Part 1: Permissions. Understanding the following four points covers most of it.
1. MongoDB has no default administrator account, so you must first add an administrator account and then enable authentication.
2. Only an account added after switching to the admin database is an administrator account.
3. A user can only log in (authenticate) in the database it was created in; this includes the administrator account.
4. The administrator can manage all databases, but cannot operate on another database directly; it has to authenticate in the admin database first. This point is a bit odd.
Now suppose you need to create an account with grant rights, i.e. the permission to manage and authorize other accounts. Note that an account belongs to the database it was created in, so if you grant privileges in a given database you must also authenticate (auth) in that database.
Reference documentation for authentication and authorization (very detailed):
http://www.cnblogs.com/xiaoqian1993/p/5944039.html
http://hae.iteye.com/blog/2183478
A simple demonstration follows.
First enable auth, then log in to the admin database:
> use admin
> db.auth("myUserAdmin","abc123");
1
I. Create an account:
db.createUser(
{
user: "root",
pwd: "123456",
roles: [ { role: "userAdminAnyDatabase", db: "admin" } ]
}
)
> db.createUser(
... {
... user: "root",
... pwd: "123456",
... roles: [ { role: "userAdminAnyDatabase", db: "admin" } ]
... }
... )
Successfully added user: {
"user" : "root",
"roles" : [
{
"role" : "userAdminAnyDatabase",
"db" : "admin"
}
]
}
> use admin
> db.auth("root","123456")
1
> show collections;
system.indexes
system.users
system.version
> db.system.users.find();
{ "_id" : "admin.root", "user" : "root", "db" : "admin", "credentials" : { "SCRAM-SHA-1" : { "iterationCount" : 10000, "salt" : "e4E3GbhPQ0o4VncvLNkx9w==", "storedKey" : "BWspVPoN4cHAnfTMGPdmocxXRXI=", "serverKey" : "r2imS6HjYvOeR2A9vos3q1YiW9A=" } }, "roles" : [ { "role" : "userAdminAnyDatabase", "db" : "admin" } ] }
{ "_id" : "admin.myUserAdmin", "user" : "myUserAdmin", "db" : "admin", "credentials" : { "SCRAM-SHA-1" : { "iterationCount" : 10000, "salt" : "c/5/KlFYNv16HsROHzKRWQ==", "storedKey" : "ZQH0ieZyNlJw0K/q8SZdg5WUonc=", "serverKey" : "2f5uNXkYVuZR7cWnOYXO9n3w7dw=" } }, "roles" : [ { "role" : "userAdminAnyDatabase", "db" : "admin" } ] }
II. Create a user to manage the dbtest001 database:
> use dbtest001;
switched to db dbtest001
> show collections;
2017-08-22T13:00:29.355+0800 E QUERY Error: listCollections failed: {
"ok" : 0,
"errmsg" : "not authorized on dbtest001 to execute command { listCollections: 1.0 }",
"code" : 13
}
at Error (
at DB._getCollectionInfosCommand (src/mongo/shell/db.js:646:15)
at DB.getCollectionInfos (src/mongo/shell/db.js:658:20)
at DB.getCollectionNames (src/mongo/shell/db.js:669:17)
at shellHelper.show (src/mongo/shell/utils.js:625:12)
at shellHelper (src/mongo/shell/utils.js:524:36)
at (shellhelp2):1:1 at src/mongo/shell/db.js:646
Error: the command fails because no user has been created yet to manage the dbtest001 database.
Create a user to manage the dbtest001 database:
use admin
db.auth("root","123456")
Switch to the dbtest001 database:
use dbtest001
db.createUser(
{
user: "DBA1",
pwd: "123456",
roles: [ { role: "readWrite", db: "dbtest001" } ]
}
)
> db.auth("DBA1","123456");
1
> show collections;
chenji
system.indexes
III. Create a user DBA2 with read-only access to the dbtest001 database:
db.createUser(
{
user: "DBA2",
pwd: "123456",
roles: [ { role: "read", db: "dbtest001" } ]
}
)
Switch to the dbtest001 database and check the accounts that manage it:
> use dbtest001;
switched to db dbtest001
> db.auth("DBA2","123456");
1
> db.chenji.insert({"name":"李旭","年纪":"三年级","年龄":"30"});
WriteResult({
"writeError" : {
"code" : 13,
"errmsg" : "not authorized on dbtest001 to execute command { insert: \"chenji\", documents: [ { _id: ObjectId('599bbd47a6bc55821e3b1f8e'), name: \"李旭\", 年纪: \"三年级\", 年龄: \"30\" } ], ordered: true }"
}
})
The write is rejected because DBA2 only has read permission on the dbtest001 database.
> use dbtest001;
switched to db dbtest001
View the users that have permissions on the dbtest001 database:
> show users;
{
"_id" : "dbtest001.DBA1",
"user" : "DBA1",
"db" : "dbtest001",
"roles" : [
{
"role" : "readWrite",
"db" : "dbtest001"
}
]
}
{
"_id" : "dbtest001.DBA2",
"user" : "DBA2",
"db" : "dbtest001",
"roles" : [
{
"role" : "read",
"db" : "dbtest001"
}
]
}
IV. Delete users
> db.dropUser("DBA1");
true
> show users;
{
"_id" : "dbtest001.DBA2",
"user" : "DBA2",
"db" : "dbtest001",
"roles" : [
{
"role" : "read",
"db" : "dbtest001"
}
]
}
> db.dropUser("DBA2");
true
> show users;
V. The root superuser
Is there a super privilege that can not only grant permissions but also perform any operation on collections? The answer is yes, but using it is not recommended. It is the role named root.
# super root account
db.createUser(
... {
... user: "jianwei",
... pwd: "123456",
... roles: [
... { role: "root", db: "admin" }
... ]
... }
... )
Two ways to change a user's password in MongoDB
1. Correct method: use db.createUser
Some will ask: isn't that the method for adding a user? Yes, it is the method for adding a user, but if the username is the same and the password differs, the password gets updated.
2. Correct method: use db.changeUserPassword
> db.changeUserPassword("myUserAdmin","abc123");
> db.auth("myUserAdmin","abc123");
1
> show dbs;
admin 0.078GB
dbtest001 0.078GB
dbtest002 0.078GB
local 0.078GB
temp 0.078GB
Note: auth authentication is enabled here.