我使用keyFile来验证我的mongodb集群系统。我已经有一个管理员角色来对抗 admin db:
所以,首先我使用身份验证登录:
mongo localhost:40000/admin -u root -p 123456
mongos> use admin
switched to db admin
mongos> db.system.users.find()
{ "_id" : ObjectId("52dcb305398751501c530378"), "user" : "root", "pwd" : "a02786431d8419bbebee7aa4dad6aee9", "roles" : [ "clusterAdmin", "userAdmin", "readWriteAnyDatabase", "dbAdmin", "read" ] }
我以这样的角色登录后,我可以在admin和除addUser操作之外的任何其他普通数据库上做任何事情(包括查询,删除,修改等)!
例如,对于普通数据库 genbank ,我尝试添加用户:
mongos> use genbank
switched to db genbank
mongos> db.addUser({user:"genbankReader",pwd:"123456",roles:["read"]})
{
"user" : "genbankReader",
"pwd" : "6f755264f6d28045198f6ae53523005e",
"roles" : [
"read"
],
"_id" : ObjectId("52dcb8495ec4b673f09b66eb")
}
Mon Jan 20 13:46:49.007 couldn't add user: not authorized for insert on genbank.system.users at src/mongo/shell/db.js:128
但对于数据库管理员,我可以根据需要执行addUser():
mongos> use admin
switched to db admin
mongos> db.addUser({user:"adminReader",pwd:"123456",roles:["read"]})
{
"user" : "adminReader",
"pwd" : "60c67cf3181b8b8570583ddfb62dd32e",
"roles" : [
"read"
],
"_id" : ObjectId("52dcb8b25ec4b673f09b66ec")
}
真的很奇怪!
答案 0 :(得分:0)
从
更改根角色后[ "clusterAdmin", "userAdmin", "readWriteAnyDatabase", "dbAdmin", "read" ]
到
[ "clusterAdmin", "userAdminAnyDatabase", "dbAdminAnyDatabase", "readWriteAnyDatabase" ]
,问题解决了!
问题似乎来自角色类型“userAdmin”。从mongodb doc开始,针对db admin的用户admin角色与userAdminAnyDatabase相同:
Note The userAdmin role is a database-specific privilege, and only grants a user the ability to administer users on a single database. However, for the admin database, userAdmin **allows a user the ability to gain userAdminAnyDatabase**. Thus, for the admin database only, these roles are effectively the same.
因此,针对数据库管理员的角色类型userAdmin不能直接为我们提供管理其他dbs上的用户的能力,但是此角色下的用户可以创建另一个角色“userAdminAnyDatabase”,并且只有这样才能用户管理其他db的用户。