MongoDB User Rights Management configuration

Source: Internet
Author: User

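I. Main MongoDB commands

    show dbs                  # list the databases
    show collections          # list the collections in the current database (similar to tables in a relational database)
    show users                # list the users
    use <db name>             # switch the current database; the database is created if it does not exist
    db.help()                 # show the database operation commands (there are many of them)
    db.foo.help()             # show the collection operation commands (also many); foo is a collection named foo in the current database, not a command in its own right
    db.foo.find()             # search the foo collection in the current database (no condition, so all data is listed)
    db.foo.find( { a : 1 } )  # search the foo collection in the current database for documents that have a property a whose value is 1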

MongoDB does not have a command to create a database, but a similar result can be reached indirectly. For example, to create a "myTest" database, run the use myTest command and then perform some operation in it (such as db.createCollection('user')); this creates a database called "myTest".

Other commands
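    db.dropDatabase()                             # drop the database currently in use
    db.cloneDatabase("127.0.0.1")                 # clone the database data from the specified machine into the current database
    db.copyDatabase("mydb", "temp", "127.0.0.1")  # copy the data of mydb on this machine into the temp database
    db.repairDatabase()                           # repair the current database
    db.getName()                                  # show the database currently in use; you can also just type db
    db.stats()                                    # show the status of the current database
    db.version()                                  # show the current database version
    db.getMongo()                                 # show the address of the machine the current database is connected to
    db.serverStatus()                             # show the status of the database server

II. Create administrative rights

1. Requirements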

After installation, MongoDB by default does not require a user name and password to log in. For security reasons we usually want to set a user name and password on the database; this article mainly describes how to add administrator and ordinary users in MongoDB.

  1. MongoDB does not have a default administrator account, so you need to add an administrator account first and then turn on permission authentication.
  2. Switch to the admin database; an account added there is an administrator account.
  3. A user can only log in through the database the user belongs to, and this includes administrator accounts.
  4. An administrator can manage all databases, but cannot manage other databases directly: it must first authenticate in the admin database.
2. Create an Administrator account

In the admin database, add a user and grant it the userAdminAnyDatabase role.
For example, the following creates a user named admin in the admin database.

    [[email protected] ~]# mongo
    MongoDB shell version: 3.2.6
    connecting to: test
    > use admin
    switched to db admin
    > db.createUser(
    ...   {
    ...     user: "admin",
    ...     pwd: "abc123",
    ...     roles: [ { role: "userAdminAnyDatabase", db: "admin" } ]
    ...   }
    ... )
    Successfully added user: {
            "user" : "admin",
            "roles" : [
                    {
                            "role" : "userAdminAnyDatabase",
                            "db" : "admin"
                    }
            ]
    }
    >

3. View Users

    > show users
    {
            "_id" : "admin.admin",
            "user" : "admin",
            "db" : "admin",
            "roles" : [
                    {
                            "role" : "userAdminAnyDatabase",
                            "db" : "admin"
                    }
            ]
    }
    >

    > db.system.users.find()
    { "_id" : "admin.admin", "user" : "admin", "db" : "admin", "credentials" : { "SCRAM-SHA-1" : { "iterationCount" : 10000, "salt" : "enbD/QBkAWDHurQp9h+RTA==", "storedKey" : "XeFFVoer/nm0iBeN/R7Z+L1GiSU=", "serverKey" : "w87cJMsQMOCrzcSaI44R9dGZvUY=" } }, "roles" : [ { "role" : "userAdminAnyDatabase", "db" : "admin" } ] }
    >

III. Enable permission verification

Edit the configuration file /etc/mongod.conf and modify the contents as follows:

    security:
      authorization: enabled

Restart MongoDB Service

systemctl restart mongod
Verify that permissions are in effect

    [[email protected] ~]# mongo
    MongoDB shell version: 3.2.6
    connecting to: test
    > show dbs
    2018-08-01T10:57:13.168+0800 E QUERY    [thread1] Error: listDatabases failed:{
            "ok" : 0,
            "errmsg" : "not authorized on admin to execute command { listDatabases: 1.0 }",
            "code" : 13
    } :
    [email protected]/mongo/shell/utils.js:25:13
    [email protected]/mongo/shell/mongo.js:62:1
    [email protected]/mongo/shell/utils.js:760:19
    [email protected]/mongo/shell/utils.js:650:15
    @(shellhelp2):1:1

    > use admin
    switched to db admin
    > db.auth('admin','abc123')
    1
    > show dbs
    admin   0.000GB
    local   0.000GB
    myTest  0.000GB
    >

IV. Create a regular user

Once authenticated, the user administrator can use db.createUser() to create additional users.
You can assign MongoDB built-in roles or user-defined roles to users.

The admin user created above only has privileges to manage users and roles. If it tries to do anything else, such as reading the data in the foo collection in the test database, MongoDB returns an error.

The database in which you create the user (here, the test database) is that user's authentication database. Although the user authenticates against this database, the user can still have roles in other databases. That is, the authentication database does not restrict the user's permissions.

    [[email protected] ~]# mongo
    MongoDB shell version: 3.2.6
    connecting to: test
    > use admin
    switched to db admin
    > db.auth('admin','abc123')
    1
    > use test
    switched to db test
    > db.createUser(
    ...    {
    ...      user:"test1",
    ...      pwd: "test1",
    ...      roles: [{ role: "readWrite", db: "test"}]
    ...    }
    ...  )
    Successfully added user: {
            "user" : "test1",
            "roles" : [
                    {
                            "role" : "readWrite",
                            "db" : "test"
                    }
            ]
    }
    >

Verify

    [[email protected] ~]# mongo
    MongoDB shell version: 3.2.6
    connecting to: test
    > use test
    switched to db test
    > db.auth('test1','test1')
    1
    >

V. Create Superuser Root

    [[email protected] ~]# mongo
    MongoDB shell version: 3.2.6
    connecting to: test
    > use admin
    switched to db admin
    > db.auth('admin','abc123')
    1
    > db.createUser(
    ...   {
    ...     user: "root",
    ...     pwd: "root",
    ...     roles: [ { role: "root", db: "admin" } ]
    ...   }
    ... )
    Successfully added user: {
            "user" : "root",
            "roles" : [
                    {
                            "role" : "root",
                            "db" : "admin"
                    }

VI. Roles built into MongoDB

Database user roles: read, readWrite
Database management roles: dbAdmin, dbOwner, userAdmin
Cluster management roles: clusterAdmin, clusterManager, clusterMonitor, hostManager
Backup and restore roles: backup, restore
All-database roles: readAnyDatabase, readWriteAnyDatabase, userAdminAnyDatabase, dbAdminAnyDatabase
Superuser role: root (several other roles also provide system superuser access, directly or indirectly: dbOwner, userAdmin, userAdminAnyDatabase)

Internal role: __system

Role Description:

read: allows the user to read the specified database
readWrite: allows the user to read and write to the specified database
dbAdmin: allows the user to perform administrative functions in the specified database, such as creating and deleting indexes, viewing statistics, or accessing system.profile
userAdmin: allows the user to write to the system.users collection in order to create, delete, and manage users in the specified database
clusterAdmin: only available in the admin database, giving the user administrative privileges over all sharding and replica set related functions
readAnyDatabase: only available in the admin database, giving the user read access to all databases
readWriteAnyDatabase: only available in the admin database, giving the user read and write access to all databases
userAdminAnyDatabase: only available in the admin database, giving the user userAdmin permissions on all databases
dbAdminAnyDatabase: only available in the admin database, giving the user dbAdmin permissions on all databases
root: only available in the admin database. The superuser account, with superuser privileges
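
The role list above can be turned into a least-privilege review of existing accounts. The following is an added example, not part of the original article: it takes user documents in the shape printed by show users and reports, per account, the effective access per database, whether the account can reach superuser access, and which roles it holds outside its authentication database. Assumptions: the role model is simplified to the roles described above, dbOwner and userAdmin count as superuser-equivalent only when granted on the admin database, and the "ops" account in the sample is hypothetical.

```javascript
// Simplified model of the built-in roles described above; anyDb marks roles
// that apply to every database (reported under scope "*").
const ROLE_MODEL = new Map([
  ["read", { caps: ["read"] }],
  ["readWrite", { caps: ["read", "write"] }],
  ["dbAdmin", { caps: ["dbAdmin"] }],
  ["userAdmin", { caps: ["userAdmin"] }],
  ["dbOwner", { caps: ["read", "write", "dbAdmin", "userAdmin"] }],
  ["readAnyDatabase", { caps: ["read"], anyDb: true }],
  ["readWriteAnyDatabase", { caps: ["read", "write"], anyDb: true }],
  ["userAdminAnyDatabase", { caps: ["userAdmin"], anyDb: true }],
  ["dbAdminAnyDatabase", { caps: ["dbAdmin"], anyDb: true }],
  ["root", { caps: ["read", "write", "dbAdmin", "userAdmin"], anyDb: true }],
]);

function effectiveAccess(userDoc) {
  const access = new Map(); // database name or "*" -> Set of capabilities
  const unmodelled = [];    // cluster, backup or custom roles: review by hand
  for (const { role, db } of userDoc.roles || []) {
    const model = ROLE_MODEL.get(role);
    if (!model) { unmodelled.push(`${role}@${db}`); continue; }
    const scope = model.anyDb ? "*" : db;
    if (!access.has(scope)) access.set(scope, new Set());
    model.caps.forEach((cap) => access.get(scope).add(cap));
  }
  const managesUsers = (scope) => access.has(scope) && access.get(scope).has("userAdmin");
  return {
    id: userDoc._id,
    access: Object.fromEntries([...access].map(([d, caps]) => [d, [...caps].sort()])),
    // userAdmin on admin, or on every database, lets the account grant itself any role.
    superuserReach: managesUsers("*") || managesUsers("admin"),
    // Roles held outside the authentication database (allowed, as noted in section IV).
    outsideAuthDb: [...access.keys()].filter((d) => d !== "*" && d !== userDoc.db),
    unmodelled,
  };
}

// Constructed sample input in the shape of the `show users` output above.
const sampleUsers = [
  { _id: "admin.admin", db: "admin", roles: [{ role: "userAdminAnyDatabase", db: "admin" }] },
  { _id: "test.test1", db: "test", roles: [{ role: "readWrite", db: "test" }] },
  { _id: "admin.root", db: "admin", roles: [{ role: "root", db: "admin" }] },
  // Hypothetical account, not created in the article:
  { _id: "test.ops", db: "test",
    roles: [{ role: "dbOwner", db: "admin" }, { role: "clusterMonitor", db: "admin" }] },
];
const report = sampleUsers.map(effectiveAccess);
console.log(JSON.stringify(report, null, 2));
```

In the report, the admin account from section II shows superuserReach: true even though it holds only userAdminAnyDatabase, which matches the note in the role list above.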
