MongoDB Opens shard Operation Minimum Privilege User Authorization
(2018-01-25 15:52:29)
Reprint_Label: mongodbshardMinimum permissionshardcollectionprivileges |
Classification: data base |
background
Operational requirements provide a minimum privilege for program users to meet the following operational requirements:
- Allow full operation of specified database
- Allow shard to be opened for collection in a specified database
With such restrictions, only the designated database will be affected at most.
Avoid affecting the whole cluster due to program problems or other external factors that cause data processing logic problems.
Plan
Take myDb.myCollection as an example. To open shard for collection, the following operations are needed:
-
If the database does not open the fragmentation function, you need to open it first:
sh.enableSharding("myDb") -
If there is already data in the collection, you need to create the corresponding shardkey index first:
use myDb db.myCollection.createIndex( {"shard_key_field": "hashed"} ) -
Open shard for the specified collection:
sh.shardCollection("myDb.myCollection", {"shard_key_field": "hashed"})
Therefore, the corresponding privileges are needed to run the above three operation commands.
Referring to the description of official documents, users need to be provided with two permissions:
-
https://docs.mongodb.com/manual/reference/privilege-actions/#enableSharding
enableSharding
User can enable sharding on a database using theenableShardingcommand and can shard a collection using theshardCollectioncommand. Apply this action to database or collection resources. -
https://docs.mongodb.com/manual/reference/privilege-actions/#createIndex
createIndex
Provides access to thedb.collection.createIndex()method and thecreateIndexescommand. Apply this action to database or collection resources.
operation
Because the original project user's role in business database is dbOwner.
Therefore, to create a role with shard-related operation privileges, granting project database users can achieve minimum privilege control.
First, create a new role to provide the above two operation permissions.
This is called opShardRole and can be changed according to actual requirements:
use myDb; db.createRole({ role: "opShardRole", privileges:[ { resource:{db:"myDb", collection:""}, actions:["enableSharding, "createIndex"] } ], roles:[] } )
Then the opShardRole role grant is given to the project user, assuming that the user name is project_user:
db.grantRolesToUser("project_user",[{role:"opShardRole", db:"myDb"}])
At this point, the operation is completed, and the project user can test whether there is any problem in opening the shard related operation.
Check relevant user privileges
Switch to Business db and check the relevant users and roles:
-
View role-related permissions:
mongos> db.getRole("opShardRole",{showPrivileges: true}) { "role" : "opShardRole", "db" : "myDb", "isBuiltin" : false, "roles" : [ ], "inheritedRoles" : [ ], "privileges" : [ { "resource" : { "db" : "myDb", "collection" : "" }, "actions" : [ "createIndex", "enableSharding", "shardCollection" ] } ], ... } -
View user-related roles:
mongos> show users; { "_id" : "myDb.project_user", "user" : "project_user", "db" : "myDb", "roles" : [ { "role" : "opShardRole", "db" : "myDb" }, { "role" : "dbOwner", "db" : "myDb" } ] }
As you can see, the role of opShardRole does already have the required shard operation rights for the business database myDb.
At the same time, the project_user user user already has opShardRole role authorization.
Share: