1. Common roles
Role | Description
---|---
read | Grants read access to the specified database
readWrite | Grants read and write access to the specified database
userAdmin | Allows writing to the system.users collection of the specified database, i.e. creating, deleting and managing users in that database
dbAdmin | Allows administrative tasks in the specified database, such as creating and dropping indexes, viewing statistics or accessing system.profile
clusterAdmin | Must be defined in the admin database; grants all sharding- and replica-set-related administrative permissions
readAnyDatabase | Must be defined in the admin database; grants read access to all databases
readWriteAnyDatabase | Must be defined in the admin database; grants read and write access to all databases
userAdminAnyDatabase | Must be defined in the admin database; grants the userAdmin permissions on all databases
dbAdminAnyDatabase | Must be defined in the admin database; grants the dbAdmin permissions on all databases
root | Superuser role with all permissions; must be defined in the admin database
2. Create the administrative user
MongoDB has a user management mechanism that is easiest to describe as a group of users whose only job is to manage ordinary users; we will call them administrators. Administrators usually have no read or write permission on data, only the permission to manage users, so we give them just the `userAdminAnyDatabase` role. The administrator account must be created in the admin database. Because a user can only authenticate against the database in which it was created, we create all users in the admin database. That way we do not have to log in again every time we switch databases: first `use admin` and authenticate there, then `use` any other database and work in it without a second login, as long as the authenticated user has sufficient permissions on that database.
2.1 Switch to the admin database
The administrator must be created in the admin database, so we first switch to it.
2.2 View users
Use db.system.users.find() to view all users in the admin database. At this point there are no users in admin yet, so nothing is returned.
2.3 Create a user
In MongoDB a user is created with db.createUser({ user information }):
db.createUser({ user: "<name>", pwd: "<cleartext password>", customData: { <any information> }, roles: [ { role: "<role>", db: "<database>" } | "<role>", ... ] });
- user: user name
- pwd: password
- customData: user-defined data associated with the user; this attribute can be omitted
- roles: array configuring the user's roles (permissions)
Examples are as follows:
db.createUser({user:"uadd",pwd:"uadd",roles:[{role:"userAdminAnyDatabase",db:"admin"}]})
2.4 Restart the service
After the administrator account has been created, MongoDB must be restarted with authentication enabled.
First shut down the service with db.shutdownServer(), then start it again with the --auth option:
$ mongod -f /opt/mongodb/bin/mongodb.conf --auth
Or add the following settings to the existing mongodb.conf file:
    # Data storage directory
    dbpath = /opt/mongodb/data/db
    # Log file directory
    logpath = /opt/mongodb/logs/mongodb.log
    # Append to the log file instead of overwriting it
    logappend = true
    # The default port is 27017
    port = 27017
    # Listen on all interfaces (no restriction on client IP); the default is the local address only
    bind_ip = 0.0.0.0
    # Run as a daemon, i.e. in the background
    fork = true
    # Enable authentication
    auth = true
Use db.auth("user name", "password") to authenticate. It returns 1 on success and 0 on failure.
3. Create a normal user
Task: create a test database, add a user named testuser with the password 123456 to it, and grant that user read and write permission on the test database.
3.1 Log in as the administrator
Ordinary users must be created by the administrator, so log in with the administrator account first.
    > use admin
    switched to db admin
    > db.auth("uadd","uadd")
    1
3.2 Create the database
MongoDB has no dedicated syntax for creating a database. When you `use` a database that does not exist, it is created and switched to directly.
    > use test
    switched to db test
3.3 Create the user
    > db.createUser({user:"testuser",pwd:"123456",roles:[{role:"readWrite",db:"test"}]})
3.4 Authenticate
After logging in successfully, you can perform whatever operations the user's roles permit. Run the following statement to test whether the user's read and write permissions work.
>db.user.insert({"name":"zhangsan"})
4. Update user
To change the roles of an existing user, use db.updateUser(). Note: the user executing this function must have the userAdmin, userAdminAnyDatabase or root role.
db.updateUser("user name", {"roles": [{role: "Role name", db: "database"}], "Update item 2": "Update content"})
For example, give the `uadd` user created above the `readWriteAnyDatabase` and `dbAdminAnyDatabase` roles in addition to its existing one. Note that the roles array passed to db.updateUser() replaces the user's current roles, which is why `userAdminAnyDatabase` is listed again:
    > db.updateUser("uadd",{"roles":[{role:"userAdminAnyDatabase",db:"admin"},{role:"readWriteAnyDatabase",db:"admin"},{role:"dbAdminAnyDatabase",db:"admin"}]})
    > show users
Update password
There are two ways to update a user's password. Switch to the database the user belongs to before updating it. Note: this must be executed by a user with the userAdmin, userAdminAnyDatabase or root role.
- db.updateUser("user name", {"pwd": "New password"}) updates the password
- db.changeUserPassword("user name", "New password") updates the password
Delete user
db.dropUser() deletes the specified user and returns true on success. Switch to the database the user belongs to before deleting it. Note: only users with the userAdmin, userAdminAnyDatabase or root role can delete other users.