Of Stack

mongodb basic User permission Management example tutorial

  • 2020-10-23 20:20:13
  • OfStack

preface

This article focuses on mongodb user rights management, but I won't go into the details of what I did last time

Start mongodb and connect 


./bin/mongod -f conf/mongod.conf
./bin/mongo 127.0.0.1:12345

View the default database status 


> show dbs
admin 0.000GB
local 0.000GB

> use admin
switched to db admin
> show tables
system.version

As you can see, there's nothing in the database right now, except for a little bit of basic information, right

Before creating and setting user permissions, learn 1 thing about documentation

Create a user 


# demo
db.createUser(
 {
 user: "reportsUser",
 pwd: "12345678",
 roles: [
  { role: "read", db: "reporting" },
  { role: "read", db: "products" },
  { role: "read", db: "sales" },
  { role: "readWrite", db: "accounts" }
 ]
 }
)

Database built-in roles

Database user role

read (read the specified database) readWrite (read and write to specified database)

Database management role

dbAdmin (Database Administrator) dbOwner (database owner, merged with readWrite, dbAdmin and userAdmin roles.) userAdmin (User administrator, you can find the specified database to create, delete, and manage users)

Cluster management role

clusterAdmin (Cluster Administrator) clusterManager (Cluster Manager) clusterMonitor (Collection Monitor) hostManager (Host Manager)

Backup recovery role

backup (Backup) restore (Reduction)

All database roles

readAnyDatabase (read any database) readWriteAnyDatabase (read and write to any database) userAdminAnyDatabase (User manages any database) dbAdminAnyDatabase (Any database administrator)

Superuser role

root

Internal role

__system

Now that you have the create syntax, and the parameter specification, it's time to get started.

Note that one more thing, accounts are tied to the database, authorized in that database, verified in that database (auth)
Otherwise it will fail

Create an account that manages authorization 


> db.createUser(
... {
... user: 'admin',
... pwd: '123456',
... roles: [{role: 'userAdminAnyDatabase', db: 'admin'}]
... }
... )
Successfully added user: {
  "user" : "admin",
  "roles" : [
    {
      "role" : "userAdminAnyDatabase",
      "db" : "admin"
    }
  ]
}

And then exit the database 


> use admin
switched to db admin
> db.shutdownServer()

Restart mongodb and remember to add auth = true to the configuration file mongod.conf 


./bin/mongod -f conf/mongod.conf
./bin/mongo 127.0.0.1:12345
> show dbs #  No validation, no permissions, error 
"errmsg" : "not authorized on admin to execute command
> use admin
> db.auth('admin', '123456')
1
#  return  1  Indicates successful authorization, 0 Said failure 
> show dbs # It's authorized. You can view it

Create a read/write access account 


> use book
switched to db book
> db.createUser(
... {
... user: 'zhangsan',
... pwd: 'zhangsan',
... roles: [{role: 'read', db: 'book'}]
... }
... )
Successfully added user: {
  "user" : "zhangsan",
  "roles" : [
    {
      "role" : "read",
      "db" : "book"
    }
  ]
}
> db.createUser(
... {
... user: 'lisi',
... pwd: 'lisi',
... roles: [{role: 'readWrite', db: 'book'}]
... }
... )
Successfully added user: {
  "user" : "lisi",
  "roles" : [
    {
      "role" : "readWrite",
      "db" : "book"
    }
  ]
}
> show users
{
  "_id" : "book.lisi",
  "user" : "lisi",
  "db" : "book",
  "roles" : [
    {
      "role" : "readWrite",
      "db" : "book"
    }
  ]
}
{
  "_id" : "book.zhangsan",
  "user" : "zhangsan",
  "db" : "book",
  "roles" : [
    {
      "role" : "read",
      "db" : "book"
    }
  ]
}

Then verify that the user permissions are correct 


> db.book.insert({book: ' Picture books '}) #  It's not verified, it's an error 
WriteResult({
  "writeError" : {
    "code" : 13,
    "errmsg" : "not authorized on book to execute command { insert: \"book\", docum
ents: [ { _id: ObjectId('5959b56edcc047dfe5c9b336'), book: \" Picture books \" } ], ordered: true }"
  }
})
> db.auth('lisi', 'lisi')
1
> db.book.insert({book: ' Picture books '})
WriteResult({ "nInserted" : 1 })
> db.auth('zhangsan', 'zhangsan') #  The user to  zhangsan
1
> db.book.find() #  You can view 
{ "_id" : ObjectId("5959b59fdcc047dfe5c9b337"), "book" : " Picture books " }
> db.book.insert({book: ' Choose the day to remember '}) #  There is no write Permissions will fail 
WriteResult({
  "writeError" : {
    "code" : 13,
    "errmsg" : "not authorized on book to execute command { insert: \"book\", docum
ents: [ { _id: ObjectId('5959b650dcc047dfe5c9b338'), book: \" Choose the day to remember \" } ], ordered: true }"
  }
})

Create an root super privilege account

This super power, which includes authorization and manipulation of database collection data, is relatively simple and requires only setting role to root 


> use admin
switched to db admin
> db.auth('admin', '123456')
1
> db.createUser(
... {
... user: 'dongsheng',
... pwd: '123456',
... roles: [{role: 'root', db: 'admin'}]
... }
... )
Successfully added user: {
  "user" : "dongsheng",
  "roles" : [
    {
      "role" : "root",
      "db" : "admin"
    }
  ]
}
> db.auth('dongsheng', '123456')
1
> use book
switched to db book
> db.book.insert({book: ' The Legendary Swordsman '})
WriteResult({ "nInserted" : 1 })
> db.book.find()
{ "_id" : ObjectId("5959b59fdcc047dfe5c9b337"), "book" : " Picture books " }
{ "_id" : ObjectId("5959b7abdcc047dfe5c9b339"), "book" : " The Legendary Swordsman " }

conclusion

Related articles: