database 在 Mongo 数据库实例中为特定数据库创建只读用户
声明:本页面是StackOverFlow热门问题的中英对照翻译,遵循CC BY-SA 4.0协议,如果您需要使用它,必须同样遵循CC BY-SA许可,注明原文地址和作者信息,同时你必须将它归于原作者(不是我):StackOverFlow
原文地址: http://stackoverflow.com/questions/21256293/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, But you must attribute it to the original authors (not me):
StackOverFlow
Create Read only user in Mongo DB Instance for a particular database
提问by user3111436
I have created a user "mongo01testro" in mongo01test database.
我在 mongo01test 数据库中创建了一个用户“mongo01testro”。
use mongo01test
db.addUser( "mongo01testro", "pwd01", true );
db.system.users.find();
{ "_id" : ObjectId("53xyz"), "user" : "mongo01testro", "readOnly" : true, "pwd" : "b9eel61" }
When I logged in from another session as this new created user, I am able to insert documents in collection which is strange.
当我以这个新创建的用户身份从另一个会话登录时,我能够在集合中插入文档,这很奇怪。
I am looking to do following:
我希望做以下事情:
- Create 2 separate users one for read only and one for read write for each database.
- Create admin user which have sysadmin/dba access to all the databases in Mongodb instance used for Backup/Recovery or admin purpose.
- 为每个数据库创建 2 个单独的用户,一个用于只读,一个用于读写。
- 创建管理员用户,该用户对 Mongodb 实例中用于备份/恢复或管理目的的所有数据库具有 sysadmin/dba 访问权限。
Please kindly help.
请帮助。
Regards, Parag
问候, 帕拉格
回答by Andrei.Danciuc
You forgot --auth to enable
你忘了 --auth 启用
Create Users
创建用户
// ensure that we have new db, no roles, no users
use products
db.dropDatabase()
// create admin user
use products
db.createUser({
"user": "prod-admin",
"pwd": "prod-admin",
"roles": [
{"role": "clusterAdmin", "db": "admin" },
{"role": "readAnyDatabase", "db": "admin" },
"readWrite"
]},
{ "w": "majority" , "wtimeout": 5000 }
)
// login via admin acont in order to create readonly user
// mongo --username=prod-admin --password=prod-admin products
db.createUser({
"user": "prod-r",
"pwd": "prod-r",
"roles": ["read"]
})
Enable auth:
启用身份验证:
sudo vim /etc/mongod.conf # edit file
# Turn on/off security. Off is currently the default
#noauth = true
auth = true
sudo service mongod restart # reload configuiration
Check write restriction:
检查写入限制:
# check if write operation for readonly user
$ mongo --username=prod-r --password=prod-r products
MongoDB shell version: 2.6.4
connecting to: products
> db.laptop.insert({"name": "HP"})
WriteResult({
"writeError" : {
"code" : 13,
"errmsg" : "not authorized on products to execute command { insert: \"laptop\", documents: [ { _id: ObjectId('53ecb7115f0bfc61d8b1113e'), name: \"HP\" } ], ordered: true }"
}
})
# check write operation for admin user
$ mongo --username=prod-admin --password=prod-admin products
MongoDB shell version: 2.6.4
connecting to: products
> db.laptop.insert({"name": "HP"})
WriteResult({ "nInserted" : 1 })
# check read operation for readonly user
$ mongo --username=prod-r --password=prod-r products
MongoDB shell version: 2.6.4
connecting to: products
> db.laptop.findOne()
{ "_id" : ObjectId("53ecb54798da304f99625d05"), "name" : "HP" }
回答by Victor Axelsson
MongoDB changed the way it handles users in versions >= 2.2 and 2.6 and if you are updating mongodb you will have to Upgrade User Authorization Data to 2.6 Format.
MongoDB 在版本 >= 2.2 和 2.6 中更改了处理用户的方式,如果您要更新 mongodb,则必须将User Authorization Data 升级到 2.6 Format。
In versions < 2.2(legacy) you use the db.addUser(username, password, readOnly)function as @Hüseyin BABAL suggested. If you are using version > 2.2 or 2.6 you have a lot more control over what you can do with roles and privileges.
在版本 < 2.2(legacy) 中,您使用db.addUser(username, password, readOnly)@Hüseyin BABAL 建议的函数。如果您使用的版本大于 2.2 或 2.6,则您可以更好地控制角色和权限的操作。
So assuming you use mongo v > 2.6 you can create something like:
因此,假设您使用 mongo v > 2.6,您可以创建如下内容:
use admin
db.createUser({
user: "myUsername",
pwd: "mypwd",
roles: [{
role: "userAdminAnyDatabase",
db: "admin"
}]
})
db.addUser({
user: "username",
pwd: "password",
roles: [{
role: "readWrite",
db: "myDBName"
}]
})
You can use the Build in Rolesor you can even create custom roles.
So as you can see you clearly have a lot more options when using v > 2.6 when it comes to authentication and role management.
因此,如您所见,在使用 v > 2.6 进行身份验证和角色管理时,您显然有更多选择。
回答by ThilankaD
if the Access control is enabled on the MongoDB deployment, Then you should login by authenticating to the relevant database with admin user (or user with userAdmin role) which you want to control the access. to do that
如果在 MongoDB 部署上启用了访问控制,那么您应该通过使用要控制访问的管理员用户(或具有 userAdmin 角色的用户)对相关数据库进行身份验证来登录。要做到这一点
mongo <db_name> -u <user_name> -p <user_password>
ex: mongo mongo01test -u admin -p admin_paaswrod
前任: mongo mongo01test -u admin -p admin_paaswrod
then execute the following query to create a read only userfor current connected database,
然后执行以下查询为当前连接的数据库创建只读用户,
db.createUser({user:"user_name",pwd:"password",roles:[{role:"read", db:"db_name"}]});
ex:db.createUser({user:"user_rd",pwd:"password",roles:[{role:"read", db:"mongo01test"}]});
前任:db.createUser({user:"user_rd",pwd:"password",roles:[{role:"read", db:"mongo01test"}]});
create a user with both readWrite access,
创建一个具有读写访问权限的用户,
db.createUser({user:"user_name",pwd:"password",roles:[{role:"readWrite", db:"db_name"}]});
ex:db.createUser({user:"user_rw",pwd:"pass_rw",roles:[{role:"readWrite", db:"mongo01test"}]});
前任:db.createUser({user:"user_rw",pwd:"pass_rw",roles:[{role:"readWrite", db:"mongo01test"}]});
to create a user with admin privileges,
创建具有管理员权限的用户,
use admin;
db.createUser({user:"admin_user_name",pwd:"password", roles:[{role:"dbAdmin", db:"admin"},{role:"readWriteAnyDatabase", db:"admin"},{role:"backup", db:"admin"},{role:"restore", db:"admin"}]});
回答by Hüseyin BABAL
Here is my scneario;
这是我的场景;
// Create admin user
use admin
db.addUser('root', 'strong_password');
// Read only user
use dbforuser1
db.addUser('user1', 'user1_pass', true);
// Read / Write access
use dbforuser2
db.addUser('user2', 'user2_pass');
If you want to login to dbforuser1
如果你想登录到 dbforuser1
use dbforuser1
db.auth('user1', 'user1_pass')
