1. Introduction
An introduction to authentication and access control in MongoDB 3.x.
2. Environment setup
[root@192.168.118.16 /usr/local/src]#wget http://downloads.mongodb.org/linux/mongodb-linux-x86_64-3.6.11.tgz
[root@192.168.118.16 /usr/local/src]#tar xf mongodb-linux-x86_64-3.6.11.tgz
[root@192.168.118.16 /usr/local/src]#mv mongodb-linux-x86_64-3.6.11 /usr/local/mongodb
[root@192.168.118.16 /usr/local/src]#cd /usr/local/mongodb/
[root@192.168.118.16 /usr/local/mongodb]#mkdir -pv data conf log
mkdir: created directory ‘data’
mkdir: created directory ‘conf’
mkdir: created directory ‘log’

Write the configuration file:

[root@192.168.118.16 /usr/local/mongodb/conf]#cat mongod.conf
bind_ip = 0.0.0.0 # listen address
port = 27017 # listen port
fork = true # run in the background
dbpath = /usr/local/mongodb/data # data directory
logpath = /usr/local/mongodb/log/mongodb.log # log file location

Configure the environment variable:

[root@192.168.118.16 /usr/local/mongodb]#cat /etc/profile.d/mongodb.sh
#!/bin/bash
# Author:hukey
export PATH=/usr/local/mongodb/bin:$PATH
[root@192.168.118.16 /usr/local/mongodb]#source /etc/profile.d/mongodb.sh

Start it:

[root@192.168.118.16 ~]#mongod -f /usr/local/mongodb/conf/mongod.conf
about to fork child process, waiting until server is ready for connections.
forked process: 14553
child process started successfully, parent exiting

Connect to mongodb:

[root@192.168.118.16 ~]#mongo 192.168.118.16
> show dbs;
admin   0.000GB
config  0.000GB
local   0.000GB
3. Access control
First, an overview of MongoDB's authorization model:
MongoDB built-in roles (Built-In Roles):
1. Database user roles: read, readWrite
2. Database administration roles: dbAdmin, dbOwner, userAdmin
3. Cluster administration roles: clusterAdmin, clusterManager, clusterMonitor, hostManager
4. Backup and restore roles: backup, restore
5. All-database roles: readAnyDatabase, readWriteAnyDatabase, userAdminAnyDatabase, dbAdminAnyDatabase
6. Superuser role: root
// Several other roles also provide superuser access, directly or indirectly (dbOwner, userAdmin, userAdminAnyDatabase)
7. Internal role: __system
Role details:
read: allows the user to read the specified database
readWrite: allows the user to read and write the specified database
dbAdmin: allows the user to run administrative functions in the specified database, such as creating and dropping indexes, viewing statistics, or accessing system.profile
userAdmin: allows the user to write to the system.users collection, i.e. to create, drop and manage users in the specified database
clusterAdmin: available only in the admin database; grants the user administrative rights over all sharding and replica-set functions
readAnyDatabase: available only in the admin database; grants the user read access to all databases
readWriteAnyDatabase: available only in the admin database; grants the user read and write access to all databases
userAdminAnyDatabase: available only in the admin database; grants the user userAdmin rights on all databases
dbAdminAnyDatabase: available only in the admin database; grants the user dbAdmin rights on all databases
root: available only in the admin database; the superuser account with full privileges
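As an added example (not from the original post), a small Python audit that parses the documents the mongo shell prints for `show users` and flags the role grants the list above marks as superuser-equivalent or all-database. The sample output is constructed from the users created later in this post, and the "high"/"medium" tiers are this example's own grouping, not a MongoDB classification.

```python
import json

# Roles that reach every database rather than one (as listed on this page).
ANY_DATABASE_ROLES = {"readAnyDatabase", "readWriteAnyDatabase", "dbAdminAnyDatabase", "clusterAdmin"}

def severity(role, db):
    """Severity tier for one role grant, or None for an ordinary single-database role."""
    if role in {"root", "__system", "userAdminAnyDatabase"}:
        return "high"
    if role in {"userAdmin", "dbOwner"}:
        # On the admin database these can grant any role (effectively root);
        # on another database they are confined to that database's users.
        return "high" if db == "admin" else "medium"
    if role in ANY_DATABASE_ROLES:
        return "medium"
    return None

def parse_show_users(text):
    """Parse the concatenated JSON documents the mongo shell prints for `show users`."""
    decoder, docs, idx = json.JSONDecoder(), [], 0
    while True:
        while idx < len(text) and text[idx].isspace():
            idx += 1
        if idx >= len(text):
            return docs
        doc, idx = decoder.raw_decode(text, idx)
        docs.append(doc)

def audit_roles(users):
    """Return (user_id, role, db, severity) for every privileged role grant."""
    findings = []
    for user in users:
        for grant in user.get("roles", []):
            tier = severity(grant["role"], grant["db"])
            if tier:
                findings.append((user["_id"], grant["role"], grant["db"], tier))
    return findings

# Constructed sample in the layout of this page's `show users` output.
SHOW_USERS_OUTPUT = """
{ "_id" : "admin.dba", "user" : "dba", "db" : "admin", "roles" : [ { "role" : "userAdminAnyDatabase", "db" : "admin" } ] }
{ "_id" : "admin.anyrr", "user" : "anyrr", "db" : "admin", "roles" : [ { "role" : "readAnyDatabase", "db" : "admin" } ] }
{ "_id" : "admin.root", "user" : "root", "db" : "admin", "roles" : [ { "role" : "root", "db" : "admin" } ] }
{ "_id" : "test.rr", "user" : "rr", "db" : "test", "roles" : [ { "role" : "read", "db" : "test" } ] }
"""

if __name__ == "__main__":
    for finding in audit_roles(parse_show_users(SHOW_USERS_OUTPUT)):
        print(finding)
```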
First, with authentication (auth) not yet enabled (the default), create an administrator account for managing users, i.e. one holding the user-administration privilege.

[root@192.168.118.16 ~]#mongod -f /usr/local/mongodb/conf/mongod.conf
[root@192.168.118.16 ~]#mongo 192.168.118.16
> use admin
switched to db admin
> db.createUser({user: 'dba', pwd: 'dba', roles: [{role: 'userAdminAnyDatabase', db: 'admin'}]})
Successfully added user: { "user" : "dba", "roles" : [ { "role" : "userAdminAnyDatabase", "db" : "admin" } ] }

View the created user:

> show users
{ "_id" : "admin.dba", "user" : "dba", "db" : "admin", "roles" : [ { "role" : "userAdminAnyDatabase", "db" : "admin" } ] }
This creates a user with the userAdminAnyDatabase role, which is used to manage users: it can create and delete users.
Enable auth and start mongodb

[root@192.168.118.16 ~]#mongod -f /usr/local/mongodb/conf/mongod.conf --shutdown
[root@192.168.118.16 ~]#mongod -f /usr/local/mongodb/conf/mongod.conf --auth
[root@192.168.118.16 ~]#mongo 192.168.118.16

With auth enabled, any command issued before authenticating fails:

> show dbs
2020-03-16T11:48:42.045+0800 E QUERY    [thread1] Error: listDatabases failed:{ "ok" : 0, "errmsg" : "there are no users authenticated", "code" : 13, "codeName" : "Unauthorized" } :
_getErrorWithCode@src/mongo/shell/utils.js:25:13
Mongo.prototype.getDBs@src/mongo/shell/mongo.js:67:1
shellHelper.show@src/mongo/shell/utils.js:860:19
shellHelper@src/mongo/shell/utils.js:750:15
@(shellhelp2):1:1

Authenticate. Because the account was added under admin, authentication has to be done in the admin database.

> use admin
switched to db admin
> db.auth('dba', 'dba')
1
> show dbs
admin   0.000GB
config  0.000GB
local   0.000GB
Create a read-only user

> use test
> db.createUser({user:'rr', pwd: '123', roles:[{role: 'read', db: 'test'}]})
Successfully added user: { "user" : "rr", "roles" : [ { "role" : "read", "db" : "test" } ] }

Create a read-write user

> use test
> db.createUser({user:'ww', pwd: '123', roles:[{role: 'readWrite', db: 'test'}]})
Successfully added user: { "user" : "ww", "roles" : [ { "role" : "readWrite", "db" : "test" } ] }

List all users in the current database

> use test
switched to db test
> show users
{ "_id" : "test.rr", "user" : "rr", "db" : "test", "roles" : [ { "role" : "read", "db" : "test" } ] }
{ "_id" : "test.ww", "user" : "ww", "db" : "test", "roles" : [ { "role" : "readWrite", "db" : "test" } ] }
Two users were added above; verify them, first logging in with the read-write user: ww/123

> use test
switched to db test
> db.auth('ww','123')
1
> db.abc.insert({'a':1, 'b':2})
WriteResult({ "nInserted" : 1 })
> db.abc.find()
{ "_id" : ObjectId("5e6ef903f055137c529de0d8"), "a" : 1, "b" : 2 }

The ww/123 user can only read and write in the test database; it cannot perform any other operation.

> show dbs
2020-03-16T11:57:18.503+0800 E QUERY    [thread1] Error: listDatabases failed:{ "ok" : 0, "errmsg" : "not authorized on admin to execute command { listDatabases: 1.0, lsid: { id: UUID(\"e73be962-001c-4896-967d-4d3a5ecbd64f\") }, $db: \"admin\" }", "code" : 13, "codeName" : "Unauthorized" } :
_getErrorWithCode@src/mongo/shell/utils.js:25:13
Mongo.prototype.getDBs@src/mongo/shell/mongo.js:67:1
shellHelper.show@src/mongo/shell/utils.js:860:19
shellHelper@src/mongo/shell/utils.js:750:15
@(shellhelp2):1:1

Read-only user: rr/123

> use test
switched to db test
> db.auth('rr','123')
1
> db.abc.find()
{ "_id" : ObjectId("5e6ef903f055137c529de0d8"), "a" : 1, "b" : 2 }

When the read-only user attempts a write, an authorization error occurs.

> db.abc.insert({'aa':11,'bb':22})
WriteResult({ "writeError" : { "code" : 13, "errmsg" : "not authorized on test to execute command { insert: \"abc\", ordered: true, lsid: { id: UUID(\"30ef763c-d883-4793-8a16-2dbcd13b648e\") }, $db: \"test\" }" } })
From the operations above, a user can only operate within one database; when cross-database access is needed this is very inconvenient.
This can be solved with the following roles:
readAnyDatabase: available only in the admin database; grants the user read access to all databases
readWriteAnyDatabase: available only in the admin database; grants the user read and write access to all databases
Create a user with read-only access to all databases

> use admin
switched to db admin
> db.auth('dba','dba')
1
> db.createUser({user:'anyrr', pwd:'123', roles:[{role: 'readAnyDatabase', db: 'admin'}]})
Successfully added user: { "user" : "anyrr", "roles" : [ { "role" : "readAnyDatabase", "db" : "admin" } ] }

Verify: a user must authenticate against the database in which it was created

> use admin
switched to db admin
> db.auth('anyrr','123')
1
> show dbs;
admin   0.000GB
beta    0.000GB
config  0.000GB
local   0.000GB
test    0.000GB
> use test
switched to db test
> db.abc.find()
{ "_id" : ObjectId("5e6ef903f055137c529de0d8"), "a" : 1, "b" : 2 }
> use beta
switched to db beta
> db.abc.find()
{ "_id" : ObjectId("5e6efbd8276c4a4cf5aa3f3c"), "aaa" : 111, "bbb" : 222 }

Attempt to write data; it fails because the user has no write privilege.

> db.abc.insert({"aaac" : 111, "bbbc" : 222})
WriteResult({ "writeError" : { "code" : 13, "errmsg" : "not authorized on beta to execute command { insert: \"abc\", ordered: true, lsid: { id: UUID(\"1348e445-d00e-434c-89c9-f363df619855\") }, $db: \"beta\" }" } })
Create a user with read-write access to all databases

> use admin
switched to db admin
> db.auth('dba','dba')
> db.createUser({user:'anyrw', pwd:'123', roles:[{role: 'readWriteAnyDatabase', db:'admin'}]})
Successfully added user: { "user" : "anyrw", "roles" : [ { "role" : "readWriteAnyDatabase", "db" : "admin" } ] }

Verify read-write access to all databases

> use admin
switched to db admin
> db.auth('anyrw', '123')
1
> show dbs
admin   0.000GB
beta    0.000GB
config  0.000GB
local   0.000GB
test    0.000GB
> use test
switched to db test
> db.abc.insert({'x': 123, 'y':345})
WriteResult({ "nInserted" : 1 })
> db.abc.find()
{ "_id" : ObjectId("5e6ef903f055137c529de0d8"), "a" : 1, "b" : 2 }
{ "_id" : ObjectId("5e6f106ff60792da65189693"), "x" : 123, "y" : 345 }
> use beta
switched to db beta
> db.abc.insert({'x': 123, 'y':345})
WriteResult({ "nInserted" : 1 })
> db.abc.find()
{ "_id" : ObjectId("5e6efbd8276c4a4cf5aa3f3c"), "aaa" : 111, "bbb" : 222 }
{ "_id" : ObjectId("5e6f1080f60792da65189694"), "x" : 123, "y" : 345 }
MongoDB has a privilege comparable to MySQL's root, which can perform every operation on MongoDB.

Create the root user:

> db.createUser({user: 'root', pwd:'123', roles:[{role: 'root', db: 'admin'}]})
Successfully added user: { "user" : "root", "roles" : [ { "role" : "root", "db" : "admin" } ] }

Verify:

> use admin
switched to db admin
> db.auth('root','123')
1
> show dbs;   # list all databases
admin   0.000GB
beta    0.000GB
config  0.000GB
local   0.000GB
test    0.000GB
> use test
switched to db test
> db.abc.find()   # view one database
{ "_id" : ObjectId("5e6ef903f055137c529de0d8"), "a" : 1, "b" : 2 }
{ "_id" : ObjectId("5e6f106ff60792da65189693"), "x" : 123, "y" : 345 }
> db.drop
db.dropAllRoles(   db.dropAllUsers(   db.dropDatabase(   db.dropRole(   db.dropUser(
> use beta
switched to db beta
> db.abc.find()
{ "_id" : ObjectId("5e6efbd8276c4a4cf5aa3f3c"), "aaa" : 111, "bbb" : 222 }
{ "_id" : ObjectId("5e6f1080f60792da65189694"), "x" : 123, "y" : 345 }
> db.dropDatabase()   # drop a database
{ "dropped" : "beta", "ok" : 1 }
> show dbs;
admin   0.000GB
config  0.000GB
local   0.000GB
test    0.000GB
> use test
switched to db test
> show users   # list the users of the test database
{ "_id" : "test.rr", "user" : "rr", "db" : "test", "roles" : [ { "role" : "read", "db" : "test" } ] }
{ "_id" : "test.ww", "user" : "ww", "db" : "test", "roles" : [ { "role" : "readWrite", "db" : "test" } ] }
> db.dropUser('rr')   # drop a user from a database
true
> show users
{ "_id" : "test.ww", "user" : "ww", "db" : "test", "roles" : [ { "role" : "readWrite", "db" : "test" } ] }

As the root verification above shows, the root privilege is very powerful; use it with care!
4. Summary
1. First, start without the auth parameter (the default) and create the user-administration user; from then on, add, manage and delete users with this account.
db.createUser({user: 'dba', pwd: 'dba', roles: [{role: 'userAdminAnyDatabase', db: 'admin'}]})
2. Add the authentication parameter to mongodb and restart for it to take effect
Stop mongodb: mongod -f mongod.conf --shutdown
Enable authentication on the command line: mongod -f mongod.conf --auth
Enable authentication in the configuration file: auth = true
If the configuration file is in YAML format, add instead:
security:
  authorization: enabled
3. Access control
read: read access to one database;
use <dbname>
db.createUser({user:'rr', pwd: '123', roles:[{role: 'read', db: '<dbname>'}]})
readWrite: read and write access to one database;
use <dbname>
db.createUser({user:'ww', pwd: '123', roles:[{role: 'readWrite', db: '<dbname>'}]})
readAnyDatabase: read access to all databases;
use admin
db.createUser({user:'anyrr', pwd:'123', roles:[{role: 'readAnyDatabase', db: 'admin'}]})
readWriteAnyDatabase: read and write access to all databases
use admin
db.createUser({user:'anyrw', pwd:'123', roles:[{role: 'readWriteAnyDatabase', db:'admin'}]})
root: the highest privilege in mongodb
use admin
db.createUser({user: 'root', pwd:'123', roles:[{role: 'root', db: 'admin'}]})
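Added example, not part of the original post: a Python check over a mongod.conf in either the legacy `key = value` form written in section 2 or the YAML form from step 2 of this summary. It flags a file in which authentication is not enabled (the `--auth` flag used on the command line above is not persisted in the file, so a restart from the file alone runs without auth) or in which bind_ip/bindIp listens on every interface. The sample configs are constructed; accepting `on`/`yes`/`1` as well as `true` for the legacy `auth` option is an assumption.

```python
def parse_legacy_conf(text):
    """Parse `key = value` lines of a legacy mongod.conf, ignoring `#` comments."""
    opts = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if "=" in line:
            key, _, value = line.partition("=")
            opts[key.strip()] = value.strip()
    return opts

def parse_yaml_conf(text):
    """Minimal parser for the two-level `section:` / `  key: value` YAML layout of mongod.conf."""
    opts, section = {}, None
    for line in text.splitlines():
        line = line.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        key, _, value = line.strip().partition(":")
        if line.startswith(" "):
            opts[f"{section}.{key}"] = value.strip()
        else:
            section = key
    return opts

def audit_conf(text):
    """Findings for a mongod.conf in legacy or YAML form: auth off, or bound to all interfaces."""
    yaml = any(l.split("#", 1)[0].rstrip().endswith(":") for l in text.splitlines())
    opts = parse_yaml_conf(text) if yaml else parse_legacy_conf(text)
    bind = opts.get("net.bindIp" if yaml else "bind_ip", "localhost")
    # Legacy form: `auth = true`; accepting `on`/`yes`/`1` as well is an assumption.
    auth_on = (opts.get("security.authorization") == "enabled" if yaml
               else opts.get("auth", "false").lower() in ("true", "on", "yes", "1"))
    findings = []
    if not auth_on:
        findings.append("authentication disabled: any client can read and write every database")
    if bind in ("0.0.0.0", "::"):
        findings.append(f"listening on all interfaces (bind {bind})")
    return findings

# Constructed samples: the section-2 config of this page (auth never set) and a hardened YAML form.
LEGACY_NO_AUTH = """bind_ip = 0.0.0.0  # listen address
dbpath = /usr/local/mongodb/data
"""
YAML_HARDENED = """net:
  bindIp: 127.0.0.1
security:
  authorization: enabled
"""
```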
Reference:
https://www.cnblogs.com/seasonzone/p/9359501.html
