MongoDB基础(六)安全性(权限操作)(二)

创建用户 "userkk"，并授予其 mydb 数据库的 dbOwner 角色（用户名与密码相同、以及 admin/admin 这类口令仅用于演示环境）。


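use admin

db.auth("admin","admin")

use mydb

// NOTE(review): "userkk"/"userkk" and "admin"/"admin" are demo-only credentials;
// typed like this they also end up in the shell history file (~/.dbshell).
// Use strong, distinct secrets outside a throwaway lab.
// dbOwner on mydb = readWrite + dbAdmin + userAdmin on that database, so this
// user can create users and grant roles on mydb (including to itself). Prefer
// readWrite or a custom role unless user administration of mydb is intended.
db.createUser(
  {
    user: "userkk",
    pwd: "userkk",
    roles: [ { role: "dbOwner", db: "mydb" } ]
  }
)

// The connection is still authenticated as admin. On this shell/server
// version (3.0) the privileges of every user authenticated on one connection
// are combined, so authenticating userkk on top of admin would not exercise
// userkk's limits. End the admin session first (or start a fresh shell, as
// the later steps of this page do).
db.getSiblingDB("admin").logout()

db.auth("userkk","userkk")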



------------------------------------------------------------------------------------------------------------------

华丽分割

------------------------------------------------------------------------------------------------------------------

现在授权测试:

// Authenticate as the admin user first: the role and user management
// commands that follow require it.
db = db.getSiblingDB("admin")

db.auth("admin", "admin")


// Switch to mydb and define the role there; it is stored in
// admin.system.roles under the _id "mydb.testRole".
// The single privilege grants "find" on every non-system collection of mydb:
// an empty collection name in a resource document means all collections of
// that database except the system.* ones.
// roles: [] means the role inherits nothing from other roles.
// Undo with: db.dropRole("testRole")
use mydb

var findOnMydb = {
  resource: { db: "mydb", collection: "" },
  actions: [ "find" ]
}

db.createRole({
  role: "testRole",
  privileges: [ findOnMydb ],
  roles: []
})

#自定义角色不会存放在 mydb 里，而是统一写入 admin 数据库的 system.roles 集合（_id 形如 "<db>.<role>"）。查看角色：


> use admin
switched to db admin
> 
> show collections
system.indexes
system.roles
system.users
system.version
> 
> db.system.roles.find();
{ "_id" : "mydb.testRole", "role" : "testRole", "db" : "mydb", "privileges" : [ { "resource" : { "db" : "mydb", "collection" : "" }, "actions" : [ "find" ] } ], "roles" : [ ] }
> 

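// Back in mydb: (re)create userkk with only testRole.
// The dbOwner user created earlier has the same name, and createUser fails
// with "User userkk@mydb already exists" while it is still there, so drop it
// first. dropUser returns false (no error) when the user does not exist, so
// this is safe even if the earlier step was skipped.
use mydb

db.dropUser("userkk")

db.createUser(
  {
    user: "userkk",
    pwd: "userkk",
    roles: [ { role: "testRole", db: "mydb" } ]
  }
)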

退出 mongodb，重新登录后再操作。需要重新登录的原因：当前连接仍保留着 admin 的认证，在 3.0 版本中同一连接上多个已认证用户的权限会合并，直接 db.auth 切换到 userkk 并不能真实检验 userkk 的权限。重新登录后发现只能使用 find，insert 被拒绝，返回的错误码 13 即 Unauthorized（未授权）。
>exit


[root@localhost ~]# mongo
MongoDB shell version: 3.0.2
connecting to: test
> use mydb
switched to db mydb
> 
> db.auth("userkk","userkk")
1
> 
> db.tab.find({"id":999})
{ "_id" : ObjectId("554ef5ac1b590330c00c7d02"), "id" : 999 }
> 
> db.tab.insert({"id":1000})
WriteResult({
	"writeError" : {
		"code" : 13,
		"errmsg" : "not authorized on mydb to execute command { insert: \"tab\", documents: [ { _id: ObjectId('554f145cdf782b42499d80e5'), id: 1000.0 } ], ordered: true }"
	}
})
> 

给角色 "testRole" 添加 3 个 "Privileges" 权限："update"、"insert"、"remove"。grantPrivilegesToRole 是追加式的：同一 resource 上新的 actions 会与已有的 "find" 合并，而不是替换；注意这里的 resource 覆盖 mydb 中的全部非系统集合，"remove" 的授权范围较大。再重新操作。


// Granting privileges requires the grantRole action on the target database,
// which userkk does not have: switch back to the admin user.
db = db.getSiblingDB("admin")

db.auth("admin", "admin")

db = db.getSiblingDB("mydb")

// Add the write actions on the same resource (all non-system collections of
// mydb). The grant is merged with the existing "find" privilege on that
// resource rather than replacing it, as admin.system.roles shows afterwards.
var writeActions = [ "update", "insert", "remove" ]

db.grantPrivilegesToRole("testRole", [
  { resource: { db: "mydb", collection: "" }, actions: writeActions }
])

// Leave the shell and start a new one, so the admin credentials are gone from
// the connection before testing as userkk.
exit


// Fresh shell session: authenticate as userkk only, with no admin session on
// this connection.
db = db.getSiblingDB("mydb")

db.auth("userkk", "userkk")

// With find/insert/update/remove on mydb's collections, a write/read/delete
// round trip now succeeds for userkk.
db.tab.insert({ "id": 1000 })
db.tab.find({ "id": 1000 })
db.tab.remove({ "id": 1000 })


#此时admin的角色记录为:
> db.system.roles.find();
{ "_id" : "mydb.testRole", "role" : "testRole", "db" : "mydb", "privileges" : [ { "resource" : { "db" : "mydb", "collection" : "" }, "actions" : [ "find", "insert", "remove", "update" ] } ], "roles" : [ ] }
> 


#更改角色的 roles：updateRole 会用给出的数组整体替换角色的 roles（继承列表），若只想追加应使用 grantRolesToRole。同样，若在 updateRole 中给出 privileges，也会整体替换原有的 privileges；这里未给出，所以之前授予的 find/insert/update/remove 保持不变。


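use admin

db.auth("admin","admin")

use mydb

// updateRole REPLACES the fields it is given: the roles array below becomes
// the role's whole inheritance list (use grantRolesToRole to add instead).
// "privileges" is not given here, so the direct find/insert/update/remove
// privileges stay. The w:"majority" write concern only matters on a replica
// set; on a standalone it is a no-op.
db.updateRole("testRole",{ roles:[{ role: "readWrite",db: "mydb"}]},{ w:"majority" })

// Same trap as in the first section: admin is still authenticated on this
// connection and its privileges would be combined with userkk's, so a
// "show dbs" here would appear to work for userkk. End the admin session
// (or use a fresh shell) before testing.
db.getSiblingDB("admin").logout()

db.auth("userkk","userkk")

// Expected for userkk alone: "show dbs" should be refused, because readWrite
// on mydb does not include the cluster-wide listDatabases action. Verify the
// role change with db.tab.find() on mydb instead.
show dbs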



关于角色,参考官方文档提取总结如下:


角色分类

角色

权限及角色

(本文大小写可能有些变化,使用时请参考官方文档)

Database User Roles

read

collStats, dbHash, dbStats, find, killCursors, listIndexes, listCollections

readWrite

collStats, convertToCapped, createCollection, dbHash, dbStats,

dropCollection, createIndex, dropIndex, emptycapped, find,

insert, killCursors, listIndexes, listCollections, remove,

renameCollectionSameDB, update（action 名称区分大小写，在 privileges 中须按此写法使用）

Database Admin