mongodb的用户认证

ewe22

mongodb默认是不认证的，默认没有账号，只要能连接上服务就可以对数据库进行各种操作，mongodb认为安全最好的方法就是在一个可信的环境中运行它，保证之后可信的机器才能访问它，可能这些对一些要求高的环境，安全还不够
mongodb提供用户认证，需要在启动时加上--auth开启认证
认证前需要添加账号
添加管理员账号：
默认情况下系统中没有用户
> use admin       --切换到admin库
switched to db admin
> db.system.users.find();
>  db.addUser("super","super") --添加超级用户
WARNING: The 'addUser' shell helper is DEPRECATED. Please use 'createUser' inste
ad
Successfully added user: { "user" : "super", "roles" : [ "root" ] }
> db.system.users.find(); --查询添加的用户
{ "_id" : "admin.super", "user" : "super", "db" : "admin", "credentials" : { "MO
NGODB-CR" : "9c93023a901c2adf9c7377076b8c963a" }, "roles" : [ { "role" : "root",
"db" : "admin" } ] }
>
添加普通账号：
> use test    --切换到test库添加普通用户
switched to db test
> db.addUser("test","test")
WARNING: The 'addUser' shell helper is DEPRECATED. Please use 'createUser' inste
ad
Successfully added user: { "user" : "test", "roles" : [ "dbOwner" ] }
添加只读账号：
> db.addUser("readonly","readonly",true)  --添加只读用户
WARNING: The 'addUser' shell helper is DEPRECATED. Please use 'createUser' inste
ad
Successfully added user: { "user" : "readonly", "roles" : [ "read" ] }
>
查询刚刚添加的所有用户：
> use admin
switched to db admin
> db.system.users.find();
{ "_id" : "admin.admin", "user" : "admin", "db" : "admin", "credentials" : { "MO
NGODB-CR" : "7c67ef13bbd4cae106d959320af3f704" }, "roles" : [ { "role" : "root",
"db" : "admin" } ] }
{ "_id" : "test.db1", "user" : "db1", "db" : "test", "credentials" : { "MONGODB-
CR" : "08a3bfa3cdef4464c4738a7180465adf" }, "roles" : [ { "role" : "dbOwner", "d
b" : "test" } ] }
{ "_id" : "admin.super", "user" : "super", "db" : "admin", "credentials" : { "MO
NGODB-CR" : "9c93023a901c2adf9c7377076b8c963a" }, "roles" : [ { "role" : "root",
"db" : "admin" } ] }
{ "_id" : "test.test", "user" : "test", "db" : "test", "credentials" : { "MONGOD
B-CR" : "a6de521abefc2fed4f5876855a3484f5" }, "roles" : [ { "role" : "dbOwner",
"db" : "test" } ] }
{ "_id" : "test.readonly", "user" : "readonly", "db" : "test", "credentials" : {
"MONGODB-CR" : "68eda9b099ddb587da03a33273a9f4da" }, "roles" : [ { "role" : "re
ad", "db" : "test" } ] }
>
以--auth启动mongodb开启认证
E:\mongodb\bin>mongod -f e:/mongodb/mongodb.conf
2014-09-14T11:12:07.609+0800
2014-09-14T11:12:07.609+0800 warning: 32-bit servers don't have journaling enabl
ed by default. Please use --journal if you want durability.
2014-09-14T11:12:07.609+0800
mongodb.conf文件内容如下，添加了auth=true
dbpath=E:\mongodb\data
logpath=E:\mongodb\log\mongodb.log
logappend=true
bind_ip=127.0.0.1
port=27019
#fork=true
master=true
auth=true
验证安全认证：
> use admin
switched to db admin
> show dbs   --没有认证查看数据库报错
2014-09-14T13:28:45.953+0800 listDatabases failed:{
        "ok" : 0,
        "errmsg" : "not authorized on admin to execute command { listDatabases:
1.0 }",
        "code" : 13
} at src/mongo/shell/mongo.js:47
>
> db.auth("super","super")  ---认证后再次查看ok
1
> show dbs
admin    0.078GB
local    0.078GB
test     0.078GB
wangwei  0.078GB
>
普通用户认证
> show dbs   --没有认证查看数据
2014-09-14T13:31:19.265+0800 listDatabases failed:{
        "ok" : 0,
        "errmsg" : "not authorized on admin to execute command { listDatabases:
1.0 }",
        "code" : 13
} at src/mongo/shell/mongo.js:47
> db.auth("test","test")
1
> show dbs  --认证后查看数据库还报错，原因这个用户属于test不属于admin
2014-09-14T13:33:30.062+0800 listDatabases failed:{
        "ok" : 0,
        "errmsg" : "not authorized on admin to execute command { listDatabases:
1.0 }",
        "code" : 13
} at src/mongo/shell/mongo.js:47
>
E:\mongodb\bin>mongo 127.0.0.1:27019
MongoDB shell version: 2.6.4
connecting to: 127.0.0.1:27019/test
> db.mycol.insert({"id":222})  --没有认证情况插入文档失败
WriteResult({
        "writeError" : {
                "code" : 13,
                "errmsg" : "not authorized on test to execute command { insert:
\"mycol\", documents: [ { _id: ObjectId('5415292f131751676caa7881'), id: 222.0 }
], ordered: true }"
        }
})
> db.auth("test","test")   --认证后插入文档成功
1
> db.mycol.insert({"id":222})
WriteResult({ "nInserted" : 1 })
>
只读用户认证
E:\mongodb\bin>mongo 127.0.0.1:27019
MongoDB shell version: 2.6.4
connecting to: 127.0.0.1:27019/test
> db.mycol.find()  --没有认证查询失败
error: { "$err" : "not authorized for query on test.mycol", "code" : 13 }
> db.auth("readonly"."readonly")
2014-09-14T13:38:16.265+0800 SyntaxError: Unexpected string
> db.auth("readonly","readonly")
1
> db.mycol.find()  --认证后查询成功
{ "_id" : ObjectId("5415294b131751676caa7882"), "id" : 222 }
>
> db.mycol.insert({"id":5555})  --只读认证后，插入文档失败，原因用户是只读的
WriteResult({
        "writeError" : {
                "code" : 13,
                "errmsg" : "not authorized on test to execute command { insert:
\"mycol\", documents: [ { _id: ObjectId('541529ead090e8f5c50762b9'), id: 5555.0
} ], ordered: true }"
        }
})
>