zoukankan      html  css  js  c++  java
  • mongoDB-权限控制

    启动服务
    D:MongoDBServer3.6in>mongod.exe --dbpath D:MongoDBServer3.6data

    扩展
    无认证启动:mongod --port 27017 --dbpath /data/db
    认证启动:mongod --auth --port 27017 --dbpath /data/db
    连接:mongo --port 27017


    查看MongoDB所有Role定义

    $ ./mongo.exe MongoDB shell version v3.6.5 connecting to: mongodb://127.0.0.1:27017 MongoDB server version: 3.6.5 use admin switched to db admin db.getRoles( { rolesInfo: 1, showPrivileges:false, showBuiltinRoles: true } ) [ { "role" : "__queryableBackup", "db" : "admin", "isBuiltin" : true, "roles" : [ ], "inheritedRoles" : [ ] }, { "role" : "__system", "db" : "admin", "isBuiltin" : true, "roles" : [ ], "inheritedRoles" : [ ] }, { "role" : "backup", "db" : "admin", "isBuiltin" : true, "roles" : [ ], "inheritedRoles" : [ ] }, { "role" : "clusterAdmin", "db" : "admin", "isBuiltin" : true, "roles" : [ ], "inheritedRoles" : [ ] }, { "role" : "clusterManager", "db" : "admin", "isBuiltin" : true, "roles" : [ ], "inheritedRoles" : [ ] }, { "role" : "clusterMonitor", "db" : "admin", "isBuiltin" : true, "roles" : [ ], "inheritedRoles" : [ ] }, { "role" : "dbAdmin", "db" : "admin", "isBuiltin" : true, "roles" : [ ], "inheritedRoles" : [ ] }, { "role" : "dbAdminAnyDatabase", "db" : "admin", "isBuiltin" : true, "roles" : [ ], "inheritedRoles" : [ ] }, { "role" : "dbOwner", "db" : "admin", "isBuiltin" : true, "roles" : [ ], "inheritedRoles" : [ ] }, { "role" : "enableSharding", "db" : "admin", "isBuiltin" : true, "roles" : [ ], "inheritedRoles" : [ ] }, { "role" : "hostManager", "db" : "admin", "isBuiltin" : true, "roles" : [ ], "inheritedRoles" : [ ] }, { "role" : "read", "db" : "admin", "isBuiltin" : true, "roles" : [ ], "inheritedRoles" : [ ] }, { "role" : "readAnyDatabase", "db" : "admin", "isBuiltin" : true, "roles" : [ ], "inheritedRoles" : [ ] }, { "role" : "readWrite", "db" : "admin", "isBuiltin" : true, "roles" : [ ], "inheritedRoles" : [ ] }, { "role" : "readWriteAnyDatabase", "db" : "admin", "isBuiltin" : true, "roles" : [ ], "inheritedRoles" : [ ] }, { "role" : "restore", "db" : "admin", "isBuiltin" : true, "roles" : [ ], "inheritedRoles" : [ ] }, { "role" : "root", "db" : "admin", "isBuiltin" : true, "roles" : [ ], "inheritedRoles" : [ ] }, { "role" : "userAdmin", "db" : "admin", "isBuiltin" : true, "roles" : [ ], "inheritedRoles" : [ ] }, { "role" : "userAdminAnyDatabase", "db" : "admin", "isBuiltin" : true, "roles" : [ ], "inheritedRoles" : [ ] } ]

    创建一个用户(在数据库里新建用户,不指定db默认指向当前db

    创建 db.createUser(用户名,密码,拥有的角色。角色可以写多个)

    use test
    switched to db test
    db.createUser(
       {
         user: "banana",
         pwd: "123456",
         roles: [ "readWrite" ]
       }
    )
    Successfully added user: { "user" : "banana", "roles" : [ "readWrite" ] }
    db.getUsers()
    [
        {
            "_id" : "test.banana",
            "user" : "banana",
            "db" : "test",
            "roles" : [
                {
                    "role" : "readWrite",
                    "db" : "test"
                }
            ]
        }
    ]

    创建一个用户(在admin数据库里新建用户

    (可以写多个role-db组合)

    use admin
    switched to db admin
    db.createUser(
       {
         user: "apple",
         pwd: "qwer",
         roles: [ {role:"read",db:"test"} ]
       }
    )
    Successfully added user: {
        "user" : "apple",
        "roles" : [
            {
                "role" : "read",
                "db" : "test"
            }
        ]
    }
    db.getUsers()
    [
        {
            "_id" : "admin.apple",
            "user" : "apple",
            "db" : "admin",
            "roles" : [
                {
                    "role" : "read",
                    "db" : "test"
                }
            ]
        }
    ]

    修改密码

    db.changeUserPassword("apple", "niudun")

    删除用户(只会删除当前数据库里面的存在的用户

    db.dropUser("apple")
    true

     下面测试权限,再创建2个用户

    test

    use test
    switched to db test
    db.createUser(
       {
         user: "peach",
         pwd: "taozi",
         roles: [
            {role : "readWrite", db : "test"},
            {role : "readWrite", db : "test2"}
         ]
       }
    )
    Successfully added user: {
        "user" : "peach",
        "roles" : [
            {
                "role" : "readWrite",
                "db" : "test"
            },
            {
                "role" : "readWrite",
                "db" : "test2"
            }
        ]
    }
    db.getUsers()
    [
        {
            "_id" : "test.banana",
            "user" : "banana",
            "db" : "test",
            "roles" : [
                {
                    "role" : "readWrite",
                    "db" : "test"
                }
            ]
        },
        {
            "_id" : "test.peach",
            "user" : "peach",
            "db" : "test",
            "roles" : [
                {
                    "role" : "readWrite",
                    "db" : "test"
                },
                {
                    "role" : "readWrite",
                    "db" : "test2"
                }
            ]
        }
    ]

    admin

    use admin
    switched to db admin
    db.createUser( { user:
    "pineapple", pwd: "boluo", roles: [ "readWrite", "userAdmin" ] } ) Successfully added user: { "user" : "pineapple", "roles" : [ "readWrite", "userAdmin" ] } db.getUsers() [ { "_id" : "admin.apple", "user" : "apple", "db" : "admin", "roles" : [ { "role" : "read", "db" : "test" } ] }, { "_id" : "admin.pineapple", "user" : "pineapple", "db" : "admin", "roles" : [ { "role" : "readWrite", "db" : "admin" }, { "role" : "userAdmin", "db" : "admin" } ] } ]

    先把服务开启认证重启

    D:MongoDBServer3.6in>mongod.exe --auth --dbpath D:MongoDBServer3.6data

     第一种连接方法(先进去再认证)

    [d:MongoDBServer3.6in]$ mongo.exe
    MongoDB shell version v3.6.5
    connecting to: mongodb://127.0.0.1:27017
    MongoDB server version: 3.6.5
    db.stats()
    {
        "ok" : 0,
        "errmsg" : "not authorized on test to execute command { dbstats: 1.0, scale: undefined, $db: "test" }",
        "code" : 13,
        "codeName" : "Unauthorized"
    }

    你访问之前需要认证

    db.auth("banana","123456")
    1

     查看数据库状态

    db.stats()
    {
        "db" : "test",
        "collections" : 2,
        "views" : 0,
        "objects" : 4,
        "avgObjSize" : 73,
        "dataSize" : 292,
        "storageSize" : 32768,
        "numExtents" : 0,
        "indexes" : 2,
        "indexSize" : 32768,
        "fsUsedSize" : 41188569088,
        "fsTotalSize" : 332861009920,
        "ok" : 1
    }

    查看集合(也可以用show collections)

    show tables
    aaa
    my_collection

    查看集合里面的数据(已有的)

    db.aaa.find()
    { "_id" : NumberLong(1), "name" : "BBB", "_class" : "com.example.demo.entity.Book" }
    { "_id" : NumberLong(2), "name" : "CCC", "_class" : "com.example.demo.entity.Book" }

    切换admin数据库

    use admin
    switched to db admin
    show tables
    2018-08-10T12:59:43.551+0800 E QUERY    [thread1] Error: listCollections failed: {
        "ok" : 0,
        "errmsg" : "not authorized on admin to execute command { listCollections: 1.0, filter: {}, $db: "admin" }",
        "code" : 13,
        "codeName" : "Unauthorized"
    } :
    _getErrorWithCode@src/mongo/shell/utils.js:25:13
    DB.prototype._getCollectionInfosCommand@src/mongo/shell/db.js:941:1
    DB.prototype.getCollectionInfos@src/mongo/shell/db.js:953:19
    DB.prototype.getCollectionNames@src/mongo/shell/db.js:964:16
    shellHelper.show@src/mongo/shell/utils.js:842:9
    shellHelper@src/mongo/shell/utils.js:739:15
    @(shellhelp2):1:1

    可以得出结论:用户存在哪一个数据库,就只能在那一个数据库上认证

    先用Apple认证(因为没有赋予高级角色,所以不能访问高级内容)

    db.auth("apple","niudun")
    1
    show dbs
    2018-08-10T13:07:10.786+0800 E QUERY    [thread1] Error: listDatabases failed:{
        "ok" : 0,
        "errmsg" : "not authorized on admin to execute command { listDatabases: 1.0, $db: "admin" }",
        "code" : 13,
        "codeName" : "Unauthorized"
    } :
    _getErrorWithCode@src/mongo/shell/utils.js:25:13
    Mongo.prototype.getDBs@src/mongo/shell/mongo.js:65:1
    shellHelper.show@src/mongo/shell/utils.js:849:19
    shellHelper@src/mongo/shell/utils.js:739:15
    @(shellhelp2):1:1

    我们知道这个apple是拥有test的读取权限的,但是它却存储在admin里,我们用它访问test试试

    use admin
    switched to db admin
    db.auth("apple","niudun")
    1
    use test
    switched to db test
    show tables
    aaa
    my_collection
    db.aaa.find()
    { "_id" : NumberLong(1), "name" : "BBB", "_class" : "com.example.demo.entity.Book" }
    { "_id" : NumberLong(2), "name" : "CCC", "_class" : "com.example.demo.entity.Book" }

    我们还有一个pineapple,没有与test的联系,看他能不能访问

    use admin
    switched to db admin
    db.auth("pineapple","boluo")
    1
    use test
    switched to db test
    show tables
    2018-08-10T13:51:49.650+0800 E QUERY    [thread1] Error: listCollections failed: {
        "ok" : 0,
        "errmsg" : "not authorized on test to execute command { listCollections: 1.0, filter: {}, $db: "test" }",
        "code" : 13,
        "codeName" : "Unauthorized"
    } :
    _getErrorWithCode@src/mongo/shell/utils.js:25:13
    DB.prototype._getCollectionInfosCommand@src/mongo/shell/db.js:941:1
    DB.prototype.getCollectionInfos@src/mongo/shell/db.js:953:19
    DB.prototype.getCollectionNames@src/mongo/shell/db.js:964:16
    shellHelper.show@src/mongo/shell/utils.js:842:9
    shellHelper@src/mongo/shell/utils.js:739:15
    @(shellhelp2):1:1

     那么暂时得出结论:创建在admin里面的用户,如果赋予访问其他数据库的权限,则在admin上通过认证之后,可以访问它权限范围内的数据库;否则不能。

     那么普通数据库呢?

    use test
    switched to db test
    db.auth("peach","taozi")
    1
    db.stats()
    {
        "db" : "test",
        "collections" : 2,
        "views" : 0,
        "objects" : 4,
        "avgObjSize" : 73,
        "dataSize" : 292,
        "storageSize" : 32768,
        "numExtents" : 0,
        "indexes" : 2,
        "indexSize" : 32768,
        "fsUsedSize" : 41192714240,
        "fsTotalSize" : 332861009920,
        "ok" : 1
    }
    use test2
    switched to db test2
    show tables
    bbb
    db.bbb.find()
    { "_id" : ObjectId("5b6d29e778212a9cb2bbd958"), "name" : "test2.bbb.data" }

    这个peach用户拥有对test2数据库的访问权限。那么说:无论admin还是普通数据库,只要对创建的用户赋予访问其它数据库的权限,都是可以访问的。

    如果说,我不想去指定用户能不能访问某个数据库,用户也可以访问。那可以通过赋予高级权限来搞定

    // 这里的pineapple拥有创建用户权限,所以这里可以直接创建新用户并赋予权限
    use admin
    switched to db admin
    db.auth("pineapple","boluo")
    1
    db.createUser( { user:
    "peach", pwd: "taozi", roles: ["dbAdminAnyDatabase"] } ) Successfully added user: { "user" : "peach", "roles" : [ "dbAdminAnyDatabase" ] } db.getUsers() [ { "_id" : "admin.apple", "user" : "apple", "db" : "admin", "roles" : [ { "role" : "read", "db" : "test" } ] }, { "_id" : "admin.peach", "user" : "peach", "db" : "admin", "roles" : [ { "role" : "dbAdminAnyDatabase", "db" : "admin" } ] }, { "_id" : "admin.pineapple", "user" : "pineapple", "db" : "admin", "roles" : [ { "role" : "readWrite", "db" : "admin" }, { "role" : "userAdmin", "db" : "admin" } ] } ] db.auth("peach","taozi") 1 use test switched to db test show tables aaa my_collection
    use test2
    switched to db test2
    show tables
    bbb

    无意间又发现:不同数据库的用户即使相同,它们之间也互不影响!因为我的peach用户在test数据库也有了,admin中也有。

    大概就这么多,有新的会补上

    第二种连接方法(登录的时候就认证)

    mongo.exe --port 27017 -u "用户名" -p "密码" --authenticationDatabase "认证数据库"

    ..

    [d:MongoDBServer3.6in]$ mongo.exe --port 27017 -u "peach" -p "taozi" --authenticationDatabase "admin"
    MongoDB shell version v3.6.5
    connecting to: mongodb://127.0.0.1:27017/
    MongoDB server version: 3.6.5
    db.stats()
    {
        "db" : "test",
        "collections" : 2,
        "views" : 0,
        "objects" : 4,
        "avgObjSize" : 73,
        "dataSize" : 292,
        "storageSize" : 32768,
        "numExtents" : 0,
        "indexes" : 2,
        "indexSize" : 32768,
        "fsUsedSize" : 41195212800,
        "fsTotalSize" : 332861009920,
        "ok" : 1
    }
    2018-08-10T14:42:32.210+0800 I CONTROL  [thread2] CTRL_CLOSE_EVENT signal
    2018-08-10T14:42:32.210+0800 I CONTROL  [consoleTerminate] got CTRL_CLOSE_EVENT, will terminate after current cmd ends
    2018-08-10T14:42:32.211+0800 I CONTROL  [consoleTerminate] shutting down with code:12
    
    [d:MongoDBServer3.6in]$ mongo.exe --port 27017 -u "pineapple" -p "boluo" --authenticationDatabase "admin"
    MongoDB shell version v3.6.5
    connecting to: mongodb://127.0.0.1:27017/
    MongoDB server version: 3.6.5
    db.stats()
    {
        "ok" : 0,
        "errmsg" : "not authorized on test to execute command { dbstats: 1.0, scale: undefined, $db: "test" }",
        "code" : 13,
        "codeName" : "Unauthorized"
    }

    我先用peach登录,因为它拥有所有数据库的权限,所以默认进来test,可以直接访问的。然而我用pineapple登录,它仅仅拥有admin的权限,所以进来test是不能访问的。

    我想说什么呢,我以为会自动进入你输入的证数据库,结果不是。

    最后总结一下用到的命令

    命令 说明
    mongod.exe --auth --dbpath D:MongoDBServer3.6data 启动服务(认证状态)
    use [db] 切换数据库,不存在即创建
    show dbs 查看数据库列表
    db.dropDatabase() 删除当前数据库
    db.stats() 查看数据库状态信息
    show tables/collections 查看当前数据库里的表(集合)
    mongo.exe --port 27017 -u "peach" -p "taozi" --authenticationDatabase "admin" 以用户名密码认证登录
    use admin
    db.createUser(
       {
         user: "peach",
         pwd: "taozi",
         roles:
           [
             { role: "readWrite", db: "test" },
             "userAdmin"
           ]
       }
    )
    创建用户,可以指定role-db。只有role-默认当前数据库

       use admin
       db.changeUserPassword("peach", "123")

    修改密码。当前数据库下的已存在的用户

       use admin

       db.dropUser("peach")

    删除用户

       db.dropAllUsers()

    删除所有用户

       use admin

       db.getUser("peach")

    获取用户信息

       use admin

       db.getUsers()

    获取所有用户

       use admin

       db.auth("peach", "123" )

    认证

       db.collection.find()

    列出集合里面的数据

       db.collection.dataSize()

    集合大小

       db.collection.drop()

    删除集合

       db.collection.insert( { item: "card", qty: 15 } )

    添加数据

    概念对比:

  • 相关阅读:
    【40讲系列1】数组、链表
    更改凭证类型
    将公司代码设置给生产性的(不能删除业务数据的配置)
    使用参考过账
    查看凭证行项目
    查看凭证过账行项目
    预制凭证
    做凭证时凭证日期等于过账日期
    英语-20210302
    自动计算税额
  • 原文地址:https://www.cnblogs.com/LUA123/p/9455298.html
Copyright © 2011-2022 走看看