When the MongoDB service is started without any parameters there is no authentication at all by default: anyone who connects can perform any operation on any database, and can do so remotely. A freshly installed MongoDB has an admin database, but it is empty and records no permission-related information. As long as admin.system.users contains no user at all, nothing has to be authenticated and every operation is allowed, even if mongod was started with --auth; this holds until a user is added to admin.system.users. Note that users stored in admin.system.users carry more privileges than users created in any other database: they are superusers, meaning a user created in admin can operate on the data of every other database in the instance.

1. In MongoDB, databases are created by the superuser. A database can contain several users, a user belongs to exactly one database, and users in different databases may have the same name.
2. When admin.system.users is empty, every operation can be performed without any authentication, regardless of whether mongod was started with --auth, until a user is added to admin.system.users.
3. A user User1 of a specific database DB1 cannot access another database DB2, but can access data created by other users inside its own database.
4. Same-named users in different databases cannot log into each other's databases. For example, if DB1 and DB2 both have a user1, logging in to DB1 as user1 does not allow operating on DB2.
5. A user created in the admin database has superuser privileges and can operate on the data objects of any database in the instance.

The following experiments verify these points (possibly not exhaustively; corrections are welcome).

1. Right after the first installation the admin database contains no users. At this point, no matter whether mongod is started with --auth or not, a user of one database (for example test) can operate on the data of any other database (for example db1).

a) Start mongod in the default way:

```
[mongodb@rac3 bin]$ ./mongod --dbpath=/opt/mongodata/data --port=27000
```

In another window open the mongo shell. It connects straight to the test database, and the client has superuser privileges and can operate on any database object:

```
[mongodb@rac3 bin]$ ./mongo 127.0.0.1:27000
MongoDB shell version: 2.0.1
connecting to: 127.0.0.1:27000/test
> show dbs
local (empty)
# Look at the user information in the admin database; the instance was just created, so there are no users
> use admin
switched to db admin
> db.system.users.find() ;
# Create the test database, create the collection yql and insert data
> use test
switched to db test
> db.yql.insert({id:2,val:"yangql is learing monogdb master slave!"});
# Create the db1 database, create the collection db1_test and insert data
> use db1
switched to db db1
> db.db1_test.insert({id:1,val:"this data is in db1 !"});
> db.db1_test.insert({id:2,val:"this data is in db1 !"});
> db.db1_test.insert({id:3,val:"this data is in db1 !"});
# Create the db2 database, create the collection db2_test and insert data
> use db2
switched to db db2
> db.db2_test.insert({id:1,val:"this data is in db2!"});
> db.db2_test.insert({id:2,val:"this data is in db2!"});
> db.db2_test.insert({id:3,val:"this data is in db2!"});
> db.db2_test.find();
{ "_id" : ObjectId("4f2bbcdf2a801e73e6493f31"), "id" : 1, "val" : "this data is in db2!" }
{ "_id" : ObjectId("4f2bbce52a801e73e6493f32"), "id" : 2, "val" : "this data is in db2!" }
{ "_id" : ObjectId("4f2bbce92a801e73e6493f33"), "id" : 3, "val" : "this data is in db2!" }
> show dbs
admin (empty)
db1 0.203125GB
db2 0.203125GB
local (empty)
test 0.203125GB
# Create the user yql with password yql in the test database
> use test
switched to db test
> db.addUser("yql","yql")
{ "n" : 0, "connectionId" : 1, "err" : null, "ok" : 1 }
{ "user" : "yql", "readOnly" : false, "pwd" : "868ed7035435f33b60ebeba2f363ad91", "_id" : ObjectId("4f2bbed556f179b1ccc295d1") }
> db.auth("yql","yql")    # authentication function: checks whether this user exists in the current database
1
> db.system.users.find();
{ "_id" : ObjectId("4f2bbed556f179b1ccc295d1"), "user" : "yql", "readOnly" : false, "pwd" : "868ed7035435f33b60ebeba2f363ad91" }
> exit
bye
```

b) Shut down mongod and restart it with authentication enabled:

```
[mongodb@rac3 bin]$ ./mongod --dbpath=/opt/mongodata/data --port=27000 --auth
```

Log in again. Although a user was created in test, no user was created in admin, so a client that connects the default way still has superuser privileges:

```
[mongodb@rac3 bin]$ ./mongo 127.0.0.1:27000
MongoDB shell version: 2.0.1
connecting to: 127.0.0.1:27000/test
> use test
switched to db test
> db.system.users.find();
{ "_id" : ObjectId("4f2bbed556f179b1ccc295d1"), "user" : "yql", "readOnly" : false, "pwd" : "868ed7035435f33b60ebeba2f363ad91" }
> use db1
switched to db db1
> db.db1_test.find();
{ "_id" : ObjectId("4f2bb3a42a801e73e6493f2b"), "id" : 1, "val" : "this data is in db1 !" }
{ "_id" : ObjectId("4f2bb3ae2a801e73e6493f2c"), "id" : 2, "val" : "this data is in db1 !" }
{ "_id" : ObjectId("4f2bb3b32a801e73e6493f2d"), "id" : 3, "val" : "this data is in db1 !" }
> exit
bye
```

Logging in as a specific user also gives access to other databases. The following example shows that the test user can read db1's data:

```
[mongodb@rac3 bin]$ ./mongo 127.0.0.1:27000 -uyql -pyql
MongoDB shell version: 2.0.1
connecting to: 127.0.0.1:27000/test
> use db1
switched to db db1
> db.db1_test.find();
{ "_id" : ObjectId("4f2bb3a42a801e73e6493f2b"), "id" : 1, "val" : "this data is in db1 !" }
{ "_id" : ObjectId("4f2bb3ae2a801e73e6493f2c"), "id" : 2, "val" : "this data is in db1 !" }
{ "_id" : ObjectId("4f2bb3b32a801e73e6493f2d"), "id" : 3, "val" : "this data is in db1 !" }
> bye
```

2. Once a user has been added to admin.system.users, MongoDB's authentication and authorization take effect.

Create the user supper with password sup in the admin database:

```
[mongodb@rac3 bin]$ ./mongo 127.0.0.1:27000
MongoDB shell version: 2.0.1
connecting to: 127.0.0.1:27000/test
> use admin
switched to db admin
> db.addUser("supper", "sup")
{ "n" : 0, "connectionId" : 4, "err" : null, "ok" : 1 }
{ "user" : "supper", "readOnly" : false, "pwd" : "51a481f72b8b8218df9fee50b3737c44", "_id" : ObjectId("4f2bc0d357a309043c6947a4") }
> db.auth("supper","sup")
1
> exit
bye
[mongodb@rac3 bin]$
```

Logging in the default way, that is, without authenticating, queries now report that the client is unauthorized:

```
[mongodb@rac3 bin]$ ./mongo 127.0.0.1:27000
MongoDB shell version: 2.0.1
connecting to: 127.0.0.1:27000/test
> db.system.users.find();
error: { "$err" : "unauthorized db:test lock type:-1 client:127.0.0.1", "code" : 10057 }
> show dbs
Fri Feb 3 19:12:30 uncaught exception: listDatabases failed:{ "errmsg" : "need to login", "ok" : 0 }
> exit
bye
```

With a user present in admin, logging in with credentials allows queries against the user's own database, and only that database; the other databases of the instance cannot be queried:

```
[mongodb@rac3 bin]$ ./mongo 127.0.0.1:27000 -uyql -pyql
MongoDB shell version: 2.0.1
connecting to: 127.0.0.1:27000/test
> db.system.users.find();
{ "_id" : ObjectId("4f2bbed556f179b1ccc295d1"), "user" : "yql", "readOnly" : false, "pwd" : "868ed7035435f33b60ebeba2f363ad91" }
> db.yql.find();
{ "_id" : ObjectId("4f2bb3662a801e73e6493f2a"), "id" : 2, "val" : "yangql is learing monogdb master slave!" }
# Querying the instance-level database list fails with the following error
> show dbs;
Fri Feb 3 19:15:56 uncaught exception: listDatabases failed:{ "errmsg" : "need to login", "ok" : 0 }
# Switch to db1
> use db1
switched to db db1
# The query fails: this user is not authorized here
> db.db1_test.find();
error: { "$err" : "unauthorized db:db1 lock type:-1 client:127.0.0.1", "code" : 10057 }
> use db2
switched to db db2
> db.db2_test.find()
error: { "$err" : "unauthorized db:db2 lock type:-1 client:127.0.0.1", "code" : 10057 }
> exit
bye
```

A db1 user can query db1's data but cannot read the data of other databases:

```
[mongodb@rac3 bin]$ ./mongo 127.0.0.1:27000/db1 -udb1 -pdb1
MongoDB shell version: 2.0.1
connecting to: 127.0.0.1:27000/db1
> db.db1_test.find()
{ "_id" : ObjectId("4f2bb3a42a801e73e6493f2b"), "id" : 1, "val" : "this data is in db1 !" }
{ "_id" : ObjectId("4f2bb3ae2a801e73e6493f2c"), "id" : 2, "val" : "this data is in db1 !" }
{ "_id" : ObjectId("4f2bb3b32a801e73e6493f2d"), "id" : 3, "val" : "this data is in db1 !" }
> db.system.users.find();
{ "_id" : ObjectId("4f2bc2d7b85653a70aa4fc50"), "user" : "db1", "readOnly" : false, "pwd" : "08a3bfa3cdef4464c4738a7180465adf" }
> db.auth("db1","db1")
1
> show dbs
Fri Feb 3 19:21:08 uncaught exception: listDatabases failed:{ "errmsg" : "need to login", "ok" : 0 }
> use db2
switched to db db2
> show collections
Fri Feb 3 19:21:24 uncaught exception: error: { "$err" : "unauthorized db:db2 lock type:-1 client:127.0.0.1", "code" : 10057 }
> use db1
switched to db db1
> show collections
db1_test
system.indexes
system.users
>
```

A user User1 of a specific database DB1 can access data created by other users of that database:

```
[mongodb@rac3 bin]$ ./mongo 127.0.0.1:27000/db2 -udb1 -pdb1
MongoDB shell version: 2.0.1
connecting to: 127.0.0.1:27000/db2
> db.user_db1.insert({id:1,val:"this data is created by db1 in db2!"});
> db.user_db1.insert({id:2,val:"this data is created by db1 in db2!"});
> exit
bye
[mongodb@rac3 bin]$ ./mongo 127.0.0.1:27000/db2 -udb2 -pdb2
MongoDB shell version: 2.0.1
connecting to: 127.0.0.1:27000/db2
> db.user_db1.find();
{ "_id" : ObjectId("4f2bd237c19753688c950aaf"), "id" : 1, "val" : "this data is created by db1 in db2!" }
{ "_id" : ObjectId("4f2bd23bc19753688c950ab0"), "id" : 2, "val" : "this data is created by db1 in db2!" }
>
```

Connecting with the admin user's credentials while the shell authenticates against the default test database fails, because the shell looks the user up in the database it connects to:

```
[mongodb@rac3 bin]$ ./mongo 127.0.0.1:27000 -usupper -psup
MongoDB shell version: 2.0.1
connecting to: 127.0.0.1:27000/test
Fri Feb 3 19:16:55 uncaught exception: login failed
exception: login failed
```

3. Logging in as supper allows queries and DML on every database in the instance:

```
[mongodb@rac3 bin]$ ./mongo 127.0.0.1:27000/admin -usupper -psup
MongoDB shell version: 2.0.1
connecting to: 127.0.0.1:27000/admin
> show dbs
admin 0.203125GB
db1 0.203125GB
db2 0.203125GB
local (empty)
test 0.203125GB
> use db1
switched to db db1
> db.db1_test.find()
{ "_id" : ObjectId("4f2bb3a42a801e73e6493f2b"), "id" : 1, "val" : "this data is in db1 !" }
{ "_id" : ObjectId("4f2bb3ae2a801e73e6493f2c"), "id" : 2, "val" : "this data is in db1 !" }
{ "_id" : ObjectId("4f2bb3b32a801e73e6493f2d"), "id" : 3, "val" : "this data is in db1 !" }
> use db2
switched to db db2
> db.db2_test.find()
{ "_id" : ObjectId("4f2bbcdf2a801e73e6493f31"), "id" : 1, "val" : "this data is in db2!" }
{ "_id" : ObjectId("4f2bbce52a801e73e6493f32"), "id" : 2, "val" : "this data is in db2!" }
{ "_id" : ObjectId("4f2bbce92a801e73e6493f33"), "id" : 3, "val" : "this data is in db2!" }
> use test
switched to db test
> db.system.users.find();
{ "_id" : ObjectId("4f2bbed556f179b1ccc295d1"), "user" : "yql", "readOnly" : false, "pwd" : "868ed7035435f33b60ebeba2f363ad91" }
> db.yql.find();
{ "_id" : ObjectId("4f2bb3662a801e73e6493f2a"), "id" : 2, "val" : "yangql is learing monogdb master slave!" }
> db.yql.remove();    ### delete the data ###
> db.yql.find();
> use db1
switched to db db1
> db.addUser("db1", "db1")
{ "n" : 0, "connectionId" : 9, "err" : null, "ok" : 1 }
{ "user" : "db1", "readOnly" : false, "pwd" : "08a3bfa3cdef4464c4738a7180465adf", "_id" : ObjectId("4f2bc2d7b85653a70aa4fc50") }
> exit
bye
```

4. Users in different databases may share a name, but a same-named user still cannot log into another database. For example, if DB1 and DB2 both have a user1, logging in to DB1 as user1 does not allow operating on DB2.

Create the same user in different databases and test it. Scenario: create the user db1 with password db1 in the test and db2 databases.

```
[mongodb@rac3 bin]$ ./mongo 127.0.0.1:27000/admin -usupper -ppwd2
MongoDB shell version: 2.0.1
connecting to: 127.0.0.1:27000/admin
> use db2
switched to db db2
> db.addUser("db1", "db1")
{ "n" : 0, "connectionId" : 17, "err" : null, "ok" : 1 }
{ "user" : "db1", "readOnly" : false, "pwd" : "08a3bfa3cdef4464c4738a7180465adf", "_id" : ObjectId("4f2bccb3e39cb674302ce2dd") }
> exit
bye
[mongodb@rac3 bin]$ ./mongo 127.0.0.1:27000 -uyql -ppwd1
MongoDB shell version: 2.0.1
connecting to: 127.0.0.1:27000/test
> db.addUser("db1", "db1")
{ "n" : 0, "connectionId" : 19, "err" : null, "ok" : 1 }
{ "user" : "db1", "readOnly" : false, "pwd" : "08a3bfa3cdef4464c4738a7180465adf", "_id" : ObjectId("4f2bcce9b5accbdac9e71a93") }
> exit
bye
[mongodb@rac3 bin]$
```

Log in to db2 as user db1, then switch to db1 and try a query; the error reports that the user is unauthorized:

```
[mongodb@rac3 bin]$ ./mongo 127.0.0.1:27000/db2 -udb1 -pdb1
MongoDB shell version: 2.0.1
connecting to: 127.0.0.1:27000/db2
> use db1
switched to db db1
> db.db1_test.find();
error: { "$err" : "unauthorized db:db1 lock type:-1 client:127.0.0.1", "code" : 10057 }
>
```

A user belonging to a given database can only operate on that database and not on any other, which includes both querying and creating other databases:

```
[mongodb@rac3 bin]$ ./mongo 127.0.0.1:27000/db1 -udb1 -pdb1
MongoDB shell version: 2.0.1
connecting to: 127.0.0.1:27000/db1
> use db3
switched to db db3
> db.db3_test.insert({id:1,val:"this data is in db3!"});
unauthorized
> db.db3_test.insert({id:2,val:"this data is in db3!"});
unauthorized
> db.db3_test.find();
error: { "$err" : "unauthorized db:db3 lock type:-1 client:127.0.0.1", "code" : 10057 }
> exit
bye
```

db.auth() verifies a user of the database and returns 1 on success, 0 otherwise. db.auth() can only verify users that belong to the database the client is logged into; it cannot verify users of other databases, because those databases cannot be accessed (a somewhat simplistic explanation).

```
[mongodb@rac3 bin]$ ./mongo 127.0.0.1:27000/db1 -udb1 -pdb1
MongoDB shell version: 2.0.1
connecting to: 127.0.0.1:27000/db1
> db.auth("yql","pwd")
0
> db.auth("db1","db1")
1
> exit
bye
```