Summary:
MongoDB 3.0 security and access control: the way users are added in 3.0 differs considerably from earlier versions. The following describes how to add users in 3.0.
Test environment:
After installing MongoDB, first start it with auth authentication turned off and connect to it. Listing the databases shows only the local database; the admin database does not exist yet:
root@zhoujinyi:/usr/local/mongo4# mongo --port=27020
MongoDB shell version: 3.0.4
connecting to: 127.0.0.1:27020/test
2015-06-29T09:31:08.673-0400 I CONTROL  [initandlisten]
> show dbs;
local  0.078GB
Now create an account that has the grant privilege, i.e. an account for user management. Note that an account belongs to the database it is created in, so an account authorized in a given database must also authenticate (auth) in that same database.
> use admin
switched to db admin
> db.createUser(
... {
...   user: "dba",
...   pwd: "dba",
...   roles: [ { role: "userAdminAnyDatabase", db: "admin" } ]
... }
... )
Successfully added user: {
	"user" : "dba",
	"roles" : [
		{
			"role" : "userAdminAnyDatabase",
			"db" : "admin"
		}
	]
}
The fields of the command executed above:
user: the username
pwd: the password
roles: the roles assigned to the user; an empty array creates a user with no roles. The roles field may contain built-in roles and user-defined roles. The built-in roles that can be selected are:
Built-in roles:
1. Database user roles: read, readWrite
2. Database administration roles: dbAdmin, dbOwner, userAdmin
3. Cluster administration roles: clusterAdmin, clusterManager, clusterMonitor, hostManager
4. Backup and restore roles: backup, restore
5. All-database roles: readAnyDatabase, readWriteAnyDatabase, userAdminAnyDatabase, dbAdminAnyDatabase
6. Superuser role: root
// Several of these roles directly or indirectly provide access to a superuser on the system (dbOwner, userAdmin, userAdminAnyDatabase), because they can create or grant further users.
7. Internal role: __system
What each role grants:
read: allows the user to read the specified database
readWrite: allows the user to read and write the specified database
dbAdmin: allows the user to perform administrative functions in the specified database, such as creating and dropping indexes, viewing statistics, or accessing system.profile
userAdmin: allows the user to write to the system.users collection, i.e. to create, delete, and manage users in the specified database
clusterAdmin: available only in the admin database; gives the user administrative privileges over all sharding- and replica-set-related functions
readAnyDatabase: available only in the admin database; gives the user read access to all databases
readWriteAnyDatabase: available only in the admin database; gives the user read and write access to all databases
userAdminAnyDatabase: available only in the admin database; gives the user userAdmin privileges on all databases
dbAdminAnyDatabase: available only in the admin database; gives the user dbAdmin privileges on all databases
root: available only in the admin database; the super account with super privileges
The userAdminAnyDatabase role set up above is for managing users: an account holding it can create and delete users. To verify this, mongod needs to be started with the auth parameter turned on.
root@zhoujinyi:/usr/local/mongo4# mongo --port=27020
MongoDB shell version: 3.0.4
connecting to: 127.0.0.1:27020/test
> show dbs;   # not authenticated yet, so there is no permission
2015-06-29T10:02:16.634-0400 E QUERY    Error: listDatabases failed:{ "ok" : 0, "errmsg" : "not authorized on admin to execute command { listDatabases: 1.0 }", "code" : 13 }
    at Error (<anonymous>)
    at Mongo.getDBs (src/mongo/shell/mongo.js:47:15)
    at shellHelper.show (src/mongo/shell/utils.js:630:33)
    at shellHelper (src/mongo/shell/utils.js:524:36)
    at (shellhelp2):1:1 at src/mongo/shell/mongo.js:47
> use admin   # authenticate: the account was added under admin, so switch to admin to authenticate
switched to db admin
> db.auth('dba', 'dba')
1
> show dbs;
admin  0.078GB
local  0.078GB
> use test    # create accounts in the test database
switched to db test
> db.createUser(
... {
...   user: "zjyr",
...   pwd: "zjyr",
...   roles: [
...     { role: "read", db: "test" }   # read-only account
...   ]
... }
... )
Successfully added user: { "user" : "zjyr", "roles" : [ { "role" : "read", "db" : "test" } ] }
> db.createUser(
... {
...   user: "zjy",
...   pwd: "zjy",
...   roles: [
...     { role: "readWrite", db: "test" }   # read/write account
...   ]
... }
... )
Successfully added user: { "user" : "zjy", "roles" : [ { "role" : "readWrite", "db" : "test" } ] }
> show users;   # list the users of the current database
{ "_id" : "test.zjyr", "user" : "zjyr", "db" : "test", "roles" : [ { "role" : "read", "db" : "test" } ] }
{ "_id" : "test.zjy", "user" : "zjy", "db" : "test", "roles" : [ { "role" : "readWrite", "db" : "test" } ] }
The two accounts created above are now verified. Prerequisite for the verification: a collection is needed