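// Authenticate as the administrator first: user and role administration in
// this walkthrough is done from the "admin" database. (`#` is not a comment
// in the mongo shell, so these lines now use `//` and can be pasted as-is.)
// NOTE(review): the admin password is hard-coded for the demo only; in a real
// script read it from the environment or prompt for it, and do not reuse
// "admin"/"admin".
use admin
db.auth("admin","admin")
// Custom roles are created in, and scoped to, the database that is current
// when db.createRole() runs — here "mydb".
use mydb
db.createRole({
 role: "testRole",
 // An empty collection name makes the resource db-wide: every non-system
 // collection in "mydb" rather than one named collection (confirm the exact
 // resource semantics for the server version in use). The only action
 // granted is read ("find").
 privileges: [{ resource: { db: "mydb", collection: "" }, actions: [ "find" ] }],
 // No inherited roles: the role carries exactly the privileges listed above.
 roles: []
})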
> use admin
switched to db admin
> 
> show collections
system.indexes
system.roles
system.users
system.version
> 
> db.system.roles.find();
{ "_id" : "mydb.testRole", "role" : "testRole", "db" : "mydb", "privileges" : [ { "resource" : { "db" : "mydb", "collection" : "" }, "actions" : [ "find" ] } ], "roles" : [ ] }
> 
// Create the demo user and bind it to the custom role. Like custom roles,
// users live in the database that is current when db.createUser() runs.
use mydb
var userSpec = {
  user: "userkk",
  pwd: "userkk",                                // demo credential only: same as the user name
  roles: [ { role: "testRole", db: "mydb" } ]   // role is resolved in "mydb"
};
db.createUser(userSpec);
[root@localhost ~]# mongo
MongoDB shell version: 3.0.2
connecting to: test
> use mydb
switched to db mydb
> 
> db.auth("userkk","userkk")
1
> 
> db.tab.find({"id":999})
{ "_id" : ObjectId("554ef5ac1b590330c00c7d02"), "id" : 999 }
> 
> db.tab.insert({"id":1000})
WriteResult({
	"writeError" : {
		"code" : 13,
		"errmsg" : "not authorized on mydb to execute command { insert: \"tab\", documents: [ { _id: ObjectId('554f145cdf782b42499d80e5'), id: 1000.0 } ], ordered: true }"
	}
})
> 
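// Switch back to the administrator to extend the role. The change is made
// in the database that owns the role ("mydb"). (`#` is not a mongo shell
// comment; `//` is.)
use admin
db.auth("admin","admin")
use mydb
// Add write actions to testRole. The resource is the same db-wide one as the
// original "find" grant, so the writes apply to every non-system collection
// in "mydb", not only "tab". If a single collection is all the user needs,
// grant the narrower resource { db: "mydb", collection: "tab" } instead.
db.grantPrivilegesToRole("testRole",
 [{ resource: { db: "mydb", collection: "" },actions: [ "update", "insert", "remove" ]}
])
// Leave the shell and log in again as userkk. The fresh session makes sure
// the next test runs with userkk's credentials only — presumably a shell
// connection can keep more than one authenticated user, so testing while
// still logged in as admin would exercise admin's rights (verify for your
// version; `exit` keeps the two identities separate either way).
exit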
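// Fresh session (after `exit`): authenticate as the low-privilege user.
use mydb
db.auth("userkk","userkk")
// With insert/update/remove now granted, the insert that earlier failed with
// error code 13 ("not authorized on mydb") should succeed.
db.tab.insert({"id":1000})
db.tab.find({"id":1000})
// Note: remove() deletes every document matching {"id":1000}, so any
// pre-existing document with that id is removed as well, not just the one
// inserted above.
db.tab.remove({"id":1000})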
#此时admin的角色记录为:
> db.system.roles.find();
{ "_id" : "mydb.testRole", "role" : "testRole", "db" : "mydb", "privileges" : [ { "resource" : { "db" : "mydb", "collection" : "" }, "actions" : [ "find", "insert", "remove", "update" ] } ], "roles" : [ ] }
> 
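// As admin, make testRole inherit the built-in readWrite role on "mydb".
// NOTE(review): readWrite is broader than the four explicit privileges —
// per the role table below it also allows createCollection, dropCollection,
// createIndex, dropIndex and more — so this widens what userkk can do. Keep
// the explicit privilege list if that is all the user needs.
use admin
db.auth("admin","admin")
use mydb
// NOTE(review): db.updateRole() is documented as replacing the fields it is
// given ("roles" here) rather than merging them; "privileges" is not named,
// so it should be left as is — confirm for the server version in use.
db.updateRole("testRole",{ roles:[{ role: "readWrite",db: "mydb"}]},{ w:"majority" })
// Log in again as userkk in a fresh session before testing, exactly as was
// done after grantPrivilegesToRole above. The original flow authenticated
// userkk while admin was still logged in on the same connection, so the
// "show dbs" that followed most likely ran with admin's privileges and did
// not demonstrate anything about testRole.
exit
use mydb
db.auth("userkk","userkk")
// "show dbs" needs the listDatabases action. Per the role table below,
// readWrite does not include it (readWriteAnyDatabase does), so expect
// "not authorized" here for userkk.
show dbs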
关于内置角色,以下是从官方文档提取的总结(对应上文所用的 3.0.x 版本);不同版本的动作列表有差异,授权前请以所用服务器版本的官方文档为准:
| 角色分类 | 角色 | 权限及角色 (本文大小写可能有些变化,使用时请参考官方文档) | 
| Database User Roles | read | CollStats,dbHash,dbStats,find,killCursors,listIndexes,listCollections | 
| readWrite | CollStats,ConvertToCapped,CreateCollection,DbHash,DbStats, DropCollection,CreateIndex,DropIndex,Emptycapped,Find, Insert,KillCursors,ListIndexes,ListCollections,Remove, RenameCollectionSameDB,update | |
| Database Administration Roles | dbAdmin | collStats,dbHash,dbStats,find,killCursors,listIndexes,listCollections, dropCollection 和 createCollection 在 system.profile | 
| dbOwner | 角色:readWrite, dbAdmin,userAdmin | |
| userAdmin | ChangeCustomData,ChangePassword,CreateRole,CreateUser, DropRole,DropUser,GrantRole,RevokeRole,ViewRole,viewUser | |
| Cluster Administration Roles | clusterAdmin | 角色:clusterManager, clusterMonitor, hostManager | 
| clusterManager | AddShard,ApplicationMessage,CleanupOrphaned,FlushRouterConfig, ListShards,RemoveShard,ReplSetConfigure,ReplSetGetStatus, ReplSetStateChange,Resync, EnableSharding,MoveChunk,SplitChunk,splitVector | |
| clusterMonitor | connPoolStats,cursorInfo,getCmdLineOpts,getLog,getParameter, getShardMap,hostInfo,inprog,listDatabases,listShards,netstat, replSetGetStatus,serverStatus,shardingState,top;数据库及集合级别:collStats,dbStats,getShardVersion | |
| hostManager | applicationMessage,closeAllDatabases,connPoolSync,cpuProfiler, diagLogging,flushRouterConfig,fsync,invalidateUserCache,killop, logRotate,resync,setParameter,shutdown,touch,unlock | |
| Backup and Restoration Roles | backup | 提供在admin数据库mms.backup文档中insert,update权限;列出所有数据库:listDatabases;列出所有集合索引:listIndexes;对以下提供查询操作:find *非系统集合 *系统集合:system.indexes, system.namespaces, system.js *集合:admin.system.users 和 admin.system.roles | 
| restore | 非系统集合、system.js,admin.system.users 和 admin.system.roles 及2.6 版本的system.users提供以下权限: collMod,createCollection,createIndex,dropCollection,insert;列出所有数据库:listDatabases;system.users :find,remove,update | |
| All-Database Roles | readAnyDatabase | 提供所有数据库中只读权限:read 列出集群所有数据库:listDatabases | 
| readWriteAnyDatabase | 提供所有数据库读写权限:readWrite 列出集群所有数据库:listDatabases | |
| userAdminAnyDatabase | 提供所有用户数据管理权限:userAdmin Cluster:authSchemaUpgrade,invalidateUserCache,listDatabases admin.system.users和admin.system.roles: collStats,dbHash,dbStats,find,killCursors,planCacheRead createIndex,dropIndex | |
| dbAdminAnyDatabase | 提供所有数据库管理员权限:dbAdmin 列出集群所有数据库:listDatabases | |
| Superuser Roles | root | 角色:dbOwner,userAdmin,userAdminAnyDatabase, readWriteAnyDatabase, dbAdminAnyDatabase, clusterAdmin | 
| Internal Role | __system | 集群中对任何数据库采取任何操作(内部角色,仅供集群内部使用,不应授予普通用户) | 
参考:mongo Shell Methods , Built-In Roles
MongoDB 基础(六)安全认证(权限操作)