我在mongo01test数据库中创建了一个用户“mongo01testro”。
use mongo01test
db.addUser( "mongo01testro", "pwd01", true );
db.system.users.find();
{ "_id" : ObjectId("53xyz"), "user" : "mongo01testro", "readOnly" : true, "pwd" : "b9eel61" }
当我从另一个会话登录时,这个新创建的用户, 我能够在收藏中插入奇怪的文件。
我希望做到以下几点:
请帮助。
此致 Parag
答案 0 :(得分:13)
你忘记了 - 启用
创建用户
// ensure that we have new db, no roles, no users
use products
db.dropDatabase()
// create admin user
use products
db.createUser({
"user": "prod-admin",
"pwd": "prod-admin",
"roles": [
{"role": "clusterAdmin", "db": "admin" },
{"role": "readAnyDatabase", "db": "admin" },
"readWrite"
]},
{ "w": "majority" , "wtimeout": 5000 }
)
// login via admin acont in order to create readonly user
// mongo --username=prod-admin --password=prod-admin products
db.createUser({
"user": "prod-r",
"pwd": "prod-r",
"roles": ["read"]
})
启用身份验证:
sudo vim /etc/mongod.conf # edit file
# Turn on/off security. Off is currently the default
#noauth = true
auth = true
sudo service mongod restart # reload configuiration
检查写入限制:
# check if write operation for readonly user
$ mongo --username=prod-r --password=prod-r products
MongoDB shell version: 2.6.4
connecting to: products
> db.laptop.insert({"name": "HP"})
WriteResult({
"writeError" : {
"code" : 13,
"errmsg" : "not authorized on products to execute command { insert: \"laptop\", documents: [ { _id: ObjectId('53ecb7115f0bfc61d8b1113e'), name: \"HP\" } ], ordered: true }"
}
})
# check write operation for admin user
$ mongo --username=prod-admin --password=prod-admin products
MongoDB shell version: 2.6.4
connecting to: products
> db.laptop.insert({"name": "HP"})
WriteResult({ "nInserted" : 1 })
# check read operation for readonly user
$ mongo --username=prod-r --password=prod-r products
MongoDB shell version: 2.6.4
connecting to: products
> db.laptop.findOne()
{ "_id" : ObjectId("53ecb54798da304f99625d05"), "name" : "HP" }
答案 1 :(得分:1)
MongoDB改变了它在版本> = 2.2和2.6中处理用户的方式,如果你要更新mongodb,你将需要Upgrade User Authorization Data to 2.6 Format。
在versions < 2.2(旧版)中,您可以使用db.addUser(username, password, readOnly)函数作为@HüseyinBABAL建议。如果您使用的是版本&gt; 2.2或2.6您可以更好地控制角色和权限。
假设您使用mongo v&gt; 2.6你可以创建类似的东西:
use admin
db.createUser({
user: "myUsername",
pwd: "mypwd",
roles: [{
role: "userAdminAnyDatabase",
db: "admin"
}]
})
db.addUser({
user: "username",
pwd: "password",
roles: [{
role: "readWrite",
db: "myDBName"
}]
})
您可以使用Build in Roles,也可以使用create custom roles。
因此,当您使用v&gt;时,您可以清楚地看到更多选项。 2.6在身份验证和角色管理方面。
答案 2 :(得分:0)
这是我的情景;
// Create admin user
use admin
db.addUser('root', 'strong_password');
// Read only user
use dbforuser1
db.addUser('user1', 'user1_pass', true);
// Read / Write access
use dbforuser2
db.addUser('user2', 'user2_pass');
如果您要登录db for user 1
use dbforuser1
db.auth('user1', 'user1_pass')
答案 3 :(得分:0)
如果在MongoDB部署上启用了访问控制,则应通过使用要控制访问的admin用户(或具有userAdmin角色的用户)对相关数据库进行身份验证来登录。为此
mongo <db_name> -u <user_name> -p <user_password>
例如:mongo mongo01test -u admin -p admin_paaswrod
然后执行以下查询以为当前连接的数据库创建只读用户,
db.createUser({user:"user_name",pwd:"password",roles:[{role:"read", db:"db_name"}]});
例如:db.createUser({user:"user_rd",pwd:"password",roles:[{role:"read", db:"mongo01test"}]});
创建同时具有readWrite访问权限的用户,
db.createUser({user:"user_name",pwd:"password",roles:[{role:"readWrite", db:"db_name"}]});
例如:db.createUser({user:"user_rw",pwd:"pass_rw",roles:[{role:"readWrite", db:"mongo01test"}]});
要创建具有管理员权限的用户
use admin;
db.createUser({user:"admin_user_name",pwd:"password", roles:[{role:"dbAdmin", db:"admin"},{role:"readWriteAnyDatabase", db:"admin"},{role:"backup", db:"admin"},{role:"restore", db:"admin"}]});