【MongoDB 安全篇】MongoDB权限、角色管理

目录

1 软件环境

2 权限、角色管理

2.1 创建角色

2.1.1 语法

2.1.2 示例

2.2 查询角色

2.2.1 语法

2.2.2 示例

2.3 查询所有角色

2.3.1 语法

2.3.2 示例

2.4 删除角色

2.4.1 语法

2.4.2 示例

2.5 删除所有角色

2.5.1 语法

2.5.2 示例

2.6 修改角色

2.6.1 语法

2.6.2 示例

2.7 授予角色权限

2.7.1 语法

2.7.2 示例

2.8 收回角色权限

2.8.1 语法

2.8.2 示例

2.9 授予角色角色

2.9.1 语法

2.9.2 示例

2.10 收回角色角色

2.10.1 语法

2.10.2 示例


MongoDB提供了各种特性,例如身份验证、访问控制、加密以保护MongoDB服务器。本篇主要对MongoDB下的权限及角色相关的指令进行总结。

1 软件环境

使用的软件分别为:

  • VirtualBox 5.2
  • Oracle Linux 6.7
  • MongoDB 4.2.0

2 权限、角色管理

2.1 创建角色

在运行该命令所在的数据库上创建角色,可以通过为角色显式指定权限,或者继承其它角色的权限实现。

2.1.1 语法

db.createRole(role, writeConcern)

其中,role是文档格式,有下面的形式:

{
role: "",
privileges: [
{ resource: {  }, actions: [ "", ... ] },
...
],
roles: [
{ role: "", db: "" } | "",
...
],
authenticationRestrictions: [
{
clientSource: ["" | "", ...],
serverAddress: ["" | "", ...]
},
...
]
}

resource:说明是什么,可以是database、collection、collections或者cluster;

action:说明要干什么,即在resource上的操作。

2.1.2 示例

> use admin
> db.createRole(
... {
... role:"rd",
... privileges:[
... {resource:{db:"hr",collection:""},actions:["find","insert"]}
... ],
... roles:[{role:"read",db:"admin"}]
... }
... )
{
"role" : "rd",
"privileges" : [
{
"resource" : {
"db" : "hr",
"collection" : ""
},
"actions" : [
"find",
"insert"
]
}
],
"roles" : [
{
"role" : "read",
"db" : "admin"
}
]
}

2.2 查询角色

查看角色信息,可用于查询用户自定义角色以及内建角色。

2.2.1 语法

db.getRole(rolename, args)

其中,rolename是角色名称,字符串类型;args是文档类型,具体选项如下:

  • showBuiltinRoles,布尔类型,用于显示内建角色,
  • showPrivileges,布尔类型,用于显示角色权限,包含直接定义的权限,以及从其它角色继承的权限。

2.2.2 示例

示例1:

> db.getRole("rd")
{
"role" : "rd",
"db" : "admin",
"isBuiltin" : false,
"roles" : [
{
"role" : "read",
"db" : "admin"
}
],
"inheritedRoles" : [
{
"role" : "read",
"db" : "admin"
}
]
}

示例2:

> db.getRole("rd",{showBuiltinRoles:true,showPrivileges:true})
{
"role" : "rd",
"db" : "admin",
"isBuiltin" : false,
"roles" : [
{
"role" : "read",
"db" : "admin"
}
],
"inheritedRoles" : [
{
"role" : "read",
"db" : "admin"
}
],
"privileges" : [
{
"resource" : {
"db" : "hr",
"collection" : ""
},
"actions" : [
"find",
"insert"
]
}
],
"inheritedPrivileges" : [
{
"resource" : {
"db" : "hr",
"collection" : ""
},
"actions" : [
"find",
"insert"
]
},
{
"resource" : {
"db" : "admin",
"collection" : ""
},
"actions" : [
"changeStream",
"collStats",
"dbHash",
"dbStats",
"find",
"killCursors",
"listCollections",
"listIndexes",
"planCacheRead"
]
},
{
"resource" : {
"db" : "admin",
"collection" : "system.js"
},
"actions" : [
"changeStream",
"collStats",
"dbHash",
"dbStats",
"find",
"killCursors",
"listCollections",
"listIndexes",
"planCacheRead"
]
}
]
}

2.3 查询所有角色

查询在某个数据库中所有用户自定义的角色信息。

2.3.1 语法

db.getRoles()

该命令不带参数时返回数据库用户自定义的角色信息,带参数时可以显示更多的信息,具体参数如下:

  • rolesInfo:整数类型,设置为1,返回所有用户自定义的角色;
  • showPrivileges:布尔类型,设置为true,查询角色权限,包括直接定义的和从其它角色继承的权限信息;
  • showBuiltinRoles:布尔类型,设置为true,查询内建的和用户自定义的角色信息。

2.3.2 示例

示例1:

> use admin
switched to db admin
> db.getRoles()
[
{
"role" : "rd",
"db" : "admin",
"isBuiltin" : false,
"roles" : [
{
"role" : "read",
"db" : "admin"
}
],
"inheritedRoles" : [
{
"role" : "read",
"db" : "admin"
}
]
}
]

示例2:

> db.getRoles({rolesInfo:1,showBuiltinRoles:true})
[
{
"role" : "__queryableBackup",
"db" : "admin",
"isBuiltin" : true,
"roles" : [ ],
"inheritedRoles" : [ ]
},
{
"role" : "__system",
"db" : "admin",
"isBuiltin" : true,
"roles" : [ ],
"inheritedRoles" : [ ]
},
{
"role" : "backup",
"db" : "admin",
"isBuiltin" : true,
"roles" : [ ],
"inheritedRoles" : [ ]
},
{
"role" : "clusterAdmin",
"db" : "admin",
"isBuiltin" : true,
"roles" : [ ],
"inheritedRoles" : [ ]
},
{
"role" : "clusterManager",
"db" : "admin",
"isBuiltin" : true,
"roles" : [ ],
"inheritedRoles" : [ ]
},
{
"role" : "clusterMonitor",
"db" : "admin",
"isBuiltin" : true,
"roles" : [ ],
"inheritedRoles" : [ ]
},
{
"role" : "dbAdmin",
"db" : "admin",
"isBuiltin" : true,
"roles" : [ ],
"inheritedRoles" : [ ]
},
{
"role" : "dbAdminAnyDatabase",
"db" : "admin",
"isBuiltin" : true,
"roles" : [ ],
"inheritedRoles" : [ ]
},
{
"role" : "dbOwner",
"db" : "admin",
"isBuiltin" : true,
"roles" : [ ],
"inheritedRoles" : [ ]
},
{
"role" : "enableSharding",
"db" : "admin",
"isBuiltin" : true,
"roles" : [ ],
"inheritedRoles" : [ ]
},
{
"role" : "hostManager",
"db" : "admin",
"isBuiltin" : true,
"roles" : [ ],
"inheritedRoles" : [ ]
},
{
"role" : "rd",
"db" : "admin",
"isBuiltin" : false,
"roles" : [
{
"role" : "read",
"db" : "admin"
}
],
"inheritedRoles" : [
{
"role" : "read",
"db" : "admin"
}
]
},
{
"role" : "read",
"db" : "admin",
"isBuiltin" : true,
"roles" : [ ],
"inheritedRoles" : [ ]
},
{
"role" : "readAnyDatabase",
"db" : "admin",
"isBuiltin" : true,
"roles" : [ ],
"inheritedRoles" : [ ]
},
{
"role" : "readWrite",
"db" : "admin",
"isBuiltin" : true,
"roles" : [ ],
"inheritedRoles" : [ ]
},
{
"role" : "readWriteAnyDatabase",
"db" : "admin",
"isBuiltin" : true,
"roles" : [ ],
"inheritedRoles" : [ ]
},
{
"role" : "restore",
"db" : "admin",
"isBuiltin" : true,
"roles" : [ ],
"inheritedRoles" : [ ]
},
{
"role" : "root",
"db" : "admin",
"isBuiltin" : true,
"roles" : [ ],
"inheritedRoles" : [ ]
},
{
"role" : "userAdmin",
"db" : "admin",
"isBuiltin" : true,
"roles" : [ ],
"inheritedRoles" : [ ]
},
{
"role" : "userAdminAnyDatabase",
"db" : "admin",
"isBuiltin" : true,
"roles" : [ ],
"inheritedRoles" : [ ]
}
]

2.4 删除角色

删除用户自定义的角色信息。

2.4.1 语法

db.dropRole(rolename, writeConcern)

其中,rolename是字符类型,为角色的名称。

2.4.2 示例

> use admin
switched to db admin
> db.dropRole("rd")
true
> db.getRoles()
[ ]

2.5 删除所有角色

删除数据库中所有用户自定义的角色信息。

2.5.1 语法

db.dropAllRoles(writeConcern)

2.5.2 示例

> use admin
> db.createRole({role:"r1",privileges:[{resource:{db:"hr",collection:""},actions:["find"]}],roles:[]})
{
"role" : "r1",
"privileges" : [
{
"resource" : {
"db" : "hr",
"collection" : ""
},
"actions" : [
"find"
]
}
],
"roles" : [ ]
}
> db.createRole({role:"r2",privileges:[{resource:{db:"test",collection:""},actions:["find","insert"]}],roles:["readWrite"]})
{
"role" : "r2",
"privileges" : [
{
"resource" : {
"db" : "test",
"collection" : ""
},
"actions" : [
"find",
"insert"
]
}
],
"roles" : [
"readWrite"
]
}
> db.dropAllRoles()
NumberLong(2)

2.6 修改角色

在运行角色的数据库中修改用户定义的角色信息。修改字段的操作是完全替换旧值,如果是授权或收回权限,可以使用授权或收回权限的方法。

2.6.1 语法

db.updateRole(
"",
{
privileges:
[
{ resource: {  }, actions: [ "", ... ] },
...
],
roles:
[
{ role: "", db: "" } | "",
...
],
authenticationRestrictions:
[
{
clientSource: ["" | "", ...],
serverAddress: ["", | "", ...]
},
...
]
},
{  }
)

2.6.2 示例

1)查看角色信息

> use admin
switched to db admin
> db.getRole("r11",{showPrivileges:true})
{
"role" : "r11",
"db" : "admin",
"isBuiltin" : false,
"roles" : [
{
"role" : "read",
"db" : "hr"
}
],
"inheritedRoles" : [
{
"role" : "read",
"db" : "hr"
}
],
"privileges" : [
{
"resource" : {
"db" : "scott",
"collection" : ""
},
"actions" : [
"find"
]
}
],
"inheritedPrivileges" : [
{
"resource" : {
"db" : "scott",
"collection" : ""
},
"actions" : [
"find"
]
},
{
"resource" : {
"db" : "hr",
"collection" : ""
},
"actions" : [
"changeStream",
"collStats",
"dbHash",
"dbStats",
"find",
"killCursors",
"listCollections",
"listIndexes",
"planCacheRead"
]
},
{
"resource" : {
"db" : "hr",
"collection" : "system.js"
},
"actions" : [
"changeStream",
"collStats",
"dbHash",
"dbStats",
"find",
"killCursors",
"listCollections",
"listIndexes",
"planCacheRead"
]
}
]
}

2)修改角色

> db.updateRole(
... "r11",
... {roles:[]}
... )

3)查看修改后的角色

> db.getRole("r11",{showPrivileges:true})
{
"role" : "r11",
"db" : "admin",
"isBuiltin" : false,
"roles" : [ ],
"inheritedRoles" : [ ],
"privileges" : [
{
"resource" : {
"db" : "scott",
"collection" : ""
},
"actions" : [
"find"
]
}
],
"inheritedPrivileges" : [
{
"resource" : {
"db" : "scott",
"collection" : ""
},
"actions" : [
"find"
]
}
]
}

2.7 授予角色权限

给用户定义的角色授予权限。

2.7.1 语法

db.grantPrivilegesToRole(
"< rolename >",
[
{ resource: {  }, actions: [ "", ... ] },
...
],
{ < writeConcern > }
)

2.7.2 示例

1)查看角色信息

> use admin
switched to db admin
> db.getRoles({showPrivileges:true})
[
{
"role" : "r11",
"db" : "admin",
"isBuiltin" : false,
"roles" : [ ],
"inheritedRoles" : [ ],
"privileges" : [
{
"resource" : {
"db" : "scott",
"collection" : ""
},
"actions" : [
"find"
]
}
],
"inheritedPrivileges" : [
{
"resource" : {
"db" : "scott",
"collection" : ""
},
"actions" : [
"find"
]
}
]
}
]

2)授予角色权限

> db.grantPrivilegesToRole(
... "r11",
... [
... {resource:{db:"hr",collection:"test"},actions:["find"]}
... ]
... )

3)查看授权后的角色信息

> db.getRole("r11",{showPrivileges:true})
{
"role" : "r11",
"db" : "admin",
"isBuiltin" : false,
"roles" : [ ],
"inheritedRoles" : [ ],
"privileges" : [
{
"resource" : {
"db" : "scott",
"collection" : ""
},
"actions" : [
"find"
]
},
{
"resource" : {
"db" : "hr",
"collection" : "test"
},
"actions" : [
"find"
]
}
],
"inheritedPrivileges" : [
{
"resource" : {
"db" : "scott",
"collection" : ""
},
"actions" : [
"find"
]
},
{
"resource" : {
"db" : "hr",
"collection" : "test"
},
"actions" : [
"find"
]
}
]
}

2.8 收回角色权限

从用户定义的角色中收回特定的权限信息,收回的权限,必须和已有的权限文档精确匹配方可进行权限的回收。

2.8.1 语法

db.revokePrivilegesFromRole(
"",
[
{ resource: {  }, actions: [ "", ... ] },
...
],
{  }
)

2.8.2 示例

1)收回权限

> use admin
switched to db admin
> db.revokePrivilegesFromRole( "r11", [{resource:{db:"scott",collection:""},actions:["find"]}] )

2)查看权限

> db.getRole("r11",{showPrivileges:true})
{
"role" : "r11",
"db" : "admin",
"isBuiltin" : false,
"roles" : [ ],
"inheritedRoles" : [ ],
"privileges" : [
{
"resource" : {
"db" : "hr",
"collection" : "test"
},
"actions" : [
"find"
]
}
],
"inheritedPrivileges" : [
{
"resource" : {
"db" : "hr",
"collection" : "test"
},
"actions" : [
"find"
]
}
]
}

2.9 授予角色角色

将角色(包括内建角色和用户定义的角色)授予用户定义的角色。

2.9.1 语法

db.grantRolesToRole( "", [  ], {  } )

2.9.2 示例

1)查看角色信息

> db.getRole("r11",{showPrivileges:true})
{
"role" : "r11",
"db" : "admin",
"isBuiltin" : false,
"roles" : [ ], <---------------角色为空
"inheritedRoles" : [ ],
"privileges" : [
{
"resource" : {
"db" : "hr",
"collection" : "test"
},
"actions" : [
"find"
]
}
],
"inheritedPrivileges" : [
{
"resource" : {
"db" : "hr",
"collection" : "test"
},
"actions" : [
"find"
]
}
]
}

2)授予角色

> db.grantRolesToRole(
... "r11",
... ["readWrite"]
... )

3)查看授权后的角色信息

> db.getRole("r11",{showPrivileges:true})
{
"role" : "r11",
"db" : "admin",
"isBuiltin" : false,
"roles" : [ <---------------授权后,角色数组包含具体的角色
{
"role" : "readWrite",
"db" : "admin"
}
],
"inheritedRoles" : [
{
"role" : "readWrite",
"db" : "admin"
}
],
"privileges" : [
{
"resource" : {
"db" : "hr",
"collection" : "test"
},
"actions" : [
"find"
]
}
],
"inheritedPrivileges" : [
{
"resource" : {
"db" : "hr",
"collection" : "test"
},
"actions" : [
"find"
]
},
{
"resource" : {
"db" : "admin",
"collection" : ""
},
"actions" : [
"changeStream",
"collStats",
"convertToCapped",
"createCollection",
"createIndex",
"dbHash",
"dbStats",
"dropCollection",
"dropIndex",
"emptycapped",
"find",
"insert",
"killCursors",
"listCollections",
"listIndexes",
"planCacheRead",
"remove",
"renameCollectionSameDB",
"update"
]
},
{
"resource" : {
"db" : "admin",
"collection" : "system.js"
},
"actions" : [
"changeStream",
"collStats",
"convertToCapped",
"createCollection",
"createIndex",
"dbHash",
"dbStats",
"dropCollection",
"dropIndex",
"emptycapped",
"find",
"insert",
"killCursors",
"listCollections",
"listIndexes",
"planCacheRead",
"remove",
"renameCollectionSameDB",
"update"
]
}
]
}

2.10 收回角色角色

从角色中收回对应的角色。

2.10.1 语法

db.revokeRolesFromRole( "", [  ], {  } )

2.10.2 示例

1)收回角色信息

> use admin
switched to db admin
> db.revokeRolesFromRole(
... "r11",
... ["readWrite"]
... )

2)查看角色信息

> db.getRole("r11",{showPrivileges:true})
{
"role" : "r11",
"db" : "admin",
"isBuiltin" : false,
"roles" : [ ],
"inheritedRoles" : [ ],
"privileges" : [
{
"resource" : {
"db" : "hr",
"collection" : "test"
},
"actions" : [
"find"
]
}
],
"inheritedPrivileges" : [
{
"resource" : {
"db" : "hr",
"collection" : "test"
},
"actions" : [
"find"
]
}
]
}

你可能感兴趣的:(MongoDB)