一、权限:
一,不使用 --auth
1.首先,不使用--auth参数启动MongoDB:
./mongodb-linux-i686-3.0.0/bin/mongod -f mongodb-linux-i686-3.0.0/mongodb.conf
2.接着,在命令窗口中输入:
show dbs
看到只有一个local数据库,admin是不存在的(这是3.0以上版本改变了的),我们需要自己给他创建个admin数据库。
3.打开 mongo shell:
./mongodb-linux-i686-3.0.0/bin/mongo
4.添加管理用户
use admin db.createUser( { user: "admin", pwd: "admin", roles: [ { role: "userAdminAnyDatabase", db: "admin" } ] } )
roles 中的 db 参数是必须的,不然会报错:Error: couldn’t add user: Missing expected field “db”。另外,有很多文章记录的是使用 db.addUser(…) 方法,这个方法是旧版的,3.0中已经不存在。详细:点击打开链接
5.切换到admin下,查看刚才创建的用户:
show users
或
db.system.users.find()
{ "_id" : "admin.buru", "user" : "admin", "db" : "admin", "credentials" : { "SCRAM-SHA-1" : { "iterationCount" : 10000, "salt" : "gwVwuA/dXvxgSHavEnlyvA==", "storedKey" : "l2QEVTEujpkCuqDEKqfIWbSv4ms=", "serverKey" : "M1ofNKXg2sNCsFrBJbX4pXbSgvg=" } }, "roles" : [ { "role" : "userAdminAnyDatabase", "db" : "admin" } ] }
怎么关闭 mongoDB?千万不要 kill -9 pid,可以 kill -2 pid 或 db.shutdownServer()
二,使用--auth
1.使用--auth参数启动MongoDB:
./mongodb-linux-i686-3.0.0/bin/mongod --auth -f mongodb-linux-i686-3.0.0/mongodb.conf
2.再次打开 mongo shell:
./mongodb-linux-i686-3.0.0/bin/mongo use admin db.auth("admin","admin") #认证,返回1表示成功 或 ./mongodb-linux-i686-3.0.0/bin/mongo -u admin -p admin --authenticationDatabase admin
此时
show collections
报错
2015-03-17T10:15:56.011+0800 EQUERYError: listCollections failed: { "ok" : 0, "errmsg" : "not authorized on admin to execute command { listCollections: 1.0 }", "code" : 13 } at Error (<anonymous>) at DB._getCollectionInfosCommand (src/mongo/shell/db.js:643:15) at DB.getCollectionInfos (src/mongo/shell/db.js:655:20) at DB.getCollectionNames (src/mongo/shell/db.js:666:17) at shellHelper.show (src/mongo/shell/utils.js:625:12) at shellHelper (src/mongo/shell/utils.js:524:36) at (shellhelp2):1:1 at src/mongo/shell/db.js:643
因为,用户admin只有用户管理的权限。
3.下面创建用户,用户都跟着库走,创建的用户都是
use test db.createUser( { user: "test1", pwd: "test1", roles: [ { role: "readWrite", db: "test" } ] } )
4.查看刚刚创建的用户
show users
{ "_id" : "test.test1", "user" : "test1", "db" : "test", "roles" : [ { "role" : "readWrite", "db" : "test" } ] }
5.查看整个mongoDB全部的用户:
use admin db.system.users.find() use admin db.system.users.find() { "_id" : "admin.admin", "user" : "admin", "db" : "admin", "credentials" : { "SCRAM-SHA-1" : { "iterationCount" : 10000, "salt" : "gwVwuA/dXvxgSHavEnlyvA==", "storedKey" : "l2QEVTEujpkCuqDEKqfIWbSv4ms=", "serverKey" : "M1ofNKXg2sNCsFrBJbX4pXbSgvg=" } }, "roles" : [ { "role" : "userAdminAnyDatabase", "db" : "admin" } ] } { "_id" : "test.test1", "user" : "test1", "db" : "test", "credentials" : { "SCRAM-SHA-1" : { "iterationCount" : 10000, "salt" : "//xy1V1fbqEHC1gzQqZHGQ==", "storedKey" : "ZS/o54zzl/FdcXLQJ98KdAVTfF0=", "serverKey" : "iIpNYz2Gk8KhyK3zgz6muBt0PI4=" } }, "roles" : [ { "role" : "readWrite", "db" : "test" } ] }
6.创建完毕,验证一下:
use admin show collections 2015-03-17T10:30:06.461+0800 EQUERYError: listCollections failed: { "ok" : 0, "errmsg" : "not authorized on buru to execute command { listCollections: 1.0 }", "code" : 13 } at Error (<anonymous>) at DB._getCollectionInfosCommand (src/mongo/shell/db.js:643:15) at DB.getCollectionInfos (src/mongo/shell/db.js:655:20) at DB.getCollectionNames (src/mongo/shell/db.js:666:17) at shellHelper.show (src/mongo/shell/utils.js:625:12) at shellHelper (src/mongo/shell/utils.js:524:36) at (shellhelp2):1:1 at src/mongo/shell/db.js:643
7.显然没权限,先auth:
db.auth("test1","test1") 1 show collections news system.indexes
二、role类型:
数据库用户角色(Database User Roles):
- read:授予User只读数据的权限
- readWrite:授予User读写数据的权限
数据库管理角色(Database Administration Roles):
- dbAdmin:在当前dB中执行管理操作
- dbOwner:在当前DB中执行任意操作
- userAdmin:在当前DB中管理User
备份和还原角色(Backup and Restoration Roles):
- backup
- restore
跨库角色(All-Database Roles):
- readAnyDatabase:授予在所有数据库上读取数据的权限
- readWriteAnyDatabase:授予在所有数据库上读写数据的权限
- userAdminAnyDatabase:授予在所有数据库上管理User的权限
- dbAdminAnyDatabase:授予管理所有数据库的权限
集群管理角色(Cluster Administration Roles):
- clusterAdmin:授予管理集群的最高权限
- clusterManager:授予管理和监控集群的权限,A user with this role can access the config and local databases, which are used in sharding and replication, respectively.
- clusterMonitor:授予监控集群的权限,对监控工具具有readonly的权限
- hostManager:管理Server
三、设置超级管理员
1)不带--auth参数启动数据库,所以不需要帐号即可连上MongoDB。
2)新建一个角色,比如叫 sysadmin,需要先切换到admin库进行如下操作
> use admin switched to db admin > db.createRole({role:'sysadmin',roles:[], ... privileges:[ ... {resource:{anyResource:true},actions:['anyAction']} ... ]})
3)然后,新建一个用户,使用这个角色,注意,这个角色的db是admin,操作如下:
> use woplus switched to db woplus > db.createUser({ ... user:'woplus', ... pwd:'wo@1990', ... roles:[ ... {role:'sysadmin',db:'admin'} ... ]})
4)OK,我们看看效果。先看看用户情况,如下:
> use admin switched to db admin > db.system.users.find() { "_id" : "admin.root", "user" : "root", "db" : "admin", "credentials" : { "MONGODB-CR" : "dfda4d4e75995650c3e1b3f2b65b1920" }, "roles" : [ { "role" : "root", "db" : "admin" } ] } { "_id" : "woplus.woplus", "user" : "woplus", "db" : "woplus", "credentials" : { "MONGODB-CR" : "bcabae4fe4d7951fad37cb2d099437e8" }, "roles" : [ { "role" : "sysadmin", "db" : "admin" } ] }
5)然后,我们重启数据库,加上 --auth 参数。
再从客户端使用帐号登录MongoDB。
./mongo -u woplus -p wo@1990 192.168.1.84/woplus MongoDB shell version: 2.6.8 connecting to: 192.168.1.84/woplus > > use woplus switched to db woplus > db.eval('return 222') 222