【MongoDB 安全篇】MongoDB用户管理
目录
MongoDB提供了各种特性,例如身份验证、访问控制、加密以保护MongoDB服务器。本篇主要对MongoDB下的用户相关的指令进行总结。
1 软件环境
使用的软件分别为:
- VirtualBox 5.2
- Oracle Linux 6.7
- MongoDB 4.2.0
2 用户管理
2.1 查看数据库用户信息
返回特定用户的信息,查询时须在用户所在的数据库进行该命令,并且用户必须存在,否则出错。
2.1.1 语法
db.getUser( "<username>", {
showCredentials: <Boolean>,
showPrivileges: <Boolean>,
showAuthenticationRestrictions: <Boolean>,
filter: <document>
} )2.1.2 示例
> use scott
switched to db scott
> db.getUser("scott")
{
"_id" : "scott.scott",
"userId" : UUID("9d580a1f-d8f6-47f6-af02-a090bb8a9123"),
"user" : "scott",
"db" : "scott",
"roles" : [
{
"role" : "read",
"db" : "hr"
}
],
"mechanisms" : [
"SCRAM-SHA-1",
"SCRAM-SHA-256"
]
}2.2 查看数据库所有用户信息
该指令返回所在数据库中的所有用户信息。
2.2.1 语法
db.getUsers( {
showCredentials: <Boolean>,
filter: <document>
} )2.2.2 示例
> use admin
switched to db admin
> db.getUsers()
[
{
"_id" : "admin.root",
"userId" : UUID("678bde68-119a-460b-8479-b6ef35c057f0"),
"user" : "root",
"db" : "admin",
"roles" : [
{
"role" : "root",
"db" : "admin"
}
],
"mechanisms" : [
"SCRAM-SHA-1",
"SCRAM-SHA-256"
]
}
]2.3 创建用户
在该命令运行的数据库创建一个新用户,如果用户已存在,则出错。
2.3.1 语法
{
user: "<name>",
pwd: passwordPrompt(), // Or "<cleartext password>"
customData: { <any information> },
roles: [
{ role: "<role>", db: "<database>" } | "<role>",
...
],
authenticationRestrictions: [
{
clientSource: ["<IP>" | "<CIDR range>", ...]
serverAddress: ["<IP>" | "<CIDR range>", ...]
},
...
],
mechanisms: [ "<SCRAM-SHA-1|SCRAM-SHA-256>", ... ],
passwordDigestor: "<server|client>"
}2.3.2 示例
> use scott
switched to db scott
> db.createUser({user:"s1",pwd:"s1",roles:[{role:"readWrite",db:"scott"},{role:"read",db:"hr"}]})
Successfully added user: {
"user" : "s1",
"roles" : [
{
"role" : "readWrite",
"db" : "scott"
},
{
"role" : "read",
"db" : "hr"
}
]
}2.4 修改密码
修改用户密码,执行该命令须切换到用户所在的数据库。
2.4.1 语法
db.changeUserPassword(username, password)2.4.2 示例
> use scott
switched to db scott
> db.changeUserPassword("s1","scott")
2.5 修改用户
修改用户信息,执行该命令须在用户所在的数据库。
2.5.1 语法
db.updateUser(
"<username>",
{
customData : { <any information> },
roles : [
{ role: "<role>", db: "<database>" } | "<role>",
...
],
pwd: passwordPrompt(), // Or "<cleartext password>"
authenticationRestrictions: [
{
clientSource: ["<IP>" | "<CIDR range>", ...],
serverAddress: ["<IP>", | "<CIDR range>", ...]
},
...
],
mechanisms: [ "<SCRAM-SHA-1|SCRAM-SHA-256>", ... ],
passwordDigestor: "<server|client>"
},
writeConcern: { <write concern> }
)2.5.2 示例
> use scott
switched to db scott
> db.updateUser("scott",{pwd:"s1",customData:{dept:"IT",tel:"150XXXXX"}})2.6 删除用户
删除当前数据库的用户信息。
2.6.1 语法
db.dropUser(username, writeConcern)2.6.2 示例
> use scott
switched to db scott
> db.dropUser("scott")
true2.7 删除所有用户
删除所在数据库的所有用户信息。
2.7.1 语法
db.dropAllUsers(writeConcern)2.7.2 示例
> use scott
switched to db scott
> db.dropAllUsers()
NumberLong(1)2.8 给用户授权角色
将角色授权给用户。
2.8.1 语法
db.grantRolesToUser( "<username>", [ <roles> ], { <writeConcern> } )2.8.2 示例
> use scott
switched to db scott
> db.createUser({user:"s1",pwd:"s1",roles:[]})
Successfully added user: { "user" : "s1", "roles" : [ ] }
> db.grantRolesToUser("s1",["readWrite",{role:"read",db:"hr"}])
> db.getUser("s1")
{
"_id" : "scott.s1",
"userId" : UUID("ec26515f-2c71-4718-880b-27f5d51c7eae"),
"user" : "s1",
"db" : "scott",
"roles" : [
{
"role" : "readWrite",
"db" : "scott"
},
{
"role" : "read",
"db" : "hr"
}
],
"mechanisms" : [
"SCRAM-SHA-1",
"SCRAM-SHA-256"
]
}2.9 从用户收回角色
从用户所在的数据库收回一个或多个角色。
2.9.1 语法
db.revokeRolesFromUser( "<username>", [ <roles> ], { <writeConcern> } )2.9.2 示例
> use scott
switched to db scott
> db.revokeRolesFromUser("s1",[{role:"read",db:"hr"}])
> db.getUser("s1")
{
"_id" : "scott.s1",
"userId" : UUID("ec26515f-2c71-4718-880b-27f5d51c7eae"),
"user" : "s1",
"db" : "scott",
"roles" : [
{
"role" : "readWrite",
"db" : "scott"
}
],
"mechanisms" : [
"SCRAM-SHA-1",
"SCRAM-SHA-256"
]
}2.10 用户认证
该指令允许用户在shell中对数据库进行认证。
2.10.1 语法
方法1:
db.auth( <username>, passwordPrompt() )
// Or
db.auth( <username>, <password> )方法2:
db.auth( {
user: <username>,
pwd: passwordPrompt(), // Or "<cleartext password>"
mechanism: <authentication mechanism>,
digestPassword: <boolean>
} )2.10.2 示例
示例1:
[mongod@strong ~]$ mongo 192.168.56.102
MongoDB shell version v4.2.0
connecting to: mongodb://192.168.56.102:27017/test?compressors=disabled&gssapiServiceName=mongodb
Implicit session: session { "id" : UUID("0f30e70e-b04b-45ab-b44f-e2b31f93f01c") }
MongoDB server version: 4.2.0
> use scott
switched to db scott
> db.auth("s1",passwordPrompt())
Enter password:
1
> show collections
dept
emp
foo
inventory
students
user示例2:
[mongod@strong ~]$ mongo 192.168.56.102
MongoDB shell version v4.2.0
connecting to: mongodb://192.168.56.102:27017/test?compressors=disabled&gssapiServiceName=mongodb
Implicit session: session { "id" : UUID("32ed91e3-54a4-41e9-997c-54d6bca24b63") }
MongoDB server version: 4.2.0
> use scott
switched to db scott
> db.auth("s1","s1")
1
> show collections
dept
emp
foo
inventory
students
user除了上面的方法外,还可以使用如下方式进行数据库的连接,即
[mongod@strong ~]$ mongo 192.168.56.102 -us1 -p --authenticationDatabase scott
