A few days ago a user asked me about MongoDB database permission problems. I only had a general understanding at the time, so this week I took a closer look. A database must not be open to anyone who can reach it: access and write permissions have to be restricted.
Before getting into that, you should be familiar with the shell client. The previous post also covered how to start the shell client: mongo. db.shutdownServer() can be used to shut down the database engine.
I. Shell commands
The MongoDB shell provides commands that can be executed from the shell prompt.
help <option>: Displays syntax help for the MongoDB shell commands. The option parameter lets you specify the particular area you want help with.
use <database>: Changes the current database handle. Database operations are executed against the current database handle.
show <option>: Displays a listing according to the option parameter:
  dbs: Displays the list of databases.
  collections: Displays the list of collections in the current database.
  profile: Displays the most recent system.profile entries that took longer than 1 millisecond.
  log [name]: Displays the last segment of the in-memory log. If name is not given, global is used.
exit: Exits the shell.
II. Shell methods
The MongoDB shell provides a number of methods for performing administrative functions.
load(script): Loads and runs a JavaScript file inside the shell. This is the best way to work with database scripts.
UUID(string): Converts a 32-byte hexadecimal string into a BSON UUID.
db.auth(username, password): Authenticates against the current database.
III. Scripting with the shell
The commands, methods and data structures of the MongoDB shell are based on interactive JavaScript. A good way to administer MongoDB is to create scripts that can be run many times, or scripts that are run at specific moments, such as during an upgrade. A script file can contain any number of MongoDB commands together with JavaScript code such as conditional statements and loops. There are two ways to run a MongoDB shell script.
1. Using --eval
The --eval parameter accepts a JavaScript string or a JavaScript file; it starts the MongoDB shell and executes the JavaScript immediately.
2. Run the script with the load(script_path) method.
IV. Managing user accounts
1. Create a user account
Whether you are creating a user administrator account or a database administrator account, the user is added with the addUser() method. MongoDB 3.0 replaced it with createUser(); calling addUser() on 3.0 fails with the message "addUser is not a function", which can be seen in the prompt below. createUser() accepts a document object in which you specify the user name, roles and password of the user. The following fields can be set in that document:
user (string): a unique user name.
roles (array): the roles of the user. MongoDB provides a large number of roles that can be assigned to users; each role carries different permissions, which are covered in the Roles section below.
pwd (hash or string, optional): the user's password. When the user is created this may be a hash or a clear-text string, but it is stored in the database as a hash.
userSource (<database>, optional): instead of the pwd field, points to another database in which the same user is defined; that database's pwd or userSource is then used as the credentials for this user. userSource and pwd are mutually exclusive: a document cannot contain both.
otherDBRoles ({<database>: [array], <database>: [array]}, optional): the roles this user has in other databases, given as a document whose keys are database names and whose values are arrays of the roles that apply to the user in that database.
2. Roles
Users and roles have a many-to-many relationship: one user can hold several roles, and one role can be held by several users. Different roles carry different permissions. The following are some common roles that are assigned to users.
read: allows the user to read data from any collection in the database.
readAnyDatabase: the same as read, but for all databases.
readWrite: provides everything read does and also lets the user write to any collection in the database, including inserting, deleting and updating documents and creating, renaming and dropping collections.
readWriteAnyDatabase: the same as readWrite, but for all databases.
dbAdmin: allows the user to read and write the database, and to clean, modify, compact, get statistical summaries of and validate it.
dbAdminAnyDatabase: the same as dbAdmin, but for all databases.
clusterAdmin: allows the user to perform general administration of MongoDB, including connecting, clustering, replication, listing databases, creating databases and dropping databases.
userAdmin: allows the user to create and modify user accounts for the database.
userAdminAnyDatabase: the same as userAdmin, but for all databases.
3. Delete a user account
A MongoDB user can be deleted with the removeUser(<username>) method; you first need to switch to the database the user belongs to. From MongoDB 3.0 onwards use dropUser(<username>) instead; the corresponding hint can be seen in the configuration below.
V. Configuring access control
MongoDB provides authentication and authorization at the database level, meaning that a user exists in the context of a single database. To implement basic authentication, MongoDB stores user credentials in a collection named system.users in each database.
While no user is defined in the admin database, MongoDB gives a connection from the local host full administrative access to the database. Therefore the first step in setting up a new MongoDB instance is to create a user administrator and a database administrator account. The user administrator can create user accounts in the admin database and in other databases. You also need a database administrator account that can act as a superuser for the other aspects of administration: databases, clustering, replication and MongoDB itself.
1. Create a user administrator
The user administrator account should only have permission to create users, not to manage databases or perform other administrative functions, so that database administration and user administration are kept completely separate. The user administrator account should be created with userAdminAnyDatabase as its only role.
As shown above, querying a collection with the user administrator account produces an error: the account is only meant for managing users and cannot operate on the database.
2. Turn on authentication
Once the user administrator account has been created, restart the MongoDB database with the --auth parameter.
3. Create a database administrator
The database administrator created in the admin database above can run show collections successfully, whereas running it as the user administrator produces an error.
MongoDB Rights Management