mongodb 3.2 用户权限管理配置
环境
MongoDB shell version: 3.2.6
Win 7
设置方法
用户权限设置
-
1、进入mongodb的shell :
mongo
-
2、切换数据库:
use admin
从3.0 版本起,默认只有 local
库,没有admin
库,需要我们自己来创建。
- 3、添加用户,指定用户的角色和数据库:
-
db.createUser( { user: "admin", customData:{description:"superuser"}, pwd: "admin", roles: [ { role: "userAdminAnyDatabase", db: "admin" } ] } ) user字段,为新用户的名字; pwd字段,用户的密码; cusomData字段,为任意内容,例如可以为用户全名介绍; roles字段,指定用户的角色,可以用一个空数组给新用户设定空角色。在roles字段,可以指定内置角色和用户定义的角色。
-
4、查看创建的用户 :
show users
或db.system.users.find()
-
5、启用用户权限:
修改配置文件,增加配置:
security:
authorization: enabled
重新启动mongodb
net stop mongodb;
net start mongodb;
- 6、用户验证使用:
启用用户验证后,再次登录mongo shell ,执行 show dbs
等命令会提示“没有权限”。此时,需要用户验证登录。
db.auth("admin","admin")
其他
内建的角色
- 数据库用户角色:read、readWrite;
- 数据库管理角色:dbAdmin、dbOwner、userAdmin;
- 集群管理角色:clusterAdmin、clusterManager、clusterMonitor、hostManager;
- 备份恢复角色:backup、restore;
- 所有数据库角色:readAnyDatabase、readWriteAnyDatabase、userAdminAnyDatabase、dbAdminAnyDatabase
- 超级用户角色:root
- // 这里还有几个角色间接或直接提供了系统超级用户的访问(dbOwner 、userAdmin、userAdminAnyDatabase)
- 内部角色:__system
官方详情角色说明 –> 传送门
配置文件示例
官方详解 –> 传送门
#此处为配置文件可配置的内容 #Mongod config file #MongoDB configuration files use the YAML format. #The following example configuration file contains several mongod settings. # ########Example Start######## #systemLog: # destination: file # path: "/var/log/mongodb/mongodb.log" # logAppend: true #storage: # journal: # enabled: true #processManagement: # fork: true #net: # bindIp: 127.0.0.1 # port: 27017 #setParameter: # enableLocalhostAuthBypass: false # ########Example End######## # ########Core Options systemLog: # verbosity: 0 #Default: 0; 1 to 5 increases the verbosity level to include Debug messages. # quiet: <boolean> # traceAllException: <boolean> # syslogFacility: user path: "/usr/local/mongodb/log/mongod.log" logAppend: true # logRotate: <string> #rename or reopen destination: file # timeStampFormat: iso8601-local # component: # accessControl: # verbosity: 0 # command: # verbosity: 0 # # COMMENT additional component verbosity settings omitted for brevity # storage: # verbosity: 0 # journal: # verbosity: <int> # write: # verbosity: 0 # # ########ProcessManagement Options processManagement: fork: true pidFilePath: "/usr/local/mongodb/log/mongod.pid" # # #########Net Options net: port: 27017 # bindIp: <string> #Default All interfaces. # maxIncomingConnections: 65536 # wireObjectCheck: true # ipv6: false # unixDomainSocket: # enabled: true # pathPrefix: "/tmp" # filePermissions: 0700 # http: # enabled: false # JSONPEnabled: false # RESTInterfaceEnabled: false # ssl: # sslOnNormalPorts: <boolean> # deprecated since 2.6 # mode: <string> # PEMKeyFile: <string> # PEMKeyPassword: <string> # clusterFile: <string> # clusterPassword: <string> # CAFile: <string> # CRLFile: <string> # allowConnectionsWithoutCertificates: <boolean> # allowInvalidCertificates: <boolean> # allowInvalidHostnames: false # FIPSMode: <boolean> # # ########security Options #security: # keyFile: <string> # clusterAuthMode: keyFile # authorization: disable # javascriptEnabled: true ########security.sasl Options # sasl: # hostName: <string> # serviceName: <string> # saslauthdSocketPath: <string> # # #########setParameter Option setParameter: enableLocalhostAuthBypass: false # <parameter1>: <value1> # <parameter2>: <value2> # # #########storage Options storage: dbPath: "/data/db" # indexBuildRetry: true # repairPath: "/data/db/_tmp" # journal: # enabled: true # directoryPerDB: false # syncPeriodSecs: 60 engine: "mmapv1" #Valid options include mmapv1 and wiredTiger. #########storage.mmapv1 Options # mmapv1: # preallocDataFiles: true # nsSize: 16 # quota: # enforced: false # maxFilesPerDB: 8 # smallFiles: false # journal: # debugFlags: <int> # commitIntervalMs: 100 # 100 or 30 #########storage.wiredTiger Options # wiredTiger: # engineConfig: # cacheSizeGB: <number> #Default: the maximum of half of physical RAM or 1 gigabyte # statisticsLogDelaySecs: 0 # journalCompressor: "snappy" # directoryForIndexes: false # collectionConfig: # blockCompressor: "snappy" # indexConfig: # prefixCompression: true # # ##########operationProfiling Options #operationProfiling: # slowOpThresholdMs: 100 # mode: "off" # # ##########replication Options #replication: # oplogSizeMB: <int> # replSetName: <string> # secondaryIndexPrefetch: all # # ##########sharding Options #sharding: # clusterRole: <string> #configsvr or shardsvr # archiveMovedChunks: True # # #########auditLog Options #auditLog: # destination: <string> #syslog/console/file # format: <string> #JSON/BSON # path: <string> # filter: <string> # # #########snmp Options #snmp: # subagent: <boolean> # master: <boolean> # # ########mongos-only Options #replication: # localPingThresholdMs: 15 # #sharding: # autoSplit: true # configDB: <string> # chunkSize: 64 # # ########Windows Service Options #processManagement: # windowsService: # serviceName: <string> # displayName: <string> # description: <string> # serviceUser: <string> # servicePassword: <string>