本文将与您分享关于MongoDB用户的角色描述和权限管理的示例分析的内容。我觉得边肖很实用,就和大家分享一下作为参考。让我们跟着边肖看一看。
安装GodB后,默认不开启auth模块,普通用户和超级管理员无需认证即可操作。当然裸奔是有风险的。为了安全起见,请打开身份验证模块。
首先,你需要知道以下几点:
1.mongodb没有默认的管理员帐户,所以需要先添加一个管理员帐户,然后打开权限验证。
2.切换到管理数据库,添加的帐户就是管理员帐户。
3.用户只能登录到用户的数据库,包括管理员帐户。
4.管理员可以管理所有数据库,但不能直接管理其他数据库。他们只能在管理数据库验证后才能这样做。这很奇怪。
1.用户权限角色的描述
1.1数据库用户角色
read
允许用户读取指定的数据库。
提供读取所有非系统集合和下列系统集合的数据的能力。
拥有以下权限:
聚合、检查切片索引、克隆选择映射、统计
计数、dataSize、dbHash、dbStats、distinct、filemd5
地理近距、地理搜索、地理行走、群组
mapReduce(仅内联输出。),文本(测试版功能。)
readWrite
允许用户读写指定的数据库
提供readrole的所有权限以及修改所有非系统集合和system.js集合上的数据的能力。
除了读取权限,它还具有以下权限:
克隆选择(作为目标数据库。),convertToCapped
创建(并隐式创建集合。)
drop()、dropIndexes、emptycapped、ensureIndex()
findAndModify,mapReduce(输出到集合。)
renameCollection(在同一个数据库中。)
读和读写只是对库中表的操作权限。
1.2数据库管理角色
数据库管理
允许用户在指定的数据库中执行管理功能,如创建、删除索引、查看统计信息或访问system.profile
提供执行管理任务的能力,例如与架构相关的任务、索引、收集统计信息。此角色不授予用户和角色管理权限。
拥有以下权限:
干净、简洁、紧凑、转换定位
create,db.createCollection(),dbStats,drop(),dropIndexes,ens
ureIndex()
indexStats,profile,reIndex,renameCollection (within a single database.),validate
-
dbOwner
Provides the ability to perform anyadministrative action on the database. This role combines the privilegesgranted by the readWrite, dbAdmin and userAdmin roles.
-
userAdmin
允许用户向system.users集合写入,可以找指定数据库里创建、删除和管理用户
Provides the ability to create and modifyroles and users on the current database. Since the userAdmin role allows usersto grant any privilege to any user, including themselves, the role alsoindirectly provides superuser access to either the database or, if scoped tothe admin database, the cluster.
1.3 Cluster Administration Roles
-
clusterAdmin
只在admin数据库中可用,赋予用户所有分片和复制集相关函数的管理权限。
Provides the greatest cluster-managementaccess. This role combines the privileges granted by the clusterManager,clusterMonitor, and hostManager roles. Additionally, the role provides thedropDatabase action.
拥有如下权限:
|
addShard,closeAllDatabases,connPoolStats,connPoolSync,_cpuProfilerStart _cpuProfilerStop,cursorInfo,diagLogging,dropDatabase enableSharding,flushRouterConfig,fsync,db.fsyncUnlock() getCmdLineOpts,getLog,getParameter,getShardMap,getShardVersion hostInfo,db.currentOp(),db.killOp(),listDatabases,listShards logRotate,moveChunk,movePrimary,netstat,removeShard,unsetSharding repairDatabase,replSetFreeze,replSetGetStatus,replSetInitiate replSetMaintenance,replSetReconfig,replSetStepDown,replSetSyncFrom resync,serverStatus,setParameter,setShardVersion,shardCollection shardingState,shutdown,splitChunk,splitVector,split,top,touch |
-
clusterManager
Provides management and monitoring actionson the cluster. A user with this role can access the config and localdatabases, which are used in sharding and replication, respectively.
-
clusterMonitor
Provides read-only access to monitoringtools, such as the MongoDB Cloud Manager and Ops Manager monitoring agent.
-
hostManager
Provides the ability to monitor and manageservers.
1.4 Backup and Restoration Roles
-
backup
Provides privileges needed to back up data.This role provides sufficient privileges to use the MongoDB Cloud Managerbackup agent, Ops Manager backup agent, or to use mongodump.
-
restore
Provides privileges needed to restore datawith mongorestore without the --oplogReplay option or without system.profilecollection data.
1.5 All-Database Roles
-
readAnyDatabase
只在admin数据库中可用,赋予用户所有数据库的读权限
Provides the same read-only permissions asread, except it applies to all but the local and config databases in thecluster. The role also provides the listDatabases action on the cluster as awhole.
-
readWriteAnyDatabase
只在admin数据库中可用,赋予用户所有数据库的读写权限
Provides the same read and writepermissions as readWrite, except it applies to all but the local and configdatabases in the cluster. The role also provides the listDatabases action onthe cluster as a whole.
-
userAdminAnyDatabase
只在admin数据库中可用,赋予用户所有数据库的userAdmin权限
Provides the same access to useradministration operations as userAdmin, except it applies to all but the localand config databases in the cluster.
Since the userAdminAnyDatabase role allowsusers to grant any privilege to any user, including themselves, the role alsoindirectly provides superuser access.
-
dbAdminAnyDatabase
只在admin数据库中可用,赋予用户所有数据库的dbAdmin权限。
Provides the same access to databaseadministration operations as dbAdmin, except it applies to all but the localand config databases in the cluster. The role also provides the listDatabasesaction on the cluster as a whole.
1.6 Superuser Roles
-
root
只在admin数据库中可用。超级账号,超级权限
Provides access to the operations and allthe resources of the readWriteAnyDatabase, dbAdminAnyDatabase,userAdminAnyDatabase, clusterAdmin, restore, and backup combined.
感谢各位的阅读!关于“MongoDB用户及权限管理之角色说明的示例分析”这篇文章就分享到这里了,希望
内容来源网络,如有侵权,联系删除,本文地址:https://www.230890.com/zhan/116460.html