MongoDB access control

Built-in roles; for details see: https://docs.mongodb.com/manual/reference/built-in-roles

read: allows the user to read the specified database
readWrite: allows the user to read and write the specified database
dbAdmin: allows the user to run administrative functions in the specified database, such as creating and dropping indexes, viewing statistics, or accessing system.profile
userAdmin: allows the user to write to the system.users collection, i.e. to create, drop and manage users in the specified database
clusterAdmin: available only in the admin database; gives the user administrative rights over all sharding- and replica-set-related functions
readAnyDatabase: available only in the admin database; gives the user read access to all databases
readWriteAnyDatabase: available only in the admin database; gives the user read and write access to all databases
userAdminAnyDatabase: available only in the admin database; gives the user userAdmin privileges on all databases
dbAdminAnyDatabase: available only in the admin database; gives the user dbAdmin privileges on all databases
root: available only in the admin database; the superuser account with full privileges

User documents are stored in the system.users collection of the admin database. By default MongoDB requires no password for access, which is insecure.

1. Add a database administrator user adminUser and an ordinary user herrywen

mongo --port 27017
use admin
db.createUser(
  {
    user: "adminUser",
    pwd: "adminPass",
    roles: [ { role: "userAdminAnyDatabase", db: "admin" } ]
  }
)

use herrywen
db.createUser(
  {
    user: "herrywen",
    pwd: "herrywen",
    roles: [ { role: "readWrite", db: "herrywen" },
             { role: "read", db: "admin" } ]
  }
)

2. On 192.168.255.134, add the following to the configuration file to enable authentication

cat /etc/mongod.conf
security:
  authorization: enabled

3. Restart the mongod service
systemctl restart mongod

4. Test whether access now works

[root@worker1 ~]# mongo --host 192.168.255.134 --port 27017 -u adminUser -p adminPass --authenticationDatabase "admin"
MongoDB shell version v4.2.1
connecting to: mongodb://192.168.255.134:27017/?authSource=admin&compressors=disabled&gssapiServiceName=mongodb
Implicit session: session { "id" : UUID("f5114890-0b2e-43a2-8a60-a8b265e68a44") }
MongoDB server version: 4.2.1
MongoDB Enterprise > use admin;
switched to db admin
MongoDB Enterprise > show collections;
system.users
system.version
MongoDB Enterprise > exit
bye

5. If you log in directly without credentials, switching to the admin database reports that you have no permissions; you need to authenticate with db.auth()

[root@worker1 ~]# mongo --host 192.168.255.134 --port 27017
MongoDB shell version v4.2.1
connecting to: mongodb://192.168.255.134:27017/?compressors=disabled&gssapiServiceName=mongodb
Implicit session: session { "id" : UUID("9bcb1b37-7cfa-4aff-8947-6d633eee01be") }
MongoDB server version: 4.2.1
MongoDB Enterprise > use admin
switched to db admin
MongoDB Enterprise > show collections;
Warning: unable to run listCollections, attempting to approximate collection names by parsing connectionStatus
MongoDB Enterprise > show collections;
Warning: unable to run listCollections, attempting to approximate collection names by parsing connectionStatus
MongoDB Enterprise > db.auth("adminUser","adminPass")
1
MongoDB Enterprise > show collections;
system.users
system.version

6. Log in directly to the herrywen database

[root@worker1 ~]# mongo --host 192.168.255.134 --port 27017 -u herrywen -p herrywen --authenticationDatabase "herrywen"
MongoDB shell version v4.2.1
connecting to: mongodb://192.168.255.134:27017/?authSource=herrywen&compressors=disabled&gssapiServiceName=mongodb
Implicit session: session { "id" : UUID("9d906997-681a-43b4-b541-dbe5d197cd1f") }
MongoDB server version: 4.2.1
MongoDB Enterprise > use herrywen
switched to db herrywen
MongoDB Enterprise > show collections;
MongoDB Enterprise > db.test3.insert({title: 'MongoDB',
... description: 'hello,world',
... by: 'herrywen',
... url: 'http://www.51cto.com',
... tags: ['mongodb', 'database', 'NoSQL'],
... likes: 100})
WriteResult({ "nInserted" : 1 })
MongoDB Enterprise > show collections;

7. Grant the adminUser user read/write access to the herrywen database
use admin
db.grantRolesToUser( "adminUser", [ { role: "readWrite", db: "herrywen" } ] )
db.system.users.find().pretty();

8. Grant the herrywen user read/write access to the herrywen1 database and read access to the admin database
use herrywen
db.grantRolesToUser( "herrywen", [ { role: "readWrite", db: "herrywen1" } ,{ role: "read", db: "admin" } ] )

Check which privileges the users of the current database have

show users

9. Revoke the herrywen user's read/write access to the herrywen1 database and read access to the admin database
db.revokeRolesFromUser(
  "herrywen",
  [
    {
      "role" : "read",
      "db" : "admin"
    },
    {
      "role" : "readWrite",
      "db" : "herrywen1"
    }
  ]
)

10. View the herrywen user's privileges; you can also switch to the herrywen database and use db.getUser('herrywen'), but that is more cumbersome

MongoDB Enterprise > show users
{
"_id" : "herrywen.herrywen",
"userId" : UUID("68fc696d-9825-43b6-9afb-d4a040b480a3"),
"user" : "herrywen",
"db" : "herrywen",
"roles" : [
{
"role" : "readWrite",
"db" : "herrywen"
}
],
"mechanisms" : [
"SCRAM-SHA-1",
"SCRAM-SHA-256"
]
}

11. Change the herrywen user's password
db.changeUserPassword("herrywen","herrywen-2")

12. Delete the herrywen user
db.dropUser("herrywen")
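The steps above grant and revoke roles by hand; the following added example (not from the original post) audits user documents of the shape that `show users` / db.getUsers() returns, reporting cluster-wide roles, user-management roles, roles on databases an application account should not touch, and legacy authentication mechanisms. The sample documents are constructed to mirror the adminUser and herrywen accounts created here; the expected-database mapping is an assumption you supply.

```javascript
// Roles that reach beyond a single database and deserve an explicit inventory.
const CLUSTER_WIDE_ROLES = new Set([
  "root", "clusterAdmin", "readAnyDatabase", "readWriteAnyDatabase",
  "userAdminAnyDatabase", "dbAdminAnyDatabase",
]);
// Roles that can create or alter users (and so escalate their own access).
const USER_MGMT_ROLES = new Set(["userAdmin", "userAdminAnyDatabase", "root"]);

// Audit one user document. appDbs (assumption): the databases this account
// is expected to use; when given, any role on another db (e.g. admin) is flagged.
function auditUser(doc, appDbs = null) {
  const findings = [];
  for (const { role, db } of doc.roles || []) {
    if (CLUSTER_WIDE_ROLES.has(role)) findings.push(`cluster-wide role ${role}@${db}`);
    if (USER_MGMT_ROLES.has(role)) findings.push(`can create/alter users via ${role}@${db}`);
    if (appDbs && !appDbs.includes(db)) findings.push(`role ${role} on unexpected db ${db}`);
  }
  const mechs = doc.mechanisms || [];
  if (!mechs.includes("SCRAM-SHA-256")) findings.push("SCRAM-SHA-256 not enabled");
  if (mechs.includes("SCRAM-SHA-1")) findings.push("legacy SCRAM-SHA-1 still accepted");
  return findings;
}

// Audit a list of user documents; returns only the users that have findings.
function auditUsers(docs, appDbsByUser = {}) {
  return docs
    .map((d) => ({
      user: `${d.user}@${d.db}`,
      findings: auditUser(d, appDbsByUser[d.user] || null),
    }))
    .filter((r) => r.findings.length > 0);
}

// Constructed sample: the two accounts from this walkthrough, as `show users`
// prints them (createUser enables both SCRAM mechanisms by default).
const SAMPLE_USERS = [
  { _id: "admin.adminUser", user: "adminUser", db: "admin",
    roles: [{ role: "userAdminAnyDatabase", db: "admin" }],
    mechanisms: ["SCRAM-SHA-1", "SCRAM-SHA-256"] },
  { _id: "herrywen.herrywen", user: "herrywen", db: "herrywen",
    roles: [{ role: "readWrite", db: "herrywen" }, { role: "read", db: "admin" }],
    mechanisms: ["SCRAM-SHA-1", "SCRAM-SHA-256"] },
];

// The application user herrywen is only expected to use its own database.
console.log(JSON.stringify(auditUsers(SAMPLE_USERS, { herrywen: ["herrywen"] }), null, 2));
```

The report for herrywen shows exactly the grant that step 9 revokes (read on admin), and listing adminUser's cluster-wide and user-management roles keeps privileged accounts inventoried.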
