MongoDB 3.0 User Creation

Source: Internet
Author: User
Tags: auth

Summary:

MongoDB 3.0 changed access control considerably: the way users are added differs a great deal from earlier versions. This post walks through adding users on 3.0 and checking what each role actually allows.

Test environment:

After installing MongoDB, start it with auth disabled and list the databases: only the local database exists, and there is no admin database yet.

[email protected]:/usr/local/mongo4# mongo --port=27020
MongoDB shell version: 3.0.4
connecting to: 127.0.0.1:27020/test
2015-06-29T09:31:08.673-0400 I CONTROL  [initandlisten]
> show dbs;
local  0.078GB

The first account to create is one that can grant roles, i.e. a user-administration account. Note that a user belongs to the database it is created in: a user created in a given database must also authenticate (db.auth) in that same database.

> use admin
switched to db admin
> db.createUser(
...   {
...     user: "dba",
...     pwd: "dba",
...     roles: [ { role: "userAdminAnyDatabase", db: "admin" } ]
...   }
... )
Successfully added user: {
    "user" : "dba",
    "roles" : [
        {
            "role" : "userAdminAnyDatabase",
            "db" : "admin"
        }
    ]
}

The fields of the command above:

user: user name

pwd: password

roles: the roles granted to the user. An empty array creates a user with no roles. The roles field accepts both built-in roles and user-defined roles. The built-in roles are:

Built-in roles:
  1. Database user roles: read, readWrite
  2. Database administration roles: dbAdmin, dbOwner, userAdmin
  3. Cluster administration roles: clusterAdmin, clusterManager, clusterMonitor, hostManager
  4. Backup and restore roles: backup, restore
  5. All-database roles: readAnyDatabase, readWriteAnyDatabase, userAdminAnyDatabase, dbAdminAnyDatabase
  6. Superuser role: root (note that several other roles also provide superuser access, directly or indirectly, because a user administrator can grant further roles: dbOwner, userAdmin, userAdminAnyDatabase)
  7. Internal role: __system

What each role grants:

read: read the specified database
readWrite: read and write the specified database
dbAdmin: perform administrative tasks in the specified database, such as creating and dropping indexes, viewing statistics, or accessing system.profile
userAdmin: write to the system.users collection; create, drop and manage users in the specified database
clusterAdmin: available only in the admin database; administrative rights over all sharding and replica set functions
readAnyDatabase: available only in the admin database; read access to all databases
readWriteAnyDatabase: available only in the admin database; read and write access to all databases
userAdminAnyDatabase: available only in the admin database; userAdmin rights on all databases
dbAdminAnyDatabase: available only in the admin database; dbAdmin rights on all databases
root: available only in the admin database; the superuser, with every privilege

The userAdminAnyDatabase account just created can now create and delete users. To verify this, restart mongod with authentication enabled (the --auth parameter) and connect again:

[email protected]:/usr/local/mongo4# mongo --port=27020
MongoDB shell version: 3.0.4
connecting to: 127.0.0.1:27020/test
> show dbs;                       // not authenticated, so no permission
2015-06-29T10:02:16.634-0400 E QUERY    Error: listDatabases failed:{ "ok" : 0, "errmsg" : "not authorized on admin to execute command { listDatabases: 1.0 }", "code" : ... }
    at Error (<anonymous>)
    at Mongo.getDBs (src/mongo/shell/mongo.js:47:15)
    at shellHelper.show (src/mongo/shell/utils.js:630:33)
    at shellHelper (src/mongo/shell/utils.js:524:36)
    at (shellhelp2):1:1 at src/mongo/shell/mongo.js:47
> use admin                       // the account was created in admin, so authenticate in admin
switched to db admin
> db.auth('dba', 'dba')
1
> show dbs;
admin  0.078GB
local  0.078GB
> use test                        // create accounts in the test database
switched to db test
> db.createUser(
...   {
...     user: "zjyr",
...     pwd: "zjyr",
...     roles: [ { role: "read", db: "test" } ]        // read-only account
...   }
... )
Successfully added user: { "user" : "zjyr", "roles" : [ { "role" : "read", "db" : "test" } ] }
> db.createUser(
...   {
...     user: "zjy",
...     pwd: "zjy",
...     roles: [ { role: "readWrite", db: "test" } ]   // read-write account
...   }
... )
Successfully added user: { "user" : "zjy", "roles" : [ { "role" : "readWrite", "db" : "test" } ] }
> show users;                     // list the users of the current database
{ "_id" : "test.zjyr", "user" : "zjyr", "db" : "test", "roles" : [ { "role" : "read", "db" : "test" } ] }
{ "_id" : "test.zjy", "user" : "zjy", "db" : "test", "roles" : [ { "role" : "readWrite", "db" : "test" } ] }

Two accounts have now been created; next, verify what they can do. A collection is needed first. Still authenticated as dba:

> db.abc.insert({"a": 1, "b": 2})   // insert fails: no permission. userAdminAnyDatabase only covers user management, nothing else
WriteResult({ "writeError" : { "code" : ..., "errmsg" : "not authorized on test to execute command { insert: \"abc\", documents: [ { _id: ObjectId('55915185d629831d887ce2cb'), a: 1.0, b: 2.0 } ], ordered: true }" } })
> bye
[email protected]:/usr/local/mongo4# mongo --port=27020
MongoDB shell version: 3.0.4
connecting to: 127.0.0.1:27020/test
> use test
switched to db test
> db.auth('zjy', 'zjy')           // write with the readWrite account created above
1
> db.abc.insert({"a": 1, "b": 2})
WriteResult({ "nInserted" : 1 })
> db.abc.insert({"a": 11, "b": 22})
WriteResult({ "nInserted" : 1 })
> db.abc.insert({"a": 111, "b": 222})
WriteResult({ "nInserted" : 1 })
> db.abc.find()
{ "_id" : ObjectId("559151a1b78649ebd8316853"), "a" : 1, "b" : 2 }
{ "_id" : ObjectId("559151cab78649ebd8316854"), "a" : 11, "b" : 22 }
{ "_id" : ObjectId("559151ceb78649ebd8316855"), "a" : 111, "b" : 222 }
> db.auth('zjyr', 'zjyr')         // switch to the account that only has read
1
> db.abc.insert({"a": 1111, "b": 2222})   // cannot write
WriteResult({ "writeError" : { "code" : ..., "errmsg" : "not authorized on test to execute command { insert: \"abc\", documents: [ { _id: ObjectId('559151ebb78649ebd8316856'), a: 1111.0, b: 2222.0 } ], ordered: true }" } })
> db.abc.find()                   // reading works
{ "_id" : ObjectId("559151a1b78649ebd8316853"), "a" : 1, "b" : 2 }
{ "_id" : ObjectId("559151cab78649ebd8316854"), "a" : 11, "b" : 22 }
{ "_id" : ObjectId("559151ceb78649ebd8316855"), "a" : 111, "b" : 222 }

Is there a superuser that can both manage users and operate on collections without restriction? Yes: grant the root role. It is not recommended for day-to-day accounts, precisely because it has every privilege.

> db.auth('dba', 'dba')
1
> db.createUser(
...   {
...     user: "zhoujinyi",
...     pwd: "zhoujinyi",
...     roles: [ { role: "root", db: "admin" } ]   // superuser (root) account
...   }
... )
Successfully added user: { "user" : "zhoujinyi", "roles" : [ { "role" : "root", "db" : "admin" } ] }
> show users;                     // users of the current database (admin)
{ "_id" : "admin.dba", "user" : "dba", "db" : "admin", "roles" : [ { "role" : "userAdminAnyDatabase", "db" : "admin" } ] }
{ "_id" : "admin.zhoujinyi", "user" : "zhoujinyi", "db" : "admin", "roles" : [ { "role" : "root", "db" : "admin" } ] }
> use admin
switched to db admin
> db.auth('zhoujinyi', 'zhoujinyi')
1
> use test
switched to db test
> db.abc.insert({"a": 1, "b": 2})
WriteResult({ "nInserted" : 1 })
> db.abc.insert({"a": 1111, "b": 2222})   // root has every privilege
WriteResult({ "nInserted" : 1 })
> db.abc.find()
{ "_id" : ObjectId("5591539bb78649ebd8316857"), "a" : 1, "b" : 2 }
{ "_id" : ObjectId("559153a0b78649ebd8316858"), "a" : 1111, "b" : 2222 }
> db.abc.remove({})
WriteResult({ "nRemoved" : 2 })

An account authenticates in the database it was created in. What happens when the roles it holds are on a different database?

> db
admin
> db.createUser(
...   {
...     user: "dxy",
...     pwd: "dxy",
...     roles: [
...       { role: "readWrite", db: "test" },   // created in admin, with roles on other databases (test and abc)
...       { role: "readWrite", db: "abc" }
...     ]
...   }
... )
Successfully added user: { "user" : "dxy", "roles" : [ { "role" : "readWrite", "db" : "test" }, { "role" : "readWrite", "db" : "abc" } ] }
> show users;
{ "_id" : "admin.dba", "user" : "dba", "db" : "admin", "roles" : [ { "role" : "userAdminAnyDatabase", "db" : "admin" } ] }
{ "_id" : "admin.zhoujinyi", "user" : "zhoujinyi", "db" : "admin", "roles" : [ { "role" : "root", "db" : "admin" } ] }
{ "_id" : "admin.dxy", "user" : "dxy", "db" : "admin", "roles" : [ { "role" : "readWrite", "db" : "test" }, { "role" : "readWrite", "db" : "abc" } ] }
> use test
switched to db test
> db.auth('dxy', 'dxy')           // an account created in admin cannot authenticate directly in another database
Error: 18 authentication failed.
0
> use admin                       // authenticate in the database the account was created in, then switch databases
switched to db admin
> db.auth('dxy', 'dxy')
1
> use test
switched to db test
> db.abc.insert({"a": 1111, "b": 2222})
WriteResult({ "nInserted" : 1 })
> use abc
switched to db abc
> db.abc.insert({"a": 1111, "b": 2222})
WriteResult({ "nInserted" : 1 })

This confirms the rule: an account is tied to the database it was created in, and that is where it must authenticate, whatever databases its roles apply to.

With this many accounts created, how do you list all of them? They are stored in admin.system.users:

> use admin
switched to db admin
> db.auth('dba', 'dba')
1
> db.system.users.find().pretty()
{
    "_id" : "admin.dba",
    "user" : "dba",
    "db" : "admin",
    "credentials" : {
        "SCRAM-SHA-1" : {
            "iterationCount" : 10000,
            "salt" : "kfduzcoiuo7wvjfr64zocq==",
            "storedKey" : "t4spskg2dxnzztvyj5egduzt9sc=",
            "serverKey" : "2vcgiq9nic1zkqeel6vvo4rp26a="
        }
    },
    "roles" : [ { "role" : "userAdminAnyDatabase", "db" : "admin" } ]
}
{
    "_id" : "test.zjyr",
    "user" : "zjyr",
    "db" : "test",
    "credentials" : {
        "SCRAM-SHA-1" : {
            "iterationCount" : 10000,
            "salt" : "h1gow3j7wzjutqgmmqgjkq==",
            "storedKey" : "7lkoandxm2py0qidbzfazypp1cm=",
            "serverKey" : "qyu6irnyakluvqj2caa/tqyy36c="
        }
    },
    "roles" : [ { "role" : "read", "db" : "test" } ]
}
{
    "_id" : "test.zjy",
    "user" : "zjy",
    "db" : "test",
    "credentials" : {
        "SCRAM-SHA-1" : {
            "iterationCount" : 10000,
            "salt" : "afwakutypwwbdbduq4hm7g==",
            "storedKey" : "ebb2lyln4hiovlzqgrakbdstfn8=",
            "serverKey" : "lg2qwwuuv+fnmmr9lws+rb3dihq="
        }
    },
    "roles" : [ { "role" : "readWrite", "db" : "test" } ]
}
{
    "_id" : "admin.zhoujinyi",
    "user" : "zhoujinyi",
    "db" : "admin",
    "credentials" : {
        "SCRAM-SHA-1" : {
            "iterationCount" : 10000,
            "salt" : "pe2csoytboyevk8tqrwbsq==",
            "storedKey" : "twmxdnlb5eiaqg4tnh9bynuup9a=",
            "serverKey" : "mofr9ohvlffr6/md4lmrkohxouc="
        }
    },
    "roles" : [ { "role" : "root", "db" : "admin" } ]
}
{
    "_id" : "admin.dxy",
    "user" : "dxy",
    "db" : "admin",
    "credentials" : {
        "SCRAM-SHA-1" : {
            "iterationCount" : 10000,
            "salt" : "xd6smcwx4tdg/zjpolxxrg==",
            "storedKey" : "f4uiayykhdp/r9krakzjdr+gqjm=",
            "serverKey" : "kf51iu9j3rirb8cfn5z5hekmskw="
        }
    },
    "roles" : [ { "role" : "readWrite", "db" : "test" }, { "role" : "readWrite", "db" : "abc" } ]
}
> db.system.users.find().count()
5

Which role does a backup or restore account need? Using the accounts created earlier: zjy has readWrite on the test database, zjyr has read on the test database. (For backing up every database, MongoDB also provides the built-in backup and restore roles listed above.)

[email protected]:~# mongodump --port=27020 -uzjyr -pzjyr --db=test -o backup    # read permission is enough to back up
2015-06-29T11:20:04.864-0400    writing test.abc to backup/test/abc.bson
2015-06-29T11:20:04.865-0400    writing test.abc metadata to backup/test/abc.metadata.json
2015-06-29T11:20:04.866-0400    done dumping test.abc
2015-06-29T11:20:04.867-0400    writing test.system.indexes to backup/test/system.indexes.bson
[email protected]:~# mongorestore --port=27020 -uzjy -pzjy --db=test backup/test/    # readWrite permission can restore
2015-06-29T11:20:26.607-0400    building a list of collections to restore from backup/test/ dir
2015-06-29T11:20:26.609-0400    reading metadata file from backup/test/abc.metadata.json
2015-06-29T11:20:26.609-0400    restoring test.abc from file backup/test/abc.bson
2015-06-29T11:20:26.611-0400    error: E11000 duplicate key error index: test.abc.$_id_ dup key: { : ObjectId('559154efb78649ebd831685a') }
2015-06-29T11:20:26.611-0400    restoring indexes for collection test.abc from metadata
2015-06-29T11:20:26.612-0400    finished restoring test.abc
2015-06-29T11:20:26.612-0400    done

The duplicate key error is expected here: the collection still contained the dumped documents and mongorestore was run without --drop, so the existing _id values collided. It also shows that readWrite was sufficient for the restore to proceed.
Reposted from: http://www.cnblogs.com/zhoujinyi/p/4610050.html
