MongoDB Rights Management

Source: Internet
Author: User

The shell client is opened with the mongo command. db.shutdownServer() can be used to shut down the database engine.

I. Shell commands

The MongoDB shell provides commands that can be executed from the shell prompt.

help <option>: Displays syntax help for the MongoDB shell commands. The option parameter lets you specify the specific area you want help with.

use <database>: Changes the current database handle. Database operations are processed against the current database handle.

show <option>: Displays a listing according to the option parameter.

dbs: Displays a list of databases.

collections: Displays a list of the collections in the current database.

profile: Displays the latest system.profile entries that took longer than 1 millisecond.

log [name]: Displays the last segment of the in-memory log. If name is not specified, global is used.

exit: Exits the database shell.

II. Shell methods

The MongoDB shell provides a number of methods for performing administrative functions.

load(script): Loads and runs a JavaScript file inside the shell. This is the best way to work with database scripts.

UUID(string): Converts a 32-byte hexadecimal string into a BSON UUID.

db.auth(username, password): Authenticates the user against the current database.

III. Scripting with the shell

The commands, methods, and data structures of the MongoDB shell are based on interactive JavaScript. A good way to manage MongoDB is to create scripts that can be run many times, or scripts that run at specific moments, such as scripts that run at upgrade time. A script file can contain any number of MongoDB commands together with JavaScript code such as conditional statements and loops. There are two ways to run a MongoDB shell script.

1. Using --eval

The --eval parameter accepts a JavaScript string or a JavaScript file; it starts the MongoDB shell and executes the JavaScript immediately.

2. Run the MongoDB script using the load(script_path) method.

IV. Managing user accounts

1. Create a user account

Both user administrator accounts and database administrator accounts are created with the addUser() method. MongoDB 3.0 replaces it with createUser(); calling addUser() on 3.0 prints a prompt saying that addUser() is not a function. The method accepts a document object that lets you specify the user name, roles, and password for that user. The document object can contain the following fields:

user (string): Specifies a unique username.

roles (array): Specifies the user's roles. MongoDB provides a large number of roles that can be assigned to users; each role carries different permissions, which are described mainly in the Roles section below.

pwd (hash or string, optional): Specifies the user's password. When you create a user it may be given as a hash value or as a string, but it is stored as a hash value in the database.

userSource (<database>, optional): Instead of the pwd field, points to another database in which the same user is defined; that database's pwd or userSource is then used as the credentials for this user. The userSource field and the pwd field are mutually exclusive, and a document cannot contain both.

otherDBRoles ({<database>: [array], <database>: [array]}, optional): Lets you specify the roles this user has in other databases. Its format is a document keyed by database name, where each value is an array of the roles that apply to the user in that database.

2. Roles

Users and roles have a many-to-many relationship: one user can have multiple roles, and one role can be held by multiple users. Different roles carry different permissions. The following are some common roles that are assigned to users.

read: Allows the user to read data from any collection in the database.

readAnyDatabase: Same as read, but for all databases.

readWrite: Provides all the capabilities of read and allows the user to write to any collection in the database, including inserting, deleting, and updating documents, and creating, renaming, and dropping collections.

readWriteAnyDatabase: Same as readWrite, but for all databases.

dbAdmin: Allows the user to read and write to the database, as well as clean, modify, compact, get statistical summaries, and validate.

dbAdminAnyDatabase: Same as dbAdmin, but for all databases.

clusterAdmin: Allows the user to perform general administration of MongoDB, including connecting, clustering, replication, listing databases, creating databases, and dropping databases.

userAdmin: Allows the user to create and modify user accounts for the database.

userAdminAnyDatabase: Same as userAdmin, but for all databases.

3. Delete a user account

MongoDB users can be deleted with the removeUser(<username>) method; you first need to switch to the database where the user resides. After MongoDB 3.0, use dropUser(<username>) instead; the shell shows a hint to that effect.

V. Configuring access control

MongoDB provides authentication and authorization at the database level, meaning that a user exists in the context of a single database. To implement basic authentication, MongoDB stores user credentials in a collection named system.users in each database.

When no user is defined in the admin database, MongoDB allows a connection from the local host to have full administrative access to the database. Therefore, the first step in setting up a new MongoDB instance is to create a user administrator account and a database administrator account. The user administrator has the ability to create user accounts in the admin database and in other databases. You also need a database administrator account that you can use as a superuser to manage the other aspects of databases, clustering, replication, and MongoDB.

1. Create a user administrator

The user administrator account should have only the permission to create users, not to manage databases or perform other administrative functions; keep database management and user account management completely separate. The user administrator account should be created with userAdminAnyDatabase as its only role.

As seen above, querying a collection with the user administrator account produces an error; this is because the user administrator account is used only to manage users and cannot manage the database.

2. Turn on authentication

Once the user administrator account has been created, restart the MongoDB database with the --auth parameter.

3. Create a database administrator

The database administrator created above in the admin database can display the collections, whereas the user administrator gets an error when trying to display them.

read: Allows the user to read the specified database.

readWrite: Allows the user to read and write to the specified database.

dbAdmin: Allows the user to perform administrative functions in the specified database, such as creating and dropping indexes, viewing statistics, or accessing system.profile.

userAdmin: Allows the user to write to the system.users collection in order to create, delete, and manage users in the specified database.

clusterAdmin: Available only in the admin database; gives the user administrative privileges over all shard and replica set related functions.

readAnyDatabase: Available only in the admin database; gives the user read access to all databases.

readWriteAnyDatabase: Available only in the admin database; gives the user read and write access to all databases.

userAdminAnyDatabase: Available only in the admin database; gives the user userAdmin permissions on all databases.

dbAdminAnyDatabase: Available only in the admin database; gives the user dbAdmin permissions on all databases.

root: Available only in the admin database. The superuser account, with super privileges.
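The following is an added example, not code from the original article, and not part of any MongoDB project code. It builds the document passed to createUser() from the fields the article lists in section IV.1 (user, pwd, userSource, roles, otherDBRoles), rejects a document that carries both pwd and userSource, refuses to grant one of the admin-only roles listed above (readAnyDatabase, readWriteAnyDatabase, userAdminAnyDatabase, dbAdminAnyDatabase, clusterAdmin, root) in any database other than admin, and creates the separate user administrator and database administrator accounts of section V with userAdminAnyDatabase as the user administrator's only role. The names buildUserDoc, roleAllowedIn, bootstrapAdmins and makeRecorder, the account names useradmin and dbadmin, and the database names reports and stats in the comments are this example's own assumptions. userSource is the pre-3.0 addUser() field the article describes; createUser() in 3.0 expects pwd. The recorder object stands in for db.getSiblingDB('admin') so the checks run under node without a server; inside the mongo shell the real handle is passed instead.

```javascript
// Added example (not from the original article). Builds createUser() documents
// and enforces the rules the article states about fields and admin-only roles.
// Function names are this example's own, not MongoDB API.

// Roles the article lists as available only in the admin database.
const ADMIN_ONLY_ROLES = [
  'readAnyDatabase', 'readWriteAnyDatabase', 'userAdminAnyDatabase',
  'dbAdminAnyDatabase', 'clusterAdmin', 'root',
];

// True if `role` may be granted in database `dbName`.
function roleAllowedIn(role, dbName) {
  return dbName === 'admin' || ADMIN_ONLY_ROLES.indexOf(role) === -1;
}

// Build the document passed to db.createUser() for a user defined in `dbName`.
// `roles` are role names in that database; `otherDBRoles` maps other database
// names to arrays of roles, in the format the article gives for otherDBRoles.
function buildUserDoc(dbName, spec) {
  const { user, pwd, userSource, roles, otherDBRoles } = spec;
  if (typeof user !== 'string' || user.length === 0) {
    throw new Error('user must be a non-empty string');
  }
  // The article: pwd and userSource are mutually exclusive.
  if (pwd !== undefined && userSource !== undefined) {
    throw new Error('pwd and userSource are mutually exclusive');
  }
  if (pwd === undefined && userSource === undefined) {
    throw new Error('either pwd or userSource must be given');
  }
  if (!Array.isArray(roles) || roles.length === 0) {
    throw new Error('roles must be a non-empty array');
  }
  const doc = { user, roles: [] };
  // pwd is supplied as a string here; the server stores it as a hash.
  // userSource is the pre-3.0 addUser() field; createUser() in 3.0 expects pwd.
  if (pwd !== undefined) doc.pwd = pwd; else doc.userSource = userSource;

  const grant = (role, db) => {
    if (!roleAllowedIn(role, db)) {
      throw new Error(role + ' is only available in the admin database, not in ' + db);
    }
    // Drop duplicates so the same role is not listed twice.
    if (!doc.roles.some(r => r.role === role && r.db === db)) {
      doc.roles.push({ role, db });
    }
  };
  roles.forEach(role => grant(role, dbName));
  if (otherDBRoles) {
    Object.keys(otherDBRoles).forEach(db =>
      otherDBRoles[db].forEach(role => grant(role, db)));
  }
  return doc;
}

// Section V: create the user administrator and the database administrator as
// separate accounts in the admin database (mongod is then restarted with --auth).
function bootstrapAdmins(adminDb, userAdminPwd, dbAdminPwd) {
  const userAdmin = buildUserDoc('admin', {
    user: 'useradmin', pwd: userAdminPwd, roles: ['userAdminAnyDatabase'],
  });
  const dbAdmin = buildUserDoc('admin', {
    user: 'dbadmin', pwd: dbAdminPwd,
    roles: ['readWriteAnyDatabase', 'dbAdminAnyDatabase', 'clusterAdmin'],
  });
  // Refuse to continue if the separation of duties has been edited away:
  // exactly one role for the user admin, no user-management role for the db admin.
  if (userAdmin.roles.length !== 1 ||
      dbAdmin.roles.some(r => r.role.toLowerCase().indexOf('useradmin') === 0)) {
    throw new Error('administrator roles are not separated as intended');
  }
  adminDb.createUser(userAdmin);
  adminDb.createUser(dbAdmin);
  return { userAdmin, dbAdmin };
}

// Stand-in for db.getSiblingDB('admin') that records createUser() calls,
// so the logic can be exercised without a running server.
function makeRecorder() {
  const calls = [];
  return { calls, createUser(doc) { calls.push(doc); } };
}

// In the mongo shell, after load('bootstrap_users.js') or mongo admin bootstrap_users.js:
//   bootstrapAdmins(db.getSiblingDB('admin'), '<user-admin-password>', '<db-admin-password>');
// Per-database user with roles in two databases (names are constructed):
//   db.getSiblingDB('reports').createUser(buildUserDoc('reports',
//     { user: 'reader', pwd: '<password>', roles: ['read'], otherDBRoles: { stats: ['readWrite'] } }));
```

The file can be run either way section III describes: passed to the shell as a script file, or pulled in with load(). The admin-only check is what catches the error the article warns about, a role such as readAnyDatabase placed in an ordinary database, before the document ever reaches createUser().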

(1). Database user roles

Controlled per database.
read: Provides read access to all non-system collections, as well as the system.indexes, system.js, and system.namespaces system collections.
readWrite: Includes all read permissions plus permission to modify all non-system collections and the system.js system collection.

(2). Database management roles

Each database contains the following database management roles.
dbOwner: The owner of the database, with full permissions on the database.
dbAdmin: Certain database object management operations, but no database read and write permissions. (Reference: http://docs.mongodb.org/manual/reference/built-in-roles/#dbAdmin)
userAdmin: Creates and modifies users and roles for the current database. A user with userAdmin permission can assign arbitrary permissions to any user of that database.

(3). Cluster administration permissions

The admin database contains the following roles, whose users manage the entire system rather than a single database. These permissions cover replica sets and the management functions of sharded clusters.
clusterAdmin: Provides the greatest cluster management capability. Equivalent to the combined permissions of clusterManager, clusterMonitor, and hostManager, plus dropDatabase.
clusterManager: Provides cluster and replica set management and monitoring operations. Users with this permission can manipulate the config and local databases (that is, the sharding and replication functions).
clusterMonitor: Monitoring only, for clusters and replica sets.
hostManager: Provides the ability to monitor and administer servers, including shutting down nodes, logRotate, repairDatabase, and so on.
Backup and restore permissions: The admin database contains roles for backing up and restoring data, including backup, restore, and so on.

(4). All-database roles

The admin database provides roles that apply to all databases in a mongod instance:
readAnyDatabase: Has read permission on every database, but not on the databases used by the cluster itself.
readWriteAnyDatabase: Has readWrite permission on every database, but not on the databases used by the cluster itself.
userAdminAnyDatabase: Has userAdmin permission on every database, but not on the databases used by the cluster itself.
dbAdminAnyDatabase: Provides dbAdmin permission on every database, but not on the databases used by the cluster itself.

(5). Superuser privileges

root: dbAdmin on the admin database, userAdmin on the admin database, and userAdminAnyDatabase. It does not, however, have backup and restore rights or the right to manipulate the system.* collections directly, but a superuser with root privileges can grant themselves these permissions.

(6). Backup and restore roles: backup, restore.

(7). Internal role: __system

PS: You can follow the built-in roles link above to view the details of the permissions each role has.
