在 Mongo 数据库实例中为特定数据库创建只读用户
[英]Create Read only user in Mongo DB Instance for a particular database
问题描述
I have created a user " mongo01testro " in the mongo01test database.
我在mongo01test数据库中创建了一个用户“ mongo01testro ”。
use mongo01test
db.addUser( "mongo01testro", "pwd01", true );
db.system.users.find();
{ "_id" : ObjectId("53xyz"), "user" : "mongo01testro", "readOnly" : true, "pwd" : "b9eel61" }
When I logged in from another session as this newly created user, I am able to insert documents into the collection which is strange.当我以这个新创建的用户身份从另一个会话登录时,我能够将文档插入到集合中,这很奇怪。
I am looking to do the following:我希望执行以下操作:
- Create 2 separate users one for read only and one for read write for each database.为每个数据库创建 2 个单独的用户,一个用于只读,一个用于读写。
- Create an admin user which have sysadmin/dba access to all the databases in MongoDB instance used for Backup/Recovery or admin purpose.创建一个管理员用户,该用户对 MongoDB 实例中用于备份/恢复或管理目的的所有数据库具有 sysadmin/dba 访问权限。
Please kindly help.请帮助。
Regards, Parag问候, 帕拉格
4 个解决方案
解决方案1
15 2014-08-14 13:33:51
You forgot --auth to enable你忘了 --auth 启用
Create Users创建用户
// ensure that we have new db, no roles, no users
use products
db.dropDatabase()
// create admin user
use products
db.createUser({
"user": "prod-admin",
"pwd": "prod-admin",
"roles": [
{"role": "clusterAdmin", "db": "admin" },
{"role": "readAnyDatabase", "db": "admin" },
"readWrite"
]},
{ "w": "majority" , "wtimeout": 5000 }
)
// login via admin acont in order to create readonly user
// mongo --username=prod-admin --password=prod-admin products
db.createUser({
"user": "prod-r",
"pwd": "prod-r",
"roles": ["read"]
})
Enable auth:启用身份验证:
sudo vim /etc/mongod.conf # edit file
# Turn on/off security. Off is currently the default
#noauth = true
auth = true
sudo service mongod restart # reload configuiration
Check write restriction:检查写入限制:
# check if write operation for readonly user
$ mongo --username=prod-r --password=prod-r products
MongoDB shell version: 2.6.4
connecting to: products
> db.laptop.insert({"name": "HP"})
WriteResult({
"writeError" : {
"code" : 13,
"errmsg" : "not authorized on products to execute command { insert: \"laptop\", documents: [ { _id: ObjectId('53ecb7115f0bfc61d8b1113e'), name: \"HP\" } ], ordered: true }"
}
})
# check write operation for admin user
$ mongo --username=prod-admin --password=prod-admin products
MongoDB shell version: 2.6.4
connecting to: products
> db.laptop.insert({"name": "HP"})
WriteResult({ "nInserted" : 1 })
# check read operation for readonly user
$ mongo --username=prod-r --password=prod-r products
MongoDB shell version: 2.6.4
connecting to: products
> db.laptop.findOne()
{ "_id" : ObjectId("53ecb54798da304f99625d05"), "name" : "HP" }
解决方案2
2 2016-01-24 10:02:37
MongoDB changed the way it handles users in versions >= 2.2 and 2.6 and if you are updating mongodb you will have to Upgrade User Authorization Data to 2.6 Format . MongoDB 更改了它在版本 >= 2.2 和 2.6 中处理用户的方式,如果您要更新 mongodb,则必须将User Authorization Data 升级到 2.6 Format 。
In versions < 2.2 (legacy) you use the db.addUser(username, password, readOnly) function as @Hüseyin BABAL suggested.在版本 < 2.2 (旧版)中,您使用 @Hüseyin BABAL 建议的db.addUser(username, password, readOnly)函数。 If you are using version > 2.2 or 2.6 you have a lot more control over what you can do with roles and privileges.如果您使用的版本大于 2.2 或 2.6,则您可以更好地控制角色和权限的操作。
So assuming you use mongo v > 2.6 you can create something like:因此,假设您使用 mongo v > 2.6,您可以创建如下内容:
use admin
db.createUser({
user: "myUsername",
pwd: "mypwd",
roles: [{
role: "userAdminAnyDatabase",
db: "admin"
}]
})
db.addUser({
user: "username",
pwd: "password",
roles: [{
role: "readWrite",
db: "myDBName"
}]
})
You can use the Build in Roles or you can even create custom roles .您可以使用内置角色,甚至可以创建自定义角色。
So as you can see you clearly have a lot more options when using v > 2.6 when it comes to authentication and role management.因此,如您所见,在使用 v > 2.6 进行身份验证和角色管理时,您显然有更多选择。
解决方案3
1 2018-11-30 14:48:37
if the Access control is enabled on the MongoDB deployment, Then you should login by authenticating to the relevant database with admin user (or user with userAdmin role) which you want to control the access.如果在 MongoDB 部署上启用了访问控制,那么您应该通过使用要控制访问的管理员用户(或具有 userAdmin 角色的用户)对相关数据库进行身份验证来登录。 to do that要做到这一点
mongo <db_name> -u <user_name> -p <user_password>
ex: mongo mongo01test -u admin -p admin_paaswrod例如: mongo mongo01test -u admin -p admin_paaswrod
then execute the following query to create a read only user for current connected database,然后执行以下查询为当前连接的数据库创建只读用户,
db.createUser({user:"user_name",pwd:"password",roles:[{role:"read", db:"db_name"}]});
ex: db.createUser({user:"user_rd",pwd:"password",roles:[{role:"read", db:"mongo01test"}]});例如: db.createUser({user:"user_rd",pwd:"password",roles:[{role:"read", db:"mongo01test"}]});
create a user with both readWrite access ,创建一个具有读写访问权限的用户,
db.createUser({user:"user_name",pwd:"password",roles:[{role:"readWrite", db:"db_name"}]});
ex: db.createUser({user:"user_rw",pwd:"pass_rw",roles:[{role:"readWrite", db:"mongo01test"}]});例如: db.createUser({user:"user_rw",pwd:"pass_rw",roles:[{role:"readWrite", db:"mongo01test"}]});
to create a user with admin privileges,创建具有管理员权限的用户,
use admin;
db.createUser({user:"admin_user_name",pwd:"password", roles:[{role:"dbAdmin", db:"admin"},{role:"readWriteAnyDatabase", db:"admin"},{role:"backup", db:"admin"},{role:"restore", db:"admin"}]});
解决方案4
0 2014-01-21 11:14:16
Here is my scneario;这是我的场景;
// Create admin user
use admin
db.addUser('root', 'strong_password');
// Read only user
use dbforuser1
db.addUser('user1', 'user1_pass', true);
// Read / Write access
use dbforuser2
db.addUser('user2', 'user2_pass');
If you want to login to dbforuser1如果你想登录到 dbforuser1
use dbforuser1
db.auth('user1', 'user1_pass')
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.