When the MongoDB service is started without any parameters, it runs with no authentication by default: any client that connects can operate on the database arbitrarily, and the database can be accessed remotely.
After installation MongoDB has a default admin database, which is initially empty and holds no permission-related records. While admin.system.users contains no user, mongod performs no authentication even if it is started with the --auth parameter; authentication only takes effect once a user has been added to admin.system.users.
Note that users stored in admin.system.users have greater rights than users defined in other databases: they are superusers, and a user created in admin can operate on the data of any other database in MongoDB.
1 In a MongoDB system, databases are created by the superuser. A database can contain multiple users, a user belongs to only one database, and users in different databases may have the same name.
2 When admin.system.users has no users, mongod does no authentication even if it is started with the --auth parameter; authentication only begins once a user has been added to admin.system.users.
3 A user of a specific database, such as user1 in db1, cannot access another database such as db2, but can access data created by other users in db1.
4 Users with the same name in different databases cannot log in to each other's databases. For example, if db1 and db2 each have a user1, the user1 who logs in to db1 cannot log in to db2 to operate on it.
5 A user created in the admin database has super privileges and can operate on the data objects of any database in the MongoDB system.
6 To supplement point 2: when admin.system.users has no users, even if mongod is started with --auth and user1 has been added to another database such as db1, connections to db1 are not authenticated.
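The following mongo-shell script is an added example (not part of the original post) that turns points 2 and 6 into a repeatable check: it issues listDatabases without credentials and, if that succeeds, counts the users in admin.system.users to explain why --auth is not being enforced. It assumes the legacy 2.x-era shell API (runCommand, db.system.users) and the "need to login" reply shown in the experiment later on the page.

```javascript
// Added example (not from the original post): a mongo-shell audit script that
// reproduces the post's check in one step: issue listDatabases WITHOUT
// credentials, then explain the result. Run as: mongo 127.0.0.1:27000 audit.js
// Assumes the legacy 2.x-era shell API (runCommand, db.system.users).

// Pure decision logic, kept separate from the shell globals so it can be tested.
// `result` is the server reply to {listDatabases: 1} from an anonymous client.
function classifyAuthState(result) {
  if (result.ok === 1 && Array.isArray(result.databases)) {
    return 'OPEN';      // anonymous client can enumerate databases
  }
  if (result.ok === 0 && /need to login|unauthorized/i.test(result.errmsg || '')) {
    return 'ENFORCED';  // server rejected the anonymous request
  }
  return 'UNKNOWN';
}

// Combine the anonymous-probe result with the number of users found in
// admin.system.users to explain WHY --auth may not be in effect (points 2 and 6).
function explainState(state, adminUserCount) {
  if (state === 'OPEN' && adminUserCount === 0) {
    return 'admin.system.users is empty, so --auth is not enforced; create an admin user first';
  }
  if (state === 'OPEN') {
    return 'admin users exist but anonymous access works, so mongod is running without --auth';
  }
  if (state === 'ENFORCED') {
    return 'authentication is enforced for anonymous clients';
  }
  return 'could not determine the authentication state';
}

// Shell entry point: `db` only exists inside the mongo shell, not under node.
if (typeof db !== 'undefined') {
  var admin = db.getSiblingDB('admin');
  var state = classifyAuthState(admin.runCommand({ listDatabases: 1 }));
  // Only readable when the probe succeeded; otherwise the count itself fails.
  var adminUsers = state === 'OPEN' ? admin.system.users.count() : -1;
  print(state + ': ' + explainState(state, adminUsers));
}
```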
The following is verified by experiment (it may not be comprehensive; corrections are welcome):
1 When MongoDB is first installed, there are no users in the admin database. At this point, whether or not the database is started in --auth mode, a user of one database (such as test) can operate on the data of other databases (such as db1).
a) Start mongod in the default way
[[email protected] bin]$ ./mongod --dbpath=/opt/mongodata/data --port=27000
Open the mongo shell in another window. By default it enters the test database, and at this point the session has super privileges and can operate on any database object.
[[email protected] bin]$ ./mongo 127.0.0.1:27000
MongoDB shell version: 2.0.1
connecting to: 127.0.0.1:27000/test
> show dbs
local (empty)
#View the user information in the admin database. Since the database is newly created, there are no users.
> use admin
switched to db admin
> db.system.users.find();
#Switch to the test database, create a collection yql and insert data
> use test
switched to db test
>
> db.yql.insert({id: 2, val: "yangql is learing monogdb master slave!"});
#Create the db1 database, create a collection db1_test and insert data
> use db1
switched to db db1
>
> db.db1_test.insert({id: 1, val: "this data is in db1!"});
> db.db1_test.insert({id: 2, val: "this data is in db1!"});
> db.db1_test.insert({id: 3, val: "this data is in db1!"});
#Create the db2 database, create a collection db2_test and insert data
> use db2
switched to db db2
>
> db.db2_test.insert({id: 1, val: "this data is in db2!"});
> db.db2_test.insert({id: 2, val: "this data is in db2!"});
> db.db2_test.insert({id: 3, val: "this data is in db2!"});
> db.db2_test.find();
{"_id": ObjectId("4f2bbcdf2a801e73e6493f31"), "id": 1, "val": "this data is in db2!"}
{"_id": ObjectId("4f2bbce52a801e73e6493f32"), "id": 2, "val": "this data is in db2!"}
{"_id": ObjectId("4f2bbce92a801e73e6493f33"), "id": 3, "val": "this data is in db2!"}
>
> show dbs
admin (empty)
db1 0.203125GB
db2 0.203125GB
local (empty)
test 0.203125GB
#Create a user yql in the test database with the password yql
> use test
switched to db test
>
> db.addUser("yql", "yql")
{"n": 0, "connectionId": 1, "err": null, "ok": 1}
{
"user": "yql",
"readOnly": false,
"pwd": "868ed7035435f33b60ebeba2f363ad91",
"_id": ObjectId("4f2bbed556f179b1ccc295d1")
}
#db.auth() verifies that the given user exists in the current database and that the password matches
> db.auth("yql", "yql")
1
>
> db.system.users.find();
{"_id": ObjectId("4f2bbed556f179b1ccc295d1"), "user": "yql", "readOnly": false, "pwd": "868ed7035435f33b60ebeba2f363ad91"}
>
exit
bye
b) Shut down the mongod service and start the database in authentication mode
[[email protected] bin]$ ./mongod --dbpath=/opt/mongodata/data --port=27000 --auth
Log in again. Although a user was created in test, no user has been created in the admin database, so the default (unauthenticated) login still has super privileges.
[[email protected] bin]$ ./mongo 127.0.0.1:27000
MongoDB shell version: 2.0.1
connecting to: 127.0.0.1:27000/test
>
> use test
switched to db test
>
> db.system.users.find();
{"_id": ObjectId("4f2bbed556f179b1ccc295d1"), "user": "yql", "readOnly": false, "pwd": "868ed7035435f33b60ebeba2f363ad91"}
>
>
> use db1
switched to db db1
>
> db.db1_test.find();
{"_id": ObjectId("4f2bb3a42a801e73e6493f2b"), "id": 1, "val": "this data is in db1!"}
{"_id": ObjectId("4f2bb3ae2a801e73e6493f2c"), "id": 2, "val": "this data is in db1!"}
{"_id": ObjectId("4f2bb3b32a801e73e6493f2d"), "id": 3, "val": "this data is in db1!"}
>
exit
bye
Logging in as a specific user also gives access to other databases. The following shows that the user in test can access the data in db1.
[[email protected] bin]$ ./mongo 127.0.0.1:27000 -uyql -pyql
MongoDB shell version: 2.0.1
connecting to: 127.0.0.1:27000/test
>
> use db1
switched to db db1
> db.db1_test.find();
{"_id": ObjectId("4f2bb3a42a801e73e6493f2b"), "id": 1, "val": "this data is in db1!"}
{"_id": ObjectId("4f2bb3ae2a801e73e6493f2c"), "id": 2, "val": "this data is in db1!"}
{"_id": ObjectId("4f2bb3b32a801e73e6493f2d"), "id": 3, "val": "this data is in db1!"}
>
bye
2 After a user is added to admin.system.users, MongoDB's authentication and authorization take effect.
#Create a user in the admin database: user supper with password sup
[[email protected] bin]$ ./mongo 127.0.0.1:27000
MongoDB shell version: 2.0.1
connecting to: 127.0.0.1:27000/test
> use admin
switched to db admin
>
> db.addUser("supper", "sup")
{"n": 0, "connectionId": 4, "err": null, "ok": 1}
{
"user": "supper",
"readOnly": false,
"pwd": "51a481f72b8b8218df9fee50b3737c44",
"_id": ObjectId("4f2bc0d357a309043c6947a4")
}
>
> db.auth("supper", "sup")
1
>
exit
bye
[[email protected] bin]$
Log in the default way, i.e. as an unauthenticated user. Queries now return an unauthorized error.
[[email protected] bin]$ ./mongo 127.0.0.1:27000
MongoDB shell version: 2.0.1
connecting to: 127.0.0.1:27000/test
>
> db.system.users.find();
error: {
"$err": "unauthorized db: test lock type: -1 client: 127.0.0.1",
"code": 10057
}
>
> show dbs
Fri Feb 3 19:12:30 uncaught exception: listDatabases failed: {"errmsg": "need to login", "ok": 0}
>
>
exit
bye
Now that a user exists in the admin database, logging in with authentication allows querying the corresponding database, and only that database. Other databases in the same MongoDB instance cannot be queried.
[[email protected] bin]$ ./mongo 127.0.0.1:27000 -uyql -pyql
MongoDB shell version: 2.0.1
connecting to: 127.0.0.1:27000/test
>
> db.system.users.find();
{"_id": ObjectId("4f2bbed556f179b1ccc295d1"), "user": "yql", "readOnly": false, "pwd": "868ed7035435f33b60ebeba2f363ad91"}
>
> db.yql.find();
{"_id": ObjectId("4f2bb3662a801e73e6493f2a"), "id": 2, "val": "yangql is learing monogdb master slave!"}
When querying system-level database information, the following error is reported:
> show dbs;
Fri Feb 3 19:15:56 uncaught exceptio