Mac-Osx
MongoDB 集合級別訪問控制不起作用
我必須將少數 MongoDB 使用者限制為具有某些特定操作權限的特定集合(僅更新集合)。根據文件,這是可能的。
localhost:tmp username$ mongo MongoDB shell version v3.4.1 connecting to: mongodb://127.0.0.1:27017 MongoDB server version: 3.4.1 Server has startup warnings: 2018-05-06T15:30:51.739+0530 I CONTROL [initandlisten] 2018-05-06T15:30:51.772+0530 I CONTROL [initandlisten] ** WARNING: Access control is not enabled for the database. 2018-05-06T15:30:51.772+0530 I CONTROL [initandlisten] ** Read and write access to data and configuration is unrestricted. 2018-05-06T15:30:51.772+0530 I CONTROL [initandlisten] > > > > use foo switched to db foo > db.inventory.insertOne( { item: "canvas", qty: 100, tags: ["cotton"], size: { h: 28, w: 35.5, uom: "cm" } } ) { "acknowledged" : true, "insertedId" : ObjectId("5af6c7e058d94deb0777e883") } > > > > db.inventory.find( { item: "canvas" } ) { "_id" : ObjectId("5af6c7e058d94deb0777e883"), "item" : "canvas", "qty" : 100, "tags" : [ "cotton" ], "size" : { "h" : 28, "w" : 35.5, "uom" : "cm" } } > > > > show collections inventory > db.createRole({ role: "fooRole", privileges: [ { resource: { db: "foo", collection: "inventory" }, actions: [ "find", "update" ] } ], roles: [] }) { "role" : "fooRole", "privileges" : [ { "resource" : { "db" : "foo", "collection" : "inventory" }, "actions" : [ "find", "update" ] } ], "roles" : [ ] } > > > > > db.createUser({ user: "foouser", pwd: "foopass", roles: [ { role: "fooRole", db: "foo" } ] }) Successfully added user: { "user" : "foouser", "roles" : [ { "role" : "fooRole", "db" : "foo" } ] } > > > bye以 foouser 身份登錄,
localhost:tmp username$ mongo -u "foouser" -p "foopass" --authenticationDatabase "foo" MongoDB shell version v3.4.1 connecting to: mongodb://127.0.0.1:27017 MongoDB server version: 3.4.1 Server has startup warnings: 2018-05-06T15:30:51.739+0530 I CONTROL [initandlisten] 2018-05-06T15:30:51.772+0530 I CONTROL [initandlisten] ** WARNING: Access control is not enabled for the database. 2018-05-06T15:30:51.772+0530 I CONTROL [initandlisten] ** Read and write access to data and configuration is unrestricted. 2018-05-06T15:30:51.772+0530 I CONTROL [initandlisten] > > > use foo switched to db foo > show collections inventory > db.inventory.drop() true > show collections > db.dropDatabase() { "dropped" : "foo", "ok" : 1 } > bye如果我應該簡單地說一下我在上面做了什麼,
- 使用集合 ‘inventory’ 創建了 ‘foo’ 數據庫
- 用 ‘find’ & ‘update’ 創建了一個角色 ‘fooRole’ -
db.createRole({ role: "fooRole", privileges: [ { resource: { db: "foo", collection: "inventory" }, actions: [ "find", "update" ] } ], roles: [] })
- 使用角色 ‘fooRole’ 創建了使用者 ‘foouser’ -
db.createUser({ user: "foouser", pwd: "foopass", roles: [ { role: "fooRole", db: "foo" } ] })為什麼它不起作用?為什麼
foouser可以drop collection和database?我做錯了什麼嗎?請提出一些解決方案!
儘管您已經創建了使用者,但腳本中的啟動警告表明您尚未啟用訪問控制:
** WARNING: Access control is not enabled for the database. ** Read and write access to data and configuration is unrestricted.在 MongoDB 3.6 中,必須使用
security.authorization配置設置或--auth命令行選項顯式啟用訪問控制。有關完整步驟,請參閱 MongoDB 手冊中的Enable Auth 教程。