We can't seem to find any conclusive documentation on which privileges (user roles) mongodump needs in order to run against a particular database.
Say I have a database named x and a user y with the following roles: roles: [ "readWrite", "dbAdmin" ], plus two more users a and b in the admin collection with roles: [ "userAdminAnyDatabase" ] and roles: [ "dbAdminAnyDatabase" ] respectively; none of them seem to have the right privileges to run mongodump:
mongodump --db x --username y --password --authenticationDatabase x
Tue Dec 10 17:04:23.901 x.system.users to dump/x/system.users.bson
assertion: 11010 count fails:{ ok: 0.0, errmsg: "unauthorized" }
mongodump --db x --username a --password --authenticationDatabase admin
Tue Dec 10 17:06:19.674 DATABASE: x to dump/x
assertion: 13106 nextSafe(): { $err: "not authorized for query on x.system.indexes", code: 16550 }
mongodump --db x --username b --password --authenticationDatabase admin
Tue Dec 10 17:08:20.678 DATABASE: x to dump/x
assertion: 13106 nextSafe(): { $err: "not authorized for query on x.system.namespaces", code: 16550 }
We must be missing something obvious, but what does mongodump look for when dumping a database, and what privileges does it need?
PS: as a bonus, we would like to know the user roles needed to dump a specific collection, and to dump all databases.
ilt*_*mpo 43
Fortunately, mongodump 3.0 accepts options for skipping certain collections.
This solved my problem without needing admin access to the database to adjust permissions. Keep in mind that you are no longer creating a full backup.
mongodump --excludeCollection=system.indexes
or
mongodump --excludeCollectionsWithPrefix=system
bit*_*inn 13
TL;DR: for MongoDB 2.4 you need at least a user with the read role plus userAdmin on the db. Otherwise, when dumping system.users.bson for such a database, you will hit the error we ran into in the question.
So we overlooked an important reference: man mongodump
However, you need to have mongodump 2.4.x to see the relevant section, so here is the reference via the mongodb github docs:
Required User Privileges
------------------------

.. note:: User privileges changed in MongoDB 2.4.

The user must have appropriate privileges to read data from database
holding collections in order to use :program:`mongodump`. Consider the
following :doc:`required privileges </reference/system-defined-roles>` for
the following :program:`mongodump` operations:

.. list-table::
   :header-rows: 1

   * - Task
     - Required Privileges
   * - All collections in a database except ``system.users``.
     - :authrole:`read`. [#read-or-read-write]_
   * - All collections in a database, including ``system.users``.
     - :authrole:`read` [#read-or-read-write]_ and :authrole:`userAdmin`.
   * - All databases. [#profiling-exception]_
     - :authrole:`readAnyDatabase`, :authrole:`userAdminAnyDatabase`,
       and :authrole:`clusterAdmin`. [#cluster-admin]_

See :doc:`/reference/system-defined-roles` and
:doc:`/reference/privilege-documents` for more information on user
roles.

.. [#read-or-read-write] You may provision :authrole:`readWrite`
   instead of :authrole:`read`.

.. [#cluster-admin] :authrole:`clusterAdmin` provides the ability to
   run the :dbcommand:`listDatabases` command, to list all existing
   databases.

.. [#profiling-exception] If any database runs with profiling enabled,
   :program:`mongodump` may need the
   :authrole:`dbAdminAnyDatabase` privilege to dump the
   ``system.profile`` collection.
PS: there is currently no way to skip certain collections, so if you only have the read or readWrite role on the db, you need to dump each collection separately.
小智 5
My memory is bad too. But I finally figured it out... it's actually simple. You just need to add a user with the backup role for mongodump and the restore role for mongorestore.
backup role: Provides the minimal privileges needed for backing up data. This role provides sufficient privileges to use the MongoDB Cloud Manager backup agent, the Ops Manager backup agent, or to use mongodump to back up an entire mongod instance.
restore role: Provides the privileges needed to restore data from backups that do not include system.profile collection data. This role is sufficient when restoring data with mongorestore without the --oplogReplay option.
For example, you can create a backup user like this:
> use admin
> db.createUser({
    user: "backupuser",
    pwd: "12345",
    roles: ["backup"]
  })
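To tie the role table from the second answer and the backup role from the third answer together, here is an added example (my own code, not from the question or any of the answers). It takes a user document in the shape returned by db.getUser() / the usersInfo command and reports whether that account holds enough roles for a given mongodump task, so you can verify a backup account is least-privilege before handing it out. The task names ("db", "db-with-users", "all"), the function names and the sample user documents are my own; the roles are the ones named on this page. The script runs as-is under Node and can also be pasted into the mongo shell, where you would pass db.getUser("y") instead of the constructed samples.

```javascript
// Added example: least-privilege check for a mongodump account, built from the
// "Required User Privileges" table (MongoDB 2.4 rules) and the dedicated
// "backup" role described in the third answer. Not part of MongoDB itself.

// Alternatives per task: each inner array is an "any of" group. Accepting
// "readWrite" in place of "read" comes from the table's footnote; extending
// that to "readWriteAnyDatabase" for the all-databases task is my own
// generalisation of the same footnote.
var TASK_REQUIREMENTS = {
  "db":            [["read", "readWrite"]],                  // all but system.users
  "db-with-users": [["read", "readWrite"], ["userAdmin"]],   // incl. system.users
  "all":           [["readAnyDatabase", "readWriteAnyDatabase"],
                    ["userAdminAnyDatabase"],
                    ["clusterAdmin"]]                        // for listDatabases
};

// Roles that only count when granted on the admin database. "backup" and
// "restore" only exist on servers newer than 2.4 (see the third answer).
var ADMIN_ONLY = ["readAnyDatabase", "readWriteAnyDatabase",
                  "userAdminAnyDatabase", "dbAdminAnyDatabase",
                  "clusterAdmin", "backup", "restore"];

// Resolve the roles a user effectively holds on targetDb. Role entries may be
// plain strings (2.4 style, scoped to the user's own db) or {role, db} objects.
function effectiveRoles(userDoc, targetDb) {
  var held = {};
  (userDoc.roles || []).forEach(function (entry) {
    var name = typeof entry === "string" ? entry : entry.role;
    var db = typeof entry === "string" ? userDoc.db : entry.db;
    if (ADMIN_ONLY.indexOf(name) >= 0) {
      if (db === "admin") {
        held[name] = true;
        // xxxAnyDatabase implies xxx on every database, including targetDb.
        if (name.slice(-11) === "AnyDatabase") held[name.slice(0, -11)] = true;
      }
    } else if (targetDb && db === targetDb) {
      held[name] = true;
    }
  });
  return held;
}

// Decide whether userDoc can run mongodump for `task` ("db", "db-with-users"
// or "all") against targetDb. Returns {ok, missing}, where missing names one
// representative role for each unsatisfied group.
function canDump(userDoc, task, targetDb) {
  var groups = TASK_REQUIREMENTS[task];
  if (!groups) throw new Error("unknown task: " + task);
  var held = effectiveRoles(userDoc, targetDb);
  // The backup role covers a whole-instance dump, so it satisfies every task.
  if (held.backup) return { ok: true, missing: [] };
  var missing = groups.filter(function (group) {
    return !group.some(function (role) { return held[role]; });
  }).map(function (group) { return group[0]; });
  return { ok: missing.length === 0, missing: missing };
}

// Given one mongodump assertion line like those in the question, return the
// namespace that could not be read and the role the table associates with that
// collection (userAdmin for system.users, dbAdminAnyDatabase for
// system.profile, read for anything else). Returns null for other lines.
function explainAssertion(line) {
  var m = /not authorized for query on ([^"\s]+)/.exec(line);
  if (!m) return null;
  var ns = m[1];
  var dot = ns.indexOf(".");
  var coll = ns.slice(dot + 1);
  var role = coll === "system.users" ? "userAdmin"
           : coll === "system.profile" ? "dbAdminAnyDatabase"
           : "read";
  return { db: ns.slice(0, dot), collection: coll, neededRole: role };
}

// Constructed sample user documents mirroring the question (y on db x; a and b
// on admin) and the backup user from the third answer. Not real accounts.
var SAMPLE_USERS = {
  y: { user: "y", db: "x", roles: ["readWrite", "dbAdmin"] },
  a: { user: "a", db: "admin", roles: ["userAdminAnyDatabase"] },
  b: { user: "b", db: "admin", roles: ["dbAdminAnyDatabase"] },
  backupuser: { user: "backupuser", db: "admin",
                roles: [{ role: "backup", db: "admin" }] }
};

// Usage: report each sample user against a full dump of database x.
Object.keys(SAMPLE_USERS).forEach(function (name) {
  var verdict = canDump(SAMPLE_USERS[name], "db-with-users", "x");
  console.log(name + ": " + (verdict.ok ? "can dump x" : "missing " + verdict.missing.join(", ")));
});
```

Run against the three users from the question, the check reproduces the failures shown there: y is short of userAdmin (the system.users failure), while a and b are short of read on x (the system.indexes and system.namespaces failures), and only backupuser passes outright. explainAssertion() gives the same answer from the error line alone, which is handy when you only have the mongodump output and not the user document.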