标签:角色 database mongodb privileges db system 笔记 role user
笔记-mongodb-用户及角色
1. users
其实mongodb支持多种验证方式,本文只提及最简单也最常用的方式。
1.1. Authentication Database
When adding a user, you create the user in a specific database. This database is the authentication database for the user.
A user can have privileges across different databases; that is, a user’s privileges are not limited to their authentication database. By assigning to the user roles in other databases, a user created in one database can have permissions to act on other databases. For more information on roles, see Role-Based Access Control.
The user’s name and authentication database serve as a unique identifier for that user. That is, if two users have the same name but are created in different databases, they are two separate users. If you intend to have a single user with permissions on multiple databases, create a single user with roles in the applicable databases instead of creating the user multiple times in different databases.
1.mongodb的用户是依赖于database的;一个用户可以描述为username@database,不同数据库下的同名用户视为不同的用户;
2.用户的权限是可以跨database的,这依赖于role;
1.2. Authenticate a User
验证用户有两种方式:
mongod命令
db.auth()方法
1.3. create user
使用createUser()方法创建用户。
use reporting
db.createUser(
{
user: "reportsUser",
pwd: "12345678",
roles: [
{ role: "read", db: "reporting" },
{ role: "read", db: "products" },
{ role: "read", db: "sales" },
{ role: "readWrite", db: "accounts" }
]
}
)
role代表角色,在下面的章节中会列出常用role;
db代表数据库。
1.4. 启用验证enable auth
有两种方式:
- 命令:mongod 命令带上—auth参数
- 配置文件:在配置文件中添加auth=true #具体可能会因为版本不同有所差别
2. ROLE
mongodb内置了一些角色,也可以由用户创建,跟其它数据库差不多;
2.1. Database User Roles
Every database includes the following roles:
最常用的两种角色。
Role |
Short Description |
Provides the ability to read data on all non-system collections and on the following system collections: system.indexes, system.js, and system.namespacescollections. For the specific privileges granted by the role, see read. |
|
Provides all the privileges of the read role and the ability to modify data on all non-system collections and the system.js collection. For the specific privileges granted by the role, see readWrite. |
2.2. Database Administration Roles
Every database includes the following database administration roles:
Role |
Short Description |
Provides the ability to perform administrative tasks such as schema-related tasks, indexing, gathering statistics. This role does not grant privileges for user and role management. For the specific privileges granted by the role, see dbAdmin. |
|
Provides the ability to perform any administrative action on the database. This role combines the privileges granted by the readWrite, dbAdmin and userAdmin roles. |
|
Provides the ability to create and modify roles and users on the current database. Since the userAdmin role allows users to grant any privilege to any user, including themselves, the role also indirectly provides superuser access to either the database or, if scoped to the admin database, the cluster. For the specific privileges granted by the role, see userAdmin. |
2.3. All-Database Roles
Changed in version 3.4.
These roles in the admin database apply to all but the local and config databases in a mongod instance:
Role |
Short Description |
略 |
|
略 |
|
略 |
|
略 |
还有一个super role角色叫root,基本就是上面四个角色的合体版。
2.4. collection-level access control
在角色中可以设置privileges属性,它提供了针对集合层级的权限控制。
privileges: [
{ resource: { db: "products", collection: "inventory" }, actions: [ "find", "update", "insert" ] },
{ resource: { db: "products", collection: "orders" }, actions: [ "find" ] }
]
创建角色:
use admin
db.createRole(
{
role: "manageOpRole",
privileges: [
{ resource: { cluster: true }, actions: [ "killop", "inprog" ] },
{ resource: { db: "", collection: "" }, actions: [ "killCursors" ] }
],
roles: []
}
)
标签:角色,database,mongodb,privileges,db,system,笔记,role,user 来源: https://www.cnblogs.com/wodeboke-y/p/10992064.html
本站声明: 1. iCode9 技术分享网(下文简称本站)提供的所有内容,仅供技术学习、探讨和分享; 2. 关于本站的所有留言、评论、转载及引用,纯属内容发起人的个人观点,与本站观点和立场无关; 3. 关于本站的所有言论和文字,纯属内容发起人的个人观点,与本站观点和立场无关; 4. 本站文章均是网友提供,不完全保证技术分享内容的完整性、准确性、时效性、风险性和版权归属;如您发现该文章侵犯了您的权益,可联系我们第一时间进行删除; 5. 本站为非盈利性的个人网站,所有内容不会用来进行牟利,也不会利用任何形式的广告来间接获益,纯粹是为了广大技术爱好者提供技术内容和技术思想的分享性交流网站。