MongoDB access control

Published: 2020-07-08 02:55:45  Source: web  Reads: 540  Author: ziwenzhou  Category: system operations

Built-in roles; for details see: https://docs.mongodb.com/manual/reference/built-in-roles

read: allows the user to read the specified database
readWrite: allows the user to read and write the specified database
dbAdmin: allows the user to run administrative functions in the specified database, such as creating and dropping indexes, viewing statistics, or accessing system.profile
userAdmin: allows the user to write to the system.users collection, i.e. to create, drop and manage users in the specified database
clusterAdmin: available only in the admin database; grants the user administrative rights over all sharding and replica set related functions
readAnyDatabase: available only in the admin database; grants the user read access to all databases
readWriteAnyDatabase: available only in the admin database; grants the user read and write access to all databases
userAdminAnyDatabase: available only in the admin database; grants the user userAdmin rights on all databases
dbAdminAnyDatabase: available only in the admin database; grants the user dbAdmin rights on all databases
root: available only in the admin database; the superuser account with full privileges

User documents are stored in the system.users collection of the admin database. By default MongoDB requires no password for access, which is not very secure.

1. Add a database administrator user adminUser and an ordinary user herrywen

mongo --port 27017
use admin
db.createUser(
  {
    user: "adminUser",
    pwd: "adminPass",
    roles: [ { role: "userAdminAnyDatabase", db: "admin" } ]
  }
)

use herrywen
db.createUser(
  {
    user: "herrywen",
    pwd: "herrywen",
    roles: [ { role: "readWrite", db: "herrywen" },
             { role: "read", db: "admin" } ]
  }
)

2. On 192.168.255.134, add the following to the configuration file to enable authentication

cat /etc/mongod.conf
security:
  authorization: enabled

3. Restart the mongod service
systemctl restart mongod

4. Test whether access works now

[root@worker1 ~]# mongo --host 192.168.255.134 --port 27017  -u adminUser -p adminPass --authenticationDatabase "admin"
MongoDB shell version v4.2.1
connecting to: mongodb://192.168.255.134:27017/?authSource=admin&compressors=disabled&gssapiServiceName=mongodb
Implicit session: session { "id" : UUID("f5114890-0b2e-43a2-8a60-a8b265e68a44") }
MongoDB server version: 4.2.1
MongoDB Enterprise > use admin;
switched to db admin
MongoDB Enterprise > show collections;
system.users
system.version
MongoDB Enterprise > exit
bye

5. If you log in directly without credentials, switching to the admin database reports that you have no permissions at all. You must authenticate with db.auth()

[root@worker1 ~]# mongo --host 192.168.255.134 --port 27017
MongoDB shell version v4.2.1
connecting to: mongodb://192.168.255.134:27017/?compressors=disabled&gssapiServiceName=mongodb
Implicit session: session { "id" : UUID("9bcb1b37-7cfa-4aff-8947-6d633eee01be") }
MongoDB server version: 4.2.1
MongoDB Enterprise > use admin
switched to db admin
MongoDB Enterprise > show collections;
Warning: unable to run listCollections, attempting to approximate collection names by parsing connectionStatus
MongoDB Enterprise > show collections;
Warning: unable to run listCollections, attempting to approximate collection names by parsing connectionStatus
MongoDB Enterprise > db.auth("adminUser","adminPass")
1
MongoDB Enterprise > show collections;
system.users
system.version

6. Log in directly to the herrywen database

[root@worker1 ~]# mongo --host 192.168.255.134 --port 27017  -u herrywen -p herrywen --authenticationDatabase "herrywen"
MongoDB shell version v4.2.1
connecting to: mongodb://192.168.255.134:27017/?authSource=herrywen&compressors=disabled&gssapiServiceName=mongodb
Implicit session: session { "id" : UUID("9d906997-681a-43b4-b541-dbe5d197cd1f") }
MongoDB server version: 4.2.1
MongoDB Enterprise > use herrywen
switched to db herrywen
MongoDB Enterprise > show collections;
MongoDB Enterprise > db.test3.insert({title: 'MongoDB',
...     description: 'hello,world',
...     by: 'herrywen',
...     url: 'http://www.51cto.com',
...     tags: ['mongodb', 'database', 'NoSQL'],
...     likes: 100})
WriteResult({ "nInserted" : 1 })
MongoDB Enterprise > show collections;

7. Grant the adminUser user read/write access to the herrywen database

use admin
db.grantRolesToUser(
  "adminUser",
  [ { role: "readWrite", db: "herrywen" } ]
)
db.system.users.find().pretty();

8. Grant the herrywen user read/write access to the herrywen1 database and read access to the admin database

use herrywen
db.grantRolesToUser(
  "herrywen",
  [ { role: "readWrite", db: "herrywen1" }, { role: "read", db: "admin" } ]
)

9. Revoke the herrywen user's read/write access to the herrywen1 database and read access to the admin database

db.revokeRolesFromUser(
  "herrywen",
  [
    { "role" : "read", "db" : "admin" },
    { "role" : "readWrite", "db" : "herrywen1" }
  ]
)

10. View the current privileges of the herrywen user. You can also switch to the herrywen database and run db.getUser('herrywen'), but that is more cumbersome; show users does it directly

MongoDB Enterprise > show users
{
        "_id" : "herrywen.herrywen",
        "userId" : UUID("68fc696d-9825-43b6-9afb-d4a040b480a3"),
        "user" : "herrywen",
        "db" : "herrywen",
        "roles" : [
                {
                        "role" : "readWrite",
                        "db" : "herrywen"
                }
        ],
        "mechanisms" : [
                "SCRAM-SHA-1",
                "SCRAM-SHA-256"
        ]
}
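As an added example (not part of the original post), a small audit that walks user documents of the shape shown above and reports privileged built-in roles, grants on databases other than the user's own authentication database, and whether SCRAM-SHA-1 is still accepted. The functions and the sample users are constructed here; the sample reproduces the post's two users as they stand after step 8.

```javascript
// Added example, not from the original post. Pure JavaScript, so it runs
// under node and, unchanged, inside the mongo shell, where you would pass
//   db.getSiblingDB("admin").system.users.find().toArray()
// instead of the constructed SAMPLE_USERS below.

// Built-in roles from the list above that exist only in the admin database
// and reach across the whole deployment.
const PRIVILEGED_ROLES = new Set([
  "root", "clusterAdmin", "readAnyDatabase", "readWriteAnyDatabase",
  "userAdminAnyDatabase", "dbAdminAnyDatabase",
]);

// Constructed sample: the post's two users as they look after step 8
// (adminUser also holds readWrite on herrywen; herrywen holds readWrite
// on herrywen and herrywen1 plus read on admin).
const SAMPLE_USERS = [
  { _id: "admin.adminUser", user: "adminUser", db: "admin",
    roles: [ { role: "userAdminAnyDatabase", db: "admin" },
             { role: "readWrite", db: "herrywen" } ],
    mechanisms: [ "SCRAM-SHA-1", "SCRAM-SHA-256" ] },
  { _id: "herrywen.herrywen", user: "herrywen", db: "herrywen",
    roles: [ { role: "readWrite", db: "herrywen" },
             { role: "readWrite", db: "herrywen1" },
             { role: "read", db: "admin" } ],
    mechanisms: [ "SCRAM-SHA-256" ] },
];

// One finding per user: privileged roles held, roles granted on databases
// other than the user's own authentication database, and whether the
// account still accepts the older SCRAM-SHA-1 mechanism.
function auditUsers(users) {
  return users.map((u) => {
    const roles = u.roles || [];
    return {
      user: u.user + "@" + u.db,
      privileged: roles.filter((r) => PRIVILEGED_ROLES.has(r.role)).map((r) => r.role),
      crossDb: roles.filter((r) => r.db !== u.db).map((r) => r.role + "@" + r.db),
      legacySha1: (u.mechanisms || []).includes("SCRAM-SHA-1"),
    };
  });
}

// Users holding any privileged role; these are the accounts to keep to a minimum.
function privilegedUsers(users) {
  return auditUsers(users).filter((f) => f.privileged.length > 0).map((f) => f.user);
}

const out = typeof print === "function" ? print : console.log;
auditUsers(SAMPLE_USERS).forEach((f) => out(JSON.stringify(f)));
```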

11. Change the herrywen user's password
db.changeUserPassword("herrywen","herrywen-2")

12. Drop the herrywen user
db.dropUser("herrywen")
