Enable Access Control

Overview

Enabling access control on a MongoDB deployment enforces authentication, requiring users to identify themselves. When accessing a MongoDB deployment that has access control enabled, users can only perform actions as determined by their roles. Without access control, any client that can reach the mongod port can read and modify every database.

The following tutorial enables access control on a standalone mongod instance and uses the default authentication mechanism. For all supported authentication mechanisms, see Authentication Mechanisms.

User Administrator

With access control enabled, ensure you have a user with the userAdmin or userAdminAnyDatabase role in the admin database. This user can administer users and roles: create users, grant or revoke roles, and create or modify custom roles. Create this user first, because once access control is enforced every other user has to be created by it.

Procedure

The following procedure first adds a user administrator to a MongoDB instance running without access control and then enables access control.

Note

The example MongoDB instance uses port 27017 and the data directory /var/lib/mongodb, which the example assumes already exists. Specify a different data directory as appropriate.

1

Start MongoDB without access control.

Start a standalone mongod instance without access control. Nothing enforces authentication at this point, so do this only where the port is not reachable by untrusted clients (for example, bound to localhost).

For example, open a terminal and issue the following:

mongod --port 27017 --dbpath /var/lib/mongodb
2

Connect to the instance.

For example, open a new terminal and connect a mongo shell to the instance:

mongo --port 27017

Specify additional command line options as appropriate to connect the mongo shell to your deployment, such as --host.

3

Create the user administrator.

From the mongo shell, add a user with the userAdminAnyDatabase role in the admin database. Include additional roles as needed for this user. For example, the following creates the user myUserAdmin in the admin database with the userAdminAnyDatabase role and the readWriteAnyDatabase role. Note that readWriteAnyDatabase lets this account read and write every database, which is far more than user administration requires; if the account only needs to manage users, omit it and keep the administrator limited to userAdminAnyDatabase.

Tip

Starting in version 4.2 of the mongo shell, you can use the passwordPrompt() method in conjunction with various user authentication/management methods/commands to prompt for the password instead of specifying the password directly in the method/command call. However, you can still specify the password directly as you would with earlier versions of the mongo shell. Prompting keeps the password out of the shell's command history.

use admin
db.createUser(
  {
    user: "myUserAdmin",
    pwd: passwordPrompt(), // or cleartext password
    roles: [ { role: "userAdminAnyDatabase", db: "admin" }, "readWriteAnyDatabase" ]
  }
)

Note

The database where you create the user (in this example, admin) is the user's authentication database. Although the user would authenticate to this database, the user can have roles in other databases; i.e. the user's authentication database does not limit the user's privileges.

4

Re-start the MongoDB instance with access control.

  1. Shut down the mongod instance. For example, from the mongo shell, issue the following command:

    db.adminCommand( { shutdown: 1 } )
  2. Exit the mongo shell.
  3. Start the mongod with access control enabled, either with the --auth command line option or, if you use a configuration file, with security.authorization set to enabled.

Clients that connect to this instance must now authenticate themselves as a MongoDB user. Clients can only perform actions as determined by their assigned roles.

5

Connect and authenticate as the user administrator.

Using the mongo shell, you can:

  • Connect with authentication by passing in user credentials, or
  • Connect first without authentication, and then issue the db.auth() method to authenticate.

To connect with authentication, start a mongo shell with the -u <username>, -p, and the --authenticationDatabase <database> command line options:

mongo --port 27017  --authenticationDatabase "admin" -u "myUserAdmin" -p

Enter your password when prompted. Leave -p without a value so the shell prompts; a password given on the command line is visible in the process list and the terminal history.

To connect first and authenticate afterwards, connect the mongo shell to the mongod:

mongo --port 27017

In the mongo shell, switch to the authentication database (in this case, admin), and use the db.auth(<username>, <pwd>) method to authenticate:

Tip

As in step 3, passwordPrompt() (mongo shell 4.2 and later) prompts for the password instead of embedding it in the db.auth() call; you can still pass the password directly as with earlier versions of the mongo shell.

use admin
db.auth("myUserAdmin", passwordPrompt()) // or cleartext password

Enter the password when prompted.

6

Create additional users as needed for your deployment.

Once authenticated as the user administrator, use db.createUser() to create additional users. You can assign any built-in roles or user-defined roles to the users. Grant each user only the roles its workload actually needs.

The following operation adds a user myTester to the test database who has the readWrite role in the test database as well as the read role in the reporting database.

Tip

As in step 3, passwordPrompt() (mongo shell 4.2 and later) prompts for the password instead of embedding it in the db.createUser() call; you can still pass the password directly as with earlier versions of the mongo shell.

use test
db.createUser(
  {
    user: "myTester",
    pwd:  passwordPrompt(),   // or cleartext password
    roles: [ { role: "readWrite", db: "test" },
             { role: "read", db: "reporting" } ]
  }
)

Note

The database where you create the user (in this example, test) is that user's authentication database. Although the user would authenticate to this database, the user can have roles in other databases; i.e. the user's authentication database does not limit the user's privileges.

After creating the additional users, disconnect the mongo shell.

7

Connect to the instance and authenticate as myTester.

After disconnecting the mongo shell as myUserAdmin, reconnect as myTester. You can:

  • Connect with authentication by passing in user credentials, or
  • Connect first without authentication, and then issue the db.auth() method to authenticate.

To connect with authentication, start a mongo shell with the -u <username>, -p, and the --authenticationDatabase <database> command line options:

mongo --port 27017 -u "myTester" --authenticationDatabase "test" -p

Enter the password for the user when prompted.

To connect first and authenticate afterwards, connect the mongo shell to the mongod:

mongo --port 27017

In the mongo shell, switch to the authentication database (in this case, test), and use the db.auth(<username>, <pwd>) method to authenticate:

Tip

As in step 3, passwordPrompt() (mongo shell 4.2 and later) prompts for the password instead of embedding it in the db.auth() call; you can still pass the password directly as with earlier versions of the mongo shell.

use test
db.auth("myTester", passwordPrompt())  // or cleartext password

Enter the password for the user when prompted.

8

Insert a document as myTester.

As myTester, you have privileges to perform read and write operations in the test database (as well as perform read operations in the reporting database). Once authenticated as myTester, insert a document into a collection in the test database. For example, you can perform the following insert operation in the test database. The same insert against the reporting database, where myTester only has read, is rejected with an Unauthorized (code 13) error; trying it is a quick check that the roles are enforced.

db.foo.insert( { x: 1, y: 1 } )

Additional Considerations

Replica Sets and Sharded Clusters

Replica sets and sharded clusters require internal authentication between members when access control is enabled. For more details, please see Internal/Membership Authentication. Enabling internal authentication (for example with a keyfile) also enforces user access control; the two are not configured independently.

Localhost Exception

You can create users either before or after enabling access control. If you enable access control before creating any user, MongoDB provides a localhost exception which allows you to create a user administrator in the admin database. The exception applies only to connections from localhost and only while the instance has no users at all; it closes as soon as the first user exists. Create the user administrator right away, then authenticate as that user to create additional users as needed.
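As an added example (not part of the MongoDB documentation), the following shell script automates the eight-step procedure above and then checks that access control is actually enforced. It writes a mongod configuration with security.authorization enabled, creates myUserAdmin (deliberately with userAdminAnyDatabase only, without readWriteAnyDatabase) and myTester, and runs three insert probes against the running instance: an anonymous write, a write by myTester to test, and a write by myTester to reporting. Only the second must succeed; the other two must fail with code 13 (Unauthorized). The same create_user_admin function also serves the localhost-exception ordering described above: started against a mongod that already enforces authentication, it succeeds over localhost as long as no user exists yet. The config path /tmp/mongod-auth.conf, the MONGO_ADMIN_PASS and MONGO_TESTER_PASS environment variables, and the `live` argument that gates everything needing a running mongod are this example's own conventions, not MongoDB's.

```shell
#!/bin/sh
# Added example, not from the MongoDB docs. Run `sh enable_auth.sh live`
# against a mongod started without --auth (step 1). Without the "live"
# argument only the offline helpers are defined, nothing is started.
set -eu

PORT=${PORT:-27017}
DBPATH=${DBPATH:-/var/lib/mongodb}
CONF=${CONF:-/tmp/mongod-auth.conf}   # assumed path; choose your own

# Write a mongod config that enforces authentication (security.authorization:
# enabled is the config-file form of --auth) and listens on localhost only.
write_mongod_conf() {  # write_mongod_conf <file> <dbpath> <port>
  cat > "$1" <<EOF
storage:
  dbPath: $2
net:
  port: $3
  bindIp: 127.0.0.1
security:
  authorization: enabled
EOF
}

# Exit status 0 if the config file turns access control on, 1 otherwise.
conf_auth_enabled() {  # conf_auth_enabled <file>
  grep -Eq '^[[:space:]]*authorization:[[:space:]]*enabled[[:space:]]*$' "$1"
}

# Run JavaScript read from stdin in a mongo shell. Credentials stay inside the
# script text, never in argv, so they do not appear in `ps` output.
mongo_js() {
  mongo --quiet --port "$PORT"
}

# Step 3: create the user administrator. Works before access control is
# enabled, or via the localhost exception right after it is enabled. Passwords
# are spliced into JS string literals, so they must not contain " or \ here.
create_user_admin() {
  mongo_js <<EOF
db.getSiblingDB("admin").createUser({
  user: "myUserAdmin",
  pwd: "${MONGO_ADMIN_PASS:?set MONGO_ADMIN_PASS}",
  roles: [ { role: "userAdminAnyDatabase", db: "admin" } ]
});
EOF
}

# Step 6: as myUserAdmin, create the least-privilege application user.
create_tester() {
  mongo_js <<EOF
db.getSiblingDB("admin").auth("myUserAdmin", "${MONGO_ADMIN_PASS:?}");
db.getSiblingDB("test").createUser({
  user: "myTester",
  pwd: "${MONGO_TESTER_PASS:?set MONGO_TESTER_PASS}",
  roles: [ { role: "readWrite", db: "test" }, { role: "read", db: "reporting" } ]
});
EOF
}

# Probe: try an insert into <db>.probe as <user> (empty user = anonymous).
# runCommand returns the raw result instead of throwing, so the output is
# "OK" on success or "DENIED <code>" (13 = Unauthorized) on refusal.
probe_insert() {  # probe_insert <db> <authdb> <user> <password>
  mongo_js <<EOF
if ("$3" !== "") db.getSiblingDB("$2").auth("$3", "$4");
var r = db.getSiblingDB("$1").runCommand({ insert: "probe", documents: [ { x: 1 } ] });
print(r.ok === 1 ? "OK" : "DENIED " + r.code);
EOF
}

# Steps 7-8, plus the negative checks the tutorial only describes.
verify_enforcement() {
  [ "$(probe_insert test '' '' '')" = "DENIED 13" ] || { echo "anonymous write allowed!"; return 1; }
  [ "$(probe_insert test test myTester "$MONGO_TESTER_PASS")" = "OK" ] || { echo "myTester cannot write test"; return 1; }
  [ "$(probe_insert reporting test myTester "$MONGO_TESTER_PASS")" = "DENIED 13" ] || { echo "myTester can write reporting!"; return 1; }
  echo "access control enforced as expected"
}

if [ "${1:-}" = "live" ]; then
  create_user_admin
  mongo_js <<EOF
db.adminCommand({ shutdown: 1 }); // step 4; allowed only because auth is not enforced yet
EOF
  write_mongod_conf "$CONF" "$DBPATH" "$PORT"
  mongod --config "$CONF" --fork --logpath "$DBPATH/mongod.log"
  sleep 2
  create_tester
  verify_enforcement
fi
```

The probes use the insert command through runCommand rather than db.collection.insert() so that a refusal comes back as a result document with code 13 instead of a thrown error, which makes the pass/fail check a plain string comparison. If the first probe prints OK, the instance was restarted without the generated configuration and is still wide open.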