堆栈内存溢出
  简体   繁体   English

Mongodb集群:可以查询普通集合,但不能查询system.users

[英]Mongodb cluster:can query on normal collections ,but not on system.users

 原文  2014-01-20 05:58:08       mongodb/ authentication/ admin/ roles

问题描述

I use keyFile to authenticate my mongodb cluster system.I have already had an administrator role against admin db: 我使用keyFile来验证我的mongodb集群系统。我已经对admin db拥有管理员角色:

So , at first I login with authentication: 因此,首先我使用身份验证登录: 

mongo localhost:40000/admin -u root -p 123456
mongos> use admin
switched to db admin
mongos> db.system.users.find()
{ "_id" : ObjectId("52dcb305398751501c530378"), "user" : "root", "pwd" : "a02786431d8419bbebee7aa4dad6aee9", "roles" : [  "clusterAdmin",  "userAdmin",  "readWriteAnyDatabase",  "dbAdmin",  "read" ] }

After I log in with such a role ,I can do any thing(including query,delete,modify and so on) on admin and any other normal databases except for addUser operation! 以这种角色登录后,除了addUser操作外,我可以在admin和任何其他普通数据库上执行任何操作(包括查询,删除,修改等)!

For example, for a normal database genbank ,I tried to add a user : 例如,对于普通数据库genbank ,我尝试添加一个用户: 

mongos> use genbank
switched to db genbank
mongos> db.addUser({user:"genbankReader",pwd:"123456",roles:["read"]})
{
        "user" : "genbankReader",
        "pwd" : "6f755264f6d28045198f6ae53523005e",
        "roles" : [
                "read"
        ],
        "_id" : ObjectId("52dcb8495ec4b673f09b66eb")
}
Mon Jan 20 13:46:49.007 couldn't add user: not authorized for insert on genbank.system.users at src/mongo/shell/db.js:128

But for database admin ,I can do addUser() as I want: 但是对于数据库管理员,我可以根据需要执行addUser(): 

mongos> use admin
switched to db admin
mongos> db.addUser({user:"adminReader",pwd:"123456",roles:["read"]})
{
        "user" : "adminReader",
        "pwd" : "60c67cf3181b8b8570583ddfb62dd32e",
        "roles" : [
                "read"
        ],
        "_id" : ObjectId("52dcb8b25ec4b673f09b66ec")
}

It is really strange! 真是奇怪!

1 个解决方案

解决方案1
 0  2014-01-20 06:50:58

After I change the root roles from 在我更改根角色后 

[  "clusterAdmin",  "userAdmin",  "readWriteAnyDatabase",  "dbAdmin",  "read" ]

to 

[ "clusterAdmin", "userAdminAnyDatabase",  "dbAdminAnyDatabase", "readWriteAnyDatabase" ]

,problem solved! ,问题解决了!

It seems that the problem comes from the role type "userAdmin".From mongodb doc , the user admin role against db admin is the same as userAdminAnyDatabase: 看来问题出在角色类型“ userAdmin”。从mongodb doc ,针对db admin的user admin角色与userAdminAnyDatabase相同: 

Note The userAdmin role is a database-specific privilege, and only grants a user the ability to administer users on a single database. However, for the admin database, userAdmin **allows a user the ability to gain userAdminAnyDatabase**. Thus, for the admin database only, these roles are effectively the same.

So , the role type userAdmin against database admin doesn't provide us directly the ability to administer users on other dbs , but user under this role can create another role 'userAdminAnyDatabase' and only under this can user administer other db's users. 因此,针对数据库admin的角色类型userAdmin不能直接为我们提供在其他dbs上管理用户的功能,但是具有该角色的用户可以创建另一个角色“ userAdminAnyDatabase”,并且只有在该角色下,用户才能管理其他db的用户。

暂无
暂无

声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.

相关问题 mongodb-滥用system.users集合? - mongodb - abuse of system.users collection? 如何使用 mongodb 和 PHP 从“system.users”中删除用户? - how can I drop user from "system.users" using mongodb and PHP? MongoDB changeStreams可以侦听系统级别的集合吗? - Can MongoDB changeStreams listen to system level collections? MongoDB 无权查询 admin.system.users - MongoDB not authorized for query admin.system.users MongoDB-查询两个集合 - MongoDB - query with two collections MongoDb 查询两个集合 - MongoDb query on two collections 2个集合中的mongodb查询 - mongodb query in 2 collections 将“普通” MongoDB集合导入DerbyJS 0.6 - Import “normal” MongoDB collections into DerbyJS 0.6 为跟踪系统构建MongoDb集合 - Structuring MongoDb Collections for a tracking system 如何同时查询 mongodb 中的多个集合? - How can I query multiple collections in mongodb at the same time?
相关标签
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM