共計 4833 個字符,預計需要花費 13 分鐘才能閱讀完成。
這篇文章給大家分享的是有關 MongoDB 用戶及權限管理之角色說明的示例分析的內容。丸趣 TV 小編覺得挺實用的,因此分享給大家做個參考,一起跟隨丸趣 TV 小編過來看看吧。
mongodb 安裝完后默認是不開啟 auth 模塊的,普通用戶和超級管理員均不通過認證就可操作。當然裸奔有風險,安全起見還是開啟 auth 模塊。
首先需要了解下面幾點:
1、mongodb 是沒有默認管理員賬號,所以要先添加管理員賬號,然后開啟權限認證。
2、切換到 admin 數據庫,添加的賬號才是管理員賬號。
3、用戶只能在用戶所在數據庫登錄,包括管理員賬號。
4、管理員可以管理所有數據庫,但是不能直接管理其他數據庫,要先在 admin 數據庫認證后才可以。這一點比較怪。
1. 用戶權限角色說明
1.1 Database User Roles
read
允許用戶讀取指定數據庫
Provides the ability to read data on allnon-system collections and on the following system collections: system.indexes,system.js, and system.namespaces collections.
擁有如下權限:
aggregate,checkShardingIndex,cloneCollectionAsCapped,collStats
count,dataSize,dbHash,dbStats,distinct,filemd5
geoNear,geoSearch,geoWalk,group
mapReduce (inline output only.),text (beta feature.)
readWrite
允許用戶讀寫指定數據庫
Provides all the privileges of the readrole and the ability to modify data on all non-system collections and thesystem.js collection.
除了具有 read 權限,還擁有以下權限:
cloneCollection (as the target database.),convertToCapped
create (and to create collections implicitly.)
drop(),dropIndexes,emptycapped,ensureIndex()
findAndModify,mapReduce (output to a collection.)
renameCollection (within the same database.)
read 和 readWrite 只要就是對庫中表的操作權限
1.2 Database Administration Roles
dbAdmin
允許用戶在指定數據庫中執行管理函數,如索引創建、刪除,查看統計或訪問 system.profile
Provides the ability to performadministrative tasks such as schema-related tasks, indexing, gatheringstatistics. This role does not grant privileges for user and role management.
擁有如下權限:
clean,collMod,collStats,compact,convertToCapped
create,db.createCollection(),dbStats,drop(),dropIndexes,ensureIndex()
indexStats,profile,reIndex,renameCollection (within a single database.),validate
dbOwner
Provides the ability to perform anyadministrative action on the database. This role combines the privilegesgranted by the readWrite, dbAdmin and userAdmin roles.
userAdmin
允許用戶向 system.users 集合寫入,可以找指定數據庫里創建、刪除和管理用戶
Provides the ability to create and modifyroles and users on the current database. Since the userAdmin role allows usersto grant any privilege to any user, including themselves, the role alsoindirectly provides superuser access to either the database or, if scoped tothe admin database, the cluster.
1.3 Cluster Administration Roles
clusterAdmin
只在 admin 數據庫中可用,賦予用戶所有分片和復制集相關函數的管理權限。
Provides the greatest cluster-managementaccess. This role combines the privileges granted by the clusterManager,clusterMonitor, and hostManager roles. Additionally, the role provides thedropDatabase action.
擁有如下權限:
addShard,closeAllDatabases,connPoolStats,connPoolSync,_cpuProfilerStart
_cpuProfilerStop,cursorInfo,diagLogging,dropDatabase
enableSharding,flushRouterConfig,fsync,db.fsyncUnlock()
getCmdLineOpts,getLog,getParameter,getShardMap,getShardVersion
hostInfo,db.currentOp(),db.killOp(),listDatabases,listShards
logRotate,moveChunk,movePrimary,netstat,removeShard,unsetSharding
repairDatabase,replSetFreeze,replSetGetStatus,replSetInitiate
replSetMaintenance,replSetReconfig,replSetStepDown,replSetSyncFrom
resync,serverStatus,setParameter,setShardVersion,shardCollection
shardingState,shutdown,splitChunk,splitVector,split,top,touch
clusterManager
Provides management and monitoring actionson the cluster. A user with this role can access the config and localdatabases, which are used in sharding and replication, respectively.
clusterMonitor
Provides read-only access to monitoringtools, such as the MongoDB Cloud Manager and Ops Manager monitoring agent.
hostManager
Provides the ability to monitor and manageservers.
1.4 Backup and Restoration Roles
backup
Provides privileges needed to back up data.This role provides sufficient privileges to use the MongoDB Cloud Managerbackup agent, Ops Manager backup agent, or to use mongodump.
restore
Provides privileges needed to restore datawith mongorestore without the –oplogReplay option or without system.profilecollection data.
1.5 All-Database Roles
readAnyDatabase
只在 admin 數據庫中可用,賦予用戶所有數據庫的讀權限
Provides the same read-only permissions asread, except it applies to all but the local and config databases in thecluster. The role also provides the listDatabases action on the cluster as awhole.
readWriteAnyDatabase
只在 admin 數據庫中可用,賦予用戶所有數據庫的讀寫權限
Provides the same read and writepermissions as readWrite, except it applies to all but the local and configdatabases in the cluster. The role also provides the listDatabases action onthe cluster as a whole.
userAdminAnyDatabase
只在 admin 數據庫中可用,賦予用戶所有數據庫的 userAdmin 權限
Provides the same access to useradministration operations as userAdmin, except it applies to all but the localand config databases in the cluster.
Since the userAdminAnyDatabase role allowsusers to grant any privilege to any user, including themselves, the role alsoindirectly provides superuser access.
dbAdminAnyDatabase
只在 admin 數據庫中可用,賦予用戶所有數據庫的 dbAdmin 權限。
Provides the same access to databaseadministration operations as dbAdmin, except it applies to all but the localand config databases in the cluster. The role also provides the listDatabasesaction on the cluster as a whole.
1.6 Superuser Roles
root
只在 admin 數據庫中可用。超級賬號,超級權限
Provides access to the operations and allthe resources of the readWriteAnyDatabase, dbAdminAnyDatabase,userAdminAnyDatabase, clusterAdmin, restore, and backup combined.
感謝各位的閱讀!關于“MongoDB 用戶及權限管理之角色說明的示例分析”這篇文章就分享到這里了,希望以上內容可以對大家有一定的幫助,讓大家可以學到更多知識,如果覺得文章不錯,可以把它分享出去讓更多的人看到吧!
