywen1库的读写权限和admin数据库的读权限

db.revokeRolesFromUser( "herrywen", [ { "role" : "read", "db" : "admin" }, { "role" : "readWrite", "db" : "herrywen1" } ])

10.查看当前herrywen用户的权限，也可以切换heryrwen数据库下，使用db.getUser('herrywen')查看，但是比较麻烦,可以直接使用show users

MongoDB Enterprise > show users{ "_id" : "herrywen.herrywen", "userId" : UUID("68fc696d-9825-43b6-9afb-d4a040b480a3"), "user" : "herrywen", "db" : "herrywen", "roles" : [ { "role" : "readWrite", "db" : "herrywen" } ], "mechanisms" : [ "SCRAM-SHA-1", "SCRAM-SHA-256" ]}

11.修改herrywen用户的密码

db.changeUserPassword("herrywen","herrywen-2")

12.删除herrywen用户

db.dropUser("herrywen")

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.

*The comments in the above article only represent the author's personal views and do not represent the views and positions of this website. If you have more insights, please feel free to contribute and share.