Authentication is the process of verifying a client's identity. With access control enabled, MongoDB requires every client to authenticate before its access rights can be determined. Although authentication and authorization are closely linked, they are not the same thing: authentication verifies who the user is, while authorization decides which operations that verified user may perform on which resources.
1. Starting with MongoDB 4.0, the MONGODB-CR authentication mechanism is no longer supported.
Internal authentication: besides verifying the identity of clients, MongoDB also requires the members of a replica set or sharded cluster to authenticate themselves to their own replica set or sharded cluster. In a sharded cluster, clients normally authenticate directly against the mongos instances. For authentication and authorization in a replica set, see the article.
Authentication mechanism: to authenticate as a user, you must supply the username, the password, and the authentication database associated with that user. To authenticate with the mongo shell, do either of the following: when connecting to a mongod or mongos instance, pass the mongo command-line authentication options (--username, --password and --authenticationDatabase); or connect to the mongod or mongos instance first and then run the authenticate command or the db.auth() method against the authentication database.
2. Granting privileges to a user, using a replica set as the example
Using the superuser, we created the ordinary user haijiao and granted it read/write access to the database test_jia. If a new project creates a new database and haijiao also needs read/write access to it, how do we do that? Use the db.updateUser() command:
# /root/mongodb-4.2.1/bin/mongo localhost:27031/admin -u mydba -p12348970 // connect to the database with the mongo shell
rs02:PRIMARY> db.updateUser( "haijiao",
... {
... roles : [
... { role : "readWrite", db : "test_jia" },
... { role : "readWrite", db : "user_info"}
... ]
... } )
rs02:PRIMARY> db.getUsers()
[
{
"_id" : "test_jia.haijiao",
"userId" : UUID("965b7b25-d738-484c-9f23-7abd46635132"),
"user" : "haijiao",
"db" : "admin",
"roles" : [
{
"role" : "readWrite",
"db" : "test_jia"
},
{
"role" : "readWrite",
"db" : "user_info"
}
],
"mechanisms" : [
"SCRAM-SHA-1",
"SCRAM-SHA-256"
]
}
]
rs02:PRIMARY>
2.1 Log in as the ordinary user and verify:
# /root/mongodb-4.2.1/bin/mongo localhost:27031/admin -u haijiao -p87690544
rs02:PRIMARY> show dbs; // only the databases the user is authorized on are listed
test_jia 0.000GB
user_info 0.000GB
rs02:PRIMARY> use user_info
switched to db user_info
rs02:PRIMARY> db.test1.insert({"test":1,"age":22}) // insert a document
WriteResult({ "nInserted" : 1 })
rs02:PRIMARY> db.test1.find()
{ "_id" : ObjectId("6343ccf437872d8b5e68226c"), "test" : 1, "age" : 22 } // view the data
rs02:PRIMARY>
2.2 Grant the user read-only access to the user_hobby database:
# /root/mongodb-4.2.1/bin/mongo localhost:27031/admin -u haijiao -p87690544
rs02:PRIMARY> show dbs; // list the databases
test_jia 0.000GB
user_hobby 0.000GB
user_info 0.000GB
rs02:PRIMARY> use user_hobby
switched to db user_hobby
rs02:PRIMARY> show tables;
hh
rs02:PRIMARY> db.hh.find() // view the data
{ "_id" : ObjectId("6343cc99f24417821bb42f13"), "name" : "haha", "sex" : "男" }
rs02:PRIMARY> db.hh.insert({"name" : "zhangsan", "sex" : "女"}) // the insert fails
WriteCommandError({
"operationTime" : Timestamp(1665389849, 1),
"ok" : 0,
"errmsg" : "not authorized on user_hobby to execute command { insert: \"hh\", ordered: true, lsid: { id: UUID(\"cc0486d5-959b-4a2e-84ea-6cc0f0266abf\") }, $clusterTime: { clusterTime: Timestamp(1665389849, 1), signature: { hash: BinData(0, 7C18748140E9C75308E16B6B6D55E042F0BA022E), keyId: 7152775128156209153 } }, $db: \"user_hobby\" }",
"code" : 13,
"codeName" : "Unauthorized",
"$clusterTime" : {
"clusterTime" : Timestamp(1665389849, 1),
"signature" : {
"hash" : BinData(0,"fBh0gUDpx1MI4WtrbVXgQvC6Ai4="),
"keyId" : NumberLong("7152775128156209153")
}
}
})
rs02:PRIMARY>
3. Custom roles:
MongoDB ships with many built-in roles. When they do not meet your requirements, you can create new roles. To add a role, MongoDB provides the db.createRole() method.
# /root/mongodb-4.2.1/bin/mongo localhost:27031/admin -u mydba -p12348970 // connect to the database with the mongo shell
rs02:PRIMARY> use store_pay // create the role in the store_pay database
switched to db store_pay
rs02:PRIMARY> db.createRole( {
role: "appsort",
privileges: [{ resource: { db: "store_pay", collection: "pay" }, actions: [ "find", "update", "insert", "remove" ] }],
roles: [{ role: "read", db: "store_pay" }]}, // only the pay collection gets the "find", "update", "insert" and "remove" actions; all other collections are read-only
{ w: "majority" , wtimeout: 5000 } )
rs02:PRIMARY> use admin
switched to db admin
rs02:PRIMARY> db.updateUser( "haijiao", // user haijiao's authentication database is admin, so the roles are granted in the admin database
{
roles : [
{ role : "readWrite", db : "test_jia" },
{ role : "readWrite", db : "user_info"},
{ role : "read", db : "user_hobby"},
{ role : "appsort", db: "store_pay"}
]
} )
3.1 Switch to the ordinary user and verify:
[root@k8s-master02 ~]# /root/mongodb-4.2.1/bin/mongo localhost:27031/admin -u haijiao -p87690544
rs02:PRIMARY> show dbs; // the store_pay database is now visible
store_pay 0.000GB
test_jia 0.000GB
user_hobby 0.000GB
user_info 0.000GB
rs02:PRIMARY> use store_pay
switched to db store_pay
rs02:PRIMARY> show tables; // the three collections in the database are visible
pay
pay2
pay3
rs02:PRIMARY> db.pay2.insert({"apple" : 999, "bike" : 800, "macbookpro" : 9999}) // writing to the pay2 collection fails
WriteCommandError({
"operationTime" : Timestamp(1665555436, 1),
"ok" : 0,
"errmsg" : "not authorized on store_pay to execute command { insert: \"pay2\", ordered: true, lsid: { id: UUID(\"1312547e-cbe1-4dcc-959a-796cadd71c4f\") }, $clusterTime: { clusterTime: Timestamp(1665555416, 1), signature: { hash: BinData(0, E0C56D5605BAAAB9D3D8E7ED356E20EA16E3E7FF), keyId: 7152775128156209153 } }, $db: \"store_pay\" }",
"code" : 13,
"codeName" : "Unauthorized",
"$clusterTime" : {
"clusterTime" : Timestamp(1665555436, 1),
"signature" : {
"hash" : BinData(0,"SgP6I173blUdxrJNVjrJksvsAu0="),
"keyId" : NumberLong("7152775128156209153")
}
}
})
rs02:PRIMARY> db.pay3.insert({"apple" : 999, "bike" : 800, "macbookpro" : 9999}) // writing to the pay3 collection fails
WriteCommandError({
"operationTime" : Timestamp(1665555466, 1),
"ok" : 0,
"errmsg" : "not authorized on store_pay to execute command { insert: \"pay3\", ordered: true, lsid: { id: UUID(\"1312547e-cbe1-4dcc-959a-796cadd71c4f\") }, $clusterTime: { clusterTime: Timestamp(1665555456, 1), signature: { hash: BinData(0, 246B4F3174B96ABF72E6B9A5457BF6E1165E5B4D), keyId: 7152775128156209153 } }, $db: \"store_pay\" }",
"code" : 13,
"codeName" : "Unauthorized",
"$clusterTime" : {
"clusterTime" : Timestamp(1665555466, 1),
"signature" : {
"hash" : BinData(0,"WwzTFCAtFbHaxfn41WCs3AIBHvg="),
"keyId" : NumberLong("7152775128156209153")
}
}
})
rs02:PRIMARY> db.pay.insert({"apple" : 999, "bike" : 800, "macbookpro" : 9999}) // writing to the pay collection succeeds
WriteResult({ "nInserted" : 1 })
rs02:PRIMARY> db.pay.find()
{ "_id" : ObjectId("634651120b8f190f1dd428a1"), "apple" : 999, "bike" : 800, "macbook" : 9000 }
{ "_id" : ObjectId("63465c1400e225418e22d139"), "apple" : 999, "bike" : 800, "macbookpro" : 9999 }
rs02:PRIMARY> db.pay.remove({"macbook" : 9000}) // removing from the pay collection succeeds
WriteResult({ "nRemoved" : 1 })
3.2 Creating an index
rs02:PRIMARY> db.pay.createIndex({"apple":1})
{
"operationTime" : Timestamp(1665555556, 1),
"ok" : 0,
"errmsg" : "not authorized on store_pay to execute command { createIndexes: \"pay\", indexes: [ { key: { apple: 1.0 }, name: \"apple_1\" } ], lsid: { id: UUID(\"1312547e-cbe1-4dcc-959a-796cadd71c4f\") }, $clusterTime: { clusterTime: Timestamp(1665555536, 1), signature: { hash: BinData(0, 8B364B566E95ABCC2EC35E9AA8A237A8152B669C), keyId: 7152775128156209153 } }, $db: \"store_pay\" }",
"code" : 13,
"codeName" : "Unauthorized",
"$clusterTime" : {
"clusterTime" : Timestamp(1665555556, 1),
"signature" : {
"hash" : BinData(0,"roTl69rANWj9/jy0L6jN05DFmxY="),
"keyId" : NumberLong("7152775128156209153")
}
}
}
rs02:PRIMARY>
The built-in readWrite role does include the privilege to create indexes. Before MongoDB 4.2, a foreground index build blocked every other operation on the database, so on those versions an index had to be created with background set to true (the default is false) to build it in the background without blocking other database operations. If you are running a version earlier than 4.2, you can instead authorize the user through a custom role, so that an application account is given only the [ "find", "update", "insert", "remove" ] actions on the database and cannot trigger a blocking index build.
From: https://blog.51cto.com/jiachen/5751192
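As an added example (not code from the original post), the following Node.js script models how MongoDB resolves a user's role grants into concrete privileges, so a custom role such as appsort can be checked against the outcomes shown above before it is deployed. The built-in role action lists are abbreviated assumptions; the resource-matching and inheritance rules follow the role definitions used on this page.

```javascript
// Added example, not from the original post: a simplified model of how
// MongoDB resolves privileges, used to check a custom role such as
// "appsort" before deploying it. The built-in role action lists below
// are assumed abbreviations of what MongoDB actually grants.
const BUILTIN = {
  read: ["find", "listCollections", "listIndexes", "collStats"],
  readWrite: ["find", "listCollections", "listIndexes", "collStats",
    "insert", "update", "remove", "createIndex", "dropIndex",
    "createCollection", "dropCollection"],
};

// Custom roles keyed by "<db>.<role>", mirroring the db.createRole() call.
const CUSTOM = {
  "store_pay.appsort": {
    privileges: [{ resource: { db: "store_pay", collection: "pay" },
      actions: ["find", "update", "insert", "remove"] }],
    roles: [{ role: "read", db: "store_pay" }],
  },
};

// An empty collection name in a resource means every collection in that db.
function resourceMatches(resource, db, collection) {
  return resource.db === db &&
    (resource.collection === "" || resource.collection === collection);
}

// Expand one role grant into concrete privileges, following inherited roles.
function expandRole(grant, seen = new Set()) {
  const key = `${grant.db}.${grant.role}`;
  if (seen.has(key)) return [];
  seen.add(key);
  if (BUILTIN[grant.role]) {
    return [{ resource: { db: grant.db, collection: "" },
      actions: BUILTIN[grant.role] }];
  }
  const def = CUSTOM[key];
  if (!def) throw new Error(`unknown role ${key}`);
  return def.privileges.concat(...def.roles.map((r) => expandRole(r, seen)));
}

// Does a user holding `roles` have `action` on db.collection?
function isAuthorized(roles, action, db, collection) {
  return roles.flatMap((r) => expandRole(r)).some((p) =>
    resourceMatches(p.resource, db, collection) && p.actions.includes(action));
}
// The grants given to haijiao in the post after section 3.
const haijiao = [
  { role: "readWrite", db: "test_jia" }, { role: "readWrite", db: "user_info" },
  { role: "read", db: "user_hobby" }, { role: "appsort", db: "store_pay" },
];
```

Running the checks reproduces the session above: inserts succeed only on store_pay.pay, reads work on every collection in store_pay, and createIndex on store_pay.pay is denied because neither appsort nor the inherited read role carries that action.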