MongoDB user and authority management

1, Common permissions

jurisdiction explain
read Allows the user to read the specified database
readWrite Allows users to read and write to the specified database
userAdmin Allow users to send messages to system The users collection is written, and users can be created, deleted and managed in the specified database
dbAdmin Allows users to perform management functions in specified data, such as index creation, deletion, viewing statistics or accessing system profile
clusterAdmin It must be defined in the admin database, and all partition and replica set related functions and administrative permissions must be given to the user
readAnyDatabase It must be defined in the admin database to give users read permission to all databases
readWriteAnyDatabase It must be defined in the admin database to give users read and write permissions to all databases
userAdminAnyDatabase It must be defined in the admin database to give users userAdmin permission for all databases
dbAdminAnyDatabase It must be defined in the admin database to give users dbAdmin permission for all databases
root Super account and super permission must be defined in admin database

2, Create administrative user

    MongoDB There is a user management mechanism, which is simply described as managing user groups. The users of this group are specially set up to manage ordinary users, and they are temporarily called administrators.
    Administrators usually do not have read-write permissions on the database, but only the permissions of operating users. We just give administrators`userAdminAnyDatabase`Role. In addition, the administrator account must be in admin Create under database.
    Since users can only log in to which database they are created in, all users are created in admin Database. In this way, we don't need to log in frequently when switching databases.
    before `use admin` Switch to admin Log in to the database, and then use Switch to other databases for operation. Second time use Don't log in again. MongoDB set up use In the second database, if the login user has high permissions, you can directly operate the second database without logging in.

2.1 switching database

Administrator needs to be in admin Database, so we need to switch to admin database

2.2 viewing users

adopt db.system.users.find() Function view admin All user information in the database, currently admin There is no user in database, so there is no result.

2.3 creating users

DB. Can be used in MongoDB The CREATEUSER ({user information}) function creates a user

    user: "<name>",
    pwd: "<cleartext password>",
    customData: { <any information> },
    roles: [
        { role: "<role>", db: "<database>" } | "<role>",
  • User: user name
  • pwd: password
  • customData: stores user-defined data related to users. This attribute can also be ignored
  • roles: array type to configure user permissions

Examples are as follows:


2.4 restart service

After the administrator account is created, you need to restart MongoDB and turn on the authentication function.
First pass dB The shutdown server() function shuts down the service

$ mongod -f /opt/mongodb/bin/mongodb.conf --auth

Or in the original mongodb Additional configuration in conf file

# Data storage directory
dbpath = /opt/mongodb/data/db
# Log file storage directory
logpath = /opt/mongodb/logs/mongodb.log
# Log by appending
logappend = true
# The default port is 27017
port = 27017
# There is no restriction on the access IP address. The default is the local address
bind_ip =
# Start as a daemon, that is, run in the background
fork = true
# Turn on identity authentication
auth = true

Use dB Auth ("user name", "password") performs identity authentication, and returns a result of 1, indicating successful authentication and 0, indicating failure.

3, Create normal user

Requirements: create a test database, add a user to the database, the user name is testuser, the password is 123456, and grant the user read and write permission to the test database.

3.1 administrator login database

Ordinary users need to be created by the administrator, so use the administrator user to log in to the database first.

>use admin
switched to db admin

3.2 creating database

MongoDB does not have a specific syntax for creating databases. When using use to switch databases, if the corresponding database does not exist, it will be created and switched directly.

>use test
switched to db test

3.3 creating users

$ db.createUser({user:"testuser",pwd:"123456",roles:[{role:"readWrite",db:"test"}]})

3.4 identity authentication

After logging in successfully, you can perform other operations on the permissions corresponding to the role owned by the user. Execute the following statement to test whether the user's read-write permissions are available.


4, Update user

    If we need to modify the role of an existing user, you can use db.updateUser() Function to update the user role. Note: executing this function requires the current user to have userAdmin or userAdminAnyDatabase or root Role.
db.updateUser("user name",{"roles":[{"roles":"Role name",db:"database"},{"Update item 2":"Update content"}]})

For example, for just now `uadd` User add again `readWriteAnyDatabase`and`dbAdminAnyDatabase`jurisdiction.
>show users

Update password

There are two ways to update a user's password. You need to switch the database of the user when updating the password. Note: you need to use userAdmin or userAdminAnyDatabase or root User execution of role
 use db.updateUser("user name",{"pwd":"New password"}) Function update password
 use db.changeUserPassword("user name","New password") Function update password

delete user

adopt db.dropUser()  Function can delete the specified user. It will be returned after the deletion is successful true. When deleting a user, you need to switch to the database where the user is located. Note: you need to use userAdmin or userAdminAnyDatabase or root Only users in the role can delete other users.

Keywords: Spring

Added by anon_login_001 on Thu, 13 Jan 2022 21:33:08 +0200