目录
1 软件环境
2 权限、角色管理
2.1 创建角色
2.1.1 语法
2.1.2 示例
2.2 查询角色
2.2.1 语法
2.2.2 示例
2.3 查询所有角色
2.3.1 语法
2.3.2 示例
2.4 删除角色
2.4.1 语法
2.4.2 示例
2.5 删除所有角色
2.5.1 语法
2.5.2 示例
2.6 修改角色
2.6.1 语法
2.6.2 示例
2.7 授予角色权限
2.7.1 语法
2.7.2 示例
2.8 收回角色权限
2.8.1 语法
2.8.2 示例
2.9 授予角色角色
2.9.1 语法
2.9.2 示例
2.10 收回角色角色
2.10.1 语法
2.10.2 示例
MongoDB提供了各种特性,例如身份验证、访问控制、加密以保护MongoDB服务器。本篇主要对MongoDB下的权限及角色相关的指令进行总结。
使用的软件分别为:
在运行该命令所在的数据库上创建角色,可以通过为角色显式指定权限,或者继承其它角色的权限实现。
db.createRole(role, writeConcern)
其中,role是文档格式,有下面的形式:
{
role: "",
privileges: [
{ resource: { }, actions: [ "", ... ] },
...
],
roles: [
{ role: "", db: "" } | "",
...
],
authenticationRestrictions: [
{
clientSource: ["" | "", ...],
serverAddress: ["" | "", ...]
},
...
]
}
resource:说明是什么,可以是database、collection、collections或者cluster;
action:说明要干什么,即在resource上的操作。
> use admin
> db.createRole(
... {
... role:"rd",
... privileges:[
... {resource:{db:"hr",collection:""},actions:["find","insert"]}
... ],
... roles:[{role:"read",db:"admin"}]
... }
... )
{
"role" : "rd",
"privileges" : [
{
"resource" : {
"db" : "hr",
"collection" : ""
},
"actions" : [
"find",
"insert"
]
}
],
"roles" : [
{
"role" : "read",
"db" : "admin"
}
]
}
查看角色信息,可用于查询用户自定义角色以及内建角色。
db.getRole(rolename, args)
其中,rolename是角色名称,字符串类型;args是文档类型,具体选项如下:
示例1:
> db.getRole("rd")
{
"role" : "rd",
"db" : "admin",
"isBuiltin" : false,
"roles" : [
{
"role" : "read",
"db" : "admin"
}
],
"inheritedRoles" : [
{
"role" : "read",
"db" : "admin"
}
]
}
示例2:
> db.getRole("rd",{showBuiltinRoles:true,showPrivileges:true})
{
"role" : "rd",
"db" : "admin",
"isBuiltin" : false,
"roles" : [
{
"role" : "read",
"db" : "admin"
}
],
"inheritedRoles" : [
{
"role" : "read",
"db" : "admin"
}
],
"privileges" : [
{
"resource" : {
"db" : "hr",
"collection" : ""
},
"actions" : [
"find",
"insert"
]
}
],
"inheritedPrivileges" : [
{
"resource" : {
"db" : "hr",
"collection" : ""
},
"actions" : [
"find",
"insert"
]
},
{
"resource" : {
"db" : "admin",
"collection" : ""
},
"actions" : [
"changeStream",
"collStats",
"dbHash",
"dbStats",
"find",
"killCursors",
"listCollections",
"listIndexes",
"planCacheRead"
]
},
{
"resource" : {
"db" : "admin",
"collection" : "system.js"
},
"actions" : [
"changeStream",
"collStats",
"dbHash",
"dbStats",
"find",
"killCursors",
"listCollections",
"listIndexes",
"planCacheRead"
]
}
]
}
查询在某个数据库中所有用户自定义的角色信息。
db.getRoles()
该命令不带参数时返回数据库用户自定义的角色信息,带参数时可以显示更多的信息,具体参数如下:
示例1:
> use admin
switched to db admin
> db.getRoles()
[
{
"role" : "rd",
"db" : "admin",
"isBuiltin" : false,
"roles" : [
{
"role" : "read",
"db" : "admin"
}
],
"inheritedRoles" : [
{
"role" : "read",
"db" : "admin"
}
]
}
]
示例2:
> db.getRoles({rolesInfo:1,showBuiltinRoles:true})
[
{
"role" : "__queryableBackup",
"db" : "admin",
"isBuiltin" : true,
"roles" : [ ],
"inheritedRoles" : [ ]
},
{
"role" : "__system",
"db" : "admin",
"isBuiltin" : true,
"roles" : [ ],
"inheritedRoles" : [ ]
},
{
"role" : "backup",
"db" : "admin",
"isBuiltin" : true,
"roles" : [ ],
"inheritedRoles" : [ ]
},
{
"role" : "clusterAdmin",
"db" : "admin",
"isBuiltin" : true,
"roles" : [ ],
"inheritedRoles" : [ ]
},
{
"role" : "clusterManager",
"db" : "admin",
"isBuiltin" : true,
"roles" : [ ],
"inheritedRoles" : [ ]
},
{
"role" : "clusterMonitor",
"db" : "admin",
"isBuiltin" : true,
"roles" : [ ],
"inheritedRoles" : [ ]
},
{
"role" : "dbAdmin",
"db" : "admin",
"isBuiltin" : true,
"roles" : [ ],
"inheritedRoles" : [ ]
},
{
"role" : "dbAdminAnyDatabase",
"db" : "admin",
"isBuiltin" : true,
"roles" : [ ],
"inheritedRoles" : [ ]
},
{
"role" : "dbOwner",
"db" : "admin",
"isBuiltin" : true,
"roles" : [ ],
"inheritedRoles" : [ ]
},
{
"role" : "enableSharding",
"db" : "admin",
"isBuiltin" : true,
"roles" : [ ],
"inheritedRoles" : [ ]
},
{
"role" : "hostManager",
"db" : "admin",
"isBuiltin" : true,
"roles" : [ ],
"inheritedRoles" : [ ]
},
{
"role" : "rd",
"db" : "admin",
"isBuiltin" : false,
"roles" : [
{
"role" : "read",
"db" : "admin"
}
],
"inheritedRoles" : [
{
"role" : "read",
"db" : "admin"
}
]
},
{
"role" : "read",
"db" : "admin",
"isBuiltin" : true,
"roles" : [ ],
"inheritedRoles" : [ ]
},
{
"role" : "readAnyDatabase",
"db" : "admin",
"isBuiltin" : true,
"roles" : [ ],
"inheritedRoles" : [ ]
},
{
"role" : "readWrite",
"db" : "admin",
"isBuiltin" : true,
"roles" : [ ],
"inheritedRoles" : [ ]
},
{
"role" : "readWriteAnyDatabase",
"db" : "admin",
"isBuiltin" : true,
"roles" : [ ],
"inheritedRoles" : [ ]
},
{
"role" : "restore",
"db" : "admin",
"isBuiltin" : true,
"roles" : [ ],
"inheritedRoles" : [ ]
},
{
"role" : "root",
"db" : "admin",
"isBuiltin" : true,
"roles" : [ ],
"inheritedRoles" : [ ]
},
{
"role" : "userAdmin",
"db" : "admin",
"isBuiltin" : true,
"roles" : [ ],
"inheritedRoles" : [ ]
},
{
"role" : "userAdminAnyDatabase",
"db" : "admin",
"isBuiltin" : true,
"roles" : [ ],
"inheritedRoles" : [ ]
}
]
删除用户自定义的角色信息。
db.dropRole(rolename, writeConcern)
其中,rolename是字符类型,为角色的名称。
> use admin
switched to db admin
> db.dropRole("rd")
true
> db.getRoles()
[ ]
删除数据库中所有用户自定义的角色信息。
db.dropAllRoles(writeConcern)
> use admin
> db.createRole({role:"r1",privileges:[{resource:{db:"hr",collection:""},actions:["find"]}],roles:[]})
{
"role" : "r1",
"privileges" : [
{
"resource" : {
"db" : "hr",
"collection" : ""
},
"actions" : [
"find"
]
}
],
"roles" : [ ]
}
> db.createRole({role:"r2",privileges:[{resource:{db:"test",collection:""},actions:["find","insert"]}],roles:["readWrite"]})
{
"role" : "r2",
"privileges" : [
{
"resource" : {
"db" : "test",
"collection" : ""
},
"actions" : [
"find",
"insert"
]
}
],
"roles" : [
"readWrite"
]
}
> db.dropAllRoles()
NumberLong(2)
在运行角色的数据库中修改用户定义的角色信息。修改字段的操作是完全替换旧值,如果是授权或收回权限,可以使用授权或收回权限的方法。
db.updateRole(
"",
{
privileges:
[
{ resource: { }, actions: [ "", ... ] },
...
],
roles:
[
{ role: "", db: "" } | "",
...
],
authenticationRestrictions:
[
{
clientSource: ["" | "", ...],
serverAddress: ["", | "", ...]
},
...
]
},
{ }
)
1)查看角色信息
> use admin
switched to db admin
> db.getRole("r11",{showPrivileges:true})
{
"role" : "r11",
"db" : "admin",
"isBuiltin" : false,
"roles" : [
{
"role" : "read",
"db" : "hr"
}
],
"inheritedRoles" : [
{
"role" : "read",
"db" : "hr"
}
],
"privileges" : [
{
"resource" : {
"db" : "scott",
"collection" : ""
},
"actions" : [
"find"
]
}
],
"inheritedPrivileges" : [
{
"resource" : {
"db" : "scott",
"collection" : ""
},
"actions" : [
"find"
]
},
{
"resource" : {
"db" : "hr",
"collection" : ""
},
"actions" : [
"changeStream",
"collStats",
"dbHash",
"dbStats",
"find",
"killCursors",
"listCollections",
"listIndexes",
"planCacheRead"
]
},
{
"resource" : {
"db" : "hr",
"collection" : "system.js"
},
"actions" : [
"changeStream",
"collStats",
"dbHash",
"dbStats",
"find",
"killCursors",
"listCollections",
"listIndexes",
"planCacheRead"
]
}
]
}
2)修改角色
> db.updateRole(
... "r11",
... {roles:[]}
... )
3)查看修改后的角色
> db.getRole("r11",{showPrivileges:true})
{
"role" : "r11",
"db" : "admin",
"isBuiltin" : false,
"roles" : [ ],
"inheritedRoles" : [ ],
"privileges" : [
{
"resource" : {
"db" : "scott",
"collection" : ""
},
"actions" : [
"find"
]
}
],
"inheritedPrivileges" : [
{
"resource" : {
"db" : "scott",
"collection" : ""
},
"actions" : [
"find"
]
}
]
}
给用户定义的角色授予权限。
db.grantPrivilegesToRole(
"< rolename >",
[
{ resource: { }, actions: [ "", ... ] },
...
],
{ < writeConcern > }
)
1)查看角色信息
> use admin
switched to db admin
> db.getRoles({showPrivileges:true})
[
{
"role" : "r11",
"db" : "admin",
"isBuiltin" : false,
"roles" : [ ],
"inheritedRoles" : [ ],
"privileges" : [
{
"resource" : {
"db" : "scott",
"collection" : ""
},
"actions" : [
"find"
]
}
],
"inheritedPrivileges" : [
{
"resource" : {
"db" : "scott",
"collection" : ""
},
"actions" : [
"find"
]
}
]
}
]
2)授予角色权限
> db.grantPrivilegesToRole(
... "r11",
... [
... {resource:{db:"hr",collection:"test"},actions:["find"]}
... ]
... )
3)查看授权后的角色信息
> db.getRole("r11",{showPrivileges:true})
{
"role" : "r11",
"db" : "admin",
"isBuiltin" : false,
"roles" : [ ],
"inheritedRoles" : [ ],
"privileges" : [
{
"resource" : {
"db" : "scott",
"collection" : ""
},
"actions" : [
"find"
]
},
{
"resource" : {
"db" : "hr",
"collection" : "test"
},
"actions" : [
"find"
]
}
],
"inheritedPrivileges" : [
{
"resource" : {
"db" : "scott",
"collection" : ""
},
"actions" : [
"find"
]
},
{
"resource" : {
"db" : "hr",
"collection" : "test"
},
"actions" : [
"find"
]
}
]
}
从用户定义的角色中收回特定的权限信息,收回的权限,必须和已有的权限文档精确匹配方可进行权限的回收。
db.revokePrivilegesFromRole(
"",
[
{ resource: { }, actions: [ "", ... ] },
...
],
{ }
)
1)收回权限
> use admin
switched to db admin
> db.revokePrivilegesFromRole( "r11", [{resource:{db:"scott",collection:""},actions:["find"]}] )
2)查看权限
> db.getRole("r11",{showPrivileges:true})
{
"role" : "r11",
"db" : "admin",
"isBuiltin" : false,
"roles" : [ ],
"inheritedRoles" : [ ],
"privileges" : [
{
"resource" : {
"db" : "hr",
"collection" : "test"
},
"actions" : [
"find"
]
}
],
"inheritedPrivileges" : [
{
"resource" : {
"db" : "hr",
"collection" : "test"
},
"actions" : [
"find"
]
}
]
}
将角色(包括内建角色和用户定义的角色)授予用户定义的角色。
db.grantRolesToRole( "", [ ], { } )
1)查看角色信息
> db.getRole("r11",{showPrivileges:true})
{
"role" : "r11",
"db" : "admin",
"isBuiltin" : false,
"roles" : [ ], <---------------角色为空
"inheritedRoles" : [ ],
"privileges" : [
{
"resource" : {
"db" : "hr",
"collection" : "test"
},
"actions" : [
"find"
]
}
],
"inheritedPrivileges" : [
{
"resource" : {
"db" : "hr",
"collection" : "test"
},
"actions" : [
"find"
]
}
]
}
2)授予角色
> db.grantRolesToRole(
... "r11",
... ["readWrite"]
... )
3)查看授权后的角色信息
> db.getRole("r11",{showPrivileges:true})
{
"role" : "r11",
"db" : "admin",
"isBuiltin" : false,
"roles" : [ <---------------授权后,角色数组包含具体的角色
{
"role" : "readWrite",
"db" : "admin"
}
],
"inheritedRoles" : [
{
"role" : "readWrite",
"db" : "admin"
}
],
"privileges" : [
{
"resource" : {
"db" : "hr",
"collection" : "test"
},
"actions" : [
"find"
]
}
],
"inheritedPrivileges" : [
{
"resource" : {
"db" : "hr",
"collection" : "test"
},
"actions" : [
"find"
]
},
{
"resource" : {
"db" : "admin",
"collection" : ""
},
"actions" : [
"changeStream",
"collStats",
"convertToCapped",
"createCollection",
"createIndex",
"dbHash",
"dbStats",
"dropCollection",
"dropIndex",
"emptycapped",
"find",
"insert",
"killCursors",
"listCollections",
"listIndexes",
"planCacheRead",
"remove",
"renameCollectionSameDB",
"update"
]
},
{
"resource" : {
"db" : "admin",
"collection" : "system.js"
},
"actions" : [
"changeStream",
"collStats",
"convertToCapped",
"createCollection",
"createIndex",
"dbHash",
"dbStats",
"dropCollection",
"dropIndex",
"emptycapped",
"find",
"insert",
"killCursors",
"listCollections",
"listIndexes",
"planCacheRead",
"remove",
"renameCollectionSameDB",
"update"
]
}
]
}
从角色中收回对应的角色。
db.revokeRolesFromRole( "", [ ], { } )
1)收回角色信息
> use admin
switched to db admin
> db.revokeRolesFromRole(
... "r11",
... ["readWrite"]
... )
2)查看角色信息
> db.getRole("r11",{showPrivileges:true})
{
"role" : "r11",
"db" : "admin",
"isBuiltin" : false,
"roles" : [ ],
"inheritedRoles" : [ ],
"privileges" : [
{
"resource" : {
"db" : "hr",
"collection" : "test"
},
"actions" : [
"find"
]
}
],
"inheritedPrivileges" : [
{
"resource" : {
"db" : "hr",
"collection" : "test"
},
"actions" : [
"find"
]
}
]
}