MongoDB用户及权限管理(一):角色说明
2017-03-10 15:20
731 查看
mongodb安装完后默认是不开启auth模块的,普通用户和超级管理员均不通过认证就可操作。当然裸奔有风险,安全起见还是开启auth模块。
首先需要了解下面几点:
1、mongodb是没有默认管理员账号,所以要先添加管理员账号,然后开启权限认证。
2、切换到admin数据库,添加的账号才是管理员账号。
3、用户只能在用户所在数据库登录,包括管理员账号。
4、管理员可以管理所有数据库,但是不能直接管理其他数据库,要先在admin数据库认证后才可以。这一点比较怪。
1.用户权限角色说明
1.1 Database User Roles
read
允许用户读取指定数据库
Provides the ability to read data on allnon-system collections and on the following system collections: system.indexes,system.js, and system.namespaces collections.
拥有如下权限:
readWrite
允许用户读写指定数据库
Provides all the privileges of the readrole and the ability to modify data on all non-system collections and thesystem.js collection.
除了具有read权限,还拥有以下权限:
1.2 Database Administration Roles
dbAdmin
允许用户在指定数据库中执行管理函数,如索引创建、删除,查看统计或访问system.profile
Provides the ability to performadministrative tasks such as schema-related tasks, indexing, gatheringstatistics. This role does not grant privileges for user and role management.
拥有如下权限:
dbOwner
Provides the ability to perform anyadministrative action on the database. This role combines the privilegesgranted by the readWrite, dbAdmin and userAdmin roles.
userAdmin
允许用户向system.users集合写入,可以找指定数据库里创建、删除和管理用户
Provides the ability to create and modifyroles and users on the current database. Since the userAdmin role allows usersto grant any privilege to any user, including themselves, the role alsoindirectly provides superuser access to either the database or, if scoped tothe admin database, the cluster.
1.3 Cluster Administration Roles
clusterAdmin
只在admin数据库中可用,赋予用户所有分片和复制集相关函数的管理权限。
Provides the greatest cluster-managementaccess. This role combines the privileges granted by the clusterManager,clusterMonitor, and hostManager roles. Additionally, the role provides thedropDatabase action.
拥有如下权限:
clusterManager
Provides management and monitoring actionson the cluster. A user with this role can access the config and localdatabases, which are used in sharding and replication, respectively.
clusterMonitor
Provides read-only access to monitoringtools, such as the MongoDB Cloud Manager and Ops Manager monitoring agent.
hostManager
Provides the ability to monitor and manageservers.
1.4 Backup and Restoration Roles
backup
Provides privileges needed to back up data.This role provides sufficient privileges to use the MongoDB Cloud Managerbackup agent, Ops Manager backup agent, or to use mongodump.
restore
Provides privileges needed to restore datawith mongorestore without the --oplogReplay option or without system.profilecollection data.
1.5 All-Database Roles
readAnyDatabase
只在admin数据库中可用,赋予用户所有数据库的读权限
Provides the same read-only permissions asread, except it applies to all but the local and config databases in thecluster. The role also provides the listDatabases action on the cluster as awhole.
readWriteAnyDatabase
只在admin数据库中可用,赋予用户所有数据库的读写权限
Provides the same read and writepermissions as readWrite, except it applies to all but the local and configdatabases in the cluster. The role also provides the listDatabases action onthe cluster as a whole.
userAdminAnyDatabase
只在admin数据库中可用,赋予用户所有数据库的userAdmin权限
Provides the same access to useradministration operations as userAdmin, except it applies to all but the localand config databases in the cluster.
Since the userAdminAnyDatabase role allowsusers to grant any privilege to any user, including themselves, the role alsoindirectly provides superuser access.
dbAdminAnyDatabase
只在admin数据库中可用,赋予用户所有数据库的dbAdmin权限。
Provides the same access to databaseadministration operations as dbAdmin, except it applies to all but the localand config databases in the cluster. The role also provides the listDatabasesaction on the cluster as a whole.
1.6 Superuser Roles
root
只在admin数据库中可用。超级账号,超级权限
Provides access to the operations and allthe resources of the readWriteAnyDatabase, dbAdminAnyDatabase,userAdminAnyDatabase, clusterAdmin, restore, and backup combined.
具体权限可参见: https://docs.mongodb.com/manual/reference/built-in-roles/#read
首先需要了解下面几点:
1、mongodb是没有默认管理员账号,所以要先添加管理员账号,然后开启权限认证。
2、切换到admin数据库,添加的账号才是管理员账号。
3、用户只能在用户所在数据库登录,包括管理员账号。
4、管理员可以管理所有数据库,但是不能直接管理其他数据库,要先在admin数据库认证后才可以。这一点比较怪。
1.用户权限角色说明
1.1 Database User Roles
read
允许用户读取指定数据库
Provides the ability to read data on allnon-system collections and on the following system collections: system.indexes,system.js, and system.namespaces collections.
拥有如下权限:
| aggregate,checkShardingIndex,cloneCollectionAsCapped,collStats count,dataSize,dbHash,dbStats,distinct,filemd5 geoNear,geoSearch,geoWalk,group mapReduce (inline output only.),text (beta feature.) |
允许用户读写指定数据库
Provides all the privileges of the readrole and the ability to modify data on all non-system collections and thesystem.js collection.
除了具有read权限,还拥有以下权限:
| cloneCollection (as the target database.),convertToCapped create (and to create collections implicitly.) drop(),dropIndexes,emptycapped,ensureIndex() findAndModify,mapReduce (output to a collection.) renameCollection (within the same database.) read和readWrite只要就是对库中表的操作权限 |
dbAdmin
允许用户在指定数据库中执行管理函数,如索引创建、删除,查看统计或访问system.profile
Provides the ability to performadministrative tasks such as schema-related tasks, indexing, gatheringstatistics. This role does not grant privileges for user and role management.
拥有如下权限:
| clean,collMod,collStats,compact,convertToCapped create,db.createCollection(),dbStats,drop(),dropIndexes,ensureIndex() indexStats,profile,reIndex,renameCollection (within a single database.),validate |
Provides the ability to perform anyadministrative action on the database. This role combines the privilegesgranted by the readWrite, dbAdmin and userAdmin roles.
userAdmin
允许用户向system.users集合写入,可以找指定数据库里创建、删除和管理用户
Provides the ability to create and modifyroles and users on the current database. Since the userAdmin role allows usersto grant any privilege to any user, including themselves, the role alsoindirectly provides superuser access to either the database or, if scoped tothe admin database, the cluster.
1.3 Cluster Administration Roles
clusterAdmin
只在admin数据库中可用,赋予用户所有分片和复制集相关函数的管理权限。
Provides the greatest cluster-managementaccess. This role combines the privileges granted by the clusterManager,clusterMonitor, and hostManager roles. Additionally, the role provides thedropDatabase action.
拥有如下权限:
| addShard,closeAllDatabases,connPoolStats,connPoolSync,_cpuProfilerStart _cpuProfilerStop,cursorInfo,diagLogging,dropDatabase enableSharding,flushRouterConfig,fsync,db.fsyncUnlock() getCmdLineOpts,getLog,getParameter,getShardMap,getShardVersion hostInfo,db.currentOp(),db.killOp(),listDatabases,listShards logRotate,moveChunk,movePrimary,netstat,removeShard,unsetSharding repairDatabase,replSetFreeze,replSetGetStatus,replSetInitiate replSetMaintenance,replSetReconfig,replSetStepDown,replSetSyncFrom resync,serverStatus,setParameter,setShardVersion,shardCollection shardingState,shutdown,splitChunk,splitVector,split,top,touch |
Provides management and monitoring actionson the cluster. A user with this role can access the config and localdatabases, which are used in sharding and replication, respectively.
clusterMonitor
Provides read-only access to monitoringtools, such as the MongoDB Cloud Manager and Ops Manager monitoring agent.
hostManager
Provides the ability to monitor and manageservers.
1.4 Backup and Restoration Roles
backup
Provides privileges needed to back up data.This role provides sufficient privileges to use the MongoDB Cloud Managerbackup agent, Ops Manager backup agent, or to use mongodump.
restore
Provides privileges needed to restore datawith mongorestore without the --oplogReplay option or without system.profilecollection data.
1.5 All-Database Roles
readAnyDatabase
只在admin数据库中可用,赋予用户所有数据库的读权限
Provides the same read-only permissions asread, except it applies to all but the local and config databases in thecluster. The role also provides the listDatabases action on the cluster as awhole.
readWriteAnyDatabase
只在admin数据库中可用,赋予用户所有数据库的读写权限
Provides the same read and writepermissions as readWrite, except it applies to all but the local and configdatabases in the cluster. The role also provides the listDatabases action onthe cluster as a whole.
userAdminAnyDatabase
只在admin数据库中可用,赋予用户所有数据库的userAdmin权限
Provides the same access to useradministration operations as userAdmin, except it applies to all but the localand config databases in the cluster.
Since the userAdminAnyDatabase role allowsusers to grant any privilege to any user, including themselves, the role alsoindirectly provides superuser access.
dbAdminAnyDatabase
只在admin数据库中可用,赋予用户所有数据库的dbAdmin权限。
Provides the same access to databaseadministration operations as dbAdmin, except it applies to all but the localand config databases in the cluster. The role also provides the listDatabasesaction on the cluster as a whole.
1.6 Superuser Roles
root
只在admin数据库中可用。超级账号,超级权限
Provides access to the operations and allthe resources of the readWriteAnyDatabase, dbAdminAnyDatabase,userAdminAnyDatabase, clusterAdmin, restore, and backup combined.
具体权限可参见: https://docs.mongodb.com/manual/reference/built-in-roles/#read
内容来自用户分享和网络整理,不保证内容的准确性,如有侵权内容,可联系管理员处理 
相关文章推荐
- MONGODB用户、角色和权限管理
- ASP.NET MVC+EF框架+EasyUI实现权限管理系列(21)-用户角色权限基本的实现说明
- ASP.NET MVC+EF框架+EasyUI实现权限管理系列(21)-用户角色权限基本的实现说明
- MONGODB用户、角色和权限管理
- ASP.NET MVC+EF框架+EasyUI实现权限管理系列(21)-用户角色权限基本的实现说明
- mongodb之用户/认证/角色/权限管理
- 用户、权限、角色(1)- 用户管理
- 用户、角色、权限管理-设计方案之权限检测
- Oracle用户角色权限管理
- 用户、权限、角色(2)- 权限管理
- Oracle用户、权限、角色管理
- 用户权限管理设计[图文说明]
- Oracle用户角色权限管理
- 管理站点中的角色和用户and管理文档库的权限
- 用户、权限、角色(1)- 用户管理
- 关于用户角色权限管理的探讨
- 用户、角色、权限管理-设计方案之权限检测
- RedGlovePermission 权限管理系统源码(支持自定义权限、模块,支持角色权限,用户独立权限以及多角色权限)
- RedGlovePermission 权限管理系统源码(支持自定义权限、模块,支持角色权限,用户独立权限以及多角色权限)
- 用户、权限、角色(3)- 权限管理(扩展1)