MongoDB 3.2 official documentation: Enable Auth

This article describes how to enable authentication on a MongoDB deployment: creating a user administrator and assigning it privileges, then using those privileges to create further users. It also walks through the steps on the command line.


Enable Auth

Overview

Enabling access control on a MongoDB deployment enforces authentication, requiring users to identify themselves. When accessing a MongoDB deployment that has access control enabled, users can only perform actions as determined by their roles.

For authentication, MongoDB supports various Authentication Mechanisms.

The following tutorial enables access control on a standalone mongod instance [1] and uses the default authentication mechanism.

[1] For replica sets and sharded clusters, you can also enable access control by enforcing internal authentication. For details, see Internal Authentication.

User Administrator

With access control enabled, ensure you have a user with the userAdmin or userAdminAnyDatabase role in the admin database. This user can administer users and roles: create users, grant or revoke roles from users, and create or modify custom roles.

You can create users either before or after enabling access control. If you enable access control before creating any user, MongoDB provides a localhost exception which allows you to create a user administrator in the admin database. Once created, you must authenticate as the user administrator to create additional users as needed.

Procedure

The following procedure first adds a user administrator to a MongoDB instance running without access control and then enables access control.

1

Start MongoDB without access control.

For example, the following starts a standalone mongod instance without access control.

mongod --port 27017 --dbpath /data/db1

2

Connect to the instance.

For example, connect a mongo shell to the instance.

mongo --port 27017

Specify additional command line options as appropriate to connect the mongo shell to your deployment, such as --host.

3

Create the user administrator.

In the admin database, add a user with the userAdminAnyDatabase role. For example, the following creates the user myUserAdmin in the admin database:

Note

The database where you create the user (in this example, admin) is the user’s authentication database. Although the user would authenticate to this database, the user can have roles in other databases; i.e. the user’s authentication database does not limit the user’s privileges.

use admin
db.createUser(
  {
    user: "myUserAdmin",
    pwd: "abc123",
    roles: [ { role: "userAdminAnyDatabase", db: "admin" } ]
  }
)

Disconnect the mongo shell.

4

Re-start the MongoDB instance with access control.

Re-start the mongod instance with the --auth command line option or, if using a configuration file, the security.authorization setting.

mongod --auth --port 27017 --dbpath /data/db1

Clients that connect to this instance must now authenticate themselves as a MongoDB user. Clients can only perform actions as determined by their assigned roles.

5

Connect and authenticate as the user administrator.

Using the mongo shell, you can:

  • Connect with authentication by passing in user credentials, or
  • Connect first without authentication, and then issue the db.auth() method to authenticate.

To authenticate during connection

Start a mongo shell with the -u <username>, -p <password>, and the --authenticationDatabase <database> command line options:

mongo --port 27017 -u "myUserAdmin" -p "abc123" --authenticationDatabase "admin"

To authenticate after connecting

Connect the mongo shell to the mongod:

mongo --port 27017

Switch to the authentication database (in this case, admin), and use the db.auth(<username>, <pwd>) method to authenticate:

use admin
db.auth("myUserAdmin", "abc123")

6

Create additional users as needed for your deployment.

Once authenticated as the user administrator, use db.createUser() to create additional users. You can assign any built-in roles or user-defined roles to the users.

The myUserAdmin user only has privileges to manage users and roles. As myUserAdmin, if you attempt to perform any other operations, such as read from a foo collection in the test database, MongoDB returns an error.

The following operation adds a user myTester to the test database who has the readWrite role in the test database as well as the read role in the reporting database.

Note

The database where you create the user (in this example, test) is that user’s authentication database. Although the user would authenticate to this database, the user can have roles in other databases; i.e. the user’s authentication database does not limit the user’s privileges.

use test
db.createUser(
  {
    user: "myTester",
    pwd: "xyz123",
    roles: [ { role: "readWrite", db: "test" },
             { role: "read", db: "reporting" } ]
  }
)

7

Connect and authenticate as myTester.

To authenticate during connection

Start a mongo shell with the -u <username>, -p <password>, and the --authenticationDatabase <database> command line options:

mongo --port 27017 -u "myTester" -p "xyz123" --authenticationDatabase "test"

To authenticate after connecting

Connect the mongo shell to the mongod:

mongo --port 27017

Switch to the authentication database (in this case, test), and use the db.auth(<username>, <pwd>) method to authenticate:

use test
db.auth("myTester", "xyz123")

Insert into a collection as myTester.

As myTester, you have privileges to perform read and write operations in the test database (as well as perform read operations in the reporting database). For example, you can perform the following insert operation in the test database:

db.foo.insert( { x: 1, y: 1 } )
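The whole procedure above as a script, with two checks a practitioner wants after step 4: that an unauthenticated client is now refused, and what user and roles the server actually attaches to an authenticated connection (via the connectionStatus command). This is an added example, not code from the MongoDB documentation; it assumes mongod and the mongo shell (3.2) are on PATH, and PORT, DBPATH and CONF are placeholders for your own deployment.

```shell
# Added example, not part of the MongoDB documentation: the procedure above as
# shell functions plus two checks to run after step 4. Assumptions: mongod and
# mongo 3.2 on PATH; PORT, DBPATH and CONF are placeholders for your deployment.
PORT=27017
DBPATH=/data/db1
CONF=/tmp/mongod-auth.conf
# Configuration-file equivalent of the --auth flag (security.authorization).
auth_config() {
  printf 'security:\n  authorization: enabled\nnet:\n  port: %s\nstorage:\n  dbPath: %s\n' "$1" "$2"
}
# Returns 0 when a mongo shell response shows the server refused the operation.
auth_refused() {
  case "$1" in *"not authorized"*) return 0 ;; *) return 1 ;; esac
}
# Steps 1-3: start without access control, use the localhost exception to
# create the user administrator, then stop the instance.
create_user_admin() {
  mongod --port "$PORT" --dbpath "$DBPATH" --fork --logpath "$DBPATH/mongod.log"
  mongo --port "$PORT" --quiet admin --eval \
    'db.createUser({user: "myUserAdmin", pwd: "abc123", roles: [{role: "userAdminAnyDatabase", db: "admin"}]})'
  mongo --port "$PORT" --quiet admin --eval 'db.shutdownServer()'
}
# Step 4: restart with access control, here through the configuration file.
restart_with_auth() {
  auth_config "$PORT" "$DBPATH" > "$CONF"
  mongod --config "$CONF" --fork --logpath "$DBPATH/mongod.log"
}
# Check 1: an unauthenticated read of test.foo must now be refused.
auth_enforced() {
  out=$(mongo --port "$PORT" --quiet test --eval \
    'var r; try { db.foo.findOne(); r = "ALLOWED"; } catch (e) { r = String(e); } print(r);' 2>&1)
  auth_refused "$out"
}
# Steps 5-6: authenticate as the user administrator and create myTester.
create_tester() {
  mongo --port "$PORT" --quiet -u myUserAdmin -p abc123 --authenticationDatabase admin test --eval \
    'db.createUser({user: "myTester", pwd: "xyz123", roles: [{role: "readWrite", db: "test"}, {role: "read", db: "reporting"}]})'
}
# Check 2: ask the server which user and roles this connection carries; roles
# on other databases are listed even though the authentication database is $3.
show_roles() {  # usage: show_roles <user> <password> <authenticationDatabase>
  mongo --port "$PORT" --quiet -u "$1" -p "$2" --authenticationDatabase "$3" "$3" --eval \
    'printjson(db.runCommand({connectionStatus: 1}).authInfo)'
}
# Run the whole procedure with: sh enable_auth.sh run
if [ "${1:-}" = run ]; then
  create_user_admin
  restart_with_auth && auth_enforced && create_tester && show_roles myTester xyz123 test
fi
```

For myTester, check 2 prints authenticatedUserRoles containing both readWrite on test and read on reporting, which is the point the two notes above make about the authentication database not limiting privileges.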