内置角色只能控制User在DB级别上执行的操作,管理员可以创建自定义角色,控制用户在集合级别(Collection-Level)上执行的操作,即,控制User在当前DB的特定集合上执行特定的操作。
在创建角色时,必须明确Role的四个特性:
Scope:角色作用的范围,创建在Admin中的角色,能够在其他DB中使用;在其他DB中创建的角色,只能在当前DB中使用;
Resource:角色控制的资源,表示授予在该资源上执行特定操作的权限;
Privilege Actions:定义了User能够在资源上执行的操作,系统定义Action是:;
Inherit:角色能够继承其他角色权限
2.1 角色作用的范围(Scope)
在admin 数据库中创建的角色,Scope是全局的,能够在admin,其他DB和集群中使用,并且能够继承其他DB的Role;而在非admin中创建的角色,Scope是当前数据库,只能在当前DB中使用,只能继承当前数据库的角色。
A role created in the admin database can include privileges that apply to the admin database, other databases or to the cluster resource, and can inherit from roles in other databases as well as the admin database. Except for roles created in the admin database, a role can only include privileges that apply to its database and can only inherit from other roles in its database.
2.2 权限的操作(Privilege actions)
MongoDB的权限包由:资源(Resource)和操作(Action)两部分组成,Privilege Actions 定义User能够在资源上执行的操作,例如:MongoDB在文档级别(Document-Level)上执行的读写操作(Query and Write Actions)列表是:
find
insert
remove
update
3,创建角色
使用db.CreateRole()在当前DB中创建角色,创建的语法示例如下:
use admin db.createRole( { role: "new_role", privileges: [ { resource: { cluster: true }, actions: [ "addShard" ] }, { resource: { db: "config", collection: "" }, actions: [ "find", "update", "insert", "remove" ] }, { resource: { db: "users", collection: "usersCollection" }, actions: [ "update", "insert", "remove" ] }, { resource: { db: "", collection: "" }, actions: [ "find" ] } ], roles: [ { role: "read", db: "admin" } ] }, { w: "majority" , wtimeout: 5000 } )
在roles数组中,指定被继承的role,即,新建的new_role从roles数组中继承权限:
如果被继承的role在当前DB中,定义的格式是:roles:["role"];
如果被继承的role不在当前DB中,需要使用doc,指定该role所在的DB,定义的格式是:roles:[{role:"role_name", db:"db_name"}];
4,自定义角色管理函数
db.createRole() :Creates a role and specifies its privileges.
db.updateRole() :Updates a user-defined role.
db.dropRole() :Deletes a user-defined role.
db.dropAllRoles() :Deletes all user-defined roles associated with a database.
db.grantPrivilegesToRole() :Assigns privileges to a user-defined role.
db.revokePrivilegesFromRole() :Removes the specified privileges from a user-defined role.
db.grantRolesToRole() :Specifies roles from which a user-defined role inherits privileges.
db.revokeRolesFromRole() :Removes inherited roles from a role.
db.getRole() :Returns information for the specified role.
db.getRoles() :Returns information for all the user-defined roles in a database.
三,管理用户和权限
1,创建用户
use db_name
db.createUser(
{
user: "user_name",
pwd: "user_pwd",
roles: [ { role: "clusterAdmin", db: "admin" },
{ role: "readAnyDatabase", db: "admin" },
"readWrite"
]
}
)
为新建的User,授予一个或多个角色,通过roles数组来实现:
如果role存在于当前DB中,roles的格式:roles:["role"];
如果role不存在于当前DB中,roles的格式:roles:[Role:"role_name", db:"db_name"];
2,权限认证(Authenticate)
mongo连接到mongod,有两种权限认证的方式:
在连接时认证用户访问的权限,mongo 使用参数 --authenticationDatabase <dbname> 指定认证数据库;