mongoDB authentication

转自：http://blog.csdn.net/allen_jinjie/article/details/9235073

1. 最开始的时候，我们启动mongodb，但是不包含--auth参数：

E:MongoDBin>mongod --dbpath=E:mongodbdb
Thu Jul 04 16:31:58.700 [initandlisten] db version v2.4.4
Thu Jul 04 16:31:58.700 [initandlisten] git version: 4ec1fb96702c9d4c57b1e06dd34eb73a16e407d2
Thu Jul 04 16:31:58.700 [initandlisten] build info: windows sys.getwindowsversion(major=6, minor=0, build=6002, platform=2, servic
e_pack='Service Pack 2') BOOST_LIB_VERSION=1_49
Thu Jul 04 16:31:58.700 [initandlisten] allocator: system
Thu Jul 04 16:31:58.700 [initandlisten] options: { dbpath: "E:mongodbdb" }
Thu Jul 04 16:31:58.731 [initandlisten]
Thu Jul 04 16:31:58.731 [initandlisten] ** WARNING: mongod started without --replSet yet 1 documents are present in local.system.r
eplset
Thu Jul 04 16:31:58.731 [initandlisten] **          Restart with --replSet unless you are doing maintenance and no other clients a
re connected.
Thu Jul 04 16:31:58.731 [initandlisten] **          The TTL collection monitor will not start because of this.
Thu Jul 04 16:31:58.731 [initandlisten] **          For more info see http://dochub.mongodb.org/core/ttlcollections
Thu Jul 04 16:31:58.731 [initandlisten]
Thu Jul 04 16:31:58.981 [initandlisten] waiting for connections on port 27017
Thu Jul 04 16:31:58.981 [websvr] admin web console waiting for connections on port 28017

另开一Dos窗口，直接连接到test数据库上：

E:MongoDBin>mongo
MongoDB shell version: 2.4.4
connecting to: test

2. 连接到admin数据库，在admin数据库上创建一个用户，这个用户保存在admin.system.users中，它的权限比在其它数据库中设置的用户权限更大。（当admin.system.users中一个用户都没有时，即使mongod启动时添加了--auth参数，如果没有在admin数据库中添加用户，此时不进行任何认证还是可以做任何操作，直到在admin.system.users中添加了一个用户。）

> use admin
switched to db admin
> db.system.users.find()
> db.addUser("allenlei","123456")
{
        "user" : "allenlei",
        "readOnly" : false,
        "pwd" : "a9eadc99bab4734b32f5bc4148d866c6",
        "_id" : ObjectId("51d534878704a2ac963ed790")
}
> db.system.users.find()
{ "_id" : ObjectId("51d534878704a2ac963ed790"), "user" : "allenlei", "readOnly" : false, "pwd" : "a9eadc99bab4734b32f5bc4148d866c6
" }
>

3. 现在admin数据库中已经有用户信息了，我们关掉mongodb, 重新启动，这次带有--auth 参数。

E:MongoDBin>mongod --dbpath=E:mongodbdb --auth
Thu Jul 04 16:44:57.393 [initandlisten] db version v2.4.4
Thu Jul 04 16:44:57.393 [initandlisten] git version: 4ec1fb96702c9d4c57b1e06dd34eb73a16e407d2
Thu Jul 04 16:44:57.409 [initandlisten] build info: windows sys.getwindowsversion(major=6, minor=0, build=6002, platform=2, servic
e_pack='Service Pack 2') BOOST_LIB_VERSION=1_49
Thu Jul 04 16:44:57.409 [initandlisten] allocator: system
Thu Jul 04 16:44:57.409 [initandlisten] options: { auth: true, dbpath: "E:mongodbdb" }
Thu Jul 04 16:44:57.440 [initandlisten]
Thu Jul 04 16:44:57.440 [initandlisten] ** WARNING: mongod started without --replSet yet 1 documents are present in local.system.r
eplset
Thu Jul 04 16:44:57.440 [initandlisten] **          Restart with --replSet unless you are doing maintenance and no other clients a
re connected.
Thu Jul 04 16:44:57.440 [initandlisten] **          The TTL collection monitor will not start because of this.
Thu Jul 04 16:44:57.440 [initandlisten] **          For more info see http://dochub.mongodb.org/core/ttlcollections
Thu Jul 04 16:44:57.440 [initandlisten]
Thu Jul 04 16:44:57.549 [websvr] admin web console waiting for connections on port 28017
Thu Jul 04 16:44:57.549 [initandlisten] waiting for connections on port 27017

4. 由于指定了-auth参数，那么连接到数据库上就需要提供登录账户，尽管不提供也可以登录到test这个默认数据库，但是没办法操作：

E:MongoDBin>mongo
MongoDB shell version: 2.4.4
connecting to: test
> show collections
Thu Jul 04 16:53:51.752 JavaScript execution failed: error: {
        "$err" : "not authorized for query on test.system.namespaces",
        "code" : 16550
} at src/mongo/shell/query.js:L128
>

5. 现在我们指定连接到admin数据库，如果账户不对：

E:MongoDBin>mongo --authenticationDatabase admin -u allenlei -p
MongoDB shell version: 2.4.4
Enter password:
connecting to: test
Thu Jul 04 16:56:55.569 JavaScript execution failed: Error: 18 { code: 18, ok: 0.0, errmsg: "auth fails" } at src/mongo/shell/db.j
s:L228
exception: login failed

6. 奇怪的是，就算是账户正确，我的机器上也是显示连接到test数据库而不是admin。我需要转到admin数据库上，（root是建立在test数据库上的账户）

E:MongoDBin>mongo --authenticationDatabase admin -u allenlei -p
MongoDB shell version: 2.4.4
Enter password:
connecting to: test
> db.system.users.find()
{ "_id" : ObjectId("51d3e1c94ef3aba14566b889"), "user" : "root", "readOnly" : false, "pwd" : "b3098ef4591719e9f75972a75883726b" }
> use admin
switched to db admin
> db.system.users.find()
{ "_id" : ObjectId("51d5378a6a7de1fde965535c"), "user" : "allenlei", "readOnly" : false, "pwd" : "a9eadc99bab4734b32f5bc4148d866c6
" }
>
> show collections
system.indexes
system.users
> use tutorial
switched to db tutorial
> show collections
newCollection_noCapped
numbers
person
personalinfo
photo.chunks
photo.files
student
student_res
system.indexes
system.users
users
>

可以看出，通过admin数据库登入，可以以登录账户进入其他数据库进行操作。

7. 现在用root账号登入test数据库：

E:MongoDBin>mongo -authenticationDatabase test -u root -p
MongoDB shell version: 2.4.4
Enter password:
connecting to: test
> show collections
person
system.indexes
system.users
> db.system.users.find()
{ "_id" : ObjectId("51d53a706ce04d74431706b4"), "user" : "root", "readOnly" : false, "pwd" : "34e5772aa66b703a319641d42a47d696" }
> use tutorial
switched to db tutorial
> show collections
Thu Jul 04 17:04:51.186 JavaScript execution failed: error: {
        "$err" : "not authorized for query on tutorial.system.namespaces",
        "code" : 16550
} at src/mongo/shell/query.js:L128
>

root账户属于test而不是admin数据库，权限只能在本数据库使用，而不像allenlei可以到tutorial数据库操作。