主頁(yè) > 知識(shí)庫(kù) > 分布式文檔存儲(chǔ)數(shù)據(jù)庫(kù)之MongoDB訪問(wèn)控制的操作方法

分布式文檔存儲(chǔ)數(shù)據(jù)庫(kù)之MongoDB訪問(wèn)控制的操作方法

熱門標(biāo)簽:小裙科技電銷機(jī)器人怎樣 呼和浩特外呼系統(tǒng)原理是什么 河南電話外呼系統(tǒng)招商 長(zhǎng)沙電銷外呼防封卡是什么 智能外呼系統(tǒng)官網(wǎng) 青白江400企業(yè)電話申請(qǐng) 外呼線路資源屬于電信業(yè)務(wù)嗎 內(nèi)蒙古營(yíng)銷智能外呼系統(tǒng)哪個(gè)好 crm外呼系統(tǒng)聯(lián)系方式

  上一篇博客主要聊了下分布式文檔存儲(chǔ)數(shù)據(jù)庫(kù)之MongoDB備份與恢復(fù),回顧請(qǐng)參考https://www.jb51.net/article/199845.htm;今天我們來(lái)了解下mongodb的訪問(wèn)控制;

  什么是訪問(wèn)控制?

  簡(jiǎn)單講訪問(wèn)控制就是指,哪些用戶可以訪問(wèn)哪些資源,對(duì)資源有哪些操作(權(quán)限);在mongodb中我們把數(shù)據(jù)庫(kù)、或者集合叫做資源;也就說(shuō)訪問(wèn)控制是用來(lái)限制某些用戶對(duì)數(shù)據(jù)庫(kù)或集合的操作;我們?cè)趍ysql數(shù)據(jù)庫(kù)中,我們通過(guò)給賬號(hào)授權(quán)的方式達(dá)到控制哪些用戶可以從哪些主機(jī)訪問(wèn)數(shù)據(jù)庫(kù),對(duì)數(shù)據(jù)庫(kù)有哪些操作;其中賬號(hào)由用戶名稱和主機(jī)地址構(gòu)成;在mongodb中采用的不是用戶+主機(jī)地址的方式,而是通過(guò)給用戶賦予一個(gè)或多個(gè)角色,這個(gè)角色或多個(gè)角色的所有權(quán)限就是這個(gè)用戶擁有的權(quán)限;默認(rèn)情況mongodb是沒(méi)有啟用訪問(wèn)控制的,所以只要能夠連接上mongodb實(shí)例,我們就可以在其上做任何操作,在某種程度上,這是一種極為不安全的方式,為了杜絕這種不安全的訪問(wèn)方式,我們需要對(duì)mongodb進(jìn)行訪問(wèn)控制;

  mongodb中的角色權(quán)限說(shuō)明

  mongodb默認(rèn)內(nèi)置了一些角色,不同的角色擁有不同的權(quán)限,如下圖

  查看mongodb中某個(gè)數(shù)據(jù)庫(kù)所有內(nèi)置角色

> db.runCommand({rolesInfo:1,showBuiltinRoles:true})
{
  "roles" : [
    {
      "role" : "dbAdmin",
      "db" : "test",
      "isBuiltin" : true,
      "roles" : [ ],
      "inheritedRoles" : [ ]
    },
    {
      "role" : "dbOwner",
      "db" : "test",
      "isBuiltin" : true,
      "roles" : [ ],
      "inheritedRoles" : [ ]
    },
    {
      "role" : "enableSharding",
      "db" : "test",
      "isBuiltin" : true,
      "roles" : [ ],
      "inheritedRoles" : [ ]
    },
    {
      "role" : "read",
      "db" : "test",
      "isBuiltin" : true,
      "roles" : [ ],
      "inheritedRoles" : [ ]
    },
    {
      "role" : "readWrite",
      "db" : "test",
      "isBuiltin" : true,
      "roles" : [ ],
      "inheritedRoles" : [ ]
    },
    {
      "role" : "userAdmin",
      "db" : "test",
      "isBuiltin" : true,
      "roles" : [ ],
      "inheritedRoles" : [ ]
    }
  ],
  "ok" : 1
}
>

  提示:以上是mongodb中test庫(kù)的默認(rèn)角色;如果要查看其它庫(kù),我們需要切換到其他庫(kù),然后運(yùn)行上述命令查看即可;

  查詢當(dāng)前數(shù)據(jù)中的某個(gè)角色

> db
test
> db.runCommand({rolesInfo:"userAdmin"})
{
  "roles" : [
    {
      "role" : "userAdmin",
      "db" : "test",
      "isBuiltin" : true,
      "roles" : [ ],
      "inheritedRoles" : [ ]
    }
  ],
  "ok" : 1
}
>

  查詢其他數(shù)據(jù)庫(kù)中指定的角色權(quán)限

> db.runCommand({rolesInfo:{role:"userAdmin",db:"config"}})
{
  "roles" : [
    {
      "role" : "userAdmin",
      "db" : "config",
      "isBuiltin" : true,
      "roles" : [ ],
      "inheritedRoles" : [ ]
    }
  ],
  "ok" : 1
}
> db.runCommand({rolesInfo:{role:"root",db:"config"}})
{ "roles" : [ ], "ok" : 1 }
> db.runCommand({rolesInfo:{role:"root",db:"admin"}})
{
  "roles" : [
    {
      "role" : "root",
      "db" : "admin",
      "isBuiltin" : true,
      "roles" : [ ],
      "inheritedRoles" : [ ]
    }
  ],
  "ok" : 1
}
>

  創(chuàng)建一個(gè)用戶名為tom,其角色為超級(jí)管理員角色root

> use admin
switched to db admin
> db.createUser({user:"tom",pwd:"admin123.com",roles:[{"role":"root","db":"admin"}]})
Successfully added user: {
  "user" : "tom",
  "roles" : [
    {
      "role" : "root",
      "db" : "admin"
    }
  ]
}
>

  查看當(dāng)前庫(kù)用戶列表

> db
admin
> db.getUsers()
[
  {
    "_id" : "admin.tom",
    "userId" : UUID("67bf434a-49fc-4ed5-9e9b-23c443a2fc93"),
    "user" : "tom",
    "db" : "admin",
    "roles" : [
      {
        "role" : "root",
        "db" : "admin"
      }
    ],
    "mechanisms" : [
      "SCRAM-SHA-1",
      "SCRAM-SHA-256"
    ]
  }
]
>

  創(chuàng)建數(shù)據(jù)庫(kù)管理員用戶

> db.createUser({user:"jerry",pwd:"admin123.com",roles:["userAdminAnyDatabase"]})
Successfully added user: { "user" : "jerry", "roles" : [ "userAdminAnyDatabase" ] }
> db.getUsers()
[
  {
    "_id" : "admin.jerry",
    "userId" : UUID("5d0b77f2-b7f1-40cd-8149-f08b2e1e6a80"),
    "user" : "jerry",
    "db" : "admin",
    "roles" : [
      {
        "role" : "userAdminAnyDatabase",
        "db" : "admin"
      }
    ],
    "mechanisms" : [
      "SCRAM-SHA-1",
      "SCRAM-SHA-256"
    ]
  },
  {
    "_id" : "admin.tom",
    "userId" : UUID("67bf434a-49fc-4ed5-9e9b-23c443a2fc93"),
    "user" : "tom",
    "db" : "admin",
    "roles" : [
      {
        "role" : "root",
        "db" : "admin"
      }
    ],
    "mechanisms" : [
      "SCRAM-SHA-1",
      "SCRAM-SHA-256"
    ]
  }
]
>

  提示:如果創(chuàng)建用戶時(shí),未指定db,則表示當(dāng)前該用戶對(duì)當(dāng)前所在db生效;

  刪除用戶

> db.dropUser("jerry")
true
> db.getUsers()
[
  {
    "_id" : "admin.tom",
    "userId" : UUID("67bf434a-49fc-4ed5-9e9b-23c443a2fc93"),
    "user" : "tom",
    "db" : "admin",
    "roles" : [
      {
        "role" : "root",
        "db" : "admin"
      }
    ],
    "mechanisms" : [
      "SCRAM-SHA-1",
      "SCRAM-SHA-256"
    ]
  }
]
>

  提示:刪除用戶,需切換到對(duì)應(yīng)數(shù)據(jù)下,指定對(duì)應(yīng)用戶名稱即可;在mongodb中用戶是對(duì)應(yīng)數(shù)據(jù)庫(kù)的,一個(gè)用戶可以對(duì)應(yīng)一個(gè)或多個(gè)數(shù)據(jù)庫(kù),在指定數(shù)據(jù)庫(kù)刪除用戶,就表示刪除指定用戶對(duì)指定數(shù)據(jù)庫(kù)的訪問(wèn)權(quán)限;

  修改指定用戶的密碼

> db
admin
> db.changeUserPassword("tom","123456")
>

  提示:修改用戶密碼,第一個(gè)是指定用戶的名稱,第二個(gè)是指定新密碼;

  驗(yàn)證用戶名和密碼

  給錯(cuò)誤的密碼

> db
admin
> db.auth("tom","admin")
Error: Authentication failed.
0
>

 給正確的密碼

> db
admin
> db.auth("tom","123456")
1
>

  創(chuàng)建一個(gè)普通用戶

> use testdb
switched to db testdb
> db.createUser({user:"test",pwd:"admin",roles:[{role:"readWrite",db:"testdb"}]})
Successfully added user: {
  "user" : "test",
  "roles" : [
    {
      "role" : "readWrite",
      "db" : "testdb"
    }
  ]
}
> db.getUsers()
[
  {
    "_id" : "testdb.test",
    "userId" : UUID("95ecb34c-46f4-44fa-8948-4f0875499d8e"),
    "user" : "test",
    "db" : "testdb",
    "roles" : [
      {
        "role" : "readWrite",
        "db" : "testdb"
      }
    ],
    "mechanisms" : [
      "SCRAM-SHA-1",
      "SCRAM-SHA-256"
    ]
  }
]
>

 提示:以上就創(chuàng)建了一個(gè)名為test的用戶,它可對(duì)testdb這個(gè)庫(kù)下的所有collection做讀寫操作;

  創(chuàng)建一個(gè)多角色的用戶

> db
testdb
> db.createUser(
... {
... user:"jerry1",
... pwd:"admin123.com",
... roles:[
... {role:"clusterAdmin",db:"admin"},
... {role:"readWrite",db:"testdb"},
... {role:"read",db:"testdb1"}
... ]
... })
Successfully added user: {
  "user" : "jerry1",
  "roles" : [
    {
      "role" : "clusterAdmin",
      "db" : "admin"
    },
    {
      "role" : "readWrite",
      "db" : "testdb"
    },
    {
      "role" : "read",
      "db" : "testdb1"
    }
  ]
}
> db.getUsers()
[
  {
    "_id" : "testdb.jerry1",
    "userId" : UUID("43d66bf8-1e3a-4c14-ad73-5961b5a7660f"),
    "user" : "jerry1",
    "db" : "testdb",
    "roles" : [
      {
        "role" : "clusterAdmin",
        "db" : "admin"
      },
      {
        "role" : "readWrite",
        "db" : "testdb"
      },
      {
        "role" : "read",
        "db" : "testdb1"
      }
    ],
    "mechanisms" : [
      "SCRAM-SHA-1",
      "SCRAM-SHA-256"
    ]
  },
  {
    "_id" : "testdb.test",
    "userId" : UUID("95ecb34c-46f4-44fa-8948-4f0875499d8e"),
    "user" : "test",
    "db" : "testdb",
    "roles" : [
      {
        "role" : "readWrite",
        "db" : "testdb"
      }
    ],
    "mechanisms" : [
      "SCRAM-SHA-1",
      "SCRAM-SHA-256"
    ]
  }
]
>

  提示:在mongodb中一個(gè)用戶可以授權(quán)擁有多個(gè)角色權(quán)限;

  開啟mongodb服務(wù)端訪問(wèn)控制配置

  重啟服務(wù)

[root@node12 ~]# systemctl restart mongod.service
[root@node12 ~]# ss -tnl
State  Recv-Q Send-Q   Local Address:Port      Peer Address:Port    
LISTEN  0  128      *:22          *:*     
LISTEN  0  100    127.0.0.1:25          *:*     
LISTEN  0  128      *:27017         *:*     
LISTEN  0  128      :::22         :::*     
LISTEN  0  100      ::1:25         :::*     
[root@node12 ~]#

  測(cè)試:現(xiàn)在連接mongodb,看看會(huì)發(fā)生什么?

[root@node12 ~]# mongo
MongoDB shell version v4.4.1
connecting to: mongodb://127.0.0.1:27017/?compressors=disabledgssapiServiceName=mongodb
Implicit session: session { "id" : UUID("68fa2f83-64a4-42c2-8d64-9ee73a77e883") }
MongoDB server version: 4.4.1
> show dbs
> db
test
> show tables
Warning: unable to run listCollections, attempting to approximate collection names by parsing connectionStatus
>

  提示:現(xiàn)在我們直接連接mongodb是可以正常連接,但是我們沒(méi)法查看數(shù)據(jù)列表以及collections了;這個(gè)時(shí)候我們就需要進(jìn)行用戶認(rèn)證了;

  認(rèn)證用戶

> db
test
> db.auth("test","admin")
Error: Authentication failed.
0
> use testdb
switched to db testdb
> db.auth("test","admin")
1
> show dbs
> show collections
>

  提示:認(rèn)證用戶必須切換到對(duì)應(yīng)的數(shù)據(jù)庫(kù)下做認(rèn)證;我這里test用戶只能對(duì)testdb庫(kù)下的所有collection進(jìn)行讀寫,所以認(rèn)證以后,我們?cè)谑褂?show dbs命令就看不到系統(tǒng)admin和config庫(kù)了;除了上述連接數(shù)據(jù)庫(kù)以后使用db.auth()做用戶認(rèn)證,我們也可直接在連接數(shù)據(jù)庫(kù)時(shí)指定用戶名和密碼,如下

[root@node12 ~]# mongo -utest -padmin testdb
MongoDB shell version v4.4.1
connecting to: mongodb://127.0.0.1:27017/testdb?compressors=disabledgssapiServiceName=mongodb
Implicit session: session { "id" : UUID("60c43e94-04c6-46f4-be07-07ca8fa06b2f") }
MongoDB server version: 4.4.1
> show dbs
> exit
bye
[root@node12 ~]# mongo -utest -padmin 192.168.0.52:27017/testdb
MongoDB shell version v4.4.1
connecting to: mongodb://192.168.0.52:27017/testdb?compressors=disabledgssapiServiceName=mongodb
Implicit session: session { "id" : UUID("a30dbd64-7b59-4a8e-b95d-02ff30e256f3") }
MongoDB server version: 4.4.1
> show dbs
> show tables
>

  以上就是在mongodb中開啟訪問(wèn)控制,創(chuàng)建用戶,授權(quán)的操作;我們只需要在配置文件中指定開啟認(rèn)證功能,然后使用具有創(chuàng)建用戶權(quán)限的用戶登錄數(shù)據(jù)庫(kù)創(chuàng)建用戶授權(quán)即可;

到此這篇關(guān)于分布式文檔存儲(chǔ)數(shù)據(jù)庫(kù)之MongoDB訪問(wèn)控制的操作方法的文章就介紹到這了,更多相關(guān)MongoDB訪問(wèn)控制內(nèi)容請(qǐng)搜索腳本之家以前的文章或繼續(xù)瀏覽下面的相關(guān)文章希望大家以后多多支持腳本之家!

您可能感興趣的文章:
  • 分布式文檔存儲(chǔ)數(shù)據(jù)庫(kù)之MongoDB備份與恢復(fù)的實(shí)踐詳解
  • 分布式文檔存儲(chǔ)數(shù)據(jù)庫(kù)之MongoDB分片集群的問(wèn)題
  • SpringDataMongoDB多文檔事務(wù)的實(shí)現(xiàn)
  • mongodb如何對(duì)文檔內(nèi)數(shù)組進(jìn)行過(guò)濾的方法步驟
  • MongoDB中文檔的更新操作示例詳解
  • MongoDB數(shù)據(jù)庫(kù)文檔操作方法(必看篇)
  • mongodb 數(shù)據(jù)類型(null/字符串/數(shù)字/日期/內(nèi)嵌文檔/數(shù)組等)
  • PHP庫(kù) 查詢Mongodb中的文檔ID的方法
  • MongoDB如何更新多級(jí)文檔的數(shù)據(jù)

標(biāo)簽:楚雄 菏澤 池州 白山 呼倫貝爾 安順 舟山 黃石

巨人網(wǎng)絡(luò)通訊聲明:本文標(biāo)題《分布式文檔存儲(chǔ)數(shù)據(jù)庫(kù)之MongoDB訪問(wèn)控制的操作方法》,本文關(guān)鍵詞  分布式,文檔,存儲(chǔ),數(shù)據(jù)庫(kù),;如發(fā)現(xiàn)本文內(nèi)容存在版權(quán)問(wèn)題,煩請(qǐng)?zhí)峁┫嚓P(guān)信息告之我們,我們將及時(shí)溝通與處理。本站內(nèi)容系統(tǒng)采集于網(wǎng)絡(luò),涉及言論、版權(quán)與本站無(wú)關(guān)。
  • 相關(guān)文章
  • 下面列出與本文章《分布式文檔存儲(chǔ)數(shù)據(jù)庫(kù)之MongoDB訪問(wèn)控制的操作方法》相關(guān)的同類信息!
  • 本頁(yè)收集關(guān)于分布式文檔存儲(chǔ)數(shù)據(jù)庫(kù)之MongoDB訪問(wèn)控制的操作方法的相關(guān)信息資訊供網(wǎng)民參考!
  • 推薦文章