MongoDB 3.2的用户角色权限介绍和配置

MongoDB 3.2如果不配置auth验证的情况是等于游客也是超级管理员的,所有库和集合都有读写权限,但默认不支持外链接
如果配置auth验证,缺省有如下角色:
userAdminAnyDatabase 这个角色拥有分配角色和用户的权限,但没有读写的缺陷
root  这是超级管理员
readWrite  有读写权限
read    有读权限


createUser的语法如下:

db.createUser(
  {
    user: "myUserAdmin",
    pwd: "abc123",
    roles: [ { role: "userAdminAnyDatabase", db: "admin" } ]
  }
)


db.createUser(
 {
   user: "root",
   pwd: "123456",
   roles: [
      { role: "readWrite", db: "test" },
      { role: "read", db: "yange" }
   ]
 }
)


下面举例说明:
用no-auth方式启动mongodb,创建root用户,对test库有读写权限,yange库只读

> show dbs
admin  0.000GB
local  0.000GB
test   0.018GB
yange  0.000GB
> use admin
switched to db admin
> db.createUser(
...  {
...    user: "root",
...    pwd: "123456",
...    roles: [
...       { role: "readWrite", db: "test" },
...       { role: "read", db: "yange" }
...    ]
...  }
... )
Successfully added user: {
"user" : "root",
"roles" : [
{
"role" : "readWrite",
"db" : "test"
},
{
"role" : "read",
"db" : "yange"
}
]
}


创建完毕后,关闭mongodb,以auth方式启动mongodb.
$ mongod --config /etc/mongodb.conf --rest

mongodb.conf文件内容如下:
bash-4.2$ cat /etc/mongodb.conf 
port=27017 #端口  
dbpath= /data/mongodb #数据文件存放目录  
logpath= /data/mongodb/logs/mongodb.log #日志文件存放目录  
logappend=true #使用追加的方式写日志  
fork=true #以守护程序的方式启用,即在后台运行  
maxConns=500 #最大同时连接数  
#noauth=true #不启用验证
auth=true  #启用验证
journal=true
storageEngine=wiredTiger
httpinterface=true


> use admin
switched to db admin
> db.auth("root","123456")
1

> use yange   --切换到yange库
switched to db yange
> show tables
yange
> db.yange.count()  --有可读权限
10000


> db.yange.insert({name:28})
WriteResult({
"writeError" : {
"code" : 13,
"errmsg" : "not authorized on yange to execute command { insert: \"yange\", documents: [ { _id: ObjectId('57c110e083b48f01b16feb47'), name: 28.0 } ], ordered: true }"
}
})

> use test  --切换到test库
switched to db test

> show tables
books
chenfeng
duansf
heshang
numbers
products
test
test2
test3
> db.books.find()  --有可读权限
{ "_id" : ObjectId("5770f0b3f5dedda2a1409934"), "x" : 4, "j" : 2 }
{ "_id" : ObjectId("5770f0b3f5dedda2a1409935"), "x" : 4, "j" : 3 }
{ "_id" : ObjectId("5770f0b3f5dedda2a1409936"), "x" : 4, "j" : 4 }
{ "_id" : ObjectId("5770f0b3f5dedda2a1409937"), "x" : 4, "j" : 5 }
{ "_id" : ObjectId("5770f0b3f5dedda2a1409938"), "x" : 4, "j" : 6 }
{ "_id" : ObjectId("5770f0b3f5dedda2a1409939"), "x" : 4, "j" : 7 }
{ "_id" : ObjectId("5770f0b3f5dedda2a140993a"), "x" : 4, "j" : 8 }
{ "_id" : ObjectId("5770f0b3f5dedda2a140993b"), "x" : 4, "j" : 99 }


> db.books.save({x:4,j:2000})   --也有可写权限
WriteResult({ "nInserted" : 1 })



也可以用以下方式连接mongodb
bash-4.2$ mongo --port 27017 -u "root" -p "123456" --authenticationDatabase "admin"
MongoDB shell version: 3.2.7-39-g8da92ea
connecting to: 127.0.0.1:27017/test
> use test
switched to db test
> show tables
books
chenfeng
duansf
heshang
numbers
products
test
test2
test3
yange
> db.books.count()
9
> db.books.save({x:4,j:2001})
WriteResult({ "nInserted" : 1 })


> use yange
switched to db yange
> show tables
yange
> db.yange.count()
10000
> db.yange.insert({name:28})
WriteResult({
"writeError" : {
"code" : 13,
"errmsg" : "not authorized on yange to execute command { insert: \"yange\", documents: [ { _id: ObjectId('57c11177b6b545b89a198459'), name: 28.0 } ], ordered: true }"
}
})


请使用浏览器的分享功能分享到微信等