On this page本页内容
This tutorial provides examples for user and role management under the MongoDB’s authorization model.本教程提供了MongoDB授权模型下的用户和角色管理示例。Add Users describes how to add a new user to MongoDB.添加用户描述如何向MongoDB添加新用户。
Important
If you have enabled access control for your deployment, you must authenticate as a user with the required privileges specified in each section.如果已为部署启用访问控制,则必须以具有每个节中指定的所需权限的用户身份进行身份验证。A user administrator with the 具有userAdminAnyDatabase role, or userAdmin role in the specific databases, provides the required privileges to perform the operations listed in this tutorial.userAdminAnyDatabase角色或特定数据库中的userAdmin角色的用户管理员提供执行本教程中列出的操作所需的权限。See Enable Access Control for details on adding user administrator as the first user.有关将用户管理员添加为第一个用户的详细信息,请参阅启用访问控制。
Roles grant users access to MongoDB resources.角色授予用户访问MongoDB资源的权限。MongoDB provides a number of built-in roles that administrators can use to control access to a MongoDB system.MongoDB提供了许多内置角色,管理员可以使用这些角色来控制对MongoDB系统的访问。However, if these roles cannot describe the desired set of privileges, you can create new roles in a particular database.但是,如果这些角色无法描述所需的权限集,则可以在特定数据库中创建新角色。
Except for roles created in the 除了在admin database, a role can only include privileges that apply to its database and can only inherit from other roles in its database.admin数据库中创建的角色外,角色只能包含应用于其数据库的权限,并且只能从其数据库中的其他角色继承。
A role created in the 在admin database can include privileges that apply to the admin database, other databases or to the cluster resource, and can inherit from roles in other databases as well as the admin database.admin数据库中创建的角色可以包括应用于admin数据库、其他数据库或群集资源的权限,并且可以从其他数据库以及管理数据库中的角色继承。
To create a new role, use the 要创建新角色,请使用db.createRole() method, specifying the privileges in the privileges array and the inherited roles in the roles array.db.createRole()方法,指定privileges数组中的权限和roles数组中继承的角色。
MongoDB uses the combination of the database name and the role name to uniquely define a role.MongoDB使用数据库名称和角色名称的组合来唯一地定义角色。Each role is scoped to the database in which you create the role, but MongoDB stores all role information in the 每个角色的作用域都是您在其中创建角色的数据库,但是MongoDB将所有角色信息存储在admin.system.roles collection in the admin database.admin数据库中的admin.system.roles集合中。
To create a role in a database, you must have:要在数据库中创建角色,必须具有:
createRole action on that database resource.createRole操作。grantRole action on that database to specify privileges for the new role as well as to specify roles to inherit from.grantRole操作,以指定新角色的权限以及要从中继承的角色。Built-in roles 内置角色userAdmin and userAdminAnyDatabase provide createRole and grantRole actions on their respective resources.userAdmin和userAdminAnyDatabase在各自的资源上提供createRole和grantRole操作。
To create a role with 若要创建指定了authenticationRestrictions specified, you must have the setAuthenticationRestriction action on the database resource which the role is created.authenticationRestrictions的角色,必须对创建该角色的数据库资源执行SetAuthenticationRestrictions操作。
The following example creates a role named 下面的示例创建了一个名为manageOpRole which provides only the privileges to run both db.currentOp() and db.killOp().manageOpRole的角色,该角色只提供运行db.currentOp()和db.killOp()这两个角色的权限。[1]
Note
Changed in version 3.2.9:在版本3.2.9中更改:On 在mongod instances, users do not need any specific privileges to view or kill their own operations.mongod实例上,用户不需要任何特定的权限来查看或终止自己的操作。See 有关详细内容,请参阅db.currentOp() and db.killOp() for details.db.currentOp()和db.killOp()。
Connect to 使用先决条件部分中指定的权限连接到mongod or mongos with the privileges specified in the Prerequisites section.mongod或mongos。
The following procedure uses the 下面的过程使用在启用访问控制中创建的myUserAdmin created in Enable Access Control.myUserAdmin。
The myUserAdmin has privileges to create roles in the admin as well as other databases.myUserAdmin拥有在admin数据库和其他数据库中创建角色的权限。
manageOpRole has privileges that act on multiple databases as well as the cluster resource.manageOpRole具有作用于多个数据库和群集资源的权限。As such, you must create the role in the 因此,必须在admin database.admin数据库中创建角色。
The new role grants permissions to kill any operations.新角色授予终止任何操作的权限。
Warning
Terminate running operations with extreme caution.终止运行操作时要格外小心。Only use the 只使用db.killOp() method or killOp command to terminate operations initiated by clients and do not terminate internal database operations.db.killOp()方法或killOp命令终止客户端启动的操作,但不终止内部数据库操作。
| [1] | clusterMonitor also provides the privilege to run db.currentOp() along with other privileges, and the built-in role hostManager provides the privilege to run db.killOp() along with other privileges.clusterMonitor还提供运行db.currentOp()的权限以及其他权限,并且内置角色hostManager提供运行db.killOp()的权限以及其他权限。 |
mongostat¶The following example creates a role named 下面的示例创建了一个名为mongostatRole that provides only the privileges to run mongostat.mongostatRole的角色,该角色只提供运行mongostat的权限。[2]
Connect to 使用先决条件部分中指定的权限连接到mongod or mongos with the privileges specified in the Prerequisites section.mongod或mongos。
The following procedure uses the 下面的过程使用在启用访问控制中创建的myUserAdmin created in Enable Access Control.myUserAdmin。
The myUserAdmin has privileges to create roles in the admin as well as other databases.myUserAdmin拥有在admin数据库和其他数据库中创建角色的权限。
mongostatRole has privileges that act on the cluster resource.mongostatRole具有作用于群集资源的权限。As such, you must create the role in the 因此,必须在admin database.admin数据库中创建角色。
| [2] | clusterMonitor also provides the privilege to run mongostat along with other privileges.clusterMonitor还提供运行mongostat的权限和其他权限。 |
system.views Collection across Databasessystem.views集合¶The following example creates a role named 下面的示例创建一个名为dropSystemViewsAnyDatabase that provides the privileges to drop the system.views collection in any database.dropSystemViewsAnyDatabase的角色,该角色提供删除任何数据库中的system.views集合。
Connect to 使用先决条件部分中指定的权限连接到mongod or mongos with the privileges specified in the Prerequisites section.mongod或mongos。
The following procedure uses the 下面的过程使用在启用访问控制中创建的myUserAdmin created in Enable Access Control.myUserAdmin。
The myUserAdmin has privileges to create roles in the admin as well as other databases.myUserAdmin拥有在admin数据库和其他数据库中创建角色的权限。
system.views collection in any database.system.views集合¶For the role, specify a privilege that consists of:对于角色,请指定一个特权,该特权包括:
actions array that contains the dropCollection action, anddropCollection操作的actions数组,以及"") for the database and the string "system.views" for the collection.""),为集合指定了字符串"system.views"。grantRole action on a database to grant a role on that database.grantRole操作才能授予该数据库上的角色。revokeRole action on a database to revoke a role on that database.revokeRole操作才能吊销该数据库上的角色。viewRole action on the role’s database.viewRole操作。Connect to 以用户身份连接到mongod or mongos as a user with the privileges specified in the prerequisite section.mongod或mongos,并具有先决条件部分中指定的权限。
The following procedure uses the 下面的过程使用在启用访问控制中创建的myUserAdmin created in Enable Access Control.myUserAdmin。
To display the roles and privileges of the user to be modified, use the 要显示要修改的用户的角色和权限,请使用db.getUser() and db.getRole() methods.db.getUser()方法和db.gerRole()方法。
For example, to view roles for 例如,要查看在示例中创建的reportsUser created in Examples, issue:reportsUser的角色,请发出:
To display the privileges granted to the user by the 要在readWrite role on the "accounts" database, issue:accounts数据库上显示readWrite角色授予用户的权限,请发出:
If the user requires additional privileges, grant to the user the role, or roles, with the required set of privileges.如果用户需要其他权限,请向用户授予一个或多个具有所需权限集的角色。If such a role does not exist, create a new role with the appropriate set of privileges.如果这样的角色不存在,请创建一个具有适当权限集的新角色。
To revoke a subset of privileges provided by an existing role: revoke the original role and grant a role that contains only the required privileges.要撤消现有角色提供的权限子集:撤消原始角色并授予仅包含所需权限的角色。You may need to create a new role if a role does not exist.如果角色不存在,则可能需要创建新角色。
Revoke a role with the 利用db.revokeRolesFromUser() method.db.revokeRolesFromUser()方法撤销角色。The following example operation removes the 以下示例操作从readWrite role on the accounts database from the reportsUser:reportsUser中删除accounts数据库上的readWrite角色:
Grant a role using the 利用db.grantRolesToUser() method.db.grantRolesToUser()方法授予角色。For example, the following operation grants the 例如,以下操作授予reportsUser user the read role on the accounts database:reportsUser用户accounts数据库上的read角色:
For sharded clusters, the changes to the user are instant on the 对于分片集群,对用户的更改在运行命令的mongos on which the command runs.mongos上是即时的。However, for other 但是,对于集群中的其他 mongos实例,用户缓存可能要等待10分钟才能刷新。mongos instances in the cluster, the user cache may wait up to 10 minutes to refresh.See 请参阅userCacheInvalidationIntervalSecs.userCacheInvalidationIntervalSecs。
To modify the password of another user on a database, you must have the 要修改数据库中其他用户的密码,必须对该数据库执行changeAnyPassword action on that database.changeAnyPassword操作。
Connect to the 使用先决条件部分中指定的权限连接到mongod or mongos with the privileges specified in the Prerequisites section.mongod或mongos。
The following procedure uses the 下面的过程使用在启用访问控制中创建的myUserAdmin created in Enable Access Control.myUserAdmin。
Pass the user’s username and the new password to the 将用户的用户名和新密码传递给db.changeUserPassword() method.db.changeUserPassword()方法。
The following operation changes the 以下操作将reporting user’s password to SOh3TbYhxuLiW8ypJPxmt1oOfL:reporting用户的密码更改为SOh3TbYhxuLiW8ypJPxmt1oOfL:
See also另请参阅
To view another user’s information, you must have the 要查看其他用户的信息,必须对其他用户的数据库执行viewUser action on the other user’s database.viewUser操作。
Users can view their own information.用户可以查看自己的信息。
Connect to 以用户身份连接到mongod or mongos as a user with the privileges specified in the prerequisite section.mongod或mongos,并具有先决条件部分中指定的权限。
The following procedure uses the 下面的过程使用在启用访问控制中创建的myUserAdmin created in Enable Access Control.myUserAdmin。
Use the 使用usersInfo command or db.getUser() method to display user information.usersInfo命令或db.getUser()方法来显示用户信息。
For example, to view roles for 例如,要查看在示例中创建的reportsUser created in Examples, issue:reportsUser的角色,请发出:
In the returned document, the 在返回的文档中,roles field displays all roles for reportsUser:roles字段显示reportsUser的所有角色:
To view a role’s information, you must be either explicitly granted the role or must have the 要查看角色的信息,必须显式授予该角色,或者必须对该角色的数据库执行viewRole action on the role’s database.viewRole操作。
Connect to 以用户身份连接到mongod or mongos as a user with the privileges specified in the prerequisite section.mongod或mongos,并具有先决条件部分中指定的权限。
The following procedure uses the 下面的过程使用在启用访问控制中创建的myUserAdmin created in Enable Access Control.myUserAdmin。
For a given role, use the 对于给定的角色,请使用db.getRole() method, or the rolesInfo command, with the showPrivileges option:db.getRole()方法或rolesInfo命令,具有showPrivileges选项:
For example, to view the privileges granted by 例如,要查看read role on the products database, use the following operation, issue:read角色在products数据库上授予的权限,请使用以下操作,发出:
In the returned document, the 在返回的文档中,privileges and inheritedPrivileges arrays.privileges数组和inheritedPrivileges数组。The privileges lists the privileges directly specified by the role and excludes those privileges inherited from other roles.privileges列出由角色直接指定的特权,并排除从其他角色继承的特权。The inheritedPrivileges lists all privileges granted by this role, both directly specified and inherited.inheritedPrivileges列出此角色授予的所有特权,包括直接指定的和继承的。If the role does not inherit from other roles, the two fields are the same.如果角色没有从其他角色继承,则这两个字段是相同的。