Manage Users and Roles
Overview
This tutorial provides examples for user and role management under MongoDB's authorization model. Create a User describes how to add a new user to MongoDB.
Prerequisites
If you have enabled access control for your deployment, you must authenticate as a user with the required privileges specified in each section. A user administrator with the userAdminAnyDatabase role, or the userAdmin role in the specific databases, provides the required privileges to perform the operations listed in this tutorial. See Enable Access Control for details on adding a user administrator as the first user.
Create a User-Defined Role
Roles grant users access to MongoDB resources. MongoDB provides a number of built-in roles that administrators can use to control access to a MongoDB system. However, if these roles cannot describe the desired set of privileges, you can create new roles in a particular database.
Except for roles created in the admin database, a role can only include privileges that apply to its database and can only inherit from other roles in its database.
A role created in the admin database can include privileges that apply to the admin database, other databases or to the cluster resource, and can inherit from roles in other databases as well as the admin database.
To create a new role, use the db.createRole() method, specifying the privileges in the privileges array and the inherited roles in the roles array.
MongoDB uses the combination of the database name and the role name to uniquely define a role. Each role is scoped to the database in which you create the role, but MongoDB stores all role information in the admin.system.roles collection in the admin database.
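As an added example (not code from the MongoDB documentation), the following JavaScript checks a role document against the scoping rule above before it is handed to db.createRole(): a role created outside admin may only hold privileges on its own database and inherit roles from that database. The manageOpRole document is the one shown later on this page; the reportingReader role is constructed for the example.

```javascript
// Added example, not code from the MongoDB docs. Checks a db.createRole()
// document against the scoping rule: a role created outside "admin" may only
// hold privileges on its own database and inherit from roles in that database.
// Roles in "admin" may also use the cluster resource and other databases.
function findScopeViolations(roleDb, roleDoc) {
  const problems = [];
  if (roleDb === "admin") return problems; // admin roles are not restricted
  for (const priv of roleDoc.privileges) {
    const res = priv.resource;
    if (res.cluster === true) {
      problems.push(`cluster resource used for actions ${priv.actions.join(",")}`);
    } else if (res.db !== roleDb) {
      // db: "" means "this collection name in every database", also out of scope
      problems.push(`privilege targets db "${res.db}" instead of "${roleDb}"`);
    }
  }
  for (const parent of roleDoc.roles) {
    // A bare string in the roles array refers to a role in the same database.
    const parentDb = typeof parent === "string" ? roleDb : parent.db;
    const parentName = typeof parent === "string" ? parent : parent.role;
    if (parentDb !== roleDb) {
      problems.push(`inherits ${parentName} from db "${parentDb}"`);
    }
  }
  return problems;
}

// The manageOpRole document shown on this page.
const manageOpRole = {
  role: "manageOpRole",
  privileges: [
    { resource: { cluster: true }, actions: ["killop", "inprog"] },
    { resource: { db: "", collection: "" }, actions: ["killCursors"] },
  ],
  roles: [],
};

// A constructed role that stays within the reporting database.
const reportingReader = {
  role: "reportingReader",
  privileges: [{ resource: { db: "reporting", collection: "" }, actions: ["find"] }],
  roles: [{ role: "read", db: "reporting" }],
};

console.log(findScopeViolations("admin", manageOpRole));      // valid in admin
console.log(findScopeViolations("reporting", manageOpRole));  // rejected outside admin
console.log(findScopeViolations("reporting", reportingReader));
```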
Prerequisites
To create a role in a database, you must have:
the createRole action on that database resource.
the grantRole action on that database to specify privileges for the new role as well as to specify roles to inherit from.
The built-in roles userAdmin and userAdminAnyDatabase provide the createRole and grantRole actions on their respective resources.
To create a role with authenticationRestrictions specified, you must have the setAuthenticationRestriction action on the database resource in which the role is created.
Create a Role to Manage Current Operations
The following example creates a role named manageOpRole which provides only the privileges to run both db.currentOp() and db.killOp(). [1]
Starting in MongoDB 3.2.9, users do not need any specific privileges to view or kill their own operations on mongod instances. See db.currentOp() and db.killOp() for details.
Connect to MongoDB with the appropriate privileges.
Connect to mongod or mongos with the privileges specified in the Prerequisites section.
The following procedure uses the myUserAdmin created in Enable Access Control.
mongosh --port 27017 -u myUserAdmin -p 'abc123' --authenticationDatabase 'admin'
The myUserAdmin has privileges to create roles in the admin as well as other databases.
Create a new role to manage current operations.
manageOpRole has privileges that act on multiple databases as well as the cluster resource. As such, you must create the role in the admin database.
use admin
db.createRole(
{
role: "manageOpRole",
privileges: [
{ resource: { cluster: true }, actions: [ "killop", "inprog" ] },
{ resource: { db: "", collection: "" }, actions: [ "killCursors" ] }
],
roles: []
}
)
The new role grants permissions to kill any operations.
Terminate running operations with extreme caution. Only use the db.killOp() method or killOp command to terminate operations initiated by clients and do not terminate internal database operations.
[1] clusterMonitor also provides the privilege to run db.currentOp() along with other privileges, and the built-in role hostManager provides the privilege to run db.killOp() along with other privileges.
Create a Role to Run mongostat
The following example creates a role named mongostatRole that provides only the privileges to run mongostat. [2]
Connect to MongoDB with the appropriate privileges.
Connect to mongod or mongos with the privileges specified in the Prerequisites section.
The following procedure uses the myUserAdmin created in Enable Access Control.
mongosh --port 27017 -u myUserAdmin -p 'abc123' --authenticationDatabase 'admin'
The myUserAdmin has privileges to create roles in the admin as well as other databases.
Create a new role to run mongostat.
mongostatRole has privileges that act on the cluster resource. As such, you must create the role in the admin database.
use admin
db.createRole(
{
role: "mongostatRole",
privileges: [
{ resource: { cluster: true }, actions: [ "serverStatus" ] }
],
roles: []
}
)
[2] clusterMonitor also provides the privilege to run mongostat along with other privileges.
Create a Role to Drop system.views Collection across Databases
The following example creates a role named dropSystemViewsAnyDatabase that provides the privileges to drop the system.views collection in any database.
Connect to MongoDB with the appropriate privileges.
Connect to mongod or mongos with the privileges specified in the Prerequisites section.
The following procedure uses the myUserAdmin created in Enable Access Control.
mongosh --port 27017 -u myUserAdmin -p 'abc123' --authenticationDatabase 'admin'
The myUserAdmin has privileges to create roles in the admin as well as other databases.
Create a new role to drop the system.views collection in any database.
For the role, specify a privilege that consists of:
an actions array that contains the dropCollection action, and
a resource document that specifies an empty string ("") for the database and the string "system.views" for the collection.
See Specify Collections Across Databases as Resource for more information.
use admin
db.createRole(
{
role: "dropSystemViewsAnyDatabase",
privileges: [
{
actions: [ "dropCollection" ],
resource: { db: "", collection: "system.views" }
}
],
roles: []
}
)
Modify Access for an Existing User
Prerequisites
You must have the grantRole action on a database to grant a role on that database.
You must have the revokeRole action on a database to revoke a role on that database.
To view a role's information, you must be either explicitly granted the role or must have the viewRole action on the role's database.
Procedure
Connect to MongoDB with the appropriate privileges.
Connect to mongod or mongos as a user with the privileges specified in the Prerequisites section.
The following procedure uses the myUserAdmin created in Enable Access Control.
mongosh --port 27017 -u myUserAdmin -p 'abc123' --authenticationDatabase 'admin'
Identify the user's roles and privileges.
To display the roles and privileges of the user to be modified, use the db.getUser() and db.getRole() methods.
For example, to view roles for reportsUser created in Additional Examples, issue:
use reporting
db.getUser("reportsUser")
To display the privileges granted to the user by the readWrite role on the "accounts" database, issue:
use accounts
db.getRole( "readWrite", { showPrivileges: true } )
Identify the privileges to grant or revoke.
If the user requires additional privileges, grant to the user the role, or roles, with the required set of privileges. If such a role does not exist, create a new role with the appropriate set of privileges.
To revoke a subset of privileges provided by an existing role: revoke the original role and grant a role that contains only the required privileges. You may need to create a new role if such a role does not exist.
Modify the user's access.
Revoke a Role
Revoke a role with the db.revokeRolesFromUser() method. The following example operation removes the readWrite role on the accounts database from the reportsUser:
use reporting
db.revokeRolesFromUser(
"reportsUser",
[
{ role: "readWrite", db: "accounts" }
]
)
Grant a Role
Grant a role using the db.grantRolesToUser() method. For example, the following operation grants the reportsUser user the read role on the accounts database:
use reporting
db.grantRolesToUser(
"reportsUser",
[
{ role: "read", db: "accounts" }
]
)
For sharded clusters, the changes to the user are instant on the mongos on which the command runs. However, for other mongos instances in the cluster, the user cache may wait up to 10 minutes to refresh. See userCacheInvalidationIntervalSecs.
Modify the Password for an Existing User
Prerequisites
To modify the password of another user on a database, you must have the changePassword action on that database.
Procedure
Connect to MongoDB with the appropriate privileges.
Connect to the mongod or mongos with the privileges specified in the Prerequisites section.
The following procedure uses the myUserAdmin created in Enable Access Control.
mongosh --port 27017 -u myUserAdmin -p 'abc123' --authenticationDatabase 'admin'
Change the password.
Pass the user's username and the new password to the db.changeUserPassword() method.
The following operation changes the reporting user's password to SOh3TbYhxuLiW8ypJPxmt1oOfL:
db.changeUserPassword("reporting", "SOh3TbYhxuLiW8ypJPxmt1oOfL")
View a User's Roles
Prerequisites
To view another user's information, you must have the viewUser action on the other user's database.
Users can view their own information.
Procedure
Connect to MongoDB with the appropriate privileges.
Connect to mongod or mongos as a user with the privileges specified in the Prerequisites section.
The following procedure uses the myUserAdmin created in Enable Access Control.
mongosh --port 27017 -u myUserAdmin -p 'abc123' --authenticationDatabase 'admin'
Identify the user's roles.
Use the usersInfo command or db.getUser() method to display user information.
For example, to view roles for reportsUser created in Additional Examples, issue:
use reporting
db.getUser("reportsUser")
In the returned document, the roles field displays all roles for reportsUser:
...
"roles" : [
{ "role" : "readWrite", "db" : "accounts" },
{ "role" : "read", "db" : "reporting" },
{ "role" : "read", "db" : "products" },
{ "role" : "read", "db" : "sales" }
]
View a Role's Privileges
Prerequisites
To view a role's information, you must be either explicitly granted the role or must have the viewRole action on the role's database.
Procedure
Connect to MongoDB with the appropriate privileges.
Connect to mongod or mongos as a user with the privileges specified in the Prerequisites section.
The following procedure uses the myUserAdmin created in Enable Access Control.
mongosh --port 27017 -u myUserAdmin -p 'abc123' --authenticationDatabase 'admin'
Identify the privileges granted by a role.
For a given role, use the db.getRole() method, or the rolesInfo command, with the showPrivileges option.
For example, to view the privileges granted by the read role on the products database, issue:
use products
db.getRole( "read", { showPrivileges: true } )
The returned document contains the privileges and inheritedPrivileges arrays. The privileges array lists the privileges directly specified by the role and excludes those privileges inherited from other roles. The inheritedPrivileges array lists all privileges granted by this role, both directly specified and inherited. If the role does not inherit from other roles, the two fields are the same.
...
"privileges" : [
{
"resource": { "db" : "products", "collection" : "" },
"actions": [ "collStats","dbHash","dbStats","find","killCursors","planCacheRead" ]
},
{
"resource" : { "db" : "products", "collection" : "system.js" },
"actions": [ "collStats","dbHash","dbStats","find","killCursors","planCacheRead" ]
}
],
"inheritedPrivileges" : [
{
"resource": { "db" : "products", "collection" : "" },
"actions": [ "collStats","dbHash","dbStats","find","killCursors","planCacheRead" ]
},
{
"resource" : { "db" : "products", "collection" : "system.js" },
"actions": [ "collStats","dbHash","dbStats","find","killCursors","planCacheRead" ]
}
]
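As an added example (not code from the MongoDB documentation), the following JavaScript reproduces how inheritedPrivileges is derived: a role's own privileges are merged, per resource, with the full privilege set of every role it inherits, so a role with an empty roles array reports identical privileges and inheritedPrivileges. The role catalogue, the reportsAnalyst role and the cut-down read definition are constructed for the example.

```javascript
// Added example, not code from the MongoDB docs. Derives inheritedPrivileges
// for a role from its own privileges plus those of the roles it inherits,
// merging actions per resource. The catalogue is constructed for the example
// and keyed "db.role"; "read" is a cut-down stand-in for the built-in role.
const catalogue = {
  "reporting.read": {
    privileges: [{ resource: { db: "reporting", collection: "" },
                   actions: ["collStats", "dbStats", "find", "killCursors"] }],
    roles: [],
  },
  "reporting.reportsAnalyst": {
    privileges: [{ resource: { db: "reporting", collection: "" },
                   actions: ["find", "listIndexes"] }],
    roles: [{ role: "read", db: "reporting" }],
  },
};

function inheritedPrivileges(roleName, db, seen = new Set()) {
  const key = `${db}.${roleName}`;
  if (seen.has(key)) return [];   // guard against inheritance cycles
  seen.add(key);
  const def = catalogue[key];
  if (!def) throw new Error(`unknown role ${key}`);
  const merged = new Map();       // resource (as JSON) -> Set of actions
  const add = (priv) => {
    const k = JSON.stringify(priv.resource);
    const actions = merged.get(k) || new Set();
    priv.actions.forEach((a) => actions.add(a));
    merged.set(k, actions);
  };
  def.privileges.forEach(add);                       // directly specified
  for (const parent of def.roles) {                  // plus each parent's full set
    inheritedPrivileges(parent.role, parent.db, seen).forEach(add);
  }
  return [...merged].map(([k, actions]) => ({
    resource: JSON.parse(k),
    actions: [...actions].sort(),
  }));
}

console.log(JSON.stringify(inheritedPrivileges("reportsAnalyst", "reporting"), null, 2));
```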