mongodb安裝完後預設是不開啟auth子產品的,普通使用者和超級管理者均不通過認證就可操作。當然裸奔有風險,安全起見還是開啟auth子產品。
首先需要了解下面幾點:
1、mongodb是沒有預設管理者賬号,是以要先添加管理者賬号,然後開啟權限認證。
2、切換到admin資料庫,添加的賬号才是管理者賬号。
3、使用者隻能在使用者所在資料庫登入,包括管理者賬号。
4、管理者可以管理所有資料庫,但是不能直接管理其他資料庫,要先在admin資料庫認證後才可以。這一點比較怪。
1.使用者權限角色說明
1.1 Database User Roles
- read
允許使用者讀取指定資料庫
Provides the ability to read data on allnon-system collections and on the following system collections: system.indexes,system.js, and system.namespaces collections.
擁有如下權限:
aggregate,checkShardingIndex,cloneCollectionAsCapped,collStats count,dataSize,dbHash,dbStats,distinct,filemd5 geoNear,geoSearch,geoWalk,group mapReduce (inline output only.),text (beta feature.) |
- readWrite
允許使用者讀寫指定資料庫
Provides all the privileges of the readrole and the ability to modify data on all non-system collections and thesystem.js collection.
除了具有read權限,還擁有以下權限:
cloneCollection (as the target database.),convertToCapped create (and to create collections implicitly.) drop(),dropIndexes,emptycapped,ensureIndex() findAndModify,mapReduce (output to a collection.) renameCollection (within the same database.) read和readWrite隻要就是對庫中表的操作權限 |
1.2 Database Administration Roles
- dbAdmin
允許使用者在指定資料庫中執行管理函數,如索引建立、删除,檢視統計或通路system.profile
Provides the ability to performadministrative tasks such as schema-related tasks, indexing, gatheringstatistics. This role does not grant privileges for user and role management.
擁有如下權限:
clean,collMod,collStats,compact,convertToCapped create,db.createCollection(),dbStats,drop(),dropIndexes,ensureIndex() indexStats,profile,reIndex,renameCollection (within a single database.),validate |
- dbOwner
Provides the ability to perform anyadministrative action on the database. This role combines the privilegesgranted by the readWrite, dbAdmin and userAdmin roles.
- userAdmin
允許使用者向system.users集合寫入,可以找指定資料庫裡建立、删除和管理使用者
Provides the ability to create and modifyroles and users on the current database. Since the userAdmin role allows usersto grant any privilege to any user, including themselves, the role alsoindirectly provides superuser access to either the database or, if scoped tothe admin database, the cluster.
1.3 Cluster Administration Roles
- clusterAdmin
隻在admin資料庫中可用,賦予使用者所有分片和複制集相關函數的管理權限。
Provides the greatest cluster-managementaccess. This role combines the privileges granted by the clusterManager,clusterMonitor, and hostManager roles. Additionally, the role provides thedropDatabase action.
擁有如下權限:
addShard,closeAllDatabases,connPoolStats,connPoolSync,_cpuProfilerStart _cpuProfilerStop,cursorInfo,diagLogging,dropDatabase enableSharding,flushRouterConfig,fsync,db.fsyncUnlock() getCmdLineOpts,getLog,getParameter,getShardMap,getShardVersion hostInfo,db.currentOp(),db.killOp(),listDatabases,listShards logRotate,moveChunk,movePrimary,netstat,removeShard,unsetSharding repairDatabase,replSetFreeze,replSetGetStatus,replSetInitiate replSetMaintenance,replSetReconfig,replSetStepDown,replSetSyncFrom resync,serverStatus,setParameter,setShardVersion,shardCollection shardingState,shutdown,splitChunk,splitVector,split,top,touch |
- clusterManager
Provides management and monitoring actionson the cluster. A user with this role can access the config and localdatabases, which are used in sharding and replication, respectively.
- clusterMonitor
Provides read-only access to monitoringtools, such as the MongoDB Cloud Manager and Ops Manager monitoring agent.
- hostManager
Provides the ability to monitor and manageservers.
1.4 Backup and Restoration Roles
- backup
Provides privileges needed to back up data.This role provides sufficient privileges to use the MongoDB Cloud Managerbackup agent, Ops Manager backup agent, or to use mongodump.
- restore
Provides privileges needed to restore datawith mongorestore without the --oplogReplay option or without system.profilecollection data.
1.5 All-Database Roles
- readAnyDatabase
隻在admin資料庫中可用,賦予使用者所有資料庫的讀權限
Provides the same read-only permissions asread, except it applies to all but the local and config databases in thecluster. The role also provides the listDatabases action on the cluster as awhole.
- readWriteAnyDatabase
隻在admin資料庫中可用,賦予使用者所有資料庫的讀寫權限
Provides the same read and writepermissions as readWrite, except it applies to all but the local and configdatabases in the cluster. The role also provides the listDatabases action onthe cluster as a whole.
- userAdminAnyDatabase
隻在admin資料庫中可用,賦予使用者所有資料庫的userAdmin權限
Provides the same access to useradministration operations as userAdmin, except it applies to all but the localand config databases in the cluster.
Since the userAdminAnyDatabase role allowsusers to grant any privilege to any user, including themselves, the role alsoindirectly provides superuser access.
- dbAdminAnyDatabase
隻在admin資料庫中可用,賦予使用者所有資料庫的dbAdmin權限。
Provides the same access to databaseadministration operations as dbAdmin, except it applies to all but the localand config databases in the cluster. The role also provides the listDatabasesaction on the cluster as a whole.
1.6 Superuser Roles
- root
隻在admin資料庫中可用。超級賬号,超級權限
Provides access to the operations and allthe resources of the readWriteAnyDatabase, dbAdminAnyDatabase,userAdminAnyDatabase, clusterAdmin, restore, and backup combined.
具體權限可參見:
https://docs.mongodb.com/manual/reference/built-in-roles/#read
轉載于:https://blog.51cto.com/showing/1905159