MongoDB 默认情况下,数据库没有用户名和密码,即无权限访问限制。为便于数据库的管理和安全,需要创建数据库用户。
一、用户权限
用户权限说明:
| 允许用户读取指定数据库 | |
| 允许用户读指定数据库 | |
| 允许用户在索引创建和删除等指定数据库中执行管理函数,查看统计数据或访问 system.profile | |
| 允许用户向 system.users 在指定的数据库中创建、删除和管理用户 | |
| 只在 admin 可用于数据库,并赋予用户所有分片和复制相关函数的管理权限。 | |
| 只在 admin 可用于数据库,并赋予用户所有数据库的读取权 | |
| 只在 admin 可用于数据库,并赋予用户所有数据库的读写权 | |
| 只在 admin 可用于数据库,并赋予用户所有数据库 userAdmin 权限 | |
| 只在 admin 可用于数据库,并赋予用户所有数据库 dbAdmin 权限。 | |
| 只在 admin 可用于数据库。超级账号,超级权限 |
更多用户权限说明参考:https://docs.mongodb.com/manual/core/security-built-in-roles/
{ user: "<name>", pwd: "<cleartext password>", customData: { <any information> }, roles: [ { role: "<role>", db: "<database>" } | "<role>", ... ] }- user 字段:用户名称;
- pwd 字段:用户密码;
- cusomData 字段:任何内容,如用户全名介绍;
- roles 字段:指定用户角色,可用空数组为新用户设置空角色;
- roles 字段:可指定内置角色和用户定义角色。
2.创建管理员用户
到这里专门讲解用户管理了,因此配置当中开启用户认证,配置信息如下:
[root@mongodb bin]$cat mongodb.conf #数据存储目录 dbpath=/usr/local/mongodb/data/db #日志文件目录 logpath=/usr/local/mongodb/logs/mongodb.log #后台运行 fork=true auth=true bind_ip=0.0.0.0 [root@mongodb bin]$systemctl restart mongod [root@mongodb bin]$systemctl status mongod进入管理数据库
[root@mongodb bin]$mongo MongoDB shell version v4.0.10 connecting to: mongodb://127.0.0.1:27017/?gssapiServiceName=mongodb Implicit session: session { "id" : UUID("56712ce5-d30a-421f-b447-0eea5294aafb") } MongoDB server version: 4.0.10 > use admin创建管理用户,root 权限
> use admin switched to db admin > db.createUser({user: "root",pwd: "root",roles: [ { role: "root", db: "admin" } ]}) Successfully added user: { "user" : "root", "roles" : [ { "role" : "root", "db" : "admin" } ] }在创建管理员角色用户时,必须到达 admin 下创建。
删除的时候也要到相应的库下操作。
验证用户是否使用
> db.auth("root","root") 1 # 返回 1 即为成功2.查看创建的管理员用户
常见的错误报告:
> show users 2019-07-03T14:33:49.060 0800 E QUERY [js] Error: command usersInfo requires authentication : _getErrorWithCode@src/mongo/shell/utils.js:25:13 DB.prototype.getUsers@src/mongo/shell/db.js:1763:1 shellHelper.show@src/mongo/shell/utils.js:859:9 shellHelper@src/mongo/shell/utils.js:766:15 @(shellhelp2):1:1这种错误报告经常出现在没有授权的情况下,只是创建了相应的用户名和角色,但还没有通过 root 用户登录。
> db.auth("root","root") 1 > show users { "_id" : "admin.root", "userId" : UUID("fa320150-781c-4a07-b427-c3a42f360133"), "user" : "root", "db" : "admin", "roles" : [ { "role" : "root", "db" : "admin" } ], "mechanisms" : [ "SCRAM-SHA-1", "SCRAM-SHA-256" ] }3,登陆数据库
注:用户在哪个数据库下创建,最后添加哪个库,这里自然选择 admin 库。
- 方法1:在命令行登录
[root@mongodb bin]$mongo -uroot -proot admin MongoDB shell version v4.0.10 connecting to: mongodb://127.0.0.1:27017/admin?gssapiServiceName=mongodb Implicit session: session { "id" : UUID("3f5eda3b-89da-4ef5-bcb2-022bc0517c11") } MongoDB server version: 4.0.10 Server has startup warnings: 2019-07-03T15:39:36.265 0800 I CONTROL [initandlisten] ** WARNING: You are running this process as the root user, which is not recommended. 2019-07-03T15:39:36.265 0800 I CONTROL [initandlisten] >- 方法二:登录数据库验证:
[root@mongodb bin]$ mongo MongoDB shell version v4.0.10 connecting to: mongodb://127.0.0.1:27017/?gssapiServiceName=mongodb Implicit session: session { "i" : UUID("896ba84c-3127-4ac1-85a9-ca4f4da3e60c") }
MongoDB server version: 4.0.10
> use admin
switched to db admin
> db.auth("root","root")
1
> show tables
system.users
system.version- 正常登陆之后,再次查看用户:
> show users
{
"_id" : "admin.root",
"userId" : UUID("fa320150-781c-4a07-b427-c3a42f360133"),
"user" : "root",
"db" : "admin",
"roles" : [
{
"role" : "root",
"db" : "admin"
}
],
"mechanisms" : [
"SCRAM-SHA-1",
"SCRAM-SHA-256"
]
}4,忘记管理员密码怎么办
有时候可能会忘记管理员密码,需要对其进行重置,这个时候,有两种方式可以更新管理员密码。
如果连用户名都忘记了,那么我们首先需要更改 MongoDB 的配置,去掉用户名密码认证的功能,然后重启。
[root@mongodb bin]$cat mongodb.conf
#数据存储目录
dbpath=/usr/local/mongodb/data/db
#日志文件目录
logpath=/usr/local/mongodb/logs/mongodb.log
#后台运行
fork=true
auth=false
bind_ip=0.0.0.0
[root@mongodb bin]$systemctl restart mongod
[root@mongodb bin]$systemctl status mongod然后使用 mongo 命令进入到数据库,进行简单查询:
[root@localhost bin]$mongo
MongoDB shell version v4.0.10
connecting to: mongodb://127.0.0.1:27017/?gssapiServiceName=mongodb
Implicit session: session { "id" : UUID("3e0268c2-7e34-4a61-947d-f8e2368640f5") }
MongoDB server version: 4.0.10
Server has startup warnings:
2019-07-04T17:54:54.016+0800 I CONTROL [initandlisten] ** WARNING: You are running this process as the root user, which is not recommended.
2019-07-04T17:54:54.016+0800 I CONTROL [initandlisten]
> use admin
switched to db admin
> show users
{
"_id" : "admin.root",
"userId" : UUID("c8514da6-4484-4036-9c13-b5deeb449575"),
"user" : "root",
"db" : "admin",
"roles" : [
{
"role" : "root", #这里就可以判断角色为root的账号名字也是root
"db" : "admin"
}
],
"mechanisms" : [
"SCRAM-SHA-1",
"SCRAM-SHA-256"
]
}
> show tables #或者通过查询表来得知
system.users
system.version
> db.system.users.find() #查询user表
{ "_id" : "admin.root", "userId" : UUID("c8514da6-4484-4036-9c13-b5deeb449575"), "user" : "root", "db" : "admin", "credentials" : { "SCRAM-SHA-1" : { "iterationCount" : 10000, "salt" : "SxO3kQwjFX8833lnQXQKbw==", "storedKey" : "1LQVQGW3ScF8WC0iCSMUJ5Iokpc=", "serverKey" : "t2PSzcZSE1KFzMXXK4BmxfPno9s=" }, "SCRAM-SHA-256" : { "iterationCount" : 15000, "salt" : "XDCd8GfHOtBiZnC6Eafx37aUV+2lO9EZbWl9rQ==", "storedKey" : "ZYHs6Umf0bVP8uofPGlcAl5uFzzQWovc4oczHjckmBs=", "serverKey" : "apVEilrpFXVAfBMMCwiIHl7H4bdnd6xm6KN88fXYJWo=" } }, "roles" : [ { "role" : "root", "db" : "admin" } ] }得知管理员用户的名称为 root 之后,就能够进行密码更新的操作了。
利用
db.changeUserPassword[root@localhost bin]$mongo
MongoDB shell version v4.0.10
connecting to: mongodb://127.0.0.1:27017/?gssapiServiceName=mongodb
Implicit session: session { "id" : UUID("3e0268c2-7e34-4a61-947d-f8e2368640f5") }
MongoDB server version: 4.0.10
Server has startup warnings:
2019-07-04T17:54:54.016+0800 I CONTROL [initandlisten] ** WARNING: You are running this process as the root user, which is not recommended.
2019-07-04T17:54:54.016+0800 I CONTROL [initandlisten]
> use admin
switched to db admin
> db.changeUserPassword('root','test1')然后重新开启用户认证,重启验证。
[root@mongodb bin]$cat mongodb.conf
#数据存储目录
dbpath=/usr/local/mongodb/data/db
#日志文件目录
logpath=/usr/local/mongodb/logs/mongodb.log
#后台运行
fork=true
auth=true
bind_ip=0.0.0.0
[root@mongodb bin]$systemctl restart mongod
[root@mongodb bin]$systemctl status mongod登陆一下:
[root@localhost bin]$mongo -uroot -ptest1 admin
MongoDB shell version v4.0.10
connecting to: mongodb://127.0.0.1:27017/admin?gssapiServiceName=mongodb
Implicit session: session { "id" : UUID("7ebe8a49-a750-46b1-a59e-c95abc0d7401") }
MongoDB server version: 4.0.10
Server has startup warnings:
2019-07-04T18:06:24.623+0800 I CONTROL [initandlisten] ** WARNING: You are running this process as the root user, which is not recommended.
2019-07-04T18:06:24.623+0800 I CONTROL [initandlisten]
> db
admin
> show users
{
"_id" : "admin.root",
"userId" : UUID("c8514da6-4484-4036-9c13-b5deeb449575"),
"user" : "root",
"db" : "admin",
"roles" : [
{
"role" : "root",
"db" : "admin"
}
],
"mechanisms" : [
"SCRAM-SHA-1",
"SCRAM-SHA-256"
]
}3,按生产需求创建应用用户
因为目前用户规划都还比较简单,因此创建用户的时候,都是基于 admin 来进行。
1,创建某库的读写用户
- 创建 test 用户,权限为读写
[root@mongodb bin]$mongo -uroot -proot admin #使用admin登陆
MongoDB shell version v4.0.10
connecting to: mongodb://127.0.0.1:27017/admin?gssapiServiceName=mongodb
Implicit session: session { "id" : UUID("3f5eda3b-89da-4ef5-bcb2-022bc0517c11") }
MongoDB server version: 4.0.10
Server has startup warnings:
2019-07-03T15:39:36.265+0800 I CONTROL [initandlisten] ** WARNING: You are running this process as the root user, which is not recommended.
2019-07-03T15:39:36.265+0800 I CONTROL [initandlisten]
> use eryajf #一定要注意,给哪个库授权就要先切换到对应的库,不然这个用户将无法登陆
> db.createUser({user: "test",pwd: "test",roles: [ { role: "readWrite", db: "eryajf" } ]}) #创建读写用户
Successfully added user: {
"user" : "test",
"roles" : [
{
"role" : "readWrite",
"db" : "eryajf"
}
]
}
> show users #查看用户
{
"_id" : "eryajf.test",
"userId" : UUID("3bd64373-13c5-4a47-95f9-92a2433c0bf4"),
"user" : "test",
"db" : "eryajf",
"roles" : [
{
"role" : "readWrite",
"db" : "eryajf"
}
],
"mechanisms" : [
"SCRAM-SHA-1",
"SCRAM-SHA-256"
]
}给哪个库创建用户,授权用户,都要先use到对应的库,否则将不生效,删除用户也是。
- 测试用户权限
[root@localhost bin]$mongo -utest -ptest eryajf
MongoDB shell version v4.0.10
connecting to: mongodb://127.0.0.1:27017/eryajf?gssapiServiceName=mongodb
Implicit session: session { "id" : UUID("dd97a5e3-9226-4a04-8221-dec566edc1c3") }
MongoDB server version: 4.0.10
> db.createCollection('d')
{ "ok" : 1 }
> db.getCollectionNames()
[ "a", "b", "c", "d" ]2,创建对某库的只读用户
- 在 eryajf 库创建只读用户 test
[root@localhost bin]$mongo -uroot -proot admin
MongoDB shell version v4.0.10
connecting to: mongodb://127.0.0.1:27017/admin?gssapiServiceName=mongodb
Implicit session: session { "id" : UUID("b1d0e8f4-6c13-4c27-abfa-b8035f983453") }
MongoDB server version: 4.0.10
Server has startup warnings:
2019-07-04T00:16:54.097+0800 I CONTROL [initandlisten] ** WARNING: You are running this process as the root user, which is not recommended.
2019-07-04T00:16:54.097+0800 I CONTROL [initandlisten]
> use eryajf #切换到对应库
> db.createUser({user: "test1",pwd: "test1",roles: [ { role: "read", db: "eryajf" } ]}) #创建对应用户
Successfully added user: {
"user" : "test1",
"roles" : [
{
"role" : "read",
"db" : "eryajf"
}
]
}
> show users #查看用户
{
"_id" : "eryajf.test",
"userId" : UUID("3bd64373-13c5-4a47-95f9-92a2433c0bf4"),
"user" : "test",
"db" : "eryajf",
"roles" : [
{
"role" : "readWrite",
"db" : "eryajf"
}
],
"mechanisms" : [
"SCRAM-SHA-1",
"SCRAM-SHA-256"
]
}
{
"_id" : "eryajf.test1",
"userId" : UUID("eb2e54b8-a036-40a8-b8d4-5c8f5548ad25"),
"user" : "test1",
"db" : "eryajf",
"roles" : [
{
"role" : "read",
"db" : "eryajf"
}
],
"mechanisms" : [
"SCRAM-SHA-1",
"SCRAM-SHA-256"
]
}- 登录 test 用户,并测试是否只读
[root@localhost bin]$mongo -utest1 -ptest1 eryajf
MongoDB shell version v4.0.10
connecting to: mongodb://127.0.0.1:27017/eryajf?gssapiServiceName=mongodb
Implicit session: session { "id" : UUID("cca6f744-47e6-4bcb-8682-8c1af7080108") }
MongoDB server version: 4.0.10
> db.getCollectionNames() #可以正常查询
[ "a", "b", "c", "d" ]
> db.createCollection('e') #创建报错
{
"ok" : 0,
"errmsg" : "not authorized on eryajf to execute command { create: \"e\", lsid: { id: UUID(\"cca6f744-47e6-4bcb-8682-8c1af7080108\") }, $db: \"eryajf\" }",
"code" : 13,
"codeName" : "Unauthorized"
}
>3,创建对多库不同权限的用户
- 创建对 test 为读写权限,对 eryajf 库为只读权限的用户
[root@localhost bin]$mongo -uroot -proot admin
MongoDB shell version v4.0.10
connecting to: mongodb://127.0.0.1:27017/admin?gssapiServiceName=mongodb
Implicit session: session { "id" : UUID("c5e35008-0a1e-4513-9394-947e49f67f81") }
MongoDB server version: 4.0.10
Server has startup warnings:
2019-07-04T00:16:54.097+0800 I CONTROL [initandlisten] ** WARNING: You are running this process as the root user, which is not recommended.
2019-07-04T00:16:54.097+0800 I CONTROL [initandlisten]
> use test #切换到test库
switched to db test
> db.createUser({user: "app",pwd: "app",roles: [ { role: "readWrite", db: "test" },{ role: "read", db: "eryajf" }]}) #创建用户
Successfully added user: {
"user" : "app",
"roles" : [
{
"role" : "readWrite",
"db" : "test"
},
{
"role" : "read",
"db" : "eryajf"
}
]
}
> show users #查看用户
{
"_id" : "test.app",
"userId" : UUID("e25d6c21-190a-44e4-8868-868a474fcf12"),
"user" : "app",
"db" : "test",
"roles" : [
{
"role" : "readWrite",
"db" : "test"
},
{
"role" : "read",
"db" : "eryajf"
}
],
"mechanisms" : [
"SCRAM-SHA-1",
"SCRAM-SHA-256"
]
}注意,这个时候创建的用户,是基于 test 库创建的,那么后续登陆等操作,也都需要跟上 test 库,而不能够跟上 eryajf 的库。如果跟上 eryajf 的库,将会报如下错误:
[root@localhost bin]$mongo -uapp -papp eryajf
MongoDB shell version v4.0.10
connecting to: mongodb://127.0.0.1:27017/eryajf?gssapiServiceName=mongodb
2019-07-04T00:54:54.617+0800 E QUERY [js] Error: Authentication failed. :
connect@src/mongo/shell/mongo.js:344:17
@(connect):2:6
exception: connect failed- 查看并测试用户
[root@localhost bin]$mongo -uapp -papp test
MongoDB shell version v4.0.10
connecting to: mongodb://127.0.0.1:27017/test?gssapiServiceName=mongodb
Implicit session: session { "id" : UUID("8cef0c4a-3f3d-4802-8926-79aea22db826") }
MongoDB server version: 4.0.10
> db.createCollection('a')
{ "ok" : 1 }
> db.getCollectionNames()
[ "a" ]
> use eryajf
switched to db eryajf
> db.getCollectionNames()
[ "a", "b", "c", "d" ]4,更改用户权限
其实更改权限无非就是更改用户的角色,因为在 MongoDB 中,角色决定了不同用户的不同权限。
先查看一下当前用户的角色
[root@localhost bin]$mongo -uroot -ptest1 admin
MongoDB shell version v4.0.10
connecting to: mongodb://127.0.0.1:27017/admin?gssapiServiceName=mongodb
Implicit session: session { "id" : UUID("dbda85c8-7a90-4143-a31c-7a8ea58b80cc") }
MongoDB server version: 4.0.10
Server has startup warnings:
2019-07-04T18:06:24.623+0800 I CONTROL [initandlisten] ** WARNING: You are running this process as the root user, which is not recommended.
2019-07-04T18:06:24.623+0800 I CONTROL [initandlisten]
> use eryajf
switched to db eryajf
> show users
{
"_id" : "eryajf.test",
"userId" : UUID("3bd64373-13c5-4a47-95f9-92a2433c0bf4"),
"user" : "test",
"db" : "eryajf",
"roles" : [
{
"role" : "readWrite", #可以看到test用户是readWrite的角色
"db" : "eryajf"
}
],
"mechanisms" : [
"SCRAM-SHA-1",
"SCRAM-SHA-256"
]
}
{
"_id" : "eryajf.test1",
"userId" : UUID("eb2e54b8-a036-40a8-b8d4-5c8f5548ad25"),
"user" : "test1",
"db" : "eryajf",
"roles" : [
{
"role" : "read", #可以看到test1用户是read的角色
"db" : "eryajf"
}
],
"mechanisms" : [
"SCRAM-SHA-1",
"SCRAM-SHA-256"
]
}- 更改用户角色
[root@localhost bin]$mongo -uroot -ptest1 admin
MongoDB shell version v4.0.10
connecting to: mongodb://127.0.0.1:27017/admin?gssapiServiceName=mongodb
Implicit session: session { "id" : UUID("dbda85c8-7a90-4143-a31c-7a8ea58b80cc") }
MongoDB server version: 4.0.10
Server has startup warnings:
2019-07-04T18:06:24.623+0800 I CONTROL [initandlisten] ** WARNING: You are running this process as the root user, which is not recommended.
2019-07-04T18:06:24.623+0800 I CONTROL [initandlisten]
> use eryajf
switched to db eryajf
> db.updateUser("test",{roles:[{role:"dbAdmin",db:"eryajf"}]})
> show users
{
"_id" : "eryajf.test",
"userId" : UUID("3bd64373-13c5-4a47-95f9-92a2433c0bf4"),
"user" : "test",
"db" : "eryajf",
"roles" : [
{
"role" : "dbAdmin", #可以看到权限已经更新
"db" : "eryajf"
}
],
"mechanisms" : [
"SCRAM-SHA-1",
"SCRAM-SHA-256"
]
}
{
"_id" : "eryajf.test1",
"userId" : UUID("eb2e54b8-a036-40a8-b8d4-5c8f5548ad25"),
"user" : "test1",
"db" : "eryajf",
"roles" : [
{
"role" : "read",
"db" : "eryajf"
}
],
"mechanisms" : [
"SCRAM-SHA-1",
"SCRAM-SHA-256"
]
}5,删除用户
- 删除 app 用户:先登录到 admin 数据库
[root@localhost bin]$mongo -uroot -proot admin
MongoDB shell version v4.0.10
connecting to: mongodb://127.0.0.1:27017/admin?gssapiServiceName=mongodb
Implicit session: session { "id" : UUID("6edeba63-e2bf-477c-a098-965767d105b6") }
MongoDB server version: 4.0.10
Server has startup warnings:
2019-07-04T00:16:54.097+0800 I CONTROL [initandlisten] ** WARNING: You are running this process as the root user, which is not recommended.
2019-07-04T00:16:54.097+0800 I CONTROL [initandlisten]
>- 进入 test 库删除 app 用户
> use test
switched to db test
> show users
{
"_id" : "test.app",
"userId" : UUID("e25d6c21-190a-44e4-8868-868a474fcf12"),
"user" : "app",
"db" : "test",
"roles" : [
{
"role" : "readWrite",
"db" : "test"
},
{
"role" : "read",
"db" : "eryajf"
}
],
"mechanisms" : [
"SCRAM-SHA-1",
"SCRAM-SHA-256"
]
}
> db.dropUser("app")
true
> show users到这里,基本上能够体会到,MongoDB 当中那些关于角色用户权限规则的定义与配置了,MongoDB 自身已经定义好了许多个角色,这些角色针对全局,而在创建用户的时候,用户,角色,库这三个概念又是分离的,因此要多多体会,去理解三者的关系。
6,其他授权
- 创建 app 数据库的管理员:先登录到 admin 数据库
[root@localhost bin]$mongo -uroot -proot admin
MongoDB shell version v4.0.10
connecting to: mongodb://127.0.0.1:27017/admin?gssapiServiceName=mongodb
Implicit session: session { "id" : UUID("572862cc-456d-4f5f-98ea-e65054411de6") }
MongoDB server version: 4.0.10
Server has startup warnings:
2019-07-04T00:16:54.097+0800 I CONTROL [initandlisten] ** WARNING: You are running this process as the root user, which is not recommended.
2019-07-04T00:16:54.097+0800 I CONTROL [initandlisten]
> use app
switched to db app
> db.createUser({user: "admin",pwd: "admin",roles: [ { role: "dbAdmin", db: "app" } ]})
Successfully added user: {
"user" : "admin",
"roles" : [
{
"role" : "dbAdmin",
"db" : "app"
}
]
}
> show users
{
"_id" : "app.admin",
"userId" : UUID("01e196c8-2119-488b-9d11-b969db266aea"),
"user" : "admin",
"db" : "app",
"roles" : [
{
"role" : "dbAdmin",
"db" : "app"
}
],
"mechanisms" : [
"SCRAM-SHA-1",
"SCRAM-SHA-256"
]
}- 创建 app 数据库读写权限的用户并具有 clusterAdmin 权限,要当心,这个用户的权限可是相当大的。
[root@localhost bin]$mongo -uroot -proot admin
MongoDB shell version v4.0.10
connecting to: mongodb://127.0.0.1:27017/admin?gssapiServiceName=mongodb
Implicit session: session { "id" : UUID("572862cc-456d-4f5f-98ea-e65054411de6") }
MongoDB server version: 4.0.10
Server has startup warnings:
2019-07-04T00:16:54.097+0800 I CONTROL [initandlisten] ** WARNING: You are running this process as the root user, which is not recommended.
2019-07-04T00:16:54.097+0800 I CONTROL [initandlisten]
> use app
switched to db app
> db.createUser({user: "super-app",pwd: "super-app",roles: [ { role: "readWrite", db: "app" },{ role: "clusterAdmin", db: "admin" }]})
Successfully added user: {
"user" : "super-app",
"roles" : [
{
"role" : "readWrite",
"db" : "app"
},
{
"role" : "clusterAdmin",
"db" : "admin"
}
]
}
> show users
{
"_id" : "app.super-app",
"userId" : UUID("7533af91-3063-4460-8cb5-f77061eb5680"),
"user" : "super-app",
"db" : "app",
"roles" : [
{
"role" : "readWrite",
"db" : "app"
},
{
"role" : "clusterAdmin",
"db" : "admin"
}
],
"mechanisms" : [
"SCRAM-SHA-1",
"SCRAM-SHA-256"
]
}4,官方文档
如果想要更加深入钻研用户权限问题,可以参考官方文档:https://docs.mongodb.com/manual/reference/method/js-user-management/