MongoDB 数据库默认是没有用户名及密码的,即无权限访问限制。为了方便数据库的管理和安全,需创建数据库用户。
1.用户权限
用户中权限的说明
用户创建语法
{
user: "<name>",
pwd: "<cleartext password>",
customData: { <any information> },
roles: [
{ role: "<role>",
db: "<database>" } | "<role>",
...
]
}
语法说明:
- user 字段:用户的名字;
- pwd 字段:用户的密码;
- cusomData 字段:为任意内容,例如可以为用户全名介绍;
- roles 字段:指定用户的角色,可以用一个空数组给新用户设定空角色;
- roles 字段:可以指定内置角色和用户定义的角色。
2.创建管理员用户
到这里专门讲解用户管理了,因此配置当中开启用户认证,配置信息如下:
[root@mongodb bin]$cat mongodb.conf
#数据存储目录
dbpath=/usr/local/mongodb/data/db
#日志文件目录
logpath=/usr/local/mongodb/logs/mongodb.log
#后台运行
fork=true
auth=true
bind_ip=0.0.0.0
[root@mongodb bin]$systemctl restart mongod
[root@mongodb bin]$systemctl status mongod
进入管理数据库
[root@mongodb bin]$mongo
MongoDB shell version v3.6.8
connecting to: mongodb://127.0.0.1:27017/?gssapiServiceName=mongodb
Implicit session: session { "id" : UUID("56712ce5-d30a-421f-b447-0eea5294aafb") }
MongoDB server version: 3.6.8
> use admin
2-1.创建管理用户,root 权限
> use admin
switched to db admin
> db.createUser({user: "root",pwd: "root",roles: [ { role: "root", db: "admin" } ]})
Successfully added user: {
"user" : "root",
"roles" : [
{
"role" : "root",
"db" : "admin"
}
]
}
注意:
创建管理员角色用户的时候,必须到 admin 下创建。
删除的时候也要到相应的库下操作。
验证用户是否能用
> db.auth("root","root")
1 # 返回 1 即为成功
2-2.查看创建的管理员用户
一个常见的报错:
> show users
2019-07-03T14:33:49.060+0800 E QUERY [js] Error: command usersInfo requires authentication :
_getErrorWithCode@src/mongo/shell/utils.js:25:13
DB.prototype.getUsers@src/mongo/shell/db.js:1763:1
shellHelper.show@src/mongo/shell/utils.js:859:9
shellHelper@src/mongo/shell/utils.js:766:15
@(shellhelp2):1:1
这种报错常常出现在没有授权的情况下,刚刚也只是创建了对应的用户名以及角色,但是还没有通过 root 用户进行登陆。
> db.auth("root","root")
1
> show users
{
"_id" : "admin.root",
"userId" : UUID("fa320150-781c-4a07-b427-c3a42f360133"),
"user" : "root",
"db" : "admin",
"roles" : [
{
"role" : "root",
"db" : "admin"
}
],
"mechanisms" : [
"SCRAM-SHA-1",
"SCRAM-SHA-256"
]
}
2-3.登陆数据库
注意:用户在哪个数据库下创建的,最后加上什么库,这里自然选择 admin 库。
- 方法一:命令行中进行登陆
[root@mongodb bin]$mongo -uroot -proot admin
MongoDB shell version v3.6.8
connecting to: mongodb://127.0.0.1:27017/admin?gssapiServiceName=mongodb
Implicit session: session { "id" : UUID("3f5eda3b-89da-4ef5-bcb2-022bc0517c11") }
MongoDB server version: 3.6.8
Server has startup warnings:
2019-07-03T15:39:36.265+0800 I CONTROL [initandlisten] ** WARNING: You are running this process as the root user, which is not recommended.
2019-07-03T15:39:36.265+0800 I CONTROL [initandlisten]
>
- 方法二:在数据库中进行登陆验证:
[root@mongodb bin]$ mongo
MongoDB shell version v3.6.8
connecting to: mongodb://127.0.0.1:27017/?gssapiServiceName=mongodb
Implicit session: session { "id" : UUID("896ba84c-3127-4ac1-85a9-ca4f4da3e60c") }
MongoDB server version: 3.6.8
> use admin
switched to db admin
> db.auth("root","root")
1
> show tables
system.users
system.version
- 正常登陆之后,再次查看用户:
> show users
{
"_id" : "admin.root",
"userId" : UUID("fa320150-781c-4a07-b427-c3a42f360133"),
"user" : "root",
"db" : "admin",
"roles" : [
{
"role" : "root",
"db" : "admin"
}
],
"mechanisms" : [
"SCRAM-SHA-1",
"SCRAM-SHA-256"
]
}
2-4.忘记管理员密码怎么办
有时候可能会忘记管理员密码,需要对其进行重置,这个时候,有两种方式可以更新管理员密码。
如果连用户名都忘记了,那么我们首先需要更改 MongoDB 的配置,去掉用户名密码认证的功能,然后重启。
[root@mongodb bin]$cat mongodb.conf
#数据存储目录
dbpath=/usr/local/mongodb/data/db
#日志文件目录
logpath=/usr/local/mongodb/logs/mongodb.log
#后台运行
fork=true
auth=false
bind_ip=0.0.0.0
[root@mongodb bin]$systemctl restart mongod
[root@mongodb bin]$systemctl status mongod
然后使用 mongo 命令进入到数据库,进行简单查询:
[root@localhost bin]$mongo
MongoDB shell version v3.6.8
connecting to: mongodb://127.0.0.1:27017/?gssapiServiceName=mongodb
Implicit session: session { "id" : UUID("3e0268c2-7e34-4a61-947d-f8e2368640f5") }
MongoDB server version: 3.6.8
Server has startup warnings:
2019-07-04T17:54:54.016+0800 I CONTROL [initandlisten] ** WARNING: You are running this process as the root user, which is not recommended.
2019-07-04T17:54:54.016+0800 I CONTROL [initandlisten]
> use admin
switched to db admin
> show users
{
"_id" : "admin.root",
"userId" : UUID("c8514da6-4484-4036-9c13-b5deeb449575"),
"user" : "root",
"db" : "admin",
"roles" : [
{
"role" : "root", #这里就可以判断角色为root的账号名字也是root
"db" : "admin"
}
],
"mechanisms" : [
"SCRAM-SHA-1",
"SCRAM-SHA-256"
]
}
> show tables #或者通过查询表来得知
system.users
system.version
> db.system.users.find() #查询user表
{ "_id" : "admin.root", "userId" : UUID("c8514da6-4484-4036-9c13-b5deeb449575"), "user" : "root", "db" : "admin", "credentials" : { "SCRAM-SHA-1" : { "iterationCount" : 10000, "salt" : "SxO3kQwjFX8833lnQXQKbw==", "storedKey" : "1LQVQGW3ScF8WC0iCSMUJ5Iokpc=", "serverKey" : "t2PSzcZSE1KFzMXXK4BmxfPno9s=" }, "SCRAM-SHA-256" : { "iterationCount" : 15000, "salt" : "XDCd8GfHOtBiZnC6Eafx37aUV+2lO9EZbWl9rQ==", "storedKey" : "ZYHs6Umf0bVP8uofPGlcAl5uFzzQWovc4oczHjckmBs=", "serverKey" : "apVEilrpFXVAfBMMCwiIHl7H4bdnd6xm6KN88fXYJWo=" } }, "roles" : [ { "role" : "root", "db" : "admin" } ] }
得知管理员用户的名称为 root 之后,就能够进行密码更新的操作了。
- 利用
db.changeUserPassword
[root@localhost bin]$mongo
MongoDB shell version v3.6.8
connecting to: mongodb://127.0.0.1:27017/?gssapiServiceName=mongodb
Implicit session: session { "id" : UUID("3e0268c2-7e34-4a61-947d-f8e2368640f5") }
MongoDB server version: 3.6.8
Server has startup warnings:
2019-07-04T17:54:54.016+0800 I CONTROL [initandlisten] ** WARNING: You are running this process as the root user, which is not recommended.
2019-07-04T17:54:54.016+0800 I CONTROL [initandlisten]
> use admin
switched to db admin
> db.changeUserPassword('root','test1')
然后重新开启用户认证,重启验证。
[root@mongodb bin]$cat mongodb.conf
#数据存储目录
dbpath=/usr/local/mongodb/data/db
#日志文件目录
logpath=/usr/local/mongodb/logs/mongodb.log
#后台运行
fork=true
auth=true
bind_ip=0.0.0.0
[root@mongodb bin]$systemctl restart mongod
[root@mongodb bin]$systemctl status mongod
登陆一下。
[root@localhost bin]$mongo -uroot -ptest1 admin
MongoDB shell version v3.6.8
connecting to: mongodb://127.0.0.1:27017/admin?gssapiServiceName=mongodb
Implicit session: session { "id" : UUID("7ebe8a49-a750-46b1-a59e-c95abc0d7401") }
MongoDB server version: 3.6.8
Server has startup warnings:
2019-07-04T18:06:24.623+0800 I CONTROL [initandlisten] ** WARNING: You are running this process as the root user, which is not recommended.
2019-07-04T18:06:24.623+0800 I CONTROL [initandlisten]
> db
admin
> show users
{
"_id" : "admin.root",
"userId" : UUID("c8514da6-4484-4036-9c13-b5deeb449575"),
"user" : "root",
"db" : "admin",
"roles" : [
{
"role" : "root",
"db" : "admin"
}
],
"mechanisms" : [
"SCRAM-SHA-1",
"SCRAM-SHA-256"
]
}
3.按生产需求创建应用用户
因为目前用户规划都还比较简单,因此创建用户的时候,都是基于 admin 来进行。
3-1.创建某库的读写用户
- 创建 test 用户,权限为读写
[root@mongodb bin]$mongo -uroot -proot admin #使用admin登陆
MongoDB shell version v3.6.8
connecting to: mongodb://127.0.0.1:27017/admin?gssapiServiceName=mongodb
Implicit session: session { "id" : UUID("3f5eda3b-89da-4ef5-bcb2-022bc0517c11") }
MongoDB server version: 3.6.8
Server has startup warnings:
2019-07-03T15:39:36.265+0800 I CONTROL [initandlisten] ** WARNING: You are running this process as the root user, which is not recommended.
2019-07-03T15:39:36.265+0800 I CONTROL [initandlisten]
> use wake #一定要注意,给哪个库授权就要先切换到对应的库,不然这个用户将无法登陆
> db.createUser({user: "test",pwd: "test",roles: [ { role: "readWrite", db: "wake" } ]}) #创建读写用户
Successfully added user: {
"user" : "test",
"roles" : [
{
"role" : "readWrite",
"db" : "wake"
}
]
}
> show users #查看用户
{
"_id" : "wake.test",
"userId" : UUID("3bd64373-13c5-4a47-95f9-92a2433c0bf4"),
"user" : "test",
"db" : "wake",
"roles" : [
{
"role" : "readWrite",
"db" : "wake"
}
],
"mechanisms" : [
"SCRAM-SHA-1",
"SCRAM-SHA-256"
]
}
注意:给哪个库创建用户,授权用户,都要先use到对应的库,否则将不生效,删除用户也是。
- 测试用户权限
[root@localhost bin]$mongo -utest -ptest wake
MongoDB shell version v3.6.8
connecting to: mongodb://127.0.0.1:27017/wake?gssapiServiceName=mongodb
Implicit session: session { "id" : UUID("dd97a5e3-9226-4a04-8221-dec566edc1c3") }
MongoDB server version: 3.6.8
> db.createCollection('d')
{ "ok" : 1 }
> db.getCollectionNames()
[ "a", "b", "c", "d" ]
3-2.创建对某库的只读用户
- 在 wake 库创建只读用户 test
[root@localhost bin]$mongo -uroot -proot admin
MongoDB shell version v3.6.8
connecting to: mongodb://127.0.0.1:27017/admin?gssapiServiceName=mongodb
Implicit session: session { "id" : UUID("b1d0e8f4-6c13-4c27-abfa-b8035f983453") }
MongoDB server version: 3.6.8
Server has startup warnings:
2019-07-04T00:16:54.097+0800 I CONTROL [initandlisten] ** WARNING: You are running this process as the root user, which is not recommended.
2019-07-04T00:16:54.097+0800 I CONTROL [initandlisten]
> use wake #切换到对应库
> db.createUser({user: "test1",pwd: "test1",roles: [ { role: "read", db: "wake" } ]}) #创建对应用户
Successfully added user: {
"user" : "test1",
"roles" : [
{
"role" : "read",
"db" : "wake"
}
]
}
> show users #查看用户
{
"_id" : "wake.test",
"userId" : UUID("3bd64373-13c5-4a47-95f9-92a2433c0bf4"),
"user" : "test",
"db" : "wake",
"roles" : [
{
"role" : "readWrite",
"db" : "wake"
}
],
"mechanisms" : [
"SCRAM-SHA-1",
"SCRAM-SHA-256"
]
}
{
"_id" : "wake.test1",
"userId" : UUID("eb2e54b8-a036-40a8-b8d4-5c8f5548ad25"),
"user" : "test1",
"db" : "wake",
"roles" : [
{
"role" : "read",
"db" : "wake"
}
],
"mechanisms" : [
"SCRAM-SHA-1",
"SCRAM-SHA-256"
]
}
- 登录 test 用户,并测试是否只读
[root@localhost bin]$mongo -utest1 -ptest1 wake
MongoDB shell version v3.6.8
connecting to: mongodb://127.0.0.1:27017/wake?gssapiServiceName=mongodb
Implicit session: session { "id" : UUID("cca6f744-47e6-4bcb-8682-8c1af7080108") }
MongoDB server version: 3.6.8
> db.getCollectionNames() #可以正常查询
[ "a", "b", "c", "d" ]
> db.createCollection('e') #创建报错
{
"ok" : 0,
"errmsg" : "not authorized on wake to execute command { create: \"e\", lsid: { id: UUID(\"cca6f744-47e6-4bcb-8682-8c1af7080108\") }, $db: \"wake\" }",
"code" : 13,
"codeName" : "Unauthorized"
}
>
3-3.创建对多库不同权限的用户
- 创建对 test 为读写权限,对 wake 库为只读权限的用户
[root@localhost bin]$mongo -uroot -proot admin
MongoDB shell version v3.6.8
connecting to: mongodb://127.0.0.1:27017/admin?gssapiServiceName=mongodb
Implicit session: session { "id" : UUID("c5e35008-0a1e-4513-9394-947e49f67f81") }
MongoDB server version: 3.6.8
Server has startup warnings:
2019-07-04T00:16:54.097+0800 I CONTROL [initandlisten] ** WARNING: You are running this process as the root user, which is not recommended.
2019-07-04T00:16:54.097+0800 I CONTROL [initandlisten]
> use test #切换到test库
switched to db test
> db.createUser({user: "app",pwd: "app",roles: [ { role: "readWrite", db: "test" },{ role: "read", db: "wake" }]}) #创建用户
Successfully added user: {
"user" : "app",
"roles" : [
{
"role" : "readWrite",
"db" : "test"
},
{
"role" : "read",
"db" : "wake"
}
]
}
> show users #查看用户
{
"_id" : "test.app",
"userId" : UUID("e25d6c21-190a-44e4-8868-868a474fcf12"),
"user" : "app",
"db" : "test",
"roles" : [
{
"role" : "readWrite",
"db" : "test"
},
{
"role" : "read",
"db" : "wake"
}
],
"mechanisms" : [
"SCRAM-SHA-1",
"SCRAM-SHA-256"
]
}
注意,这个时候创建的用户,是基于 test 库创建的,那么后续登陆等操作,也都需要跟上 test 库,而不能够跟上 wake 的库。如果跟上 wake 的库,将会报如下错误:
[root@localhost bin]$mongo -uapp -papp wake
MongoDB shell version v3.6.8
connecting to: mongodb://127.0.0.1:27017/wake?gssapiServiceName=mongodb
2019-07-04T00:54:54.617+0800 E QUERY [js] Error: Authentication failed. :
connect@src/mongo/shell/mongo.js:344:17
@(connect):2:6
exception: connect failed
- 查看并测试用户
[root@localhost bin]$mongo -uapp -papp test
MongoDB shell version v3.6.8
connecting to: mongodb://127.0.0.1:27017/test?gssapiServiceName=mongodb
Implicit session: session { "id" : UUID("8cef0c4a-3f3d-4802-8926-79aea22db826") }
MongoDB server version: 3.6.8
> db.createCollection('a')
{ "ok" : 1 }
> db.getCollectionNames()
[ "a" ]
> use wake
switched to db wake
> db.getCollectionNames()
[ "a", "b", "c", "d" ]
3-4.更改用户权限
其实更改权限无非就是更改用户的角色,因为在 MongoDB 中,角色决定了不同用户的不同权限。
- 先查看一下当前用户的角色。
[root@localhost bin]$mongo -uroot -ptest1 admin
MongoDB shell version v3.6.8
connecting to: mongodb://127.0.0.1:27017/admin?gssapiServiceName=mongodb
Implicit session: session { "id" : UUID("dbda85c8-7a90-4143-a31c-7a8ea58b80cc") }
MongoDB server version: 3.6.8
Server has startup warnings:
2019-07-04T18:06:24.623+0800 I CONTROL [initandlisten] ** WARNING: You are running this process as the root user, which is not recommended.
2019-07-04T18:06:24.623+0800 I CONTROL [initandlisten]
> use wake
switched to db wake
> show users
{
"_id" : "wake.test",
"userId" : UUID("3bd64373-13c5-4a47-95f9-92a2433c0bf4"),
"user" : "test",
"db" : "wake",
"roles" : [
{
"role" : "readWrite", #可以看到test用户是readWrite的角色
"db" : "wake"
}
],
"mechanisms" : [
"SCRAM-SHA-1",
"SCRAM-SHA-256"
]
}
{
"_id" : "wake.test1",
"userId" : UUID("eb2e54b8-a036-40a8-b8d4-5c8f5548ad25"),
"user" : "test1",
"db" : "wake",
"roles" : [
{
"role" : "read", #可以看到test1用户是read的角色
"db" : "wake"
}
],
"mechanisms" : [
"SCRAM-SHA-1",
"SCRAM-SHA-256"
]
}
- 更改用户角色
[root@localhost bin]$mongo -uroot -ptest1 admin
MongoDB shell version v3.6.8
connecting to: mongodb://127.0.0.1:27017/admin?gssapiServiceName=mongodb
Implicit session: session { "id" : UUID("dbda85c8-7a90-4143-a31c-7a8ea58b80cc") }
MongoDB server version: 3.6.8
Server has startup warnings:
2019-07-04T18:06:24.623+0800 I CONTROL [initandlisten] ** WARNING: You are running this process as the root user, which is not recommended.
2019-07-04T18:06:24.623+0800 I CONTROL [initandlisten]
> use wake
switched to db wake
> db.updateUser("test",{roles:[{role:"dbAdmin",db:"wake"}]})
> show users
{
"_id" : "wake.test",
"userId" : UUID("3bd64373-13c5-4a47-95f9-92a2433c0bf4"),
"user" : "test",
"db" : "wake",
"roles" : [
{
"role" : "dbAdmin", #可以看到权限已经更新
"db" : "wake"
}
],
"mechanisms" : [
"SCRAM-SHA-1",
"SCRAM-SHA-256"
]
}
{
"_id" : "wake.test1",
"userId" : UUID("eb2e54b8-a036-40a8-b8d4-5c8f5548ad25"),
"user" : "test1",
"db" : "wake",
"roles" : [
{
"role" : "read",
"db" : "wake"
}
],
"mechanisms" : [
"SCRAM-SHA-1",
"SCRAM-SHA-256"
]
}
3-5.删除用户
- 删除 app 用户:先登录到 admin 数据库
[root@localhost bin]$mongo -uroot -proot admin
MongoDB shell version v3.6.8
connecting to: mongodb://127.0.0.1:27017/admin?gssapiServiceName=mongodb
Implicit session: session { "id" : UUID("6edeba63-e2bf-477c-a098-965767d105b6") }
MongoDB server version: 3.6.8
Server has startup warnings:
2019-07-04T00:16:54.097+0800 I CONTROL [initandlisten] ** WARNING: You are running this process as the root user, which is not recommended.
2019-07-04T00:16:54.097+0800 I CONTROL [initandlisten]
>
- 进入 test 库删除 app 用户
> use test
switched to db test
> show users
{
"_id" : "test.app",
"userId" : UUID("e25d6c21-190a-44e4-8868-868a474fcf12"),
"user" : "app",
"db" : "test",
"roles" : [
{
"role" : "readWrite",
"db" : "test"
},
{
"role" : "read",
"db" : "wake"
}
],
"mechanisms" : [
"SCRAM-SHA-1",
"SCRAM-SHA-256"
]
}
> db.dropUser("app")
true
> show users
到这里,基本上能够体会到,MongoDB 当中那些关于角色用户权限规则的定义与配置了,MongoDB 自身已经定义好了许多个角色,这些角色针对全局,而在创建用户的时候,用户,角色,库这三个概念又是分离的,因此要多多体会,去理解三者的关系。
3-6.其他授权
- 创建 app 数据库的管理员:先登录到 admin 数据库
[root@localhost bin]$mongo -uroot -proot admin
MongoDB shell version v3.6.8
connecting to: mongodb://127.0.0.1:27017/admin?gssapiServiceName=mongodb
Implicit session: session { "id" : UUID("572862cc-456d-4f5f-98ea-e65054411de6") }
MongoDB server version: 3.6.8
Server has startup warnings:
2019-07-04T00:16:54.097+0800 I CONTROL [initandlisten] ** WARNING: You are running this process as the root user, which is not recommended.
2019-07-04T00:16:54.097+0800 I CONTROL [initandlisten]
> use app
switched to db app
> db.createUser({user: "admin",pwd: "admin",roles: [ { role: "dbAdmin", db: "app" } ]})
Successfully added user: {
"user" : "admin",
"roles" : [
{
"role" : "dbAdmin",
"db" : "app"
}
]
}
> show users
{
"_id" : "app.admin",
"userId" : UUID("01e196c8-2119-488b-9d11-b969db266aea"),
"user" : "admin",
"db" : "app",
"roles" : [
{
"role" : "dbAdmin",
"db" : "app"
}
],
"mechanisms" : [
"SCRAM-SHA-1",
"SCRAM-SHA-256"
]
}
- 创建 app 数据库读写权限的用户并具有 clusterAdmin 权限,要当心,这个用户的权限可是相当大的
[root@localhost bin]$mongo -uroot -proot admin
MongoDB shell version v3.6.8
connecting to: mongodb://127.0.0.1:27017/admin?gssapiServiceName=mongodb
Implicit session: session { "id" : UUID("572862cc-456d-4f5f-98ea-e65054411de6") }
MongoDB server version: 3.6.8
Server has startup warnings:
2019-07-04T00:16:54.097+0800 I CONTROL [initandlisten] ** WARNING: You are running this process as the root user, which is not recommended.
2019-07-04T00:16:54.097+0800 I CONTROL [initandlisten]
> use app
switched to db app
> db.createUser({user: "super-app",pwd: "super-app",roles: [ { role: "readWrite", db: "app" },{ role: "clusterAdmin", db: "admin" }]})
Successfully added user: {
"user" : "super-app",
"roles" : [
{
"role" : "readWrite",
"db" : "app"
},
{
"role" : "clusterAdmin",
"db" : "admin"
}
]
}
> show users
{
"_id" : "app.super-app",
"userId" : UUID("7533af91-3063-4460-8cb5-f77061eb5680"),
"user" : "super-app",
"db" : "app",
"roles" : [
{
"role" : "readWrite",
"db" : "app"
},
{
"role" : "clusterAdmin",
"db" : "admin"
}
],
"mechanisms" : [
"SCRAM-SHA-1",
"SCRAM-SHA-256"
]
}
评论区