Notes: security
1. Enable access control
Enabling access control on a MongoDB deployment enforces authentication, requiring users to identify themselves. When accessing a MongoDB deployment that has access control enabled, users can only perform actions as determined by their roles.
Enabling access control on MongoDB requires users to authenticate. When accessing a MongoDB deployment with access control enabled, a user can only perform the actions permitted by its roles.
User Administrator
With access control enabled, ensure you have a user with the userAdmin or userAdminAnyDatabase role in the admin database. This user can administer users and roles: create users, grant or revoke roles from users, and create or modify custom roles.
In short, you need an account with super-administrator privileges.
1.1. Procedure
Start a mongod instance without access control
mongod --port 27017 --dbpath /var/lib/mongodb
Connect
mongo --port 27017
Create the administrator user
use admin
db.createUser(
{
user: "***",
pwd: "***",
roles: [ { role: "userAdminAnyDatabase", db: "admin" }, "readWriteAnyDatabase" ]
}
)
Restart the instance
- db.adminCommand( { shutdown: 1 } )
- Exit the mongo shell.
- From the terminal, re-start the mongod instance with the --auth command line option or, if using a configuration file, the security.authorization setting.
- mongod --auth --port 27017 --dbpath /var/lib/mongodb
Because the test environment was Windows 8:
mongod --auth --port 27017 --logpath="d:\Program File*********db.log" --dbpath="d:\。。。。。"
Log in
mongo --port 27017 -u **** --authenticationDatabase admin -p
Note: on Windows, do not quote the username; the example on the official site quotes it.
You can also connect first and then authenticate with the db.auth() method:
use test
db.auth("mytester", "xyz123" )
Create a new user:
use db_spider
db.createUser(
{
user: "mytester",
pwd: "xyz123",
roles: [ { role: "readWrite", db: "test" },
{ role: "read", db: "reporting" } ]
}
)
Log in as the new user and verify
mongo
use test
db.auth("mytester", "xyz123" )
db.foo.insert( { x: 1, y: 1 } )
The insert succeeds.
use db_spider
db.foo.insert( { x: 1, y: 1 } )
The insert fails with the error: not authorized on db_spider to execute command (……)
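The denied insert is the role-based access control doing its job: mytester holds readWrite only on test and read only on reporting, so no privilege covers an insert on db_spider. The following JavaScript is an added example for these notes (not MongoDB's own code and not part of the original shell session); it runs under Node rather than the mongo shell and models how MongoDB resolves a user's roles into privileges over { db, collection } resources, including user-defined roles that carry their own privileges and inherit from other roles. The built-in action lists are an abbreviated subset of the real ones, and the spiderIngest role and ingest user are made up for the illustration; the two users from the notes are reproduced as created (mytester in db_spider, the administrator in admin).

```javascript
"use strict";

// Abbreviated action sets for the built-in roles used in the notes (the real
// roles grant more actions; this subset is enough to reason about the checks).
const READ_ACTIONS = ["find", "listCollections", "listIndexes"];
const WRITE_ACTIONS = ["insert", "update", "remove", "createCollection", "createIndex", "dropCollection"];
const USER_ADMIN_ACTIONS = ["createUser", "dropUser", "viewUser", "grantRole", "revokeRole",
  "createRole", "dropRole", "viewRole"];

const BUILT_IN_ROLES = {
  read:                 { actions: READ_ACTIONS, anyDatabase: false },
  readWrite:            { actions: READ_ACTIONS.concat(WRITE_ACTIONS), anyDatabase: false },
  readAnyDatabase:      { actions: READ_ACTIONS, anyDatabase: true },
  readWriteAnyDatabase: { actions: READ_ACTIONS.concat(WRITE_ACTIONS), anyDatabase: true },
  userAdmin:            { actions: USER_ADMIN_ACTIONS, anyDatabase: false },
  userAdminAnyDatabase: { actions: USER_ADMIN_ACTIONS, anyDatabase: true },
};

// User-defined roles belong to the database they were created in, keyed "db.role".
// Each carries its own privileges (cf. grantPrivilegesToRole) and inherited roles
// (cf. grantRolesToRole).
const customRoles = new Map();

function defineRole(db, role, privileges, inheritedRoles) {
  customRoles.set(`${db}.${role}`, { privileges, roles: inheritedRoles });
}

// A role given as a bare string in createUser() refers to the user's own database.
function normalizeRole(r, userDb) {
  return typeof r === "string" ? { role: r, db: userDb } : r;
}

// Expand a role reference into flat privileges, following inheritance; `seen`
// guards against cycles between user-defined roles.
function expandRole(ref, seen = new Set()) {
  const key = `${ref.db}.${ref.role}`;
  if (seen.has(key)) return [];
  seen.add(key);
  const builtIn = BUILT_IN_ROLES[ref.role];
  if (builtIn) {
    // *AnyDatabase roles only exist in admin and then cover every database
    // (db "" below); other built-in roles cover only the database they were granted on.
    if (builtIn.anyDatabase && ref.db !== "admin") return [];
    const db = builtIn.anyDatabase ? "" : ref.db;
    return [{ resource: { db, collection: "" }, actions: builtIn.actions }];
  }
  const custom = customRoles.get(key);
  if (!custom) return []; // unknown role grants nothing
  let privs = custom.privileges.slice();
  for (const inherited of custom.roles) privs = privs.concat(expandRole(inherited, seen));
  return privs;
}

// Resource matching: an empty db or collection in a privilege means "any".
function resourceMatches(res, db, collection) {
  return (res.db === "" || res.db === db) && (res.collection === "" || res.collection === collection);
}

// The authorization decision: may `user` perform `action` on db.collection?
function isAuthorized(user, db, collection, action) {
  const privs = user.roles.flatMap((r) => expandRole(normalizeRole(r, user.db)));
  return privs.some((p) => resourceMatches(p.resource, db, collection) && p.actions.includes(action));
}

// The two users created in the notes (passwords play no part in authorization and are omitted).
const adminUser = { user: "admin", db: "admin",
  roles: [{ role: "userAdminAnyDatabase", db: "admin" }, "readWriteAnyDatabase"] };
const mytester = { user: "mytester", db: "db_spider",
  roles: [{ role: "readWrite", db: "test" }, { role: "read", db: "reporting" }] };

// Constructed for this example: a least-privilege ingest role that may only insert
// into db_spider.foo, plus inherited read access across db_spider.
defineRole("db_spider", "spiderIngest",
  [{ resource: { db: "db_spider", collection: "foo" }, actions: ["insert"] }],
  [{ role: "read", db: "db_spider" }]);
const ingestUser = { user: "ingest", db: "db_spider", roles: ["spiderIngest"] };

console.log("mytester insert test.foo      :", isAuthorized(mytester, "test", "foo", "insert"));
console.log("mytester insert db_spider.foo :", isAuthorized(mytester, "db_spider", "foo", "insert"));
console.log("ingest   insert db_spider.foo :", isAuthorized(ingestUser, "db_spider", "foo", "insert"));
console.log("ingest   remove db_spider.foo :", isAuthorized(ingestUser, "db_spider", "foo", "remove"));
```

Run it with node; the first two lines reproduce the success on test and the refusal on db_spider from the session above. The spiderIngest role shows the pattern to prefer over handing an application account readWrite on a whole database: grant the one action it needs on the one collection it writes, and inherit read only where it is genuinely required.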
2. Security Reference
The following lists the security-related methods available in the mongo shell as well as additional security reference material.
Security Methods in the mongo Shell
User Management and Authentication Methods
Name | Description
db.auth() | Authenticates a user to a database.
db.changeUserPassword() | Changes an existing user's password.
db.createUser() | Creates a new user.
db.dropUser() | Removes a single user.
db.dropAllUsers() | Deletes all users associated with a database.
db.getUser() | Returns information about the specified user.
db.getUsers() | Returns information about all users associated with a database.
db.grantRolesToUser() | Grants a role and its privileges to a user.
db.removeUser() | Deprecated. Removes a user from a database.
db.revokeRolesFromUser() | Removes a role from a user.
db.updateUser() | Updates user data.
Role Management Methods
Name | Description
db.createRole() | Creates a role and specifies its privileges.
db.dropRole() | Deletes a user-defined role.
db.dropAllRoles() | Deletes all user-defined roles associated with a database.
db.getRole() | Returns information for the specified role.
db.getRoles() | Returns information for all the user-defined roles in a database.
db.grantPrivilegesToRole() | Assigns privileges to a user-defined role.
db.revokePrivilegesFromRole() | Removes the specified privileges from a user-defined role.
db.grantRolesToRole() | Specifies roles from which a user-defined role inherits privileges.
db.revokeRolesFromRole() | Removes inherited roles from a role.
db.updateRole() | Updates a user-defined role.
Security Reference Documentation
system.roles collection | Describes the content of the collection that stores user-defined roles.
system.users collection | Describes the content of the collection that stores users' credentials and role assignments.
Resource document | Describes the resource document for roles.
Privilege actions | List of the actions available for privileges.