程序博客网 > sql server介绍

MongoDB 3.x 安全权限访问控制

来源:互联网 发布:sql server介绍 编辑:程序博客网 时间:2024/05/19 20:19

MongoDB 3.x 安全权限访问控制,在添加用户上面3.x版本和之前的版本有很大的区别,这里就说明下3.0的添加用户的方法。

环境、测试:

        在安装MongoDB之后,先关闭auth认证,进入查看数据库,只有一个local库,admin库是不存在的:

安装MongoDB之后,先关闭auth认证,进入查看数据库,只有一个local库,admin库是不存在的:

root@zhoujinyi:/usr/local/mongo4# mongo --port=27020MongoDB shell version: 3.0.4connecting to: 127.0.0.1:27020/test2015-06-29T09:31:08.673-0400 I CONTROL  [initandlisten] > show dbs;local  0.078GB

       现在需要创建一个帐号,该账号需要有grant权限,即:账号管理的授权权限。注意一点,帐号是跟着库走的,所以在指定库里授权,必须也在指定库里验证(auth)。

> use adminswitched to db admin> db.createUser(...   {...     user: "dba",...     pwd: "dba",...     roles: [ { role: "userAdminAnyDatabase", db: "admin" } ]...   }... )Successfully added user: {    "user" : "dba",    "roles" : [        {            "role" : "userAdminAnyDatabase",            "db" : "admin"        }    ]}
 

上面加粗的就是执行的命令:

user:用户名

pwd:密码

roles:指定用户的角色,可以用一个空数组给新用户设定空角色;在roles字段,可以指定内置角色和用户定义的角色。role里的角色可以选:

  Built-In Roles(内置角色):    1. 数据库用户角色:read、readWrite;    2. 数据库管理角色:dbAdmin、dbOwner、userAdmin;    3. 集群管理角色:clusterAdmin、clusterManager、clusterMonitor、hostManager;    4. 备份恢复角色:backup、restore5. 所有数据库角色:readAnyDatabase、readWriteAnyDatabase、userAdminAnyDatabase、dbAdminAnyDatabase    6. 超级用户角色:root      // 这里还有几个角色间接或直接提供了系统超级用户的访问(dbOwner 、userAdmin、userAdminAnyDatabase)    7. 内部角色:__system

        具体角色: 

Read:允许用户读取指定数据库readWrite:允许用户读写指定数据库dbAdmin:允许用户在指定数据库中执行管理函数,如索引创建、删除,查看统计或访问system.profileuserAdmin:允许用户向system.users集合写入,可以找指定数据库里创建、删除和管理用户clusterAdmin:只在admin数据库中可用,赋予用户所有分片和复制集相关函数的管理权限。readAnyDatabase:只在admin数据库中可用,赋予用户所有数据库的读权限readWriteAnyDatabase:只在admin数据库中可用,赋予用户所有数据库的读写权限userAdminAnyDatabase:只在admin数据库中可用,赋予用户所有数据库的userAdmin权限dbAdminAnyDatabase:只在admin数据库中可用,赋予用户所有数据库的dbAdmin权限。root:只在admin数据库中可用。超级账号,超级权限
 

        刚建立了 userAdminAnyDatabase 角色,用来管理用户,可以通过这个角色来创建、删除用户。验证:需要开启auth参数。

root@zhoujinyi:/usr/local/mongo4# mongo --port=27020MongoDB shell version: 3.0.4connecting to: 127.0.0.1:27020/test> show dbs;    ####没有验证,导致没权限。2015-06-29T10:02:16.634-0400 E QUERY    Error: listDatabases failed:{    "ok" : 0,    "errmsg" : "not authorized on admin to execute command { listDatabases: 1.0 }",    "code" : 13}    at Error (<anonymous>)    at Mongo.getDBs (src/mongo/shell/mongo.js:47:15)    at shellHelper.show (src/mongo/shell/utils.js:630:33)    at shellHelper (src/mongo/shell/utils.js:524:36)    at (shellhelp2):1:1 at src/mongo/shell/mongo.js:47> use admin        #验证,因为在admin下面添加的帐号,所以要到admin下面验证。switched to db admin> db.auth('dba','dba')1> show dbs;admin  0.078GBlocal  0.078GB> use test        #在test库里创建帐号switched to db test> db.createUser(...     {...       user: "zjyr",...       pwd: "zjyr",...       roles: [...          { role: "read", db: "test" }    #只读帐号...       ]...     }... )Successfully added user: {    "user" : "zjyr",    "roles" : [        {            "role" : "read",            "db" : "test"        }    ]}> db.createUser(...     {...       user: "zjy",...       pwd: "zjy",...       roles: [...          { role: "readWrite", db: "test" }   #读写帐号...       ]...     }... )Successfully added user: {    "user" : "zjy",    "roles" : [        {            "role" : "readWrite",                #读写账号            "db" : "test"        }    ]}> show users;                                    #查看当前库下的用户{    "_id" : "test.zjyr",    "user" : "zjyr",    "db" : "test",    "roles" : [        {            "role" : "read",            "db" : "test"        }    ]}{    "_id" : "test.zjy",    "user" : "zjy",    "db" : "test",    "roles" : [        {            "role" : "readWrite",            "db" : "test"        }    ]}
 

        上面创建了2个帐号,现在验证下:验证前提需要一个集合。

> db.abc.insert({"a":1,"b":2})              #插入失败,没有权限,userAdminAnyDatabase 权限只是针对用户管理的,对其他是没有权限的。WriteResult({    "writeError" : {        "code" : 13,        "errmsg" : "not authorized on test to execute command { insert: \"abc\", documents: [ { _id: ObjectId('55915185d629831d887ce2cb'), a: 1.0, b: 2.0 } ], ordered: true }"    }})> byeroot@zhoujinyi:/usr/local/mongo4# mongo --port=27020MongoDB shell version: 3.0.4connecting to: 127.0.0.1:27020/test> use testswitched to db test> db.auth('zjy','zjy')       #用创建的readWrite帐号进行写入1> db.abc.insert({"a":1,"b":2})WriteResult({ "nInserted" : 1 })> db.abc.insert({"a":11,"b":22})WriteResult({ "nInserted" : 1 })> db.abc.insert({"a":111,"b":222})WriteResult({ "nInserted" : 1 })> db.abc.find(){ "_id" : ObjectId("559151a1b78649ebd8316853"), "a" : 1, "b" : 2 }{ "_id" : ObjectId("559151cab78649ebd8316854"), "a" : 11, "b" : 22 }{ "_id" : ObjectId("559151ceb78649ebd8316855"), "a" : 111, "b" : 222 }> db.auth('zjyr','zjyr')       #切换到只有read权限的帐号1> db.abc.insert({"a":1111,"b":2222})  #不能写入WriteResult({    "writeError" : {        "code" : 13,        "errmsg" : "not authorized on test to execute command { insert: \"abc\", documents: [ { _id: ObjectId('559151ebb78649ebd8316856'), a: 1111.0, b: 2222.0 } ], ordered: true }"    }})> db.abc.find()        #可以查看{ "_id" : ObjectId("559151a1b78649ebd8316853"), "a" : 1, "b" : 2 }{ "_id" : ObjectId("559151cab78649ebd8316854"), "a" : 11, "b" : 22 }{ "_id" : ObjectId("559151ceb78649ebd8316855"), "a" : 111, "b" : 222 }

         有没有一个超级权限?不仅可以授权,而且也可以对集合进行任意操作?答案是肯定的,只是不建议使用。那就是role角色设置成root

> db.auth('dba','dba')1> db.createUser(...  {...    user: "zhoujinyi",...    pwd: "zhoujinyi",...    roles: [...       { role: "root", db: "admin" }      #超级root帐号...    ]...  }... )Successfully added user: {    "user" : "zhoujinyi",    "roles" : [        {            "role" : "root",            "db" : "admin"        }    ]}> > show users;              #查看当前库下的用户{    "_id" : "admin.dba",    "user" : "dba",    "db" : "admin",    "roles" : [        {            "role" : "userAdminAnyDatabase",            "db" : "admin"        }    ]}{    "_id" : "admin.zhoujinyi",    "user" : "zhoujinyi",    "db" : "admin",    "roles" : [        {            "role" : "root",            "db" : "admin"        }    ]}> use adminswitched to db admin> db.auth('zhoujinyi','zhoujinyi')1> use testswitched to db test> db.abc.insert({"a":1,"b":2})WriteResult({ "nInserted" : 1 })> db.abc.insert({"a":1111,"b":2222})          #权限都有WriteResult({ "nInserted" : 1 })> db.abc.find(){ "_id" : ObjectId("5591539bb78649ebd8316857"), "a" : 1, "b" : 2 }{ "_id" : ObjectId("559153a0b78649ebd8316858"), "a" : 1111, "b" : 2222 }> db.abc.remove({})WriteResult({ "nRemoved" : 2 })

        因为帐号都是在当前需要授权的数据库下授权的,那要是不在当前数据库下会怎么样?

> dbadmin> db.createUser(...  {...    user: "dxy",...    pwd: "dxy",...    roles: [...       { role: "readWrite", db: "test" },     #在当前库下创建其他库的帐号,在admin库下创建test、abc库的帐号...       { role: "readWrite", db: "abc" }         ...    ]...  }... )Successfully added user: {    "user" : "dxy",    "roles" : [        {            "role" : "readWrite",            "db" : "test"        },        {            "role" : "readWrite",            "db" : "abc"        }    ]}> > show users;{    "_id" : "admin.dba",    "user" : "dba",    "db" : "admin",    "roles" : [        {            "role" : "userAdminAnyDatabase",            "db" : "admin"        }    ]}{    "_id" : "admin.zhoujinyi",    "user" : "zhoujinyi",    "db" : "admin",    "roles" : [        {            "role" : "root",            "db" : "admin"        }    ]}{    "_id" : "admin.dxy",    "user" : "dxy",    "db" : "admin",    "roles" : [        {            "role" : "readWrite",            "db" : "test"        },        {            "role" : "readWrite",            "db" : "abc"        }    ]}> use testswitched to db test> db.auth('dxy','dxy')          #在admin下创建的帐号,不能直接在其他库验证,Error: 18 Authentication failed.0> use adminswitched to db admin            #只能在帐号创建库下认证,再去其他库进行操作。> db.auth('dxy','dxy')1> use testswitched to db test> db.abc.insert({"a":1111,"b":2222})WriteResult({ "nInserted" : 1 })> use abcswitched to db abc> db.abc.insert({"a":1111,"b":2222})WriteResult({ "nInserted" : 1 })

        上面更加进一步说明数据库帐号是跟着数据库来走的,哪里创建哪里认证。创建了这么多帐号,怎么查看所有帐号

>  use adminswitched to db admin> db.auth('dba','dba')1> db.system.users.find().pretty(){    "_id" : "admin.dba",    "user" : "dba",    "db" : "admin",    "credentials" : {        "SCRAM-SHA-1" : {            "iterationCount" : 10000,            "salt" : "KfDUzCOIUo7WVjFr64ZOcQ==",            "storedKey" : "t4sPsKG2dXnZztVYj5EgdUzT9sc=",            "serverKey" : "2vCGiq9NIc1zKqeEL6VvO4rP26A="        }    },    "roles" : [        {            "role" : "userAdminAnyDatabase",            "db" : "admin"        }    ]}{    "_id" : "test.zjyr",    "user" : "zjyr",    "db" : "test",    "credentials" : {        "SCRAM-SHA-1" : {            "iterationCount" : 10000,            "salt" : "h1gOW3J7wzJuTqgmmQgJKQ==",            "storedKey" : "7lkoANdxM2py0qiDBzFaZYPp1cM=",            "serverKey" : "Qyu6IRNyaKLUvqJ2CAa/tQYY36c="        }    },    "roles" : [        {            "role" : "read",            "db" : "test"        }    ]}{    "_id" : "test.zjy",    "user" : "zjy",    "db" : "test",    "credentials" : {        "SCRAM-SHA-1" : {            "iterationCount" : 10000,            "salt" : "afwaKuTYPWwbDBduQ4Hm7g==",            "storedKey" : "ebb2LYLn4hiOVlZqgrAKBdStfn8=",            "serverKey" : "LG2qWwuuV+FNMmr9lWs+Rb3DIhQ="        }    },    "roles" : [        {            "role" : "readWrite",            "db" : "test"        }    ]}{    "_id" : "admin.zhoujinyi",    "user" : "zhoujinyi",    "db" : "admin",    "credentials" : {        "SCRAM-SHA-1" : {            "iterationCount" : 10000,            "salt" : "pE2cSOYtBOYevk8tqrwbSQ==",            "storedKey" : "TwMxdnlB5Eiaqg4tNh9ByNuUp9A=",            "serverKey" : "Mofr9ohVlFfR6/md4LMRkOhXouc="        }    },    "roles" : [        {            "role" : "root",            "db" : "admin"        }    ]}{    "_id" : "admin.dxy",    "user" : "dxy",    "db" : "admin",    "credentials" : {        "SCRAM-SHA-1" : {            "iterationCount" : 10000,            "salt" : "XD6smcWX4tdg/ZJPoLxxRg==",            "storedKey" : "F4uiayykHDp/r9krAKZjdr+gqjM=",            "serverKey" : "Kf51IU9J3RIrB8CFn5Z5hEKMSkw="        }    },    "roles" : [        {            "role" : "readWrite",            "db" : "test"        },        {            "role" : "readWrite",            "db" : "abc"        }    ]}> db.system.users.find().count()5

        备份还原使用那个角色的帐号?之前创建的帐号zjy:test库读写权限;zjyr:test库读权限

root@zhoujinyi:~# mongodump --port=27020 -uzjyr -pzjyr --db=test -o backup   #只要读权限就可以备份2015-06-29T11:20:04.864-0400    writing test.abc to backup/test/abc.bson2015-06-29T11:20:04.865-0400    writing test.abc metadata to backup/test/abc.metadata.json2015-06-29T11:20:04.866-0400    done dumping test.abc2015-06-29T11:20:04.867-0400    writing test.system.indexes to backup/test/system.indexes.bsonroot@zhoujinyi:~# mongorestore --port=27020 -uzjy -pzjy --db=test backup/test/  #读写权限可以进行还原2015-06-29T11:20:26.607-0400    building a list of collections to restore from backup/test/ dir2015-06-29T11:20:26.609-0400    reading metadata file from backup/test/abc.metadata.json2015-06-29T11:20:26.609-0400    restoring test.abc from file backup/test/abc.bson2015-06-29T11:20:26.611-0400    error: E11000 duplicate key error index: test.abc.$_id_ dup key: { : ObjectId('559154efb78649ebd831685a') }2015-06-29T11:20:26.611-0400    restoring indexes for collection test.abc from metadata2015-06-29T11:20:26.612-0400    finished restoring test.abc2015-06-29T11:20:26.612-0400    done

阅读全文
'); })();
0 0
sql server介绍 sql server介绍
原创粉丝点击
热门IT博客
网络诈骗七万判几年网络诈骗七万判几年
淘宝美工招聘信息高阳淘宝美工招聘信息高阳
测脸型的软件
文笔好的宫廷小说知乎
淘宝开店怎么采购商品
java ssh项目案例
图片绘制软件
淘宝网二手市场
淘宝网人参种子价格
淘宝付款虚拟生成器
excle取数据前几位
网络抓包工具有哪些
黑龙江消防网通知通告
如何成为cfo 知乎
布丁动漫软件下载
常熟淘宝培训班
淘宝禁止出售黄赌毒
python bat
裴礼文数学分析知乎
three.js 加载obj mtl
热门问题 老师的惩罚 人脸识别 我在镇武司摸鱼那些年 重生之率土为王 我在大康的咸鱼生活 盘龙之生命进化 天生仙种 凡人之先天五行 春回大明朝 姑娘不必设防,我是瞎子 锄禾的意思是什么 古诗配画锄禾 唐诗锄禾日当午原文 锄禾日当午的下一句是什么 锄禾日当午谁写的 锄禾日当午 歌曲 清明上河图锄禾日当午 锄禾日当午名字 锄禾日当午下一句 锄禾日当午是什么诗名 锄禾的作者是谁 锄禾是什么意思 除禾 大唐逍遥侯 清明锄禾 锅组词 农家一锅鲜 自嗨锅使用方法 锅的拼音 平底锅菜谱 韩式锅 小型油炸锅 蒸酒锅 熬糖锅 干锅培训班 炒菜锅排名 电动煎药锅 空气锅 双锅筒蒸汽锅炉 瓜鲜锅 家用炒菜锅 铁锅 不锈钢锅 老式爆米花锅 炒菜锅什么牌子的好 苏泊尔不沾锅 天际锅 不粘锅炒菜 日式油炸锅 一人一锅小火锅桌 电磁炉鸳鸯锅 电磁炉 陶瓷锅

程序博客网,程序员的互联网技术博客家园。csdn论坛精品 msdn技术资料都在这里