[MongoDB Security] MongoDB User Management

Contents

1 Software environment

2 User management

2.1 Viewing a database user

2.1.1 Syntax

2.1.2 Example

2.2 Viewing all users of a database

2.2.1 Syntax

2.2.2 Example

2.3 Creating a user

2.3.1 Syntax

2.3.2 Example

2.4 Changing a password

2.4.1 Syntax

2.4.2 Example

2.5 Updating a user

2.5.1 Syntax

2.5.2 Example

2.6 Dropping a user

2.6.1 Syntax

2.6.2 Example

2.7 Dropping all users

2.7.1 Syntax

2.7.2 Example

2.8 Granting roles to a user

2.8.1 Syntax

2.8.2 Example

2.9 Revoking roles from a user

2.9.1 Syntax

2.9.2 Example

2.10 User authentication

2.10.1 Syntax

2.10.2 Example


MongoDB provides authentication, role-based access control and encryption to protect a MongoDB server. This post summarizes the user-related commands, i.e. the db.* helper methods of the mongo shell for inspecting, creating, modifying and deleting users, managing their roles, and authenticating as them.

1 Software environment

The software used:

  • VirtualBox 5.2
  • Oracle Linux 6.7
  • MongoDB 4.2.0

2 User management

2.1 Viewing a database user

Returns the information of a single user. Run the method on the database the user was created in (the user's authentication database); if the user does not exist there, the method returns null. With showCredentials: true the result also contains the user's stored SCRAM credentials (salt, iteration count and hashed keys), so treat that output as sensitive; showAuthenticationRestrictions: true adds the IP restrictions described in 2.3.

2.1.1 Syntax

db.getUser( "<username>", {
    showCredentials: <Boolean>,
    showPrivileges: <Boolean>,
    showAuthenticationRestrictions: <Boolean>,
    filter: <document>
} )

2.1.2 Example

> use scott
switched to db scott
> db.getUser("scott")
{
    "_id" : "scott.scott",
    "userId" : UUID("9d580a1f-d8f6-47f6-af02-a090bb8a9123"),
    "user" : "scott",
    "db" : "scott",
    "roles" : [
        {
            "role" : "read",
            "db" : "hr"
        }
    ],
    "mechanisms" : [
        "SCRAM-SHA-1",
        "SCRAM-SHA-256"
    ]
}

2.2 Viewing all users of a database

Returns every user whose authentication database is the current database. It does not list users created in other databases; to list every user in the deployment, run the usersInfo command on admin with { usersInfo: { forAllDBs: true } }. Like db.getUser(), it includes stored credentials only when showCredentials is true.

2.2.1 Syntax

db.getUsers( {
    showCredentials: <Boolean>,
    filter: <document>
} )

2.2.2 Example

> use admin
switched to db admin
> db.getUsers()
[
    {
        "_id" : "admin.root",
        "userId" : UUID("678bde68-119a-460b-8479-b6ef35c057f0"),
        "user" : "root",
        "db" : "admin",
        "roles" : [
            {
                "role" : "root",
                "db" : "admin"
            }
        ],
        "mechanisms" : [
            "SCRAM-SHA-1",
            "SCRAM-SHA-256"
        ]
    }
]
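The documents returned by db.getUser() and db.getUsers() (2.1 and 2.2) are what a review of an instance's accounts works from. The following Node.js function is an added example, not code from the original post or from MongoDB: it walks such an array and flags what a reviewer would question, namely privileged roles, the legacy SCRAM-SHA-1 mechanism still enabled, and the absence of authenticationRestrictions. The sample input is constructed to mirror the root and s1 users shown in this post, with userId omitted, and it assumes the documents were fetched with showAuthenticationRestrictions: true (db.getUser() or the usersInfo command), since otherwise that field is never present. The set of roles treated as privileged is this example's choice, not a MongoDB definition.

```javascript
// Added example, not code from the original post or from MongoDB: audit the
// user documents returned by db.getUsers() / db.getUser() / usersInfo.

// Roles this example treats as privileged (an audit choice, not a MongoDB list):
// anything that administers users/roles, spans every database, or runs the cluster.
const PRIVILEGED_ROLES = new Set([
  "root", "__system", "userAdmin", "userAdminAnyDatabase", "dbOwner",
  "readWriteAnyDatabase", "dbAdminAnyDatabase", "clusterAdmin", "clusterManager",
]);

// Return findings as {user, issue} objects for one array of user documents.
// Assumes the documents were fetched with showAuthenticationRestrictions: true,
// otherwise the authenticationRestrictions field is absent even when set.
function auditUsers(users) {
  const findings = [];
  for (const u of users) {
    const id = `${u.db}.${u.user}`;
    for (const r of u.roles || []) {
      // The server returns {role, db}; a bare string means "role on own db".
      const role = typeof r === "string" ? { role: r, db: u.db } : r;
      if (PRIVILEGED_ROLES.has(role.role)) {
        findings.push({ user: id, issue: `privileged role ${role.role}@${role.db}` });
      }
    }
    if ((u.mechanisms || []).includes("SCRAM-SHA-1")) {
      findings.push({ user: id, issue: "SCRAM-SHA-1 still enabled" });
    }
    if (!(u.authenticationRestrictions || []).length) {
      findings.push({ user: id, issue: "no authenticationRestrictions" });
    }
  }
  return findings;
}

// Constructed sample shaped like the getUsers() output above (userId omitted).
const SAMPLE_USERS = [
  { _id: "admin.root", user: "root", db: "admin",
    roles: [{ role: "root", db: "admin" }],
    mechanisms: ["SCRAM-SHA-1", "SCRAM-SHA-256"] },
  { _id: "scott.s1", user: "s1", db: "scott",
    roles: [{ role: "readWrite", db: "scott" }, { role: "read", db: "hr" }],
    authenticationRestrictions: [{ clientSource: ["192.168.56.0/24"] }],
    mechanisms: ["SCRAM-SHA-256"] },
];

for (const f of auditUsers(SAMPLE_USERS)) console.log(`${f.user}: ${f.issue}`);
```

On the sample, root produces three findings and s1 none. A finding is a prompt to review, not a verdict: the root account in admin needs its role, but it should not also keep SCRAM-SHA-1 once every client supports SCRAM-SHA-256, and it is the account most worth pinning to a clientSource.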

2.3 Creating a user

Creates a new user on the database where the method runs; that database becomes the user's authentication database (the user documents themselves live in admin.system.users, which is why the _id above is "scott.scott"). If the user already exists, the method fails. A password passed as a cleartext string is recorded in the shell history file (~/.dbshell); passwordPrompt(), new in 4.2, reads it interactively instead. authenticationRestrictions limits the client addresses (clientSource) and server listening addresses (serverAddress) from which the user may authenticate. By default both SCRAM-SHA-1 and SCRAM-SHA-256 credentials are created; restricting mechanisms to SCRAM-SHA-256 requires the default passwordDigestor "server", since client-side digesting is only compatible with SCRAM-SHA-1.

2.3.1 Syntax

db.createUser(
    {
        user: "<name>",
        pwd: passwordPrompt(),      // Or "<cleartext password>"
        customData: { <any information> },
        roles: [
            { role: "<role>", db: "<database>" } | "<role>",
            ...
        ],
        authenticationRestrictions: [
            {
                clientSource: ["<IP>" | "<CIDR range>", ...],
                serverAddress: ["<IP>" | "<CIDR range>", ...]
            },
            ...
        ],
        mechanisms: [ "<SCRAM-SHA-1|SCRAM-SHA-256>", ... ],
        passwordDigestor: "<server|client>"
    },
    { <write concern> }             // optional
)

2.3.2 Example

> use scott
switched to db scott
> db.createUser({user:"s1",pwd:"s1",roles:[{role:"readWrite",db:"scott"},{role:"read",db:"hr"}]})
Successfully added user: {
    "user" : "s1",
    "roles" : [
        {
            "role" : "readWrite",
            "db" : "scott"
        },
        {
            "role" : "read",
            "db" : "hr"
        }
    ]
}
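The authenticationRestrictions field in the syntax above is checked when the user authenticates: the connecting client's source address must match an entry of clientSource, and the address on which the server accepted the connection must match an entry of serverAddress. The following Node.js code is an added example, not code from the original post or from MongoDB, that reproduces that check for IPv4 addresses and CIDR ranges against a constructed user spec written in the db.createUser() shape used in this section. One assumption is labelled in the code: the documents of one authenticationRestrictions array are treated as alternatives (any one may match), while the fields inside a single document must all match.

```javascript
// Added example, not code from the original post or from MongoDB: evaluate a
// user's authenticationRestrictions for an IPv4 client, as the server does when
// the user authenticates.

// Parse a dotted-quad IPv4 address into an unsigned 32-bit integer.
function ipv4ToInt(ip) {
  const parts = String(ip).split(".");
  if (parts.length !== 4) throw new Error(`bad IPv4 address: ${ip}`);
  return parts.reduce((acc, p) => {
    if (!/^\d{1,3}$/.test(p) || Number(p) > 255) throw new Error(`bad IPv4 address: ${ip}`);
    return ((acc << 8) | Number(p)) >>> 0;
  }, 0);
}

// True if ip equals the entry ("a.b.c.d") or lies inside it ("a.b.c.d/n").
function ipv4Matches(ip, entry) {
  const [net, bitsStr] = entry.split("/");
  const bits = bitsStr === undefined ? 32 : Number(bitsStr);
  if (!Number.isInteger(bits) || bits < 0 || bits > 32) throw new Error(`bad prefix: ${entry}`);
  const mask = bits === 0 ? 0 : (0xffffffff << (32 - bits)) >>> 0;
  return ((ipv4ToInt(ip) & mask) >>> 0) === ((ipv4ToInt(net) & mask) >>> 0);
}

// One restriction document: each field that is present must be satisfied.
function entryAllows(entry, clientIp, serverIp) {
  const clientOk = !entry.clientSource || entry.clientSource.some((e) => ipv4Matches(clientIp, e));
  const serverOk = !entry.serverAddress || entry.serverAddress.some((e) => ipv4Matches(serverIp, e));
  return clientOk && serverOk;
}

// Whole array. No restrictions at all means the user may authenticate from
// anywhere. Assumption made here: the documents in the array are alternatives,
// so matching any one of them is enough.
function restrictionsAllow(restrictions, clientIp, serverIp) {
  if (!restrictions || restrictions.length === 0) return true;
  return restrictions.some((entry) => entryAllows(entry, clientIp, serverIp));
}

// Constructed spec in the db.createUser() shape used in this section.
// The pwd value is a placeholder, not a password.
const APP_USER_SPEC = {
  user: "s1",
  pwd: "<set interactively with passwordPrompt()>",
  roles: [{ role: "readWrite", db: "scott" }, { role: "read", db: "hr" }],
  authenticationRestrictions: [
    // application hosts on the lab subnet, connecting to the listener at .102
    { clientSource: ["192.168.56.0/24"], serverAddress: ["192.168.56.102"] },
    // local maintenance over the loopback interface, any listener
    { clientSource: ["127.0.0.1"] },
  ],
  mechanisms: ["SCRAM-SHA-256"],
};

const CASES = [
  ["192.168.56.50", "192.168.56.102"], // lab client to the lab listener: allowed
  ["192.168.56.50", "10.0.0.5"],       // lab client via another listener: denied
  ["10.1.2.3", "192.168.56.102"],      // client outside the subnet: denied
  ["127.0.0.1", "10.0.0.5"],           // loopback client: allowed
];
for (const [c, s] of CASES) {
  console.log(`${c} -> ${s}: ${restrictionsAllow(APP_USER_SPEC.authenticationRestrictions, c, s)}`);
}
```

The second case is the one worth noticing: a correct source address is not enough when the entry also names serverAddress, so a user pinned this way cannot be used through a second interface or a port-forward the administrator did not list. Restrictions inherited from roles are combined with the user's own, and a user inheriting incompatible restrictions cannot authenticate at all.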

2.4 Changing a password

Changes a user's password; run it on the user's authentication database. A password given as a plain string is again kept in ~/.dbshell; db.changeUserPassword("s1", passwordPrompt()) avoids that.

2.4.1 Syntax

db.changeUserPassword(username, password)

2.4.2 Example

> use scott
switched to db scott
> db.changeUserPassword("s1","scott")

2.5 Updating a user

Updates a user's record; run it on the user's authentication database. Each field supplied replaces the stored value completely: passing roles replaces the whole roles array (use db.grantRolesToUser() and db.revokeRolesFromUser() to add or remove individual roles), and the same holds for customData and authenticationRestrictions. Fields not supplied are left unchanged.

2.5.1 Syntax

db.updateUser(
    "<username>",
    {
        customData : { <any information> },
        roles : [
            { role: "<role>", db: "<database>" } | "<role>",
            ...
        ],
        pwd: passwordPrompt(),      // Or "<cleartext password>"
        authenticationRestrictions: [
            {
                clientSource: ["<IP>" | "<CIDR range>", ...],
                serverAddress: ["<IP>" | "<CIDR range>", ...]
            },
            ...
        ],
        mechanisms: [ "<SCRAM-SHA-1|SCRAM-SHA-256>", ... ],
        passwordDigestor: "<server|client>"
    },
    { <write concern> }             // optional
)

2.5.2 Example

> use scott
switched to db scott
> db.updateUser("scott",{pwd:"s1",customData:{dept:"IT",tel:"150XXXXX"}})

2.6 Dropping a user

Removes the named user from the current database. Returns true if the user was removed and false if no such user exists there.

2.6.1 Syntax

db.dropUser(username, writeConcern)

2.6.2 Example

> use scott
switched to db scott
> db.dropUser("scott")
true

2.7 Dropping all users

Removes every user of the current database and returns the number removed. On admin this includes the administrative users (root above), so check db.getUsers() before running it there.

2.7.1 Syntax

db.dropAllUsers(writeConcern)

2.7.2 Example

> use scott
switched to db scott
> db.dropAllUsers()
NumberLong(1)

2.8 Granting roles to a user

Grants one or more roles to a user; run it on the user's authentication database. A role given as a plain string means that role on the current database ("readWrite" below becomes readWrite on scott); use the { role, db } form to grant a role on another database. Roles the user already holds are kept, unlike the roles field of db.updateUser().

2.8.1 Syntax

db.grantRolesToUser( "<username>", [ <roles> ], { <writeConcern> } )

2.8.2 Example

> use scott
switched to db scott
> db.createUser({user:"s1",pwd:"s1",roles:[]})
Successfully added user: { "user" : "s1", "roles" : [ ] }
> db.grantRolesToUser("s1",["readWrite",{role:"read",db:"hr"}])
> db.getUser("s1")
{
    "_id" : "scott.s1",
    "userId" : UUID("ec26515f-2c71-4718-880b-27f5d51c7eae"),
    "user" : "s1",
    "db" : "scott",
    "roles" : [
        {
            "role" : "readWrite",
            "db" : "scott"
        },
        {
            "role" : "read",
            "db" : "hr"
        }
    ],
    "mechanisms" : [
        "SCRAM-SHA-1",
        "SCRAM-SHA-256"
    ]
}

2.9 Revoking roles from a user

Revokes one or more roles from a user; run it on the user's authentication database. The roles themselves may belong to other databases, as with read on hr below. On a single mongod the change applies immediately to the user's subsequent operations; on a sharded cluster each mongos refreshes its cache of user privileges only at the interval set by userCacheInvalidationIntervalSecs (30 seconds by default), so a revocation there is not instantaneous.

2.9.1 Syntax

db.revokeRolesFromUser( "<username>", [ <roles> ], { <writeConcern> } )

2.9.2 Example

> use scott
switched to db scott
> db.revokeRolesFromUser("s1",[{role:"read",db:"hr"}])
> db.getUser("s1")
{
    "_id" : "scott.s1",
    "userId" : UUID("ec26515f-2c71-4718-880b-27f5d51c7eae"),
    "user" : "s1",
    "db" : "scott",
    "roles" : [
        {
            "role" : "readWrite",
            "db" : "scott"
        }
    ],
    "mechanisms" : [
        "SCRAM-SHA-1",
        "SCRAM-SHA-256"
    ]
}
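Taken together, 2.5, 2.8 and 2.9 say that db.updateUser() overwrites the roles array while grant and revoke change it one role at a time, so a change to a user's permissions is best expressed as a grant list and a revoke list computed from the current state. The following Node.js code is an added example, not code from the original post or from MongoDB: it compares the roles db.getUser() returns with a desired set, normalises the plain-string shorthand to { role, db } on the user's own database, and renders the shell statements to run. The current roles are s1's roles from the 2.8 example; the target set is constructed.

```javascript
// Added example, not code from the original post or from MongoDB: turn a
// desired set of roles into grant/revoke calls instead of overwriting the
// roles array with db.updateUser().

// getUser()/getUsers() return {role, db} objects; grantRolesToUser and
// revokeRolesFromUser also accept a bare string, which means the role on the
// user's own (authentication) database.
function normalizeRole(r, userDb) {
  return typeof r === "string" ? { role: r, db: userDb } : { role: r.role, db: r.db };
}

const roleKey = (r) => `${r.role}@${r.db}`;

// Return { grant, revoke } that move the user from `current` to `desired`.
// Roles present in both are left untouched.
function planRoleChanges(current, desired, userDb) {
  const have = new Map(current.map((r) => normalizeRole(r, userDb)).map((r) => [roleKey(r), r]));
  const want = new Map(desired.map((r) => normalizeRole(r, userDb)).map((r) => [roleKey(r), r]));
  const grant = [...want.values()].filter((r) => !have.has(roleKey(r)));
  const revoke = [...have.values()].filter((r) => !want.has(roleKey(r)));
  return { grant, revoke };
}

// Render shell statements; revoke first so the user never holds more than it
// holds now while the change is applied.
function renderShell(user, userDb, plan) {
  const target = `db.getSiblingDB(${JSON.stringify(userDb)})`;
  const lines = [];
  if (plan.revoke.length) {
    lines.push(`${target}.revokeRolesFromUser(${JSON.stringify(user)}, ${JSON.stringify(plan.revoke)})`);
  }
  if (plan.grant.length) {
    lines.push(`${target}.grantRolesToUser(${JSON.stringify(user)}, ${JSON.stringify(plan.grant)})`);
  }
  return lines;
}

// s1's roles as returned by db.getUser("s1") in 2.8, and a constructed target:
// keep readWrite on scott, swap read on hr for read on reports.
const CURRENT_ROLES = [{ role: "readWrite", db: "scott" }, { role: "read", db: "hr" }];
const DESIRED_ROLES = ["readWrite", { role: "read", db: "reports" }];

const plan = planRoleChanges(CURRENT_ROLES, DESIRED_ROLES, "scott");
for (const line of renderShell("s1", "scott", plan)) console.log(line);
```

The rendered statements use db.getSiblingDB("scott") rather than use scott so they can be pasted into the shell or passed to mongo --eval regardless of the database the shell connected to; the user's authentication database is what matters for grant and revoke, not the connection's default database.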

2.10 User authentication

Authenticates the shell's current connection as a user of the current database, which must be the user's authentication database: s1 was created in scott, so the examples switch to scott even though the shell connected to test. Returns 1 on success and 0, together with an "Authentication failed" error, otherwise.

2.10.1 Syntax

Method 1:

db.auth( <username>, passwordPrompt() )
// Or
db.auth( <username>, <password> )

Method 2:

db.auth( {
    user: <username>,
    pwd: passwordPrompt(),      // Or "<cleartext password>"
    mechanism: <authentication mechanism>,
    digestPassword: <boolean>
} )

2.10.2 Example

Example 1:

[mongod@strong ~]$ mongo 192.168.56.102
MongoDB shell version v4.2.0
connecting to: mongodb://192.168.56.102:27017/test?compressors=disabled&gssapiServiceName=mongodb
Implicit session: session { "id" : UUID("0f30e70e-b04b-45ab-b44f-e2b31f93f01c") }
MongoDB server version: 4.2.0
> use scott
switched to db scott
> db.auth("s1",passwordPrompt())
Enter password:
1
> show collections
dept
emp
foo
inventory
students
user

Example 2:

[mongod@strong ~]$ mongo 192.168.56.102
MongoDB shell version v4.2.0
connecting to: mongodb://192.168.56.102:27017/test?compressors=disabled&gssapiServiceName=mongodb
Implicit session: session { "id" : UUID("32ed91e3-54a4-41e9-997c-54d6bca24b63") }
MongoDB server version: 4.2.0
> use scott
switched to db scott
> db.auth("s1","s1")
1
> show collections
dept
emp
foo
inventory
students
user

Besides the methods above, the user can also authenticate while connecting, by giving the user name and the authentication database on the command line. With -p given no value the shell prompts for the password, so it appears neither in the process list nor in the shell history; the cleartext forms used in Example 2 and in 2.3 do end up in ~/.dbshell, which is why passwordPrompt() (Example 1) or the prompt on connect are preferable.

[mongod@strong ~]$ mongo 192.168.56.102 -us1 -p --authenticationDatabase scott


Posted 2019-09-07 23:18 by 追梦男生