MongoDB authentication -- command line mode

Keywords: Database MongoDB shell MySQL

Abstract
MongoDB 3.x is quite different from previous versions. Here is a brief introduction to user authentication.

1. The 3.x add-user function
Function:

db.createUser(user, writeConcern);

Parameters:
user: a document containing the user's authentication and access-control information;
writeConcern: a document describing the write concern MongoDB applies to the creation operation.

Format of the user document:
{ user: "",
  pwd: "",
  customData: { },
  roles: [
    { role: "", db: "" } | "",
    …
  ]
}

User document fields:
user: username
pwd: password
roles: the roles granted to the user; pass an empty array to create a user with no roles.
In the roles field you can specify built-in roles and user-defined roles.

The roles available in the roles field:

Built-in roles:
1. Database user roles: read, readWrite
2. Database administration roles: dbAdmin, dbOwner, userAdmin
3. Cluster administration roles: clusterAdmin, clusterManager, clusterMonitor, hostManager
4. Backup and restore roles: backup, restore
5. All-database roles: readAnyDatabase, readWriteAnyDatabase, userAdminAnyDatabase, dbAdminAnyDatabase
6. Superuser role: root
// Several other roles directly or indirectly provide system superuser access (dbOwner, userAdmin, userAdminAnyDatabase)
7. Internal role: _system

Role descriptions:

read: allows the user to read the specified database
readWrite: allows the user to read and write the specified database
dbAdmin: allows the user to perform administrative functions in the specified database, such as creating and dropping indexes, viewing statistics, or accessing system.profile
userAdmin: allows the user to write to the system.users collection, so that users can be created, deleted and managed in the specified database
clusterAdmin: available only in the admin database; grants the user administrative rights over all sharding- and replica-set-related functions
readAnyDatabase: available only in the admin database; grants the user read access to all databases
readWriteAnyDatabase: available only in the admin database; grants the user read and write access to all databases
userAdminAnyDatabase: available only in the admin database; grants the user userAdmin privileges on all databases
dbAdminAnyDatabase: available only in the admin database; grants the user dbAdmin privileges on all databases
root: available only in the admin database; the superuser account with full privileges

2. Adding users

After MongoDB is installed, start the mongod service without authentication enabled and list the databases: only the local database exists, and the admin database does not exist yet.
Now create an account with user-administration rights, su. Note that a user must authenticate against the database it was created in.
MongoDB shell version: 3.2.3
connecting to: test
> use admin
switched to db admin
> db.createUser({user:"su",pwd:"su", roles: [{ role: "userAdminAnyDatabase", db: "admin" }]});
Successfully added user: {
        "user" : "su",
        "roles" : [
                {
                        "role" : "userAdminAnyDatabase",
                        "db" : "admin"
                }
        ]
}

The userAdminAnyDatabase role granted above is used to manage users: with it, users can be created and deleted. To enable authentication, restart the MongoDB service with the --auth parameter.

>mongod --auth                                                                ## Restart MongoDB Service

Re-login:

MongoDB shell version: 3.2.3
connecting to: test
> show dbs;                                                                   ## Here access fails because there is no validation
2016-04-27T14:34:44.573+0800 E QUERY    [thread1] Error: listDatabases failed:{
        "ok" : 0,
        "errmsg" : "not authorized on admin to execute command { listDatabases: 1.0 }",
        "code" : 13
} :
_getErrorWithCode@src/mongo/shell/utils.js:23:13
Mongo.prototype.getDBs@src/mongo/shell/mongo.js:53:1
shellHelper.show@src/mongo/shell/utils.js:700:19
shellHelper@src/mongo/shell/utils.js:594:15
@(shellhelp2):1:1

>

Because the user was created in admin, authentication fails under test:

MongoDB shell version: 3.2.3
connecting to: test
> db.auth("su","su");                                                          ## Users not created in test
Error: Authentication failed.
0
> use admin                                                                    ## Switch to admin
switched to db admin
> db.auth("su","su");
1                                                                              ## Verify success
>
>
> use test                                                                     ## Create users under test
switched to db test
> db.createUser({user:"mengximengxi",pwd:"mengximengxi", roles: ["read"]});    ## read-only
Successfully added user: { "user" : "mengximengxi", "roles" : [ "read" ] }     ## Default to the current database
> db.createUser({user:"mxmx",pwd:"mxmx", roles: ["readWrite"]});               ## Read and write
Successfully added user: { "user" : "mxmx", "roles" : [ "readWrite" ] }

3. Validation

> use admin
switched to db admin
> db.auth("su","su");
1
> db.test.find();                                                    ## Read fails: userAdminAnyDatabase grants only user-administration rights, not data-operation rights
Error: error: {
        "ok" : 0,
        "errmsg" : "not authorized on admin to execute command { find: \"test\", filter: {} }",
        "code" : 13
}
> db.auth("mengximengxi","mengximengxi");
1
> db.test.insert({name:"zhaoxiaoliu"});                                  ## Read-only, cannot write
WriteResult({
        "writeError" : {
                "code" : 13,
                "errmsg" : "not authorized on test to execute command { insert: \"test\", documents: [ { _id: ObjectId('5720636a26c1f39ce9a7a9bd'), name: \"zhaoxiaoliu\" } ], ordered: true }"
        }
})

> db.auth("mxmx","mxmx");                                                ## Writable
1
> db.test.insert({name:"zhaoxiaoliu"});
WriteResult({ "nInserted" : 1 })
>

Only with the root role does an account have both user-administration privileges and collection-operation privileges.

> db.createUser({user:"root",pwd:"root", roles: [{role:"root",db:"admin"}]});      ## Create users with super privileges
Successfully added user: {
        "user" : "root",
        "roles" : [
                {
                        "role" : "root",
                        "db" : "admin"
                }
        ]
}
> db.test.insert({name:"tianxiaoqi"});                                             ## write
WriteResult({ "nInserted" : 1 })
> db.createUser({user:"test_user",pwd:"mxmx", roles: ["readWrite"]});
Successfully added user: { "user" : "test_user", "roles" : [ "readWrite" ] }       ## Add user
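The following is an added example, not code from the original post or from MongoDB: a small in-memory JavaScript model of the rules that sections 1, 3 and 4 demonstrate (roles are granted per database, the "only available in admin" roles must carry db: "admin", and a user authenticates only in the database it was created in). It runs under node with no server. The account names and passwords are copied from the session above; the root account is deliberately created under test with a role on admin to illustrate note 1 of section 4, which is this example's choice, not the post's. The `actions` lists are a coarse, constructed simplification of MongoDB's real privilege actions, and mongod itself enforces the real rules.

```javascript
// Added example (not MongoDB's own code): an in-memory model of the user and
// role rules this page demonstrates. mongod enforces the real rules; this
// model only lets you pre-check a createUser document and reason about what
// an account will be allowed to do before you grant it.

// Built-in roles from section 1. `actions` is a deliberately coarse stand-in
// for MongoDB's privilege actions; `anyDb` marks roles spanning every
// database; `adminOnly` marks the "only available in admin database" roles.
const BUILTIN_ROLES = {
  read:                 { actions: ["find"],                   anyDb: false, adminOnly: false },
  readWrite:            { actions: ["find", "insert"],         anyDb: false, adminOnly: false },
  dbAdmin:              { actions: ["dbAdmin"],                anyDb: false, adminOnly: false },
  userAdmin:            { actions: ["createUser"],             anyDb: false, adminOnly: false },
  dbOwner:              { actions: ["find", "insert", "dbAdmin", "createUser"], anyDb: false, adminOnly: false },
  clusterAdmin:         { actions: ["cluster"],                anyDb: true,  adminOnly: true },
  readAnyDatabase:      { actions: ["find"],                   anyDb: true,  adminOnly: true },
  readWriteAnyDatabase: { actions: ["find", "insert"],         anyDb: true,  adminOnly: true },
  userAdminAnyDatabase: { actions: ["createUser"],             anyDb: true,  adminOnly: true },
  dbAdminAnyDatabase:   { actions: ["dbAdmin"],                anyDb: true,  adminOnly: true },
  root:                 { actions: ["find", "insert", "dbAdmin", "createUser", "cluster"], anyDb: true, adminOnly: true },
};

// A bare string role such as "read" applies to the current database
// (the shell's "Default to the current database" behaviour).
function normalizeRole(entry, currentDb) {
  return typeof entry === "string" ? { role: entry, db: currentDb } : { role: entry.role, db: entry.db };
}

// Reasons the document would be rejected (simplified): missing fields,
// unknown role names, or an admin-only role granted outside admin.
function validateUserSpec(spec, currentDb) {
  const errors = [];
  if (!spec.user || !spec.pwd) errors.push("user and pwd are required");
  if (!Array.isArray(spec.roles)) { errors.push("roles must be an array"); return errors; }
  for (const { role, db } of spec.roles.map(e => normalizeRole(e, currentDb))) {
    const def = BUILTIN_ROLES[role];
    if (!def) errors.push(`unknown role ${role}`);
    else if (def.adminOnly && db !== "admin") errors.push(`role ${role} only exists in admin, not ${db}`);
  }
  return errors;
}

class MongoModel {
  constructor() { this.users = new Map(); this.session = null; }

  // db.createUser(): the account is stored in the database it was created in,
  // which becomes its authentication database.
  createUser(currentDb, spec) {
    const errors = validateUserSpec(spec, currentDb);
    if (errors.length) throw new Error(errors.join("; "));
    this.users.set(`${currentDb}.${spec.user}`, { pwd: spec.pwd, roles: spec.roles.map(e => normalizeRole(e, currentDb)) });
  }

  // db.auth(): 1 on success, 0 on failure, as in the shell. It only succeeds
  // in the authentication database, which is why su fails under test.
  // (Simplification: a new auth replaces the session instead of adding to it.)
  auth(currentDb, user, pwd) {
    const u = this.users.get(`${currentDb}.${user}`);
    if (!u || u.pwd !== pwd) return 0;
    this.session = { user, roles: u.roles };
    return 1;
  }

  // Would the current session be allowed to perform `action` on `targetDb`?
  isAuthorized(action, targetDb) {
    if (!this.session) return false;
    return this.session.roles.some(({ role, db }) => {
      const def = BUILTIN_ROLES[role];
      return def.actions.includes(action) && (def.anyDb || db === targetDb);
    });
  }
}

// Replay the page's session (constructed accounts copied from the post).
function replaySession() {
  const m = new MongoModel();
  const result = {};
  m.createUser("admin", { user: "su", pwd: "su", roles: [{ role: "userAdminAnyDatabase", db: "admin" }] });
  result.suAuthInTest = m.auth("test", "su", "su");                 // 0: su lives in admin
  result.suAuthInAdmin = m.auth("admin", "su", "su");               // 1
  result.suCanFind = m.isAuthorized("find", "admin");               // false: user admin only
  result.suCanCreateUser = m.isAuthorized("createUser", "test");    // true
  m.createUser("test", { user: "mengximengxi", pwd: "mengximengxi", roles: ["read"] });
  m.createUser("test", { user: "mxmx", pwd: "mxmx", roles: ["readWrite"] });
  m.auth("test", "mengximengxi", "mengximengxi");
  result.readCanInsert = m.isAuthorized("insert", "test");          // false
  m.auth("test", "mxmx", "mxmx");
  result.rwCanInsert = m.isAuthorized("insert", "test");            // true
  // Note 1 of section 4: created under test with a role on admin, so it
  // authenticates only under test, yet then operates on every database.
  m.createUser("test", { user: "root", pwd: "root", roles: [{ role: "root", db: "admin" }] });
  result.rootAuthInAdmin = m.auth("admin", "root", "root");         // 0
  result.rootAuthInTest = m.auth("test", "root", "root");           // 1
  result.rootCanInsertAndCreate = m.isAuthorized("insert", "test") && m.isAuthorized("createUser", "test"); // true
  return result;
}

console.log(replaySession());
```

The practical use of validateUserSpec is as a pre-flight check: a createUser document that grants root or one of the AnyDatabase roles with a db other than admin, or that names a role that does not exist, is caught before it reaches the server, and replaySession shows why the page's su account can manage users but cannot read data while only readWrite and root can write.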

4. Notes

1. A user with roles on other databases can be created in the current database, but that account can only authenticate in the database it was created in; after authenticating there, it can operate on the databases its roles cover.

2. If authentication is not enabled, the corresponding users can also be created directly in the other databases.



Posted by Coruba67 on Fri, 22 Mar 2019 00:39:53 -0700