bigdata

Mongodb 3.x 用户认证

Mongodb 3.x 的用户认证和 2.x 方式不一样,创建用户的语法已由 addUser 成成 createUser 了。

创建账号

首先不使用 --auth 参数启动Mongodb,

1
/opt/local/mongodb/mongodb-3.0/bin/mongod -f /opt/local/mongodb/etc/mongod.conf

此时登陆Mongodb并执行 show dbs 命令,只会看到一个 local 数据库,而文档里那个 admin 是不存在。使用 mongo 登陆,并创建用户。
Mongodb推荐创建一个只能管理用户的用户来做角色权限分配工作:userAdminAnyDatabase

1
2
3
4
5
6
7
8
9
use admin
db.createUser({
  user: "sc-admin",
  pwd: "xxxxxxxx",
  roles: [{
    role: "userAdminAnyDatabase",
    db: "admin"
  }]
})
  • roles 中的 db 参数是必选的,不然会报错:*
1
2
3
4
5
> db.createUser({user:"admin",pwd:"xxxxxxxx",roles:[{role:"userAdminAnyDatabase"}]})
2016-01-11T17:02:46.417+0800 E QUERY    Error: couldn't add user: Missing expected field "db"
    at Error (<anonymous>)
    at DB.createUser (src/mongo/shell/db.js:1101:11)
    at (shell):1:4 at src/mongo/shell/db.js:1101

启动Mongodb服务

设置完成后停止Mongodb服务,使用 kill [pid]kill -2 [pid]

连接Mongodb

使用 --auth 参数或在配置文件设置:security.authorization: enabled 启用用户权限认证功能。重启 Mongodb 服务,并打开 mongo shell:

1
2
use admin
db.auth("sc-admin", "xxxxxxxx")

db.auth 返回 1 代表认证成功。

或者使用命令行参数:mongo -u sc-admin -p xxxxxxxx --authenticationDatabase admin

此时执行 show collections 命令,Mongodb 会报错:

1
2
3
4
5
6
7
8
9
10
11
12
13
> show collections
2016-01-11T17:13:37.275+0800 E QUERY    Error: listCollections failed: {
	"ok" : 0,
	"errmsg" : "not authorized on admin to execute command { listCollections: 1.0 }",
	"code" : 13
}
    at Error (<anonymous>)
    at DB._getCollectionInfosCommand (src/mongo/shell/db.js:646:15)
    at DB.getCollectionInfos (src/mongo/shell/db.js:658:20)
    at DB.getCollectionNames (src/mongo/shell/db.js:669:17)
    at shellHelper.show (src/mongo/shell/utils.js:625:12)
    at shellHelper (src/mongo/shell/utils.js:524:36)
    at (shellhelp2):1:1 at src/mongo/shell/db.js:646

这是因为 sc-admin 账号只有用户管理权限,并未其分配数据库相关读、写权限。

为数据库创建用户

创建普通用户

接着为各数据库创建相关用户,推荐每个用户都跟着库走。

1
2
3
4
5
6
7
8
9
> use test
> db.createUser({
  user: "test",
  pwd: "testtest",
  roles: [{
    { role: "readWrite": db: "test" },
    { role: "read", db: "local" }
  }]
})

可以看到为 test 用户分配了 test 数据库的读写权限、local数据库的只读权限。

查看刚刚创建的用户:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
> show users
{
	"_id" : "test.test",
	"user" : "test",
	"db" : "test",
	"roles" : [
		{
			"role" : "readWrite",
			"db" : "test"
		},
		{
			"role" : "read",
			"db" : "local"
		}
	]
}

也可以查看整个Mongodb数据库的全部用户:

1
2
3
4
> use admin
> db.system.users.find()
{ "_id" : "admin.sc-admin", "user" : "sc-admin", "db" : "admin", "credentials" : { "SCRAM-SHA-1" : { "iterationCount" : 10000, "salt" : "Toe8Z9AhYBmI+fHFhOHA1Q==", "storedKey" : "8y0LenFMPX0b7FYFDN38odJYW4M=", "serverKey" : "qVcYyJL13Tg2UdzsIIlyl3jbc+s=" } }, "roles" : [ { "role" : "userAdminAnyDatabase", "db" : "admin" } ] }
{ "_id" : "test.test", "user" : "test", "db" : "test", "credentials" : { "SCRAM-SHA-1" : { "iterationCount" : 10000, "salt" : "cUw0r5tEihHgxWTcCEV8LA==", "storedKey" : "vPZpRaY0P4x0733tQnVllI6og5U=", "serverKey" : "eKQ2sdQTtas8HfgCMKhhdf9ndRs=" } }, "roles" : [ { "role" : "readWrite", "db" : "test" }, { "role" : "read", "db" : "local" } ] }

使用普通用户操作

现在使用 test 用户登录做此操作。

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
$ mongo 192.168.31.101/test -u test -p testtest --authenticationDatabase test
MongoDB shell version: 3.0.7
connecting to: 192.168.31.101/test
> show collections
people
> use local
switched to db local
> show collections
startup_log
> db.test_coll.insert({"test":"test"})
WriteResult({
	"writeError" : {
		"code" : 13,
		"errmsg" : "not authorized on local to execute command { insert: \"test_coll\", documents: [ { _id: ObjectId('569374f512032e2e67470c98'), test: \"test\" } ], ordered: true }"
	}
})
> use test
switched to db test
> db.test_coll.insert({"test":"test"})
WriteResult({ "nInserted" : 1 })

参考

分享到