DB Intro: MongoDB User

Source: Internet
Author: User
Tags: dba

Summary:

MongoDB 3.0 security access control: adding users in version 3.0 and later differs considerably from earlier versions. Below is the method of adding users in 3.0.



Environment and testing:



After installing MongoDB, first start it with auth authentication turned off. Connect and list the databases: there is only the local database, and the admin database does not exist yet:

[email protected]:/usr/local/mongo4# mongo --port=27020
MongoDB shell version: 3.0.4
connecting to: 127.0.0.1:27020/test
2015-06-29T09:31:08.673-0400 I CONTROL  [initandlisten]
> show dbs;
local 0.078GB
Now we need to create an account that has grant permissions, that is, an account for user management. Note that an account belongs to the database it was created in, so an account authorized in a given database must also authenticate (auth) in that database.

> use admin
switched to db admin
> db.createUser(
... {
... user: "dba",
... pwd: "dba",
... roles: [{role: "userAdminAnyDatabase", db: "admin"}]
...}
...)
Successfully added user: {
    "user": "dba",
    "roles": [
        {
            "role": "userAdminAnyDatabase",
            "db": "admin"
        }
    ]
}
The fields of the db.createUser() call above are:

user: user name

pwd: password

roles: the roles of the user. An empty array gives the new user no roles; the roles field can hold both built-in roles and user-defined roles. The role value can be chosen from:

  Built-in roles:
    1. Database user roles: read, readWrite;
    2. Database administration roles: dbAdmin, dbOwner, userAdmin;
    3. Cluster administration roles: clusterAdmin, clusterManager, clusterMonitor, hostManager;
    4. Backup and restore roles: backup, restore;
    5. All-database roles: readAnyDatabase, readWriteAnyDatabase, userAdminAnyDatabase, dbAdminAnyDatabase;
    6. Superuser role: root;
    // Note: several roles provide direct or indirect access to superuser privileges (dbOwner, userAdmin, userAdminAnyDatabase)
    7. Internal role: __system
Specific roles:

read: allows the user to read the specified database
readWrite: allows the user to read and write the specified database
dbAdmin: allows the user to perform administrative functions in the specified database, such as creating and dropping indexes, viewing statistics, or accessing system.profile
userAdmin: allows the user to write to the system.users collection, i.e. to find, create, delete and manage users in the specified database
clusterAdmin: only available in the admin database; gives the user administrative rights over all functions related to sharding and replica sets
readAnyDatabase: only available in the admin database; gives the user read access to all databases
readWriteAnyDatabase: only available in the admin database; gives the user read and write access to all databases
userAdminAnyDatabase: only available in the admin database; gives the user userAdmin permissions on all databases
dbAdminAnyDatabase: only available in the admin database; gives the user dbAdmin permissions on all databases
root: only available in the admin database; the superuser account with all permissions
The account just created with the userAdminAnyDatabase role is for managing users: it can create and delete users. Now enable authentication by starting mongod with the auth parameter, then connect again:

[email protected]:/usr/local/mongo4# mongo --port=27020
MongoDB shell version: 3.0.4
connecting to: 127.0.0.1:27020/test
> show dbs;   # not authenticated yet, so no permission
2015-06-29T10:02:16.634-0400 E QUERY    Error: listDatabases failed: {
    "ok": 0,
    "errmsg": "not authorized on admin to execute command { listDatabases: 1.0 }",
    "code": 13
}
    at Error (<anonymous>)
    at Mongo.getDBs (src/mongo/shell/mongo.js:47:15)
    at shellHelper.show (src/mongo/shell/utils.js:630:33)
    at shellHelper (src/mongo/shell/utils.js:524:36)
    at (shellhelp2):1:1 at src/mongo/shell/mongo.js:47
> use admin   # authenticate here: the account was created under admin, so it must authenticate under admin
switched to db admin
> db.auth('dba', 'dba')
1
> show dbs;
admin 0.078GB
local 0.078GB
> use test   # create accounts in the test database
switched to db test
> db.createUser(
... {
... user: "zjyr",
... pwd: "zjyr",
... roles: [
... {role: "read", db: "test"}   # read-only account
...]
...}
...)
Successfully added user: {
    "user": "zjyr",
    "roles": [
        {
            "role": "read",
            "db": "test"
        }
    ]
}
> db.createUser(
... {
... user: "zjy",
... pwd: "zjy",
... roles: [
... {role: "readWrite", db: "test"}   # read-write account
...]
...}
...)
Successfully added user: {
    "user": "zjy",
    "roles": [
        {
            "role": "readWrite",   # read-write account
            "db": "test"
        }
    ]
}
> show users;   # list the users in the current database
{
    "_id": "test.zjyr",
    "user": "zjyr",
    "db": "test",
    "roles": [
        {
            "role": "read",
            "db": "test"
        }
    ]
}
{
    "_id": "test.zjy",
    "user": "zjy",
    "db": "test",
    "roles": [
        {
            "role": "readWrite",
            "db": "test"
        }
    ]
}
Two accounts have been created above; now verify them. A collection is required for the verification:

> db.abc.insert({"a": 1, "b": 2})   # insert fails, no permission: userAdminAnyDatabase only grants user management, nothing else
WriteResult({
    "writeError": {
        "code": 13,
        "errmsg": "not authorized on test to execute command { insert: \"abc\", documents: [ { _id: ObjectId('55915185d629831d887ce2cb'), a: 1.0, b: 2.0 } ], ordered: true }"
    }
})
>
bye
[email protected]:/usr/local/mongo4# mongo --port=27020
MongoDB shell version: 3.0.4
connecting to: 127.0.0.1:27020/test
> use test
switched to db test
> db.auth('zjy', 'zjy')   # write with the readWrite account created above
1
> db.abc.insert({"a": 1, "b": 2})
WriteResult({"nInserted": 1})
> db.abc.insert({"a": 11, "b": 22})
WriteResult({"nInserted": 1})
> db.abc.insert({"a": 111, "b": 222})
WriteResult({"nInserted": 1})
> db.abc.find()
{"_id": ObjectId("559151a1b78649ebd8316853"), "a": 1, "b": 2}
{"_id": ObjectId("559151cab78649ebd8316854"), "a": 11, "b": 22}
{"_id": ObjectId("559151ceb78649ebd8316855"), "a": 111, "b": 222}
> db.auth('zjyr', 'zjyr')   # switch to the account with read permission only
1
> db.abc.insert({"a": 1111, "b": 2222})   # cannot write
WriteResult({
    "writeError": {
        "code": 13,
        "errmsg": "not authorized on test to execute command { insert: \"abc\", documents: [ { _id: ObjectId('559151ebb78649ebd8316856'), a: 1111.0, b: 2222.0 } ], ordered: true }"
    }
})
> db.abc.find()   # can read
{"_id": ObjectId("559151a1b78649ebd8316853"), "a": 1, "b": 2}
{"_id": ObjectId("559151cab78649ebd8316854"), "a": 11, "b": 22}
{"_id": ObjectId("559151ceb78649ebd8316855"), "a": 111, "b": 222}
Is there a superuser that can not only grant privileges but also perform arbitrary operations on collections? Yes, but it is not recommended: set the role to root.

> db.auth('dba', 'dba')
1
> db.createUser(
... {
... user: "zhoujinyi",
... pwd: "zhoujinyi",
... roles: [
... {role: "root", db: "admin"}   # superuser root account
...]
...}
...)
Successfully added user: {
    "user": "zhoujinyi",
    "roles": [
        {
            "role": "root",
            "db": "admin"
        }
    ]
}
>
> show users;   # list the users in the current database
{
    "_id": "admin.dba",
    "user": "dba",
    "db": "admin",
    "roles": [
        {
            "role": "userAdminAnyDatabase",
            "db": "admin"
        }
    ]
}
{
    "_id": "admin.zhoujinyi",
    "user": "zhoujinyi",
    "db": "admin",
    "roles": [
        {
            "role": "root",
            "db": "admin"
        }
    ]
}
> use admin
switched to db admin
> db.auth('zhoujinyi', 'zhoujinyi')
1
> use test
switched to db test
> db.abc.insert({"a": 1, "b": 2})
WriteResult({"nInserted": 1})
> db.abc.insert({"a": 1111, "b": 2222})   # permission granted
WriteResult({"nInserted": 1})
> db.abc.find()
{"_id": ObjectId("5591539bb78649ebd8316857"), "a": 1, "b": 2}
{"_id": ObjectId("559153a0b78649ebd8316858"), "a": 1111, "b": 2222}
> db.abc.remove({})
WriteResult({"nRemoved": 2})
Because an account must authenticate in the database it was created in, what happens if the roles it is given are for databases other than the current one?

> db
admin
> db.createUser(
... {
... user: "dxy",
... pwd: "dxy",
... roles: [
... {role: "readWrite", db: "test"},   # under the current database (admin), create an account with roles on other databases: test and abc
... {role: "readWrite", db: "abc"}
...]
...}
...)
Successfully added user: {
    "user": "dxy",
    "roles": [
        {
            "role": "readWrite",
            "db": "test"
        },
        {
            "role": "readWrite",
            "db": "abc"
        }
    ]
}
>
> show users;
{
    "_id": "admin.dba",
    "user": "dba",
    "db": "admin",
    "roles": [
        {
            "role": "userAdminAnyDatabase",
            "db": "admin"
        }
    ]
}
{
    "_id": "admin.zhoujinyi",
    "user": "zhoujinyi",
    "db": "admin",
    "roles": [
        {
            "role": "root",
            "db": "admin"
        }
    ]
}
{
    "_id": "admin.dxy",
    "user": "dxy",
    "db": "admin",
    "roles": [
        {
            "role": "readWrite",
            "db": "test"
        },
        {
            "role": "readWrite",
            "db": "abc"
        }
    ]
}
> use test
switched to db test
> db.auth('dxy', 'dxy')   # an account created under admin cannot authenticate directly in another database
Error: 18 Authentication failed.
0
> use admin
switched to db admin   # authenticate only in the database the account was created in, then switch to other databases to work
> db.auth('dxy', 'dxy')
1
> use test
switched to db test
> db.abc.insert({"a": 1111, "b": 2222})
WriteResult({"nInserted": 1})
> use abc
switched to db abc
> db.abc.insert({"a": 1111, "b": 2222})
WriteResult({"nInserted": 1})
The above further shows that a database account belongs to the database it was created in: authenticate where the account was created, then work in the other databases.

With so many accounts created, how do we view all of them?

> use admin
switched to db admin
> db.auth('dba', 'dba')
1
> db.system.users.find().pretty()
{
    "_id": "admin.dba",
    "user": "dba",
    "db": "admin",
    "credentials": {
        "SCRAM-SHA-1": {
            "iterationCount": 10000,
            "salt": "KfDUzCOIUo7WVjFr64ZOcQ==",
            "storedKey": "t4sPsKG2dXnZztVYj5EgdUzT9sc=",
            "serverKey": "2vCGiq9NIc1zKqeEL6VvO4rP26A="
        }
    },
    "roles": [
        {
            "role": "userAdminAnyDatabase",
            "db": "admin"
        }
    ]
}
{
    "_id": "test.zjyr",
    "user": "zjyr",
    "db": "test",
    "credentials": {
        "SCRAM-SHA-1": {
            "iterationCount": 10000,
            "salt": "h1gOW3J7wzJuTqgmmQgJKQ==",
            "storedKey": "7lkoANdxM2py0qiDBzFaZYPp1cM=",
            "serverKey": "Qyu6IRNyaKLUvqJ2CAa/tQYY36c="
        }
    },
    "roles": [
        {
            "role": "read",
            "db": "test"
        }
    ]
}
{
    "_id": "test.zjy",
    "user": "zjy",
    "db": "test",
    "credentials": {
        "SCRAM-SHA-1": {
            "iterationCount": 10000,
            "salt": "afwaKuTYPWwbDBduQ4Hm7g==",
            "storedKey": "ebb2LYLn4hiOVlZqgrAKBdStfn8=",
            "serverKey": "LG2qWwuuV+FNMmr9lWs+Rb3DIhQ="
        }
    },
    "roles": [
        {
            "role": "readWrite",
            "db": "test"
        }
    ]
}
{
    "_id": "admin.zhoujinyi",
    "user": "zhoujinyi",
    "db": "admin",
    "credentials": {
        "SCRAM-SHA-1": {
            "iterationCount": 10000,
            "salt": "pE2cSOYtBOYevk8tqrwbSQ==",
            "storedKey": "TwMxdnlB5Eiaqg4tNh9ByNuUp9A=",
            "serverKey": "Mofr9ohVlFfR6/md4LMRkOhXouc="
        }
    },
    "roles": [
        {
            "role": "root",
            "db": "admin"
        }
    ]
}
{
    "_id": "admin.dxy",
    "user": "dxy",
    "db": "admin",
    "credentials": {
        "SCRAM-SHA-1": {
            "iterationCount": 10000,
            "salt": "XD6smcWX4tdg/ZJPoLxxRg==",
            "storedKey": "F4uiayykHDp/r9krAKZjdr+gqjM=",
            "serverKey": "Kf51IU9J3RIrB8CFn5Z5hEKMSkw="
        }
    },
    "roles": [
        {
            "role": "readWrite",
            "db": "test"
        },
        {
            "role": "readWrite",
            "db": "abc"
        }
    ]
}
> db.system.users.find().count()
5
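As an added example (not part of the original post), the following Node.js script ties together the role list above and the authentication-database rule shown with the dxy account: it audits user documents shaped like the db.system.users output for roles that give superuser-level control, reports which databases an account can use but cannot authenticate in, and builds a driver connection string with the standard authSource option set to the account's own database. The sample documents are constructed from this page's accounts (credentials omitted), and the set of privileged roles is an assumption based on the page's note about dbOwner, userAdmin and userAdminAnyDatabase.

```javascript
// Added example (not from the original post): audit the documents that
// db.system.users.find() returns and derive the authSource for each account.
// Assumed privileged set: the roles the page flags as giving direct or indirect
// superuser access, plus root and the internal __system role.
const PRIVILEGED = new Set(["root", "__system", "userAdminAnyDatabase", "userAdmin", "dbOwner"]);

// Constructed sample: the five accounts created on this page, credentials omitted.
const SAMPLE_USERS = [
  { _id: "admin.dba", user: "dba", db: "admin", roles: [{ role: "userAdminAnyDatabase", db: "admin" }] },
  { _id: "test.zjyr", user: "zjyr", db: "test", roles: [{ role: "read", db: "test" }] },
  { _id: "test.zjy", user: "zjy", db: "test", roles: [{ role: "readWrite", db: "test" }] },
  { _id: "admin.zhoujinyi", user: "zhoujinyi", db: "admin", roles: [{ role: "root", db: "admin" }] },
  { _id: "admin.dxy", user: "dxy", db: "admin",
    roles: [{ role: "readWrite", db: "test" }, { role: "readWrite", db: "abc" }] },
];

// The database an account must authenticate against is the one its user document
// lives in (the "db" field), not the databases its roles grant access to.
function authSource(userDoc) {
  return userDoc.db;
}

// Databases the account can work in but cannot authenticate in (the page's dxy case).
function crossDbGrants(userDoc) {
  return [...new Set(userDoc.roles.map((r) => r.db).filter((db) => db !== userDoc.db))];
}

// Driver connection string with authSource set correctly for the account;
// the password is supplied by the caller and never kept with the audit data.
function connectionUri(userDoc, password, host, port) {
  const u = encodeURIComponent(userDoc.user);
  const p = encodeURIComponent(password);
  return `mongodb://${u}:${p}@${host}:${port}/?authSource=${authSource(userDoc)}`;
}

// Least-privilege audit: accounts holding roles that can take over the deployment.
function auditUsers(users) {
  const findings = [];
  for (const u of users) {
    const risky = u.roles.filter((r) => PRIVILEGED.has(r.role)).map((r) => `${r.role}@${r.db}`);
    if (risky.length > 0) findings.push({ user: u._id, authSource: authSource(u), roles: risky });
  }
  return findings;
}

// Stand-alone run: print the findings and each account's cross-database grants.
for (const f of auditUsers(SAMPLE_USERS)) console.log("privileged:", f.user, f.roles.join(", "));
for (const u of SAMPLE_USERS) console.log(u._id, "authSource =", authSource(u), "cross-db:", crossDbGrants(u));
```

On a real deployment the input would be the result of db.system.users.find() run by a user-admin account, which keeps the audit itself read-only.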
Which role is needed for backup and restore? Use the accounts created earlier: zjy has read and write permissions on the test database, and zjyr has read permissions on test.

[email protected]:~# mongodump --port=27020 -uzjyr -pzjyr --db=test -o backup   # read permission is enough to dump
2015-06-29T11:20:04.864-0400 writing test.abc to backup/test/abc.bson
2015-06-29T11:20:04.865-0400 writing test.abc metadata to backup/test/abc.metadata.json
2015-06-29T11:20:04.866-0400 done dumping test.abc
2015-06-29T11:20:04.867-0400 writing test.system.indexes to backup/test/system.indexes.bson


[email protected]:~# mongorestore --port=27020 -uzjy -pzjy --db=test backup/test/   # read and write permission is needed to restore
2015-06-29T11:20:26.607-0400 building a list of collections to restore from backup/test/ dir
2015-06-29T11:20:26.609-0400 reading metadata file from backup/test/abc.metadata.json
2015-06-29T11:20:26.609-0400 restoring test.abc from file backup/test/abc.bson
2015-06-29T11:20:26.611-0400 error: E11000 duplicate key error index: test.abc.$_id_ dup key: { : ObjectId('559154efb78649ebd831685a') }
2015-06-29T11:20:26.611-0400 restoring indexes for collection test.abc from metadata
2015-06-29T11:20:26.612-0400 finished restoring test.abc
2015-06-29T11:20:26.612-0400 done