mongoDB-权限控制
启动服务
D:\MongoDB\Server\3.6\bin>mongod.exe --dbpath D:\MongoDB\Server\3.6\data 扩展
无认证启动:mongod --port 27017 --dbpath /data/db
认证启动:mongod --auth --port 27017 --dbpath /data/db
连接:mongo --port 27017
查看MongoDB所有Role定义 $ ./mongo.exe
MongoDB shell version v3.6.5
connecting to: mongodb://127.0.0.1:27017
MongoDB server version: 3.6.5
use admin
switched to db admin
db.getRoles(
{
rolesInfo: 1,
showPrivileges:false,
showBuiltinRoles: true
}
)
[
{
"role" : "__queryableBackup",
"db" : "admin",
"isBuiltin" : true,
"roles" : [ ],
"inheritedRoles" : [ ]
},
{
"role" : "__system",
"db" : "admin",
"isBuiltin" : true,
"roles" : [ ],
"inheritedRoles" : [ ]
},
{
"role" : "backup",
"db" : "admin",
"isBuiltin" : true,
"roles" : [ ],
"inheritedRoles" : [ ]
},
{
"role" : "clusterAdmin",
"db" : "admin",
"isBuiltin" : true,
"roles" : [ ],
"inheritedRoles" : [ ]
},
{
"role" : "clusterManager",
"db" : "admin",
"isBuiltin" : true,
"roles" : [ ],
"inheritedRoles" : [ ]
},
{
"role" : "clusterMonitor",
"db" : "admin",
"isBuiltin" : true,
"roles" : [ ],
"inheritedRoles" : [ ]
},
{
"role" : "dbAdmin",
"db" : "admin",
"isBuiltin" : true,
"roles" : [ ],
"inheritedRoles" : [ ]
},
{
"role" : "dbAdminAnyDatabase",
"db" : "admin",
"isBuiltin" : true,
"roles" : [ ],
"inheritedRoles" : [ ]
},
{
"role" : "dbOwner",
"db" : "admin",
"isBuiltin" : true,
"roles" : [ ],
"inheritedRoles" : [ ]
},
{
"role" : "enableSharding",
"db" : "admin",
"isBuiltin" : true,
"roles" : [ ],
"inheritedRoles" : [ ]
},
{
"role" : "hostManager",
"db" : "admin",
"isBuiltin" : true,
"roles" : [ ],
"inheritedRoles" : [ ]
},
{
"role" : "read",
"db" : "admin",
"isBuiltin" : true,
"roles" : [ ],
"inheritedRoles" : [ ]
},
{
"role" : "readAnyDatabase",
"db" : "admin",
"isBuiltin" : true,
"roles" : [ ],
"inheritedRoles" : [ ]
},
{
"role" : "readWrite",
"db" : "admin",
"isBuiltin" : true,
"roles" : [ ],
"inheritedRoles" : [ ]
},
{
"role" : "readWriteAnyDatabase",
"db" : "admin",
"isBuiltin" : true,
"roles" : [ ],
"inheritedRoles" : [ ]
},
{
"role" : "restore",
"db" : "admin",
"isBuiltin" : true,
"roles" : [ ],
"inheritedRoles" : [ ]
},
{
"role" : "root",
"db" : "admin",
"isBuiltin" : true,
"roles" : [ ],
"inheritedRoles" : [ ]
},
{
"role" : "userAdmin",
"db" : "admin",
"isBuiltin" : true,
"roles" : [ ],
"inheritedRoles" : [ ]
},
{
"role" : "userAdminAnyDatabase",
"db" : "admin",
"isBuiltin" : true,
"roles" : [ ],
"inheritedRoles" : [ ]
}
]
创建一个用户(在数据库里新建用户,不指定db默认指向当前db)
创建 db.createUser(用户名,密码,拥有的角色。角色可以写多个)
use test
switched to db test
db.createUser(
{
user: "banana",
pwd: "123456",
roles: [ "readWrite" ]
}
)
Successfully added user: { "user" : "banana", "roles" : [ "readWrite" ] }
db.getUsers()
[
{
"_id" : "test.banana",
"user" : "banana",
"db" : "test",
"roles" : [
{
"role" : "readWrite",
"db" : "test"
}
]
}
]
创建一个用户(在admin数据库里新建用户)
(可以写多个role-db组合)
use admin
switched to db admin
db.createUser(
{
user: "apple",
pwd: "qwer",
roles: [ {role:"read",db:"test"} ]
}
)
Successfully added user: {
"user" : "apple",
"roles" : [
{
"role" : "read",
"db" : "test"
}
]
}
db.getUsers()
[
{
"_id" : "admin.apple",
"user" : "apple",
"db" : "admin",
"roles" : [
{
"role" : "read",
"db" : "test"
}
]
}
]
修改密码
db.changeUserPassword("apple", "niudun")
删除用户(只会删除当前数据库里面的存在的用户)
db.dropUser("apple")
true
下面测试权限,再创建2个用户
test
use test
switched to db test
db.createUser(
{
user: "peach",
pwd: "taozi",
roles: [
{role : "readWrite", db : "test"},
{role : "readWrite", db : "test2"}
]
}
)
Successfully added user: {
"user" : "peach",
"roles" : [
{
"role" : "readWrite",
"db" : "test"
},
{
"role" : "readWrite",
"db" : "test2"
}
]
}
db.getUsers()
[
{
"_id" : "test.banana",
"user" : "banana",
"db" : "test",
"roles" : [
{
"role" : "readWrite",
"db" : "test"
}
]
},
{
"_id" : "test.peach",
"user" : "peach",
"db" : "test",
"roles" : [
{
"role" : "readWrite",
"db" : "test"
},
{
"role" : "readWrite",
"db" : "test2"
}
]
}
]
admin
use admin
switched to db admin
db.createUser(
{
user: "pineapple",
pwd: "boluo",
roles: [ "readWrite", "userAdmin" ]
}
)
Successfully added user: { "user" : "pineapple", "roles" : [ "readWrite", "userAdmin" ] }
db.getUsers()
[
{
"_id" : "admin.apple",
"user" : "apple",
"db" : "admin",
"roles" : [
{
"role" : "read",
"db" : "test"
}
]
},
{
"_id" : "admin.pineapple",
"user" : "pineapple",
"db" : "admin",
"roles" : [
{
"role" : "readWrite",
"db" : "admin"
},
{
"role" : "userAdmin",
"db" : "admin"
}
]
}
]
先把服务开启认证重启
D:\MongoDB\Server\3.6\bin>mongod.exe --auth --dbpath D:\MongoDB\Server\3.6\data
第一种连接方法(先进去再认证)
[d:\MongoDB\Server\3.6\bin]$ mongo.exe
MongoDB shell version v3.6.5
connecting to: mongodb://127.0.0.1:27017
MongoDB server version: 3.6.5
db.stats()
{
"ok" : 0,
"errmsg" : "not authorized on test to execute command { dbstats: 1.0, scale: undefined, $db: \"test\" }",
"code" : 13,
"codeName" : "Unauthorized"
}
你访问之前需要认证
db.auth("banana","123456")
1
查看数据库状态
db.stats()
{
"db" : "test",
"collections" : 2,
"views" : 0,
"objects" : 4,
"avgObjSize" : 73,
"dataSize" : 292,
"storageSize" : 32768,
"numExtents" : 0,
"indexes" : 2,
"indexSize" : 32768,
"fsUsedSize" : 41188569088,
"fsTotalSize" : 332861009920,
"ok" : 1
}
查看集合(也可以用show collections)
show tables
aaa
my_collection
查看集合里面的数据(已有的)
db.aaa.find()
{ "_id" : NumberLong(1), "name" : "BBB", "_class" : "com.example.demo.entity.Book" }
{ "_id" : NumberLong(2), "name" : "CCC", "_class" : "com.example.demo.entity.Book" }
切换admin数据库
use admin
switched to db admin
show tables
2018-08-10T12:59:43.551+0800 E QUERY [thread1] Error: listCollections failed: {
"ok" : 0,
"errmsg" : "not authorized on admin to execute command { listCollections: 1.0, filter: {}, $db: \"admin\" }",
"code" : 13,
"codeName" : "Unauthorized"
} :
_getErrorWithCode@src/mongo/shell/utils.js:25:13
DB.prototype._getCollectionInfosCommand@src/mongo/shell/db.js:941:1
DB.prototype.getCollectionInfos@src/mongo/shell/db.js:953:19
DB.prototype.getCollectionNames@src/mongo/shell/db.js:964:16
shellHelper.show@src/mongo/shell/utils.js:842:9
shellHelper@src/mongo/shell/utils.js:739:15
@(shellhelp2):1:1
(可以得出结论:用户存在哪一个数据库,就只能在那一个数据库上认证)
先用Apple认证(因为没有赋予高级角色,所以不能访问高级内容)
db.auth("apple","niudun")
1
show dbs
2018-08-10T13:07:10.786+0800 E QUERY [thread1] Error: listDatabases failed:{
"ok" : 0,
"errmsg" : "not authorized on admin to execute command { listDatabases: 1.0, $db: \"admin\" }",
"code" : 13,
"codeName" : "Unauthorized"
} :
_getErrorWithCode@src/mongo/shell/utils.js:25:13
Mongo.prototype.getDBs@src/mongo/shell/mongo.js:65:1
shellHelper.show@src/mongo/shell/utils.js:849:19
shellHelper@src/mongo/shell/utils.js:739:15
@(shellhelp2):1:1
我们知道这个apple是拥有test的读取权限的,但是它却存储在admin里,我们用它访问test试试
use admin
switched to db admin
db.auth("apple","niudun")
1
use test
switched to db test
show tables
aaa
my_collection
db.aaa.find()
{ "_id" : NumberLong(1), "name" : "BBB", "_class" : "com.example.demo.entity.Book" }
{ "_id" : NumberLong(2), "name" : "CCC", "_class" : "com.example.demo.entity.Book" }
我们还有一个pineapple,没有与test的联系,看他能不能访问
use admin
switched to db admin
db.auth("pineapple","boluo")
1
use test
switched to db test
show tables
2018-08-10T13:51:49.650+0800 E QUERY [thread1] Error: listCollections failed: {
"ok" : 0,
"errmsg" : "not authorized on test to execute command { listCollections: 1.0, filter: {}, $db: \"test\" }",
"code" : 13,
"codeName" : "Unauthorized"
} :
_getErrorWithCode@src/mongo/shell/utils.js:25:13
DB.prototype._getCollectionInfosCommand@src/mongo/shell/db.js:941:1
DB.prototype.getCollectionInfos@src/mongo/shell/db.js:953:19
DB.prototype.getCollectionNames@src/mongo/shell/db.js:964:16
shellHelper.show@src/mongo/shell/utils.js:842:9
shellHelper@src/mongo/shell/utils.js:739:15
@(shellhelp2):1:1
那么暂时得出结论:创建在admin里面的用户,如果赋予访问其他数据库的权限,则在admin上通过认证之后,可以访问它权限范围内的数据库;否则不能。
那么普通数据库呢?
use test
switched to db test
db.auth("peach","taozi")
1
db.stats()
{
"db" : "test",
"collections" : 2,
"views" : 0,
"objects" : 4,
"avgObjSize" : 73,
"dataSize" : 292,
"storageSize" : 32768,
"numExtents" : 0,
"indexes" : 2,
"indexSize" : 32768,
"fsUsedSize" : 41192714240,
"fsTotalSize" : 332861009920,
"ok" : 1
}
use test2
switched to db test2
show tables
bbb
db.bbb.find()
{ "_id" : ObjectId("5b6d29e778212a9cb2bbd958"), "name" : "test2.bbb.data" }
这个peach用户拥有对test2数据库的访问权限。那么说:无论admin还是普通数据库,只要对创建的用户赋予访问其它数据库的权限,都是可以访问的。
如果说,我不想去指定用户能不能访问某个数据库,用户也可以访问。那可以通过赋予高级权限来搞定
// 这里的pineapple拥有创建用户权限,所以这里可以直接创建新用户并赋予权限
use admin
switched to db admin
db.auth("pineapple","boluo")
1
db.createUser(
{
user: "peach",
pwd: "taozi",
roles: ["dbAdminAnyDatabase"]
}
)
Successfully added user: { "user" : "peach", "roles" : [ "dbAdminAnyDatabase" ] }
db.getUsers()
[
{
"_id" : "admin.apple",
"user" : "apple",
"db" : "admin",
"roles" : [
{
"role" : "read",
"db" : "test"
}
]
},
{
"_id" : "admin.peach",
"user" : "peach",
"db" : "admin",
"roles" : [
{
"role" : "dbAdminAnyDatabase",
"db" : "admin"
}
]
},
{
"_id" : "admin.pineapple",
"user" : "pineapple",
"db" : "admin",
"roles" : [
{
"role" : "readWrite",
"db" : "admin"
},
{
"role" : "userAdmin",
"db" : "admin"
}
]
}
]
db.auth("peach","taozi")
1
use test
switched to db test
show tables
aaa
my_collection
use test2
switched to db test2
show tables
bbb
无意间又发现:不同数据库的用户即使相同,它们之间也互不影响!因为我的peach用户在test数据库也有了,admin中也有。
大概就这么多,有新的会补上
第二种连接方法(登录的时候就认证)
mongo.exe --port 27017 -u "用户名" -p "密码" --authenticationDatabase "认证数据库"
..
[d:\MongoDB\Server\3.6\bin]$ mongo.exe --port 27017 -u "peach" -p "taozi" --authenticationDatabase "admin"
MongoDB shell version v3.6.5
connecting to: mongodb://127.0.0.1:27017/
MongoDB server version: 3.6.5
db.stats()
{
"db" : "test",
"collections" : 2,
"views" : 0,
"objects" : 4,
"avgObjSize" : 73,
"dataSize" : 292,
"storageSize" : 32768,
"numExtents" : 0,
"indexes" : 2,
"indexSize" : 32768,
"fsUsedSize" : 41195212800,
"fsTotalSize" : 332861009920,
"ok" : 1
}
2018-08-10T14:42:32.210+0800 I CONTROL [thread2] CTRL_CLOSE_EVENT signal
2018-08-10T14:42:32.210+0800 I CONTROL [consoleTerminate] got CTRL_CLOSE_EVENT, will terminate after current cmd ends
2018-08-10T14:42:32.211+0800 I CONTROL [consoleTerminate] shutting down with code:12 [d:\MongoDB\Server\3.6\bin]$ mongo.exe --port 27017 -u "pineapple" -p "boluo" --authenticationDatabase "admin"
MongoDB shell version v3.6.5
connecting to: mongodb://127.0.0.1:27017/
MongoDB server version: 3.6.5
db.stats()
{
"ok" : 0,
"errmsg" : "not authorized on test to execute command { dbstats: 1.0, scale: undefined, $db: \"test\" }",
"code" : 13,
"codeName" : "Unauthorized"
}
我先用peach登录,因为它拥有所有数据库的权限,所以默认进来test,可以直接访问的。然而我用pineapple登录,它仅仅拥有admin的权限,所以进来test是不能访问的。
我想说什么呢,我以为会自动进入你输入的认证数据库,结果不是。
最后总结一下用到的命令
| 命令 | 说明 |
| mongod.exe --auth --dbpath D:\MongoDB\Server\3.6\data | 启动服务(认证状态) |
| use [db] | 切换数据库,不存在即创建 |
| show dbs | 查看数据库列表 |
| db.dropDatabase() | 删除当前数据库 |
| db.stats() | 查看数据库状态信息 |
| show tables/collections | 查看当前数据库里的表(集合) |
| mongo.exe --port 27017 -u "peach" -p "taozi" --authenticationDatabase "admin" | 以用户名密码认证登录 |
use admin |
创建用户,可以指定role-db。只有role-默认当前数据库 |
|
use admin |
修改密码。当前数据库下的已存在的用户 |
|
use admin db.dropUser("peach") |
删除用户 |
|
db.dropAllUsers() |
删除所有用户 |
|
use admin db.getUser("peach") |
获取用户信息 |
|
use admin db.getUsers() |
获取所有用户 |
|
use admin db.auth("peach", "123" ) |
认证 |
|
db.collection.find() |
列出集合里面的数据 |
|
db.collection.dataSize() |
集合大小 |
|
db.collection.drop() |
删除集合 |
|
db.collection.insert( { item: "card", qty: 15 } ) |
添加数据 |
概念对比:
mongoDB-权限控制的更多相关文章
- MongoDB 安全和访问权限控制
MongoDB的访问控制能够有效保证数据库的安全,访问控制是指绑定Application监听的IP地址,设置监听端口,使用账户和密码登录 一,访问控制的参数 1,绑定IP地址 mongod 参数:-- ...
- aProxy: 带认证授权和权限控制的反向代理
前段时间很多数据库因为没有做好权限控制暴露在外网被删然后遭勒索的事件,而类似的有些内网的web服务也会被开放到公网并且没有做任何权限控制的,这样也会有一定的风险.所以就决定写篇文章简单介绍一个小工具. ...
- MongoDB——权限管理
MongoDB--权限管理 MongoDB默认是没有权限验证的,但生产环境中,没有权限控制是很不安全的. 我们先不详谈太多概念,直接动手创建两个典型的账号: 超级管理员,类似sql server的sa ...
- 单点登录(十八)----cas4.2.x客户端增加权限控制shiro
我们在上面章节已经完成了cas4.2.x登录启用mongodb的验证方式. 单点登录(十三)-----实战-----cas4.2.X登录启用mongodb验证方式完整流程 也完成了获取管理员身份属性 ...
- 尝试asp.net mvc 基于controller action 方式权限控制方案可行性
微软在推出mvc框架不久,短短几年里,版本更新之快,真是大快人心,微软在这种优秀的框架上做了大量的精力投入,是值得赞同的,毕竟程序员驾驭在这种框架上,能够强力的精化代码,代码层次也更加优雅,扩展较为方 ...
- WebGIS中快速整合管理多源矢量服务以及服务权限控制的一种设计思路
文章版权由作者李晓晖和博客园共有,若转载请于明显处标明出处:http://www.cnblogs.com/naaoveGIS/ 1.背景 在真实项目中,往往GIS服务数据源被其他多个信息中心或者第三方 ...
- ASP.NET MVC实现权限控制
这篇分享一下 ASP.NET MVC权限控制.也就是说某一用户登录之后,某一个用户是否有权限访问Controller,Action(操作),视图等 想实现这些功能,需要在数据库创建好几个表:[User ...
- springmvc+spring+mybatis+maven项目集成shiro进行用户权限控制【转】
项目结构: 1.maven项目的pom中引入shiro所需的jar包依赖关系 ? 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 ...
- Appfuse:权限控制
Appfuse的权限控制依赖于Struts的Menu机制,common下的menu.jsp是对菜单顺序的定义,详细的菜单项和菜单链接及权限再menu-config.xml中控制,如下: <Men ...
- .NET WebAPI 用ActionFilterAttribute实现token令牌验证与对Action的权限控制
项目背景是一个社区类的APP(求轻吐...),博主主要负责后台业务及接口.以前没玩过webAPI,但是领导要求必须用这个(具体原因鬼知道),只好硬着头皮上了. 最近刚做完权限这一块,分享出来给大家.欢 ...
随机推荐
- C-LODOP设置同一页面 手机电脑都打印
C-Lodop有四种角色,1:客户端本地打印方式客户端访问web,调用客户端本地的打印机进行打印,这时候调用的安装在客户端本地的c-lodop服务,实际调用的是http://Localhost:800 ...
- .net core Include问题
本文章为原创文章,转载请注明出处 当时不知道为什么这样写,可能是突然间脑子停止了转动,既然犯过这样的错误,就记录下来吧 错误示例 ).Include(a=>a.User).Select(a =& ...
- linux shell系列9 统计用户的权限
#!/bin/bash #set -x host=`hostname` ip=`ifconfig $(ip a|grep eth|head -n1|awk -F: '{print $2}') |gre ...
- BZOJ4317Atm的树&BZOJ2051A Problem For Fun&BZOJ2117[2010国家集训队]Crash的旅游计划——二分答案+动态点分治(点分树套线段树/点分树+vector)
题目描述 Atm有一段时间在虐qtree的题目,于是,他满脑子都是tree,tree,tree…… 于是,一天晚上他梦到自己被关在了一个有根树中,每条路径都有边权,一个神秘的声音告诉他,每个点到其他的 ...
- #191 sea(动态规划)
假设已经求出了i个点j个桥的连通图数量f[i][j],容易由此推出最终答案,套路地枚举1号点所在连通块大小即可. 假设已经求出了i个点的边双连通图数量h[i],考虑由此推出f[i][j].可以枚举其中 ...
- HDU2710-Max Factor-分解质因子
给出N个MAXN以内的不同的数,求出素因子最大的数. 使用朴素的方法分解素因子即可.时间复杂度为N*log(MAXN) #include <cstdio> #include <alg ...
- Asteroids POJ - 3041 匈牙利算法+最小点覆盖König定理
题意: 给出一个N*N的地图N 地图里面有K个障碍 你每次可以选择一条直线 消除这条直线上的所有障碍 (直线只能和列和行平行) 问最少要消除几次 题解: 如果(x,y)上有一个障碍 则把 ...
- 【XSY1594】棋盘控制 概率DP
题目描述 给你一个\(n\times m\)的棋盘,每次随机在棋盘上放一个国际象棋中的车,不能和以前放的重叠.每个车可以控制当前行和当前列.当所有行和所有列都被控制时结束游戏.问你结束时期望放了多少个 ...
- 【BZOJ4316】小C的独立集(动态规划)
[BZOJ4316]小C的独立集(动态规划) 题面 BZOJ 题解 考虑树的独立集求法 设\(f[i][0/1]\)表示\(i\)这个点一定不选,以及\(i\)这个点无所谓的最大值 转移\(f[u][ ...
- Atcoder | AT2665 【Moderate Differences】
又是一道思路特别清奇的题qwq...(瞪了一上午才发现O(1)的结论...差点还想用O(n)解决) 问题可以转化为是否能够由\(f_{1}=a\)通过\(\pm x \in[c,d]\)得到\(f_{ ...