MongoDB 基础安全性-权限操作

和其他数据库一样,MongoDB 的权限管理思路也大同小异。MongoDB 把所有用户信息保存在 admin 数据库的 system.users 集合中,包括用户名、密码凭据和用户所属的数据库。MongoDB 默认不启用授权认证:只要能连接到该服务器的端口,无需任何凭据就可以操作 mongod。若要启用安全认证,需要修改配置文件中的 auth 参数。
以下测试理解

查看数据库:

> show dbs

发现 admin 数据库竟然还不存在,于是直接在 admin 中创建用户 admin(userAdminAnyDatabase 角色可以管理所有数据库的用户和角色,因此这个账户的密码应设得足够强并妥善保管):

    use admin  
    // User-administration account. userAdminAnyDatabase can manage users and
    // roles in every database, so the sample password below is a placeholder
    // that should be replaced with a strong one.
    var adminUser = {
      user: "admin",
      pwd: "admin123456",
      roles: [ { role: "userAdminAnyDatabase", db: "admin" } ]
    };
    db.createUser(adminUser)

创建成功后,再查看 admin 中的集合,已经有数据了:

    > show collections  
    system.indexes  
    system.users  
    system.version  

查看这 3 个集合的内容(注意 system.users 中保存的是加盐后的 SCRAM-SHA-1 凭据而不是明文密码,这些凭据同样不应对外泄露):

    > db.system.users.find();  
    { "_id" : "admin.admin", "user" : "admin", "db" : "admin", "credentials" : { "SCRAM-SHA-1" : { "iterationCount" : 10000, "salt" : "cFISfpbm04pmIFpqiL340g==", "storedKey" : "WG1DSEEEHUZUBjsjsnEA4RFVY2M=", "serverKey" : "9Lm+IX6l9kfaE/4C25/ghsQpDkE=" } }, "roles" : [ { "role" : "userAdminAnyDatabase", "db" : "admin" } ] }  
    >   
    > db.system.indexes.find();  
    { "v" : 1, "key" : { "_id" : 1 }, "name" : "_id_", "ns" : "admin.system.version" }  
    { "v" : 1, "key" : { "_id" : 1 }, "name" : "_id_", "ns" : "admin.system.users" }  
    { "v" : 1, "unique" : true, "key" : { "user" : 1, "db" : 1 }, "name" : "user_1_db_1", "ns" : "admin.system.users" }  
    >   
    > db.system.version.find();  
    { "_id" : "authSchema", "currentVersion" : 5 }  
    >   

3.0.3 起,MongoDB 加入了 SCRAM-SHA-1 认证方式,一些尚未支持该方式的第三方工具需要额外处理才能完成认证,下面给出具体解决办法:
把 system.version 文档里的 authSchema 版本从初始安装时的 5 改为 3。这实际上是回退到更旧、更弱的 MONGODB-CR 认证机制,只应作为旧客户端的临时变通方案,更稳妥的做法是升级客户端或驱动以支持 SCRAM-SHA-1。命令行如下:

> use admin
switched to db admin
>  var schema = db.system.version.findOne({"_id" : "authSchema"})
> schema.currentVersion = 3
3
> db.system.version.save(schema)
WriteResult({ "nMatched" : 1, "nUpserted" : 0, "nModified" : 1 }) 

现在启用 auth:
[root@localhost ~]# vi /etc/mongod.conf

auth=true 

3.0.8以上版本

security:
  authorization: enabled

重启 mongod 服务:
[root@localhost ~]# service mongod restart
不带凭据直接登录并查看数据库列表,发现已经无权操作了:
[root@localhost ~]# mongo

    [root@localhost ~]# mongo  
    MongoDB shell version: 3.0.2  
    connecting to: test  
    > show dbs  
    2015-05-09T21:57:03.176-0700 E QUERY    Error: listDatabases failed:{  
        "ok" : 0,  
        "errmsg" : "not authorized on admin to execute command { listDatabases: 1.0 }",  
        "code" : 13  
    }  
        at Error ()  
        at Mongo.getDBs (src/mongo/shell/mongo.js:47:15)  
        at shellHelper.show (src/mongo/shell/utils.js:630:33)  
        at shellHelper (src/mongo/shell/utils.js:524:36)  
        at (shellhelp2):1:1 at src/mongo/shell/mongo.js:47  
    >   

刚才的账户 admin 是在 admin 数据库中创建的,因此必须先切换到 admin 数据库再进行认证(在其他 db 上认证会失败):

[root@localhost ~]# mongo  
MongoDB shell version: 3.0.2  
connecting to: test  
>  
> db.auth("admin","admin123456")  
Error: 18 Authentication failed.  
0  
> use log  
switched to db log  
> db.auth("admin","admin123456")  
Error: 18 Authentication failed.  
0  
> use admin  
switched to db admin  
> db.auth("admin","admin123456")  
1  
>

db.auth("admin","admin123456") 返回值为 1,说明登录成功!执行完 db.auth("admin","admin123456") 之后,这一行不会被记录到 shell 的命令历史中。
接下来以 admin 身份在 admin 数据库中创建另一个用户 "zeno":

    // Application account limited to the log database; readWrite grants no
    // user or role management. Sample password only.
    var zenoUser = { user: "zeno", pwd: "zeno123456" };
    zenoUser.roles = [ { role: "readWrite", db: "log" } ];
    db.createUser(zenoUser)

也可以为用户授予或撤销角色:

    // Grant a role:  db.grantRolesToUser( "userName" , [ { role: "", db: "" } ])
    // dbOwner is the broadest per-database role: it includes user administration
    // on log, so it is a strict superset of the readWrite role revoked below.
    var logOwner = [ { role: "dbOwner", db: "log" } ];
    db.grantRolesToUser("zeno", logOwner);
    // Revoke a role: db.revokeRolesFromUser( "userName" , [ { role: "", db: "" } ])
    var logReadWrite = [ { role: "readWrite", db: "log" } ];
    db.revokeRolesFromUser("zeno", logReadWrite);

因为 zeno 是在 admin 数据库中创建的,所以只能在 admin 数据库中认证(用户归属于创建它时所在的那个数据库):

    > db.auth("zeno","zeno123456")  
    Error: 18 Authentication failed.  
    0  
    >   
    > db  
    log  
    > use admin  
    switched to db admin  
    > db.auth("zeno","zeno");  
    1  
    >   

认证通过后,就可以切换到角色所授权的数据库 log 进行相关操作:

    > use log  
    switched to db log  
    >   
    > db.tab.save({"id":999});  
    WriteResult({ "nInserted" : 1 })  
    >   
    > db.tab.find({"id":999});  
    { "_id" : ObjectId("554ef5ac1b590330c00c7d02"), "id" : 999 }  
    >   
    > show collections  
    system.indexes  
    tab  
    >   

创建用户时也可以直接在其所属的数据库中创建,这样就不必每次都先进入 admin 数据库认证后再切换。例如在数据库 "log" 中创建用户 "userkk"。

    use admin  

    db.auth("admin","admin123456")  

    use log  

    // Created while log is the current database, so this account is stored as
    // log.zeno and is separate from the admin.zeno account created earlier.
    // dbOwner gives full control of the log database (including its users and
    // roles), which is much more than the readWrite role used before.
    var logOwnerUser = {
      user: "zeno",
      pwd: "zeno123456",
      roles: [ { role: "dbOwner", db: "log" } ]
    };
    db.createUser(logOwnerUser)

    // Authenticate against log directly; no detour through admin is needed.
    db.auth("zeno","zeno123456")  

现在授权测试:
#先访问到admin数据库

    // Authenticate as the user administrator (created in admin) before
    // defining roles in the log database below.
    use admin  
    db.auth("admin","admin123456")  

#切换到 log,在数据库 log 中创建角色
#roles: 在数据库 "log" 中创建角色 "testRole"
#privileges: 该角色只能查看("find")数据库 "log" 的所有集合
#db.dropRole("testRole") 可删除该角色

    use log  

    // Custom role scoped to the log database. collection: "" means every
    // collection in that db; the only action granted is find, i.e. read-only.
    // roles: [] means it inherits nothing from built-in roles.
    var findOnly = { resource: { db: "log", collection: "" }, actions: [ "find" ] };
    db.createRole({
      role: "testRole",
      privileges: [ findOnly ],
      roles: []
    })

#自定义角色保存在 admin 数据库中新生成的集合 system.roles 里,查看角色:

> use admin
switched to db admin
> 
> show collections
system.indexes
system.roles
system.users
system.version
> 
> db.system.roles.find();
{ "_id" : "log.testRole", "role" : "testRole", "db" : "log", "privileges" : [ { "resource" : { "db" : "log", "collection" : "" }, "actions" : [ "find" ] } ], "roles" : [ ] }
> 

#回到 log,在数据库 log 中创建用户并授予角色 "testRole"
#db.dropUser("userkk") 可删除该用户

use log
// Test account whose only role is the custom testRole (find on every
// collection of log). The password equals the user name here, which is
// fine for a local experiment only.
var testUser = { user: "userkk", pwd: "userkk" };
testUser.roles = [ { role: "testRole", db: "log" } ];
db.createUser(testUser)

退出 mongodb,重新登录后进行操作,发现只能使用 find。(这一步测试的对象应是只拥有 testRole 角色的用户 userkk;下面会话中显示的 zeno 已拥有 log 的 dbOwner 角色,疑为笔误。)
>exit

[root@localhost ~]# mongo
MongoDB shell version: 3.0.2
connecting to: test
> use log
switched to db log
> 
> db.auth("zeno","zeno123456")
1
> 
> db.tab.find({"id":999})
{ "_id" : ObjectId("554ef5ac1b590330c00c7d02"), "id" : 999 }
> 
> db.tab.insert({"id":1000})
WriteResult({
	"writeError" : {
		"code" : 13,
		"errmsg" : "not authorized on log to execute command { insert: \"tab\", documents: [ { _id: ObjectId('554f145cdf782b42499d80e5'), id: 1000.0 } ], ordered: true }"
	}
})
> 

给角色 "testRole" 添加 3 个权限(privileges):"update"、"insert"、"remove",然后重新操作。

use admin
db.auth("admin","admin123456")
use log
// Extend testRole in place: these actions are added to the existing find
// privilege on every collection of the log database, so the role is no
// longer read-only.
var writeActions = [ "update", "insert", "remove" ];
db.grantPrivilegesToRole("testRole", [
  { resource: { db: "log", collection: "" }, actions: writeActions }
])

// Leave the shell and log in again before retrying the writes
exit
use log
// NOTE(review): the privilege test is about userkk (testRole); zeno holds
// dbOwner on log, so confirm which account this session is meant to use.
db.auth("zeno","zeno123456")
// Insert, read and delete now all succeed
db.tab.insert({"id":1000})
var byId = {"id":1000}
db.tab.find(byId)
db.tab.remove(byId)
// The role document in admin.system.roles now reads:
> db.system.roles.find();
{ "_id" : "log.testRole", "role" : "testRole", "db" : "log", "privileges" : [ { "resource" : { "db" : "log", "collection" : "" }, "actions" : [ "find", "insert", "remove", "update" ] } ], "roles" : [ ] }
> 

#更改角色的 roles:updateRole 会用新值整体替换原有的 roles 数组;同样,privileges 也可以这样整体更新替换!~

    use admin  
    db.auth("admin","admin123456")  
    use log  
    // updateRole replaces the roles array wholesale: testRole now inherits
    // readWrite on log in addition to its own privileges. w: "majority" waits
    // for the change to be acknowledged by a majority of the replica set.
    var inheritReadWrite = { roles: [ { role: "readWrite", db: "log" } ] };
    db.updateRole("testRole", inheritReadWrite, { w: "majority" })
    db.auth("zeno","zeno123456")  
    show dbs  
