MongoDB Basics (vi) Security authentication (permission actions)


As with other databases, permission management in MongoDB works much the same way. MongoDB stores all user information in the collection system.users of the admin database, holding the user name, password and database information. MongoDB does not enable authentication by default: anyone who can reach the server can connect to mongod. To enable security authentication you need to set the auth parameter in the configuration file.


The following tests walk through the setup.


View the databases:

> show dbs

It turns out there is not even an admin database!


After searching for a while without finding relevant instructions, I simply created the user admin directly:

use admin
db.createUser({ user: "admin", pwd: "admin", roles: [{ role: "userAdminAnyDatabase", db: "admin" }] })
The user was created successfully; querying the admin database's collections now shows data:

> show collections
system.indexes
system.users
system.version

Viewing the contents of the three collections:


Now enable auth in the configuration file:

# vi /etc/mongod.conf

auth=true

Restart the Mongod service:

# service mongod restart


Log in with the defaults and try to view the databases; the shell reports that we have no permission to do so:

# mongo
MongoDB shell version: 3.0.2
connecting to: test
> show dbs
2015-05-09T21:57:03.176-0700 E QUERY    Error: listDatabases failed:{ "ok" : 0, "errmsg" : "not authorized on admin to execute command { listDatabases: 1.0 }", "code" : 13 }
    at Error (<anonymous>)
    at Mongo.getDBs (src/mongo/shell/mongo.js:47:15)
    at shellHelper.show (src/mongo/shell/utils.js:630:33)
    at shellHelper (src/mongo/shell/utils.js:524:36)


We just created the account admin in the admin database, so we first have to switch to the admin database to authenticate (authenticating against other databases fails):


db.auth("admin", "admin") returns 1, indicating that the login succeeded! Note that the db.auth("admin", "admin") line is not kept in the shell's command history after it runs.


Now create another user, "MyUser":

db.createUser({ user: "MyUser", pwd: "MyUser", roles: [{ role: "readWrite", db: "MyDB" }] })

Roles can also be granted to and revoked from an existing user:

// grant roles: db.grantRolesToUser("<username>", [{ role: "<role>", db: "<database>" }])
db.grantRolesToUser("MyUser", [{ role: "dbOwner", db: "MyDB" }])
// revoke roles: db.revokeRolesFromUser("<username>", [{ role: "<role>", db: "<database>" }])
db.revokeRolesFromUser("MyUser", [{ role: "readWrite", db: "MyDB" }])

Because MyUser was created in the admin database, it can only authenticate against the admin database:


After authenticating, you can switch to the database you actually work in:


Alternatively, a user can be created in its own database, so that you do not have to authenticate against admin and then switch. Here the user "userkk" is created in the database "MyDB":

use admin
db.auth("admin", "admin")
use MyDB
db.createUser({ user: "userkk", pwd: "userkk", roles: [{ role: "dbOwner", db: "MyDB" }] })
db.auth("userkk", "userkk")


------------------------------------------------------------------------------------------------------------------


Now test authorization with a custom role.


// first connect to the admin database

use admin
db.auth("admin", "admin")


// switch to MyDB and create a role in database MyDB
// role: create the role "TestRole" in database "MyDB"
// privileges: this role may run "find" on all collections of database "MyDB"
// to remove it again: db.dropRole("TestRole")
use MyDB
db.createRole({ role: "TestRole", privileges: [{ resource: { db: "MyDB", collection: "" }, actions: ["find"] }], roles: [] })

// this creates the collection system.roles in the admin database; view the roles there.


// back in MyDB: create a user in database MyDB and grant it the role "TestRole"
// to remove the user again: db.dropUser("userkk")

use MyDB
db.createUser({ user: "userkk", pwd: "userkk", roles: [{ role: "TestRole", db: "MyDB" }] })

Exit MongoDB and log in again as userkk to operate. Only find works; the role grants nothing else.

> exit


Add three more privileges, "update", "insert" and "remove", to the role "TestRole", and then try the operations again.


// change the role: updateRole replaces all of the role's roles values. The privileges can be replaced the same way!

use admin
db.auth("admin", "admin")
use MyDB
db.updateRole("TestRole", { roles: [{ role: "readWrite", db: "MyDB" }] }, { w: "majority" })
db.auth("userkk", "userkk")
show dbs
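As an added example that is not part of the original post, the following node.js script models how MongoDB resolves a user's role grants (including inherited roles such as dbOwner) and privilege resources into an allow/deny decision, so a custom role like TestRole can be reviewed offline before it is created. The built-in role contents in BUILTIN are abbreviated and assumed; the role and user names are the post's.

```javascript
// Offline model of MongoDB role resolution (added example, not the post's own code).
// Built-in roles grant their actions on every collection of the db they are assigned in;
// their action lists here are abbreviated and assumed, not the complete official ones.
const BUILTIN = {
  readWrite: { actions: ["find", "insert", "update", "remove", "createIndex", "dropIndex"], roles: [] },
  dbAdmin:   { actions: ["collStats", "dbStats", "listCollections", "listIndexes"], roles: [] },
  userAdmin: { actions: ["createUser", "createRole", "grantRole", "revokeRole"], roles: [] },
  dbOwner:   { actions: [], roles: ["readWrite", "dbAdmin", "userAdmin"] }, // inherits only
};

// User-defined roles keyed by "<db>.<role>", in the shape db.createRole() takes.
const customRoles = {
  "MyDB.TestRole": {
    privileges: [{ resource: { db: "MyDB", collection: "" }, actions: ["find"] }],
    roles: [],
  },
};

// An empty db or collection in a resource means "any db" / "any collection in that db".
function resourceMatches(resource, db, collection) {
  return (resource.db === "" || resource.db === db) &&
         (resource.collection === "" || resource.collection === collection);
}

// Flatten {role, db} grants into privileges, following role inheritance without looping.
function effectivePrivileges(grants, seen = new Set()) {
  const out = [];
  for (const { role, db } of grants) {
    const key = `${db}.${role}`;
    if (seen.has(key)) continue;
    seen.add(key);
    if (customRoles[key]) {
      out.push(...customRoles[key].privileges);
      out.push(...effectivePrivileges(customRoles[key].roles, seen));
    } else if (BUILTIN[role]) {
      out.push({ resource: { db, collection: "" }, actions: BUILTIN[role].actions });
      out.push(...effectivePrivileges(BUILTIN[role].roles.map(r => ({ role: r, db })), seen));
    }
  }
  return out;
}

// True when at least one effective privilege covers the resource and lists the action.
function isAuthorized(userRoles, action, db, collection) {
  return effectivePrivileges(userRoles).some(p =>
    resourceMatches(p.resource, db, collection) && p.actions.includes(action));
}
```

With this model, userkk holding only TestRole is allowed find on MyDB but denied insert there and denied find on any other database, which is the behaviour the test above observes.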



For the built-in roles, the following summary is extracted from the official documentation.

(Case in this summary may differ from the original; refer to the official documentation when using it.)

Database User Roles

  read
    Actions: collStats, dbHash, dbStats, find, killCursors, listIndexes, listCollections

  readWrite
    Actions: collStats, convertToCapped, createCollection, dbHash, dbStats, dropCollection, createIndex, dropIndex, emptycapped, find, insert, killCursors, listIndexes, listCollections, remove, renameCollectionSameDB, update

Database Administration Roles

  dbAdmin
    Actions: collStats, dbHash, dbStats, find, killCursors, listIndexes, listCollections; dropCollection and createCollection on system.profile

  dbOwner
    Roles: readWrite, dbAdmin, userAdmin

  userAdmin
    Actions: changeCustomData, changePassword, createRole, createUser, dropRole, dropUser, grantRole, revokeRole, viewRole, viewUser

Cluster Administration Roles

  clusterAdmin
    Roles: clusterManager, clusterMonitor, hostManager

  clusterManager
    Actions: addShard, applicationMessage, cleanupOrphaned, flushRouterConfig, listShards, removeShard, replSetConfigure, replSetGetStatus, replSetStateChange, resync, enableSharding, moveChunk, splitChunk, splitVector

  clusterMonitor
    Actions: connPoolStats, cursorInfo, getCmdLineOpts, getLog, getParameter, getShardMap, hostInfo, inprog, listDatabases, listShards, netstat, replSetGetStatus, serverStatus, shardingState, top; on all databases: collStats, dbStats, getShardVersion

  hostManager
    Actions: applicationMessage, closeAllDatabases, connPoolSync, cpuProfiler, diagLogging, flushRouterConfig, fsync, invalidateUserCache, killop, logRotate, resync, setParameter, shutdown, touch, unlock

Backup and Restoration Roles

  backup
    insert and update on the mms.backup collection in the admin database
    List all databases: listDatabases
    List all collection indexes: listIndexes
    Query (find) on:
      * non-system collections
      * system collections: system.indexes, system.namespaces, system.js
      * admin.system.users and admin.system.roles

  restore
    On non-system collections, system.js, admin.system.users and admin.system.roles, and the version 2.6 system.users: collMod, createCollection, createIndex, dropCollection, insert
    List all databases: listDatabases
    system.users: find, remove, update

All-Database Roles

  readAnyDatabase
    read on all databases; listDatabases on the cluster

  readWriteAnyDatabase
    readWrite on all databases; listDatabases on the cluster

  userAdminAnyDatabase
    userAdmin on all databases
    Cluster: authSchemaUpgrade, invalidateUserCache, listDatabases
    admin.system.users and admin.system.roles: collStats, dbHash, dbStats, find, killCursors, planCacheRead, createIndex, dropIndex

  dbAdminAnyDatabase
    dbAdmin on all databases; listDatabases on the cluster

Superuser Roles

  root
    Roles: dbOwner, userAdmin, userAdminAnyDatabase, readWriteAnyDatabase, dbAdminAnyDatabase, clusterAdmin

Internal Role

  __system
    Take any action on any database in the cluster



Reference: MongoDB documentation, mongo Shell Methods and Built-In Roles


