Manage Users and Roles on Self-Managed Deployments
This tutorial provides examples for user and role management under MongoDB's authorization model for self-managed deployments. To create a new user, see Create a User on Self-Managed Deployments.
Prerequisites
If you have enabled access control for your deployment, you must authenticate as a user with the required privileges specified in each section. To perform the operations listed in this tutorial, user administrators require the userAdminAnyDatabase role, or the userAdmin role in the specific databases. For details on adding a user administrator as the first user, see Enable Access Control on Self-Managed Deployments.
Create a User-Defined Role
Note
To create user-defined roles in MongoDB Atlas, see Add Custom Roles in the MongoDB Atlas documentation.
Roles grant users access to MongoDB resources. MongoDB provides a number of built-in roles that administrators can use to control access to a MongoDB system. However, if these roles cannot describe the desired set of privileges, you can create new roles in a particular database.
Except for roles created in the admin database, a role can only include privileges that apply to its database and can only inherit from other roles in its database.
A role created in the admin database can include privileges that apply to the admin database, other databases, or the cluster resource, and can inherit from roles in other databases as well as the admin database.
To create a new role, use the db.createRole() method, specifying the privileges in the privileges array and the inherited roles in the roles array.
MongoDB uses the combination of the database name and the role name to uniquely define a role. Each role is scoped to the database in which you create the role, but MongoDB stores all role information in the admin.system.roles collection in the admin database.
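The scoping rule above can be checked before a role document is ever sent to db.createRole(). The following JavaScript is an added example, not code from the MongoDB documentation; checkRoleScope and reportsReader are names assumed here, while manageOpRole is the role definition used later on this page.

```javascript
// Added example (not MongoDB's own code): pre-flight check of a role document against the
// scoping rule above before it is passed to db.createRole(). Returns a list of problems;
// an empty list means the role can legally be created in roleDb.
const ADMIN_DB = "admin";

function checkRoleScope(roleDb, roleDoc) {
  const problems = [];
  // Roles in admin may target any database or the cluster and inherit from any database.
  if (roleDb === ADMIN_DB) return problems;
  for (const priv of roleDoc.privileges || []) {
    const res = priv.resource || {};
    if (res.cluster === true) {
      problems.push(`privilege on the cluster resource needs a role in ${ADMIN_DB}`);
    } else if (res.db === "") {
      problems.push(`privilege across all databases (db: "") needs a role in ${ADMIN_DB}`);
    } else if (res.db !== roleDb) {
      problems.push(`privilege on database "${res.db}" cannot come from a role in "${roleDb}"`);
    }
  }
  for (const inherited of roleDoc.roles || []) {
    // A bare string names a role in the same database; otherwise { role, db } is explicit.
    const db = typeof inherited === "string" ? roleDb : inherited.db;
    if (db !== roleDb) {
      problems.push(`cannot inherit "${inherited.role}" from database "${db}" outside ${ADMIN_DB}`);
    }
  }
  return problems;
}

// manageOpRole as defined later on this page: cluster actions plus killCursors everywhere.
const manageOpRole = {
  role: "manageOpRole",
  privileges: [
    { resource: { cluster: true }, actions: ["killop", "inprog"] },
    { resource: { db: "", collection: "" }, actions: ["killCursors"] },
  ],
  roles: [],
};

// A constructed single-database role that stays inside its own database.
const reportsReader = {
  role: "reportsReader",
  privileges: [{ resource: { db: "reporting", collection: "" }, actions: ["find"] }],
  roles: [{ role: "read", db: "reporting" }],
};

console.log(checkRoleScope("reporting", manageOpRole)); // two problems: create it in admin
console.log(checkRoleScope("admin", manageOpRole));     // []
console.log(checkRoleScope("reporting", reportsReader)); // []
```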
Prerequisites
To create a role in a database, you must:
Have the createRole action on that database resource.
The built-in roles userAdmin and userAdminAnyDatabase provide the createRole and grantRole actions on their respective resources.
To create a role with authenticationRestrictions specified, you must have the setAuthenticationRestriction action on the database resource in which the role is created.
To add custom user-defined roles with mongosh, see the following examples:
Create a Role to Manage Current Operations
The following example creates a role named manageOpRole which provides only the privileges to run both db.currentOp() and db.killOp(). [1]
Note
Users do not need any specific privileges to view or kill their own operations on mongod instances. See db.currentOp() and db.killOp() for details.
Connect to MongoDB with the appropriate privileges.
Connect to mongod or mongos with the privileges specified in the Prerequisites section. The following procedure uses the myUserAdmin created in Enable Access Control on Self-Managed Deployments.
mongosh --port 27017 -u myUserAdmin -p 'abc123' --authenticationDatabase 'admin'
The myUserAdmin user has privileges to create roles in the admin database as well as other databases.
Create a new role to manage current operations.
manageOpRole has privileges that act on multiple databases as well as the cluster resource. As such, you must create the role in the admin database.
use admin
db.createRole(
   {
     role: "manageOpRole",
     privileges: [
       { resource: { cluster: true }, actions: [ "killop", "inprog" ] },
       { resource: { db: "", collection: "" }, actions: [ "killCursors" ] }
     ],
     roles: []
   }
)
The new role grants permissions to kill any operations.
Warning
Terminate running operations with extreme caution. Only use the db.killOp() method or killOp command to terminate operations initiated by clients and do not terminate internal database operations.
[1] The built-in role clusterMonitor also provides the privilege to run db.currentOp() along with other privileges, and the built-in role hostManager provides the privilege to run db.killOp() along with other privileges.
Create a Role to Run mongostat
The following example creates a role named mongostatRole that provides only the privileges to run mongostat. [2]
Connect to MongoDB with the appropriate privileges.
Connect to mongod or mongos with the privileges specified in the Prerequisites section. The following procedure uses the myUserAdmin created in Enable Access Control on Self-Managed Deployments.
mongosh --port 27017 -u myUserAdmin -p 'abc123' --authenticationDatabase 'admin'
The myUserAdmin user has privileges to create roles in the admin database as well as other databases.
Create a new role to run mongostat.
mongostatRole has privileges that act on the cluster resource. As such, you must create the role in the admin database.
use admin
db.createRole(
   {
     role: "mongostatRole",
     privileges: [
       { resource: { cluster: true }, actions: [ "serverStatus" ] }
     ],
     roles: []
   }
)
[2] The built-in role clusterMonitor also provides the privilege to run mongostat along with other privileges.
Create a Role to Drop system.views Collection across Databases
The following example creates a role named dropSystemViewsAnyDatabase that provides the privileges to drop the system.views collection in any database.
Connect to MongoDB with the appropriate privileges.
Connect to mongod or mongos with the privileges specified in the Prerequisites section. The following procedure uses the myUserAdmin created in Enable Access Control on Self-Managed Deployments.
mongosh --port 27017 -u myUserAdmin -p 'abc123' --authenticationDatabase 'admin'
The myUserAdmin user has privileges to create roles in the admin database as well as other databases.
Create a new role to drop the system.views collection in any database.
For the role, specify a privilege that consists of:
an actions array that contains the dropCollection action, and
a resource document that specifies an empty string ("") for the database and the string "system.views" for the collection. See Specify Collections Across Databases as Resource for more information.
use admin
db.createRole(
   {
     role: "dropSystemViewsAnyDatabase",
     privileges: [
       { actions: [ "dropCollection" ], resource: { db: "", collection: "system.views" } }
     ],
     roles: []
   }
)
Modify Access for an Existing User
Note
To modify an existing database user's roles in MongoDB Atlas, see Modify Database Users in the MongoDB Atlas documentation.
Prerequisites
Procedure
Connect to MongoDB with the appropriate privileges.
Connect to mongod or mongos as a user with the privileges specified in the prerequisite section. The following procedure uses the myUserAdmin created in Enable Access Control on Self-Managed Deployments.
mongosh --port 27017 -u myUserAdmin -p 'abc123' --authenticationDatabase 'admin'
Identify the user's roles and privileges.
To display the roles and privileges of the user to be modified, use the db.getUser() and db.getRole() methods.
For example, to view roles for reportsUser created in Additional Examples, issue:
use reporting
db.getUser("reportsUser")
To display the privileges granted to the user by the readWrite role on the "accounts" database, issue:
use accounts
db.getRole( "readWrite", { showPrivileges: true } )
Identify the privileges to grant or revoke.
If the user requires additional privileges, grant to the user the role, or roles, with the required set of privileges. If such a role does not exist, create a new role with the appropriate set of privileges.
To revoke a subset of privileges provided by an existing role: revoke the original role and grant a role that contains only the required privileges. If no such role exists, you may need to create one.
Modify the user's access.
Revoke a Role
Revoke a role with the db.revokeRolesFromUser() method.
The following example operation removes the readWrite role on the accounts database from the reportsUser:
use reporting
db.revokeRolesFromUser( "reportsUser", [ { role: "readWrite", db: "accounts" } ] )
Grant a Role
Grant a role using the db.grantRolesToUser() method. For example, the following operation grants the reportsUser user the read role on the accounts database:
use reporting
db.grantRolesToUser( "reportsUser", [ { role: "read", db: "accounts" } ] )
For sharded clusters, the changes to the user are instant on the mongos on which the command runs. However, for other mongos instances in the cluster, the user cache may wait up to 10 minutes to refresh. See userCacheInvalidationIntervalSecs.
Modify the Password for an Existing User
Note
To modify an existing MongoDB Atlas user's password, see Modify Database Users in the MongoDB Atlas documentation.
Prerequisites
To modify the password of another user on a database, you must have the changePassword action on that database.
Procedure
Connect to MongoDB with the appropriate privileges.
Connect to the mongod or mongos with the privileges specified in the Prerequisites section. The following procedure uses the myUserAdmin created in Enable Access Control on Self-Managed Deployments.
mongosh --port 27017 -u myUserAdmin -p 'abc123' --authenticationDatabase 'admin'
Change the password.
Pass the user's username and the new password to the db.changeUserPassword() method.
The following operation changes the reporting user's password to SOh3TbYhxuLiW8ypJPxmt1oOfL:
db.changeUserPassword("reporting", "SOh3TbYhxuLiW8ypJPxmt1oOfL")
View a User's Roles
Note
To view a user's roles in MongoDB Atlas, see View Database Users and Certificates in the MongoDB Atlas documentation.
Prerequisites
To view another user's information, you must have the viewUser action on the other user's database.
Users can view their own information.
Procedure
Connect to MongoDB with the appropriate privileges.
Connect to mongod or mongos as a user with the privileges specified in the prerequisite section. The following procedure uses the myUserAdmin created in Enable Access Control on Self-Managed Deployments.
mongosh --port 27017 -u myUserAdmin -p 'abc123' --authenticationDatabase 'admin'
Identify the user's roles.
Use the usersInfo command or db.getUser() method to display user information.
For example, to view roles for reportsUser created in Additional Examples, issue:
use reporting
db.getUser("reportsUser")
In the returned document, the roles field displays all roles for reportsUser:
...
"roles" : [
   { "role" : "readWrite", "db" : "accounts" },
   { "role" : "read", "db" : "reporting" },
   { "role" : "read", "db" : "products" },
   { "role" : "read", "db" : "sales" }
]
View a Role's Privileges
Note
To view a role's privileges in MongoDB Atlas, see View Custom Roles in the MongoDB Atlas documentation.
Prerequisites
Procedure
Connect to MongoDB with the appropriate privileges.
Connect to mongod or mongos as a user with the privileges specified in the prerequisite section. The following procedure uses the myUserAdmin created in Enable Access Control on Self-Managed Deployments.
mongosh --port 27017 -u myUserAdmin -p 'abc123' --authenticationDatabase 'admin'
Identify the privileges granted by a role.
For a given role, use the db.getRole() method, or the rolesInfo command, with the showPrivileges option.
For example, to view the privileges granted by the read role on the products database, issue:
use products
db.getRole( "read", { showPrivileges: true } )
The returned document contains the privileges and inheritedPrivileges arrays. The privileges array lists the privileges directly specified by the role and excludes those privileges inherited from other roles. The inheritedPrivileges array lists all privileges granted by this role, both directly specified and inherited. If the role does not inherit from other roles, the two fields are the same.
...
"privileges" : [
   {
     "resource" : { "db" : "products", "collection" : "" },
     "actions" : [ "collStats", "dbHash", "dbStats", "find", "killCursors", "planCacheRead" ]
   },
   {
     "resource" : { "db" : "products", "collection" : "system.js" },
     "actions" : [ "collStats", "dbHash", "dbStats", "find", "killCursors", "planCacheRead" ]
   }
],
"inheritedPrivileges" : [
   {
     "resource" : { "db" : "products", "collection" : "" },
     "actions" : [ "collStats", "dbHash", "dbStats", "find", "killCursors", "planCacheRead" ]
   },
   {
     "resource" : { "db" : "products", "collection" : "system.js" },
     "actions" : [ "collStats", "dbHash", "dbStats", "find", "killCursors", "planCacheRead" ]
   }
]
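The following JavaScript is an added example, not MongoDB's own code, serving both the modify-access steps earlier on this page and the privileges versus inheritedPrivileges distinction just described: it resolves a role's full privilege set from a catalog of role documents and diffs a user's effective actions before and after replacing readWrite with read. The catalog, resourceKey, inheritedPrivileges and effectiveActions are constructed for this example; the action names are simplified and not a real rolesInfo dump.

```javascript
// Added example (not MongoDB's own code): resolve inheritedPrivileges from a catalog of role
// documents. The catalog is constructed sample data with simplified action lists.
const catalog = {
  "products.read": {
    privileges: [{ resource: { db: "products", collection: "" }, actions: ["find", "collStats"] }],
    roles: [],
  },
  "products.readWrite": {
    privileges: [{ resource: { db: "products", collection: "" }, actions: ["insert", "remove", "update"] }],
    roles: [{ role: "read", db: "products" }],
  },
  "admin.reportsAdmin": {
    privileges: [{ resource: { cluster: true }, actions: ["serverStatus"] }],
    roles: [{ role: "readWrite", db: "products" }],
  },
};
const resourceKey = (res) => JSON.stringify(res, Object.keys(res).sort());

// Direct plus inherited privileges of db.role, with actions merged per resource.
function inheritedPrivileges(db, role, seen = new Set()) {
  const key = `${db}.${role}`;
  if (seen.has(key)) return []; // MongoDB keeps the role graph acyclic; guard anyway
  seen.add(key);
  const doc = catalog[key];
  if (!doc) throw new Error(`unknown role ${key}`);
  const merged = new Map();
  const add = (p) => {
    const entry = merged.get(resourceKey(p.resource)) || { resource: p.resource, actions: new Set() };
    p.actions.forEach((a) => entry.actions.add(a));
    merged.set(resourceKey(p.resource), entry);
  };
  doc.privileges.forEach(add);
  doc.roles.forEach((r) => inheritedPrivileges(r.db, r.role, seen).forEach(add));
  return [...merged.values()].map((e) => ({ resource: e.resource, actions: [...e.actions].sort() }));
}

// Flatten a user's roles to sorted "resource:action" strings so two role sets can be diffed.
function effectiveActions(roles) {
  const out = new Set();
  for (const r of roles) {
    for (const p of inheritedPrivileges(r.db, r.role)) {
      const res = p.resource.cluster ? "cluster" : `${p.resource.db}.${p.resource.collection || "*"}`;
      p.actions.forEach((a) => out.add(`${res}:${a}`));
    }
  }
  return [...out].sort();
}

// Narrowing a user from readWrite to read on products, as in the modify-access steps above.
const before = effectiveActions([{ role: "readWrite", db: "products" }]);
const after = effectiveActions([{ role: "read", db: "products" }]);
const removed = before.filter((a) => !after.includes(a)); // products.*:insert, :remove, :update
```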