一、创建管理员用户（在 admin 库中）

> use admin
switched to db admin
> db.createUser(
... {
... user: "myUserAdmin",
... pwd: "123456",
... roles: [ { role: "userAdminAnyDatabase", db: "admin" },
... "readWriteAnyDatabase" ] }
... )
Successfully added user: {
	"user" : "myUserAdmin",
	"roles" : [
		{
			"role" : "userAdminAnyDatabase",
			"db" : "admin"
		},
		"readWriteAnyDatabase"
	]
}
> 

二、查看已创建的用户及其角色

> db.getUsers()
[
	{
		"_id" : "admin.myUserAdmin",
		"userId" : UUID("17084bff-4674-4348-bbc5-af316094ac70"),
		"user" : "myUserAdmin",
		"db" : "admin",
		"roles" : [
			{
				"role" : "userAdminAnyDatabase",
				"db" : "admin"
			},
			{
				"role" : "readWriteAnyDatabase",
				"db" : "admin"
			}
		],
		"mechanisms" : [
			"SCRAM-SHA-1",
			"SCRAM-SHA-256"
		]
	}
]
> 

三、配置访问控制（在配置文件中开启 authorization，需重启服务后生效）

[root@db1 mongo_backup]# vim /opt/mongo_27017/conf/mongodb.conf
security:
        authorization: enabled

四、重启mongodb

[root@db1 mongo_backup]# systemctl restart mongod

五、使用admin用户登录（-p 不带参数，密码在交互提示中输入，不会出现在命令行历史或进程参数中）

[root@db1 mongo_backup]# mongo  --authenticationDatabase  "admin"  -u "myUserAdmin"  -p
MongoDB shell version v4.0.14
Enter password: 

六、使用admin创建普通用户（在 test 库中创建，test 即为该用户的认证库，后续登录时 --authenticationDatabase 需指定为 test）

> use test
switched to db test
> db.createUser(
... {
... user: "myTester",
... pwd: "123456",
... roles: [ { role: "readWrite", db: "db1" },
... { role: "read", db: "db2" } ]
... }
... )
Successfully added user: {
	"user" : "myTester",
	"roles" : [
		{
			"role" : "readWrite",
			"db" : "db1"
		},
		{
			"role" : "read",
			"db" : "db2"
		}
	]
}

七、admin创建测试数据

> use db1
switched to db db1
> db.write.insertOne({"name":"readWrite"})
{
	"acknowledged" : true,
	"insertedId" : ObjectId("5ef9c70ac3a73cf00ae1612a")
}
> use db2
switched to db db2
> db.read.insertOne({"name":"read"})
{
	"acknowledged" : true,
	"insertedId" : ObjectId("5ef9c733c3a73cf00ae1612b")
}

八、使用test用户登录验证（show dbs 只列出该用户被授权的 db1 与 db2）

[root@db1 ~]# mongo --authenticationDatabase "test" -u "myTester" -p
MongoDB shell version v4.0.14
Enter password: 
connecting to: mongodb://127.0.0.1:27017/?authSource=test&gssapiServiceName=mongodb
Implicit session: session { "id" : UUID("7847592a-ff2b-416a-83a6-e564213edc91") }
MongoDB server version: 4.0.14
> show dbs
db1  0.000GB
db2  0.000GB

九、验证普通用户的权限

> use db1
switched to db db1
> show tables
write
> db.write.find()
{ "_id" : ObjectId("5ef9c70ac3a73cf00ae1612a"), "name" : "readWrite" }
> db.write.insertOne({name:"ok"})  #写ok
{
	"acknowledged" : true,
	"insertedId" : ObjectId("5ef9c85ffc6960b7a1e68259")
}
> use db2
switched to db db2
> show tables
read
> db.read.find()
{ "_id" : ObjectId("5ef9c733c3a73cf00ae1612b"), "name" : "read" }
> db.read.insertOne({name:"ok"})  #不能写
2020-06-29T18:56:19.371+0800 E QUERY    [js] WriteCommandError: not authorized on db2 to execute command { insert: "read", ordered: true, lsid: { id: UUID("7847592a-ff2b-416a-83a6-e564213edc91") }, $readPreference: { mode: "secondaryPreferred" }, $db: "db2" } :
WriteCommandError({
	"ok" : 0,
	"errmsg" : "not authorized on db2 to execute command { insert: \"read\", ordered: true, lsid: { id: UUID(\"7847592a-ff2b-416a-83a6-e564213edc91\") }, $readPreference: { mode: \"secondaryPreferred\" }, $db: \"db2\" }",
	"code" : 13,
	"codeName" : "Unauthorized"
})
WriteCommandError@src/mongo/shell/bulk_api.js:420:48
Bulk/executeBatch@src/mongo/shell/bulk_api.js:902:1
Bulk/this.execute@src/mongo/shell/bulk_api.js:1150:21
DBCollection.prototype.insertOne@src/mongo/shell/crud_api.js:252:9
@(shell):1:1

十、使用admin用户修改普通用户权限

1)查看原有的权限

[root@db1 ~]# mongo --authenticationDatabase "admin" -u "myUserAdmin" -p
MongoDB shell version v4.0.14
Enter password: 
connecting to: mongodb://127.0.0.1:27017/?authSource=admin&gssapiServiceName=mongodb
Implicit session: session { "id" : UUID("1aea1951-da7e-4114-b8c9-ccf87d2a4278") }
MongoDB server version: 4.0.14
> use test
switched to db test
> db.getUsers()
[
	{
		"_id" : "test.myTester",
		"userId" : UUID("4b78d5da-669d-4d26-b8d4-66973e7992d7"),
		"user" : "myTester",
		"db" : "test",
		"roles" : [
			{
				"role" : "readWrite",
				"db" : "db1"
			},
			{
				"role" : "read",
				"db" : "db2"
			}
		],
		"mechanisms" : [
			"SCRAM-SHA-1",
			"SCRAM-SHA-256"
		]
	}
]

2)修改权限（updateUser 中的 roles 会整体替换原有角色列表，而非追加，对比前后的 getUsers 输出可以看出）

> db.updateUser(
... "myTester", {
... roles: [ { role: "read", db: "db1" },
... { role: "readWrite", db: "db2" },
... { role: "readWrite", db: "test" }]
... } )

3)查看权限

> db.getUsers()
[
	{
		"_id" : "test.myTester",
		"userId" : UUID("4b78d5da-669d-4d26-b8d4-66973e7992d7"),
		"user" : "myTester",
		"db" : "test",
		"roles" : [
			{
				"role" : "read",
				"db" : "db1"
			},
			{
				"role" : "readWrite",
				"db" : "db2"
			},
			{
				"role" : "readWrite",
				"db" : "test"
			}
		],
		"mechanisms" : [
			"SCRAM-SHA-1",
			"SCRAM-SHA-256"
		]
	}
]

4)写入数据

> db.user.insert({name:"test"})
WriteResult({ "nInserted" : 1 })

十一、切换普通用户进行测试

1)登录test用户（新增 test 库的 readWrite 角色后，show dbs 中也列出了 test）

[root@db1 ~]# mongo --authenticationDatabase "test" -u "myTester" -p
MongoDB shell version v4.0.14
Enter password: 
connecting to: mongodb://127.0.0.1:27017/?authSource=test&gssapiServiceName=mongodb
Implicit session: session { "id" : UUID("c4ae17d5-be89-47dd-ad68-1b85b7df7785") }
MongoDB server version: 4.0.14
> show dbs
db1   0.000GB
db2   0.000GB
test  0.000GB

2)进入db1验证可读不可写的权限

> use db1
switched to db db1
> show tables 
write
> db.write.find()  #可读
{ "_id" : ObjectId("5ef9c70ac3a73cf00ae1612a"), "name" : "readWrite" }
{ "_id" : ObjectId("5ef9c85ffc6960b7a1e68259"), "name" : "ok" }
> db.write.insertOne({name:"okk"}) #不可写
2020-06-29T19:08:27.581+0800 E QUERY    [js] WriteCommandError: not authorized on db1 to execute command { insert: "write", ordered: true, lsid: { id: UUID("c4ae17d5-be89-47dd-ad68-1b85b7df7785") }, $readPreference: { mode: "secondaryPreferred" }, $db: "db1" } :
WriteCommandError({
	"ok" : 0,
	"errmsg" : "not authorized on db1 to execute command { insert: \"write\", ordered: true, lsid: { id: UUID(\"c4ae17d5-be89-47dd-ad68-1b85b7df7785\") }, $readPreference: { mode: \"secondaryPreferred\" }, $db: \"db1\" }",
	"code" : 13,
	"codeName" : "Unauthorized"
})
WriteCommandError@src/mongo/shell/bulk_api.js:420:48
Bulk/executeBatch@src/mongo/shell/bulk_api.js:902:1
Bulk/this.execute@src/mongo/shell/bulk_api.js:1150:21
DBCollection.prototype.insertOne@src/mongo/shell/crud_api.js:252:9
@(shell):1:1

3)进入db2验证读和写的权限（下面 find 的输出已包含随后插入的 okk 文档，应是插入后再次查询的结果）

> use db2
switched to db db2
> show tables
read
> db.read.find()  #可读
{ "_id" : ObjectId("5ef9c733c3a73cf00ae1612b"), "name" : "read" }
{ "_id" : ObjectId("5ef9cc1027f7e93477ceba8a"), "name" : "okk" }
> db.read.insertOne({name:"okk"}) #可写
{
	"acknowledged" : true,
	"insertedId" : ObjectId("5ef9cc1027f7e93477ceba8a")
}
> 

4)进入test验证读写权限

> use test
switched to db test
> show tables
user
> db.user.find() #可读
{ "_id" : ObjectId("5ef9ca45ef431045c2252e8b"), "name" : "test" }
> db.user.insertOne({name:"okk"}) #可写
{
	"acknowledged" : true,
	"insertedId" : ObjectId("5ef9cca827f7e93477ceba8b")
}
> 

十二、删除用户

[root@db1 ~]# mongo --authenticationDatabase "admin" -u "myUserAdmin" -p
MongoDB shell version v4.0.14
Enter password: 
connecting to: mongodb://127.0.0.1:27017/?authSource=admin&gssapiServiceName=mongodb
Implicit session: session { "id" : UUID("074d3d68-6bdd-48b5-9989-b6d0f416dd20") }
MongoDB server version: 4.0.14
> use test
switched to db test
> db.dropUser("myTester")
true
