MongoDB用户权限管理

MongoDB权限说明

权限误区：并不是说下面的排序就证明权限越来越大除了 readWrite 权限用户外(root权限用户也包括)，其它用户都不具备对数据库的写入权限，除 read 权限外，其它用户都不具备对数据库中的读权限，每个权限的功能各不一样(除root外)

普通用户
普通用户只是拥有下面的读写权限

权限 说明
Read 允许用户读取指定数据库
readWrite 允许用户读写指定数据库
管理用户
管理用户具备下面说明的一些操作权限

权限 说明
dbAdmin 允许用户在指定数据库中指定管理函数，如(索引创建、删除、查看统计访问system.profile)
userAdmin 允许用户向system.users集合写入，可以找指定数据里面创建、删除和管理用户
clusterAdmin 只在admin数据库中可用，赋予用户所有分片和复制集相关函数的管理权限
授权用户
以下用户主要是为其它用户赋予相应的权限

权限 说明
readAnyDatabase 只在admin数据库中可用，赋予用户所有数据库的读权限
readWriteAnyDatabase 只在admin数据库中可用，赋予用户所有数据库的读写权限
userWriteAnyDatabase 只在admin数据库中可用，赋予用户所有数据库的userAdmin权限
dbAdminAnyDatabase 只在admin数据库中可用，赋予用户所有数据库的dbAdmin权限
超级管理员
可以无所不能，为所欲为

权限 说明
root 只在admin数据库中可用，超级管理员
mongodb安装好后第一次进入是不需要密码的，也没有任何用户，直接连接进入即可

/usr/local/mongodb/bin/mongo --host 192.168.31.215 --port 27018
创建管理用户

> use admin
switched to db admin
> db.createUser ( {
... user:"manage",
... pwd:"123456",
... roles:[ { role:"root", db:"admin" } ]
... }
... )

#返回以下信息代表创建成功
Successfully added user: {
"user" : "manage",
"roles" : [
{
"role" : "root",
"db" : "admin"
}
]
}
退出登录，然后在mongodb配置文件中开启认证

vim /usr/local/mongodb/27018/conf/mongod.conf
security:
authorization: enabled
javascriptEnabled: true
重启mongodb

/usr/local/mongodb/bin/mongod --shutdown -f /usr/local/mongodb/27018/conf/mongod.conf
/usr/local/mongodb/bin/mongod -f /usr/local/mongodb/27018/conf/mongod.conf
连接mongodb

/usr/local/mongodb/bin/mongo --host 192.168.31.215 --port 27018
MongoDB shell version v4.2.0
connecting to: mongodb://192.168.31.215:27018/?compressors=disabled&gssapiServiceName=mongodb
Implicit session: session { "id" : UUID("fc77266a-b2ff-4eb0-b6ca-c493c7c29143") }
MongoDB server version: 4.2.0
> use admin #进入admin库中先进行账号认证
switched to db admin
> db.auth('manage','123456') #认证账号，值返回1代表认证成功
1
mongdb库创建读写用户

> db.createUser( {
... user:"zhangsan",
... pwd:"zhangsan",
... roles:[ { role:"readWrite", db:"mongdb" } ]
... }
... )
Successfully added user: {
"user" : "zhangsan",
"roles" : [
{
"role" : "readWrite",
"db" : "mongdb"
}
]
}
验证创建的zhangsan用户(不需要退出登录)

> use admin
switched to db admin
> db.auth('zhangsan','zhangsan')
1
> show dbs #查看数据库，因为mongdb数据库存储数据，所以看不到
> use mongdb #直接 use 到mongdb数据库中
switched to db mongdb

#插入 json 格式文档到 coll 集合中
> db.coll.insert({"name": "Zhangsan","url": "http://abcops.cn","age": 25,"isNonProfit": true,})
WriteResult({ "nInserted" : 1 })
> show collections #查看已存在集合
coll
> db.coll.find() #读取集合中的数据
{ "_id" : ObjectId("5d8b24c2f1c33f4950f2c5df"), "name" : "Zhangsan", "url" : "http://abcops.cn", "age" : 25, "isNonProfit" : true }
以上完成了读写权限的验证

一个用户多个权限

为 lisi 用户授权 01db read权限 02db readWrite 03db dbAdmin权限 04db userAdmin权限
这次先把数据库创建出来

> use admin
switched to db admin
> db.auth('manage','123456')
1

> use 01db
switched to db 01db
> db.coll.insert({"name": "01db","url": "http://abcops.cn","age": 25,"isNonProfit": true,})
WriteResult({ "nInserted" : 1 })

> use 02db
switched to db 02db
> db.coll.insert({"name": "02db","url": "http://abcops.cn","age": 25,"isNonProfit": true,})
WriteResult({ "nInserted" : 1 })

> use 03db
switched to db 03db
> db.coll.insert({"name": "03db","url": "http://abcops.cn","age": 25,"isNonProfit": true,})
WriteResult({ "nInserted" : 1 })

> use 04db
switched to db 04db
> db.coll.insert({"name": "04db","url": "http://abcops.cn","age": 25,"isNonProfit": true,})
WriteResult({ "nInserted" : 1 })
创建用户并授权

> db.createUser( {
... user:"lisi",
... pwd:"123456",
... roles: [ { role:"read",db:"01db" },
... { role:"readWrite",db:"02db" },
... { role:"dbAdmin",db:"03db" },
... { role:"userAdmin",db:"04db" } ]
... }
... )
Successfully added user: {
"user" : "lisi",
"roles" : [
{
"role" : "read",
"db" : "01db"
},
{
"role" : "readWrite",
"db" : "02db"
},
{
"role" : "dbAdmin",
"db" : "03db"
},
{
"role" : "userAdmin",
"db" : "04db"
}
]
}
查看所有用户

> show users
{
"_id" : "admin.admin",
"userId" : UUID("9958faa5-7132-4146-8775-a001e47fe7f8"),
"user" : "admin",
"db" : "admin",
"roles" : [
{
"role" : "root",
"db" : "admin"
}
],
"mechanisms" : [
"SCRAM-SHA-1"
]
}
{
"_id" : "admin.lisi",
"userId" : UUID("bc8e5dc7-2f8c-40c1-8190-cea4951ae4a1"),
"user" : "lisi",
"db" : "admin",
"roles" : [
{
"role" : "read",
"db" : "01db"
},
{
"role" : "readWrite",
"db" : "02db"
},
{
"role" : "dbAdmin",
"db" : "03db"
},
{
"role" : "userAdmin",
"db" : "04db"
}
],
"mechanisms" : [
"SCRAM-SHA-1"
]
}
{
"_id" : "admin.manage",
"userId" : UUID("e1b34f57-06f2-4ef1-b23a-2d46a3964fbf"),
"user" : "manage",
"db" : "admin",
"roles" : [
{
"role" : "root",
"db" : "admin"
}
],
"mechanisms" : [
"SCRAM-SHA-1"
]
}
{
"_id" : "admin.micvs",
"userId" : UUID("1f4837c7-8c14-40d4-8a21-d621e0bcc278"),
"user" : "micvs",
"db" : "admin",
"roles" : [
{
"role" : "dbAdminAnyDatabase",
"db" : "admin"
}
],
"mechanisms" : [
"SCRAM-SHA-1",
"SCRAM-SHA-256"
]
}
{
"_id" : "admin.zhangsan",
"userId" : UUID("1003726b-c7fc-44e6-b001-b5c828bfb40d"),
"user" : "zhangsan",
"db" : "admin",
"roles" : [
{
"role" : "readWrite",
"db" : "mongdb"
}
],
"mechanisms" : [
"SCRAM-SHA-1"
]
}