MongoDB study notes: users and permissions

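# MongoDB users and authentication
By default MongoDB has no username or password: anyone who can connect can operate on the data. If MongoDB is going into production as project middleware, you certainly do not want it open to everyone, so to keep the data safe MongoDB provides the addUser method to add users.
The method takes three parameters: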
~~~
user: the username
pwd: the password
roles: an array of the roles the user holds
Add a user: db.createUser({user:"<username>", pwd:"<password>", roles:[{role:"<role>", db:"<database>"}]})
Drop a user: db.dropUser("<username>")
~~~
## MongoDB users fall into two categories: superusers and database users
All database users are stored in the admin database:
```shell script
db.system.users
```
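### Superusers
MongoDB superusers are stored in the admin database. Users in that database can perform any operation on every database and hold the highest privileges. On a fresh MongoDB installation the admin database is empty.
### Database users
A database user belongs to a single database and can only access that database.
### Properties of users and permissions
* Databases are created by a superuser. One database can contain several users, and a user belongs to exactly one database. The same username may exist in different databases.
* If the admin database contains no users, then even when MongoDB is started with the -auth parameter, any operation can still be performed without authenticating.
* Users created in the admin database have super privileges and can operate on the data objects of any database in the system.
* The user test_user1 in database test cannot access other databases such as local or test2, but can access data created by other users of the same database, such as test_user2.
* For users with the same username in different databases, after logging in to one database the user cannot log in to the other. For example, if databases test1 and test2 both have a user test_user, then once test_user has logged in to test1 it cannot log in to test2.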
### Verifying the properties above
Open the previously configured MongoDB cluster and connect to the master on port 27017.
```shell script
[root@moggledb ~]# mongo --host 192.168.226.130 --port 27017
...
rs0:PRIMARY>
```
At this point the admin database still contains no users, so from any database you can access any other database.
```shell script
rs0:PRIMARY> show dbs
local 1.078GB
test 0.078GB
rs0:PRIMARY> use local
switched to db local
rs0:PRIMARY> use test
switched to db test
```
Switching from the local database to the test database succeeds.
Now look at the users collection in the admin database.
```shell script
rs0:PRIMARY> db.system.users.find()
rs0:PRIMARY>
```
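db.system.users is empty at this point, so the session has super-administrator privileges and can access any database.
+ Verify: databases are created by a superuser; one database can contain several users, and a user belongs to exactly one database. The same username may exist in different databases.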

```shell script
rs0:PRIMARY> use test1
rs0:PRIMARY> db.createUser({user:"admin", pwd:"123465", roles:[{role:"readWrite", db:"test1"}]})
Successfully added user: {
"user" : "admin",
"roles" : [
{
"role" : "readWrite",
"db" : "test1"
}
]
}
```
Once the user has been created, its record is stored in system.users in the admin database. Next, create a superuser in admin.
```shell script
rs0:PRIMARY> use admin
switched to db admin
rs0:PRIMARY> db.system.users.find()
{ "_id" : "test1.admin", "user" : "admin", "db" : "test1", "credentials" : { "SCRAM-SHA-1" : { "iterationCount" : 10000, "salt" : "2gOLsZlScfAloQ9rdiL3tA==", "storedKey" : "JWG+rgHy+jbXG1EDxYDXgfd17Jw=", "serverKey" : "cWCH2UwJ3f4Tg86smNZtenC0EUs=" } }, "roles" : [ { "role" : "readWrite", "db" : "test1" } ] }
rs0:PRIMARY> db.createUser({user:"root", pwd:"root", roles:[{role:"userAdminAnyDatabase", db:"admin"}]})
Successfully added user: {
"user" : "root",
"roles" : [
{
"role" : "userAdminAnyDatabase",
"db" : "admin"
}
]
}
rs0:PRIMARY> db.system.users.find()
{ "_id" : "test1.admin", "user" : "admin", "db" : "test1", "credentials" : { "SCRAM-SHA-1" : { "iterationCount" : 10000, "salt" : "2gOLsZlScfAloQ9rdiL3tA==", "storedKey" : "JWG+rgHy+jbXG1EDxYDXgfd17Jw=", "serverKey" : "cWCH2UwJ3f4Tg86smNZtenC0EUs=" } }, "roles" : [ { "role" : "readWrite", "db" : "test1" } ] }
{ "_id" : "admin.root", "user" : "root", "db" : "admin", "credentials" : { "SCRAM-SHA-1" : { "iterationCount" : 10000, "salt" : "PJPZSCq9YqY96QOWgVPnRQ==", "storedKey" : "VAO+Now5XIzkmewkRFr3TIKU6J0=", "serverKey" : "9V2ArT9CWsunH8TCk/lY1oCAUzk=" } }, "roles" : [ { "role" : "userAdminAnyDatabase", "db" : "admin" } ] }
```
The test1 database now has a user named admin. Next, create a user with the same name, admin, in test2.
```shell script
rs0:PRIMARY> use test2
switched to db test2
rs0:PRIMARY> db.createUser({user:"admin", pwd:"123456", roles:[{role:"readWrite", db:"test2"}]})
Successfully added user: {
"user" : "admin",
"roles" : [
{
"role" : "readWrite",
"db" : "test2"
}
]
}
rs0:PRIMARY> db.createUser({user:"test2",pwd:"test2",roles:[{role:"read", db:"test2"}]})
Successfully added user: {
"user" : "test2",
"roles" : [
{
"role" : "read",
"db" : "test2"
}
]
}
rs0:PRIMARY> db.getUsers()
[
{
"_id" : "test2.admin",
"user" : "admin",
"db" : "test2",
"roles" : [
{
"role" : "readWrite",
"db" : "test2"
}
]
},
{
"_id" : "test2.test2",
"user" : "test2",
"db" : "test2",
"roles" : [
{
"role" : "read",
"db" : "test2"
}
]
}
]
rs0:PRIMARY>
```
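As shown, different databases can have users with the same username, and one database can have several users.
* Users created in the admin database have super privileges and can operate on the data objects of any database in the system.

Exit the primary node and stop the cluster nodes. Stop the secondary nodes first, then the primary.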
```shell script
rs0:PRIMARY> exit
bye
[root@moggledb ~]# mongod --shutdown --dbpath /data/node3
killing process with pid: 2768
[root@moggledb ~]# mongod --shutdown --dbpath /data/node2
killing process with pid: 2679
[root@moggledb ~]# mongod --shutdown --dbpath /data/node1
killing process with pid: 2595
[root@moggledb ~]# ps -ef |grep mongod
root 8347 2571 0 22:10 pts/0 00:00:00 grep mongod
[root@moggledb ~]#
```
Generate the keyfile on the primary node:
```shell script
[root@moggledb ~]# openssl rand -base64 666 > /data/node1/keyfile
[root@moggledb ~]# chmod 600 /data/node1/keyfile
```
Copy the keyfile to the other nodes and set its permissions to 600:
```shell script
[root@moggledb ~]# openssl rand -base64 666 > /data/node1/keyfile
[root@moggledb ~]# chmod 600 /data/node1/keyfile
[root@moggledb ~]# cp /data/node1/keyfile /data/node2/
[root@moggledb ~]# cp /data/node1/keyfile /data/node3/
[root@moggledb ~]# chmod 600 /data/node2/keyfile
[root@moggledb ~]# chmod 600 /data/node3/keyfile
```
Edit the primary node's startup configuration file:
```properties
auth=true
oplogSize=100
keyFile=/data/node1/keyfile
```
Edit the secondary nodes' configuration files:
```properties
oplogSize=100
keyFile=/data/node2/keyfile
```
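A pre-start check for the keyfile steps above, as an added example that is not part of the original notes. It relies on mongod's documented keyfile rules (6 to 1024 base64 characters, no group or world permissions on UNIX) and on every member needing the same key; the function names and the temporary demo files are constructed for illustration.

```javascript
const fs = require('fs');
const os = require('os');
const path = require('path');
const crypto = require('crypto');

// Returns a list of problems found in the members' keyfiles; empty means OK.
function checkKeyfiles(paths) {
  const problems = [];
  let ref = null; // first readable keyfile, used as the comparison baseline
  for (const p of paths) {
    let mode, key;
    try {
      mode = fs.statSync(p).mode & 0o777;
      key = fs.readFileSync(p, 'utf8').replace(/\s+/g, ''); // whitespace is ignored
    } catch (e) {
      problems.push(`${p}: unreadable (${e.code})`);
      continue;
    }
    if (mode & 0o077) problems.push(`${p}: mode ${mode.toString(8)} allows group/other access`);
    if (!/^[A-Za-z0-9+/=]{6,1024}$/.test(key)) problems.push(`${p}: not 6-1024 base64 characters`);
    if (ref === null) ref = { path: p, key };
    else if (key !== ref.key) problems.push(`${p}: content differs from ${ref.path}`);
  }
  return problems;
}

// Constructed demo: three temporary "node" keyfiles, two of them deliberately wrong.
function demo() {
  const dir = fs.mkdtempSync(path.join(os.tmpdir(), 'keyfile-demo-'));
  const key = crypto.randomBytes(666).toString('base64'); // like `openssl rand -base64 666`
  const files = [['node1', key, 0o600], ['node2', key, 0o644], ['node3', key.slice(4), 0o600]]
    .map(([name, content, mode]) => {
      const p = path.join(dir, name);
      fs.writeFileSync(p, content + '\n');
      fs.chmodSync(p, mode); // explicit chmod so the umask does not matter
      return p;
    });
  return checkKeyfiles(files);
}

console.log(demo());
```

On the real cluster the call would be `checkKeyfiles(['/data/node1/keyfile', '/data/node2/keyfile', '/data/node3/keyfile'])`, run as the account that starts mongod.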
Start the replica set, beginning with the primary node:
```shell script
[root@moggledb ~]# mongod -f /data/node1/mongodb-node1.conf
about to fork child process, waiting until server is ready for connections.
forked process: 8368
child process started successfully, parent exiting
[root@moggledb ~]# mongod -f /data/node2/mongodb-node2.conf
about to fork child process, waiting until server is ready for connections.
forked process: 8452
child process started successfully, parent exiting
[root@moggledb ~]# mongod -f /data/node3/mongodb-node3.conf
about to fork child process, waiting until server is ready for connections.
forked process: 8535
child process started successfully, parent exiting
[root@moggledb ~]# ps -ef |grep mongod
root 8368 1 1 22:22 ? 00:00:00 mongod -f /data/node1/mongodb-node1.conf
root 8452 1 1 22:22 ? 00:00:00 mongod -f /data/node2/mongodb-node2.conf
root 8535 1 2 22:22 ? 00:00:00 mongod -f /data/node3/mongodb-node3.conf
root 8598 2571 0 22:23 pts/0 00:00:00 grep mongod
[root@moggledb ~]#
```
Connect to the primary node:
```shell script
[root@moggledb node1]# mongo --username root --password root admin --host 192.168.226.130 --port 27017
MongoDB shell version: 3.0.6
connecting to: 192.168.226.130:27017/admin
rs0:PRIMARY> show dbs
admin 0.078GB
local 1.078GB
test 0.078GB
test1 0.078GB
rs0:PRIMARY>
```
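The root user is a superuser and can list all databases. However, to operate on the data inside a particular database you still have to use that database's own user; the root user has no permission to do so.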
```shell script
rs0:PRIMARY> db.system.users.find()
{ "_id" : "test1.admin", "user" : "admin", "db" : "test1", "credentials" : { "SCRAM-SHA-1" : { "iterationCount" : 10000, "salt" : "2gOLsZlScfAloQ9rdiL3tA==", "storedKey" : "JWG+rgHy+jbXG1EDxYDXgfd17Jw=", "serverKey" : "cWCH2UwJ3f4Tg86smNZtenC0EUs=" } }, "roles" : [ { "role" : "readWrite", "db" : "test1" } ] }
{ "_id" : "admin.root", "user" : "root", "db" : "admin", "credentials" : { "SCRAM-SHA-1" : { "iterationCount" : 10000, "salt" : "PJPZSCq9YqY96QOWgVPnRQ==", "storedKey" : "VAO+Now5XIzkmewkRFr3TIKU6J0=", "serverKey" : "9V2ArT9CWsunH8TCk/lY1oCAUzk=" } }, "roles" : [ { "role" : "userAdminAnyDatabase", "db" : "admin" } ] }
{ "_id" : "test2.admin", "user" : "admin", "db" : "test2", "credentials" : { "SCRAM-SHA-1" : { "iterationCount" : 10000, "salt" : "bpf9kX28M/qcjItzYRCh0A==", "storedKey" : "ptn1v5z70h0u2HYdh2SgBt8lI+s=", "serverKey" : "Wh3m8g2olZhoP5Xho2p6HS+CJrs=" } }, "roles" : [ { "role" : "readWrite", "db" : "test2" } ] }
{ "_id" : "test2.test2", "user" : "test2", "db" : "test2", "credentials" : { "SCRAM-SHA-1" : { "iterationCount" : 10000, "salt" : "8XmR1dpRQc4Tpb0JLzEsZw==", "storedKey" : "npUCRpSPlI5xAmEkbeKkJU5BC9U=", "serverKey" : "ZzbabAQR5VblYw+Lx4yE82Y33mQ=" } }, "roles" : [ { "role" : "read", "db" : "test2" } ] }
rs0:PRIMARY> use test1
switched to db test1
rs0:PRIMARY> show collections
2020-05-06T23:55:18.738-0700 E QUERY Error: listCollections failed: {
"ok" : 0,
"errmsg" : "not authorized on test1 to execute command { listCollections: 1.0 }",
"code" : 13
}
at Error (<anonymous>)
at DB._getCollectionInfosCommand (src/mongo/shell/db.js:646:15)
at DB.getCollectionInfos (src/mongo/shell/db.js:658:20)
at DB.getCollectionNames (src/mongo/shell/db.js:669:17)
at shellHelper.show (src/mongo/shell/utils.js:625:12)
at shellHelper (src/mongo/shell/utils.js:524:36)
at (shellhelp2):1:1 at src/mongo/shell/db.js:646
rs0:PRIMARY>
```
Authenticate as the admin user of the test1 database:
```shell script
rs0:PRIMARY> db.auth("admin","123465")
1
rs0:PRIMARY> show collections
coll
system.indexes
```
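Note that when I set the password for the test1 database above, I mistyped it as 123465, so the password used to authenticate here must also be 123465.
* Insert a document as the admin user of the test2 database, then read it as the test2 user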
```shell script
rs0:PRIMARY> use test2
switched to db test2
rs0:PRIMARY> db.auth("admin","123456")
rs0:PRIMARY> db.coll.insert({"name":"java"})
WriteResult({ "nInserted" : 1 })
rs0:PRIMARY> db.auth("test2","test2")
1
rs0:PRIMARY> db.coll.find()
{ "_id" : ObjectId("5eb3b5bd7e5f031e229d4cf2"), "name" : "java" }
rs0:PRIMARY> db.coll.insert({"text":"hello mongodb"})
WriteResult({
"writeError" : {
"code" : 13,
"errmsg" : "not authorized on test2 to execute command { insert: \"coll\", documents: [ { _id: ObjectId('5eb3b63a7e5f031e229d4cf3'), text: \"hello mongodb\" } ], ordered: true }"
}
})
rs0:PRIMARY>
```
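After switching to the test2 user, the test2 user can read the data inserted by the admin user, but because the test2 user only has read permission, its insert fails.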
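The outcomes observed in this session, reproduced with a small model of role checks (an added example, not code from the original notes and not MongoDB's implementation). The user documents are a constructed copy of the `system.users` output above with credentials omitted, and each role lists only a subset of its real actions. The last call shows why a user-admin role should be treated as equivalent to superuser: it can grant itself data access.

```javascript
// Simplified model of MongoDB role checks; each role lists only a subset of its real actions.
const ROLE_ACTIONS = {
  read: ['find', 'listCollections'],
  readWrite: ['find', 'listCollections', 'insert', 'update', 'remove'],
  userAdminAnyDatabase: ['createUser', 'dropUser', 'grantRole', 'revokeRole'],
};
// Roles whose privileges apply to every database rather than only to role.db.
const ANY_DATABASE_ROLES = new Set(['userAdminAnyDatabase']);

// Constructed copy of the page's system.users documents, credentials omitted.
function sampleUsers() {
  return [
    { _id: 'test1.admin', user: 'admin', db: 'test1', roles: [{ role: 'readWrite', db: 'test1' }] },
    { _id: 'admin.root', user: 'root', db: 'admin', roles: [{ role: 'userAdminAnyDatabase', db: 'admin' }] },
    { _id: 'test2.admin', user: 'admin', db: 'test2', roles: [{ role: 'readWrite', db: 'test2' }] },
    { _id: 'test2.test2', user: 'test2', db: 'test2', roles: [{ role: 'read', db: 'test2' }] },
  ];
}

// A user is identified by authentication database plus name, i.e. the _id "<db>.<user>".
function findUser(users, authDb, name) {
  return users.find((u) => u._id === `${authDb}.${name}`) || null;
}

// True if any role the user holds grants `action` on `targetDb`.
function isAuthorized(user, targetDb, action) {
  if (!user) return false;
  return user.roles.some((r) =>
    (ANY_DATABASE_ROLES.has(r.role) || r.db === targetDb) &&
    (ROLE_ACTIONS[r.role] || []).includes(action));
}

// Grants a role only if the acting user holds grantRole on the role's database.
function grantRole(actor, target, role, db) {
  if (!isAuthorized(actor, db, 'grantRole')) throw new Error(`not authorized on ${db}`);
  target.roles.push({ role, db });
}

const users = sampleUsers();
const root = findUser(users, 'admin', 'root');
const reader = findUser(users, 'test2', 'test2');
console.log(isAuthorized(root, 'test1', 'listCollections')); // root manages users, not data
console.log(isAuthorized(reader, 'test2', 'find'), isAuthorized(reader, 'test2', 'insert'));
grantRole(root, root, 'readWrite', 'test1'); // a user admin can grant itself data access
console.log(isAuthorized(root, 'test1', 'listCollections'));
```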
posted @ 2020-05-07 15:23  Zs夏至