笔记-mongodb-用户及角色

笔记-mongodb-用户及角色

1.      users

其实mongodb支持多种验证方式，本文只提及最简单也最常用的方式。

1.1.  Authentication Database

When adding a user, you create the user in a specific database. This database is the authentication database for the user.

A user can have privileges across different databases; that is, a user’s privileges are not limited to their authentication database. By assigning to the user roles in other databases, a user created in one database can have permissions to act on other databases. For more information on roles, see Role-Based Access Control.

The user’s name and authentication database serve as a unique identifier for that user. That is, if two users have the same name but are created in different databases, they are two separate users. If you intend to have a single user with permissions on multiple databases, create a single user with roles in the applicable databases instead of creating the user multiple times in different databases.

1．mongodb的用户是依赖于database的；一个用户可以描述为username@database，不同数据库下的同名用户视为不同的用户；

2．用户的权限是可以跨database的，这依赖于role；

1.2.    Authenticate a User

验证用户有两种方式：

mongod命令

db.auth()方法

1.3.    create user

使用createUser()方法创建用户。

use reporting

db.createUser(

{

user: "reportsUser",

pwd: "12345678",

roles: [

{ role: "read", db: "reporting" },

{ role: "read", db: "products" },

{ role: "read", db: "sales" },

{ role: "readWrite", db: "accounts" }

]

}

)

role代表角色，在下面的章节中会列出常用role；

db代表数据库。

1.4.    启用验证enable auth

有两种方式：

1. 命令：mongod 命令带上—auth参数
2. 配置文件：在配置文件中添加auth=true #具体可能会因为版本不同有所差别

2.      ROLE

mongodb内置了一些角色，也可以由用户创建，跟其它数据库差不多；

2.1.    Database User Roles

Every database includes the following roles:

最常用的两种角色。

Role	Short Description
read	Provides the ability to read data on all non-system collections and on the following system collections: system.indexes, system.js, and system.namespacescollections. For the specific privileges granted by the role, see read.
readWrite	Provides all the privileges of the read role and the ability to modify data on all non-system collections and the system.js collection. For the specific privileges granted by the role, see readWrite.

2.2.    Database Administration Roles

Every database includes the following database administration roles:

Role	Short Description
dbAdmin	Provides the ability to perform administrative tasks such as schema-related tasks, indexing, gathering statistics. This role does not grant privileges for user and role management. For the specific privileges granted by the role, see dbAdmin.
dbOwner	Provides the ability to perform any administrative action on the database. This role combines the privileges granted by the readWrite, dbAdmin and userAdmin roles.
userAdmin	Provides the ability to create and modify roles and users on the current database. Since the userAdmin role allows users to grant any privilege to any user, including themselves, the role also indirectly provides superuser access to either the database or, if scoped to the admin database, the cluster. For the specific privileges granted by the role, see userAdmin.

2.3.    All-Database Roles

Changed in version 3.4.

These roles in the admin database apply to all but the local and config databases in a mongod instance:

Role	Short Description
readAnyDatabase	略
readWriteAnyDatabase	略
userAdminAnyDatabase	略
dbAdminAnyDatabase	略

还有一个super role角色叫root，基本就是上面四个角色的合体版。

2.4.    collection-level access control

在角色中可以设置privileges属性，它提供了针对集合层级的权限控制。

privileges: [

{ resource: { db: "products", collection: "inventory" }, actions: [ "find", "update", "insert" ] },

{ resource: { db: "products", collection: "orders" },  actions: [ "find" ] }

]

创建角色：

use admin

db.createRole(

{

role: "manageOpRole",

privileges: [

{ resource: { cluster: true }, actions: [ "killop", "inprog" ] },

{ resource: { db: "", collection: "" }, actions: [ "killCursors" ] }

],

roles: []

}

)