On this page本页内容
This tutorial provides examples for user and role management under the MongoDB's authorization model. 本教程提供了MongoDB授权模型下的用户和角色管理示例。Create a User describes how to add a new user to MongoDB.创建用户描述如何向MongoDB添加新用户。
If you have enabled access control for your deployment, you must authenticate as a user with the required privileges specified in each section. 如果已为部署启用访问控制,则必须以用户身份验证,并在每个部分中指定所需的权限。A user administrator with the 具有userAdminAnyDatabase role, or userAdmin role in the specific databases, provides the required privileges to perform the operations listed in this tutorial. userAdminAnyDatabase角色或特定数据库中的userAdmin角色的用户管理员提供执行本教程中列出的操作所需的权限。See Enable Access Control for details on adding user administrator as the first user.有关将用户管理员添加为第一个用户的详细信息,请参阅启用访问控制。
Roles grant users access to MongoDB resources. 角色授予用户访问MongoDB资源的权限。MongoDB provides a number of built-in roles that administrators can use to control access to a MongoDB system. MongoDB提供了许多内置角色,管理员可以使用这些角色来控制对MongoDB系统的访问。However, if these roles cannot describe the desired set of privileges, you can create new roles in a particular database.但是,如果这些角色无法描述所需的权限集,则可以在特定数据库中创建新角色。
Except for roles created in the 除了在admin database, a role can only include privileges that apply to its database and can only inherit from other roles in its database.admin数据库中创建的角色外,角色只能包含应用于其数据库的权限,并且只能从其数据库中的其他角色继承。
A role created in the 在admin database can include privileges that apply to the admin database, other databases or to the cluster resource, and can inherit from roles in other databases as well as the admin database.admin数据库中创建的角色可以包括应用于admin数据库、其他数据库或群集资源的权限,并且可以从其他数据库以及admin数据库中的角色继承。
To create a new role, use the 要创建新角色,请使用db.createRole() method, specifying the privileges in the privileges array and the inherited roles in the roles array.db.createRole()方法,在privileges数组中指定权限,并在roles数组中指定继承的角色。
MongoDB uses the combination of the database name and the role name to uniquely define a role. MongoDB使用数据库名称和角色名称的组合来唯一定义角色。Each role is scoped to the database in which you create the role, but MongoDB stores all role information in the 每个角色的作用域都是您在其中创建角色的数据库,但MongoDB将所有角色信息存储在admin数据库的admin.system.roles collection in the admin database.admin.system.roles集合中。
To create a role in a database, you must have:要在数据库中创建角色,您必须具有:
createRole action on that database resource.createRole操作。grantRole action on that database to specify privileges for the new role as well as to specify roles to inherit from.grantRole操作,用于指定新角色的权限以及要从中继承的角色。Built-in roles 内置角色userAdmin and userAdminAnyDatabase provide createRole and grantRole actions on their respective resources.userAdmin和userAdminAnyDatabase在各自的资源上提供createRole和grantRole操作。
To create a role with 要创建指定了authenticationRestrictions specified, you must have the setAuthenticationRestrictionaction on the database resource which the role is created.authenticationRestrictions的角色,必须在创建该角色的数据库资源上具有setAuthenticationRestriction操作。
The following example creates a role named 下面的示例创建了一个名为manageOpRole which provides only the privileges to run both db.currentOp() and db.killOp(). manageOpRole的角色,该角色只提供运行db.currentOp()和db.killOp()的权限。[1]
Starting in MongoDB 3.2.9, users do not need any specific privileges to view or kill their own operations on 从MongoDB 3.2.9开始,用户不需要任何特定的权限来查看或终止自己在mongod instances. mongod实例上的操作。See 有关详细信息,请参阅db.currentOp() and db.killOp() for details.db.currentOp()和db.killOp()。
Connect to 使用先决条件部分中指定的权限连接到mongod or mongos with the privileges specified in the Prerequisites section.mongod或mongos。
The following procedure uses the 以下过程使用在启用访问控制中创建的myUserAdmin created in Enable Access Control.myUserAdmin。
mongosh --port 27017 -u myUserAdmin -p 'abc123' --authenticationDatabase 'admin'
The myUserAdmin has privileges to create roles in the admin as well as other databases.myUserAdmin具有在admin和其他数据库中创建角色的权限。
manageOpRole has privileges that act on multiple databases as well as the cluster resource. 具有对多个数据库以及群集资源起作用的权限。As such, you must create the role in the 因此,您必须在admin database.admin数据库中创建角色。
use admin
db.createRole(
{
role: "manageOpRole",
privileges: [
{ resource: { cluster: true }, actions: [ "killop", "inprog" ] },
{ resource: { db: "", collection: "" }, actions: [ "killCursors" ] }
],
roles: []
}
)
The new role grants permissions to kill any operations.新角色授予终止任何操作的权限。
Terminate running operations with extreme caution. 终止运行操作时要格外小心。Only use the 只能使用db.killOp() method or killOp command to terminate operations initiated by clients and do not terminate internal database operations.db.killOp()方法或killOp命令来终止客户端启动的操作,而不要终止内部数据库操作。
| [1] | clusterMonitor also provides the privilege to run db.currentOp() along with other privileges, and the built-in role hostManager provides the privilege to run db.killOp() along with other privileges.clusterMonitor还提供了与其他权限一起运行db.currentOp()的权限,内置角色hostManager提供了与其它权限一起运行db.killOp()的权限。 |
mongostatmongostatThe following example creates a role named 下面的示例创建了一个名为mongostatRole that provides only the privileges to run mongostat. mongostatRole的角色,该角色仅提供运行mongostat的权限。[2]
Connect to 使用先决条件部分中指定的权限连接到mongod or mongos with the privileges specified in the Prerequisites section.mongod或mongos。
The following procedure uses the 以下过程使用在启用访问控制中创建的myUserAdmin created in Enable Access Control.myUserAdmin。
mongosh --port 27017 -u myUserAdmin -p 'abc123' --authenticationDatabase 'admin'
The myUserAdmin has privileges to create roles in the admin as well as other databases.myUserAdmin具有在admin和其他数据库中创建角色的权限。
mongostatRole has privileges that act on the cluster resource. 具有对群集资源起作用的权限。As such, you must create the role in the 因此,您必须在admin database.admin数据库中创建角色。
use admin
db.createRole(
{
role: "mongostatRole",
privileges: [
{ resource: { cluster: true }, actions: [ "serverStatus" ] }
],
roles: []
}
)
| [2] | clusterMonitor also provides the privilege to run mongostat along with other privileges.clusterMonitor还提供运行mongostat的权限以及其他权限。 |
system.views Collection across Databasessystem.views集合The following example creates a role named 以下示例创建了一个名为dropSystemViewsAnyDatabase that provides the privileges to drop the system.views collection in any database.dropSystemViewsAnyDatabase的角色,该角色提供在任何数据库中删除system.views集合的权限。
Connect to 使用先决条件mongod or mongos with the privileges specified in the Prerequisites section.部分中指定的权限连接到mongod或mongos。
The following procedure uses the 以下过程使用在启用访问控制中创建的myUserAdmin created in Enable Access Control.myUserAdmin。
mongosh --port 27017 -u myUserAdmin -p 'abc123' --authenticationDatabase 'admin'
The myUserAdmin has privileges to create roles in the admin as well as other databases.myUserAdmin具有在admin和其他数据库中创建角色的权限。
system.views collection in any database.system.views集合。For the role, specify a privilege that consists of:对于角色,指定一个权限,该权限由以下内容组成:
actions array that contains the dropCollection action, anddropCollection操作的actions数组,以及"") for the database and the string "system.views" for the collection. ""),为集合指定字符串"system.views"。use admin
db.createRole(
{
role: "dropSystemViewsAnyDatabase",
privileges: [
{
actions: [ "dropCollection" ],
resource: { db: "", collection: "system.views" }
}
],
roles: []
}
)
grantRole action on a database to grant a role on that database.grantRole操作才能授予该数据库上的角色。revokeRole action on a database to revoke a role on that database.revokeRole操作才能撤消该数据库上的角色。viewRole action on the role's database.viewRole操作。Connect to 使用先决条件部分中指定的权限以用户身份连接到mongod or mongos as a user with the privileges specified in the prerequisite section.mongod或mongos。
The following procedure uses the 以下过程使用在启用访问控制中创建的myUserAdmin created in Enable Access Control.myUserAdmin。
mongosh --port 27017 -u myUserAdmin -p 'abc123' --authenticationDatabase 'admin'
To display the roles and privileges of the user to be modified, use the 要显示要修改的用户的角色和权限,请使用db.getUser() and db.getRole() methods.db.getUser()和db.getRole()方法。
For example, to view roles for 例如,要查看在其他示例中创建的reportsUser created in Additional Examples, issue:reportsUser的角色,请发出:
use reporting
db.getUser("reportsUser")
To display the privileges granted to the user by the 要在readWrite role on the "accounts" database, issue:"accounts"数据库上显示readWrite角色授予用户的权限,请发出:
use accounts db.getRole( "readWrite", { showPrivileges: true } )
If the user requires additional privileges, grant to the user the role, or roles, with the required set of privileges. 如果用户需要其他权限,请向用户授予具有所需权限集的一个或多个角色。If such a role does not exist, create a new role with the appropriate set of privileges.如果不存在这样的角色,请创建具有适当权限集的新角色。
To revoke a subset of privileges provided by an existing role: revoke the original role and grant a role that contains only the required privileges. 要撤消现有角色提供的权限子集,请撤消原始角色并授予仅包含所需权限的角色。You may need to create a new role if a role does not exist.如果角色不存在,您可能需要创建新角色。
Revoke a role with the 使用db.revokeRolesFromUser() method. db.revokeRolesFromUser()方法撤销角色。The following example operation removes the 以下示例操作从readWrite role on the accounts database from the reportsUser:reportsUser中删除accounts数据库上的readWrite角色:
use reporting
db.revokeRolesFromUser(
"reportsUser",
[
{ role: "readWrite", db: "accounts" }
]
)
Grant a role using the 使用db.grantRolesToUser() method. db.grantRolesToUser()方法授予角色。For example, the following operation grants the 例如,以下操作授予reportsUser user the read role on the accounts database:reportsUser用户在accounts数据库上的read角色:
use reporting
db.grantRolesToUser(
"reportsUser",
[
{ role: "read", db: "accounts" }
]
)
For sharded clusters, the changes to the user are instant on the 对于分片集群,在运行命令的mongos on which the command runs. mongos上,对用户的更改是即时的。However, for other 但是,对于集群中的其他mongos instances in the cluster, the user cache may wait up to 10 minutes to refresh. mongos实例,用户缓存可能会等待10分钟才能刷新。See 请参阅userCacheInvalidationIntervalSecs.userCacheInvalidationIntervalSecs。
To modify the password of another user on a database, you must have the 要修改数据库中其他用户的密码,必须对该数据库执行changePassword action on that database.changePassword操作。
Connect to the 使用先决条件部分中指定的权限连接到mongod or mongos with the privileges specified in the Prerequisites section.mongod或mongos。
The following procedure uses the 以下过程使用在启用访问控制中创建的myUserAdmin created in Enable Access Control.myUserAdmin。
mongosh --port 27017 -u myUserAdmin -p 'abc123' --authenticationDatabase 'admin'
Pass the user's username and the new password to the 将用户的用户名和新密码传递给db.changeUserPassword() method.db.changeUserPassword()方法。
The following operation changes the 以下操作将reporting user's password to SOh3TbYhxuLiW8ypJPxmt1oOfL:reporting用户的密码更改为SOh3TbYhxuLiW8ypJPxmt1oOfL:
db.changeUserPassword("reporting", "SOh3TbYhxuLiW8ypJPxmt1oOfL")
To view another user's information, you must have the 要查看其他用户的信息,必须对其他用户的数据库执行viewUser action on the other user's database.viewUser操作。
Users can view their own information.用户可以查看自己的信息。
Connect to 使用先决条件部分中指定的权限以用户身份连接到mongod or mongos as a user with the privileges specified in the prerequisite section.mongod或mongos。
The following procedure uses the 以下过程使用在启用访问控制中创建的myUserAdmin created in Enable Access Control.myUserAdmin。
mongosh --port 27017 -u myUserAdmin -p 'abc123' --authenticationDatabase 'admin'
Use the 使用usersInfo command or db.getUser() method to display user information.usersInfo命令或db.getUser()方法显示用户信息。
For example, to view roles for 例如,要查看在其他示例中创建的reportsUser created in Additional Examples, issue:reportsUser的角色,请发出:
use reporting
db.getUser("reportsUser")
In the returned document, the 在返回的文档中,roles field displays all roles for reportsUser:roles字段显示reportsUser的所有角色:
... "roles" : [ { "role" : "readWrite", "db" : "accounts" }, { "role" : "read", "db" : "reporting" }, { "role" : "read", "db" : "products" }, { "role" : "read", "db" : "sales" } ]
To view a role's information, you must be either explicitly granted the role or must have the 要查看角色的信息,必须显式授予角色,或者必须在角色的数据库上具有viewRole action on the role's database.viewRole操作。
Connect to 使用先决条件部分中指定的权限以用户身份连接到mongod or mongos as a user with the privileges specified in the prerequisite section.mongod或mongos。
The following procedure uses the 以下过程使用在启用访问控制中创建的myUserAdmin created in Enable Access Control.myUserAdmin。
mongosh --port 27017 -u myUserAdmin -p 'abc123' --authenticationDatabase 'admin'
For a given role, use the 对于给定角色,使用db.getRole() method, or the rolesInfo command, with the showPrivileges option:db.getRole()方法或rolesInfo命令,并使用showPrivileges选项:
For example, to view the privileges granted by 例如,要查看read role on the products database, use the following operation, issue:products数据库上的read角色授予的权限,请使用以下操作:
use products db.getRole( "read", { showPrivileges: true } )
In the returned document, the 在返回的文档中,privileges and inheritedPrivileges arrays. privileges和inheritedPrivileges数组。The privileges lists the privileges directly specified by the role and excludes those privileges inherited from other roles. privileges列出了角色直接指定的权限,不包括从其他角色继承的权限。The inheritedPrivileges lists all privileges granted by this role, both directly specified and inherited. inheritedPrivileges列出了此角色授予的所有权限,包括直接指定的和继承的。If the role does not inherit from other roles, the two fields are the same.如果角色不从其他角色继承,则两个字段相同。
... "privileges" : [ { "resource": { "db" : "products", "collection" : "" }, "actions": [ "collStats","dbHash","dbStats","find","killCursors","planCacheRead" ] }, { "resource" : { "db" : "products", "collection" : "system.js" }, "actions": [ "collStats","dbHash","dbStats","find","killCursors","planCacheRead" ] } ], "inheritedPrivileges" : [ { "resource": { "db" : "products", "collection" : "" }, "actions": [ "collStats","dbHash","dbStats","find","killCursors","planCacheRead" ] }, { "resource" : { "db" : "products", "collection" : "system.js" }, "actions": [ "collStats","dbHash","dbStats","find","killCursors","planCacheRead" ] } ]