在Mongo数据库实例中为特定数据库创建只读用户

Question

我在mongo01test数据库中创建了一个用户"mongo01testro".

use mongo01test 
db.addUser( "mongo01testro", "pwd01", true );
db.system.users.find();
{ "_id" : ObjectId("53xyz"), "user" : "mongo01testro", "readOnly" : true, "pwd" : "b9eel61" }

当我作为这个新创建的用户从另一个会话登录时,我能够在集合中插入奇怪的文档.

我希望做到以下几点:

1. 创建2个单独的用户,一个用于只读,一个用于每个数据库的读写.
2. 创建管理员用户,该用户具有sysadmin/dba访问Mongodb实例中用于备份/恢复或管理目的的所有数据库.

请帮忙.

此致,Parag

Answer 1

你忘记了 - 启用了

创建用户

// ensure that we have new db, no roles, no users
use products
db.dropDatabase()

// create admin user
use products
db.createUser({
    "user": "prod-admin",
    "pwd": "prod-admin",
    "roles": [
        {"role": "clusterAdmin", "db": "admin" },
        {"role": "readAnyDatabase", "db": "admin" },
    "readWrite"
    ]},
    { "w": "majority" , "wtimeout": 5000 }
)

// login via admin acont in order to create readonly user
// mongo --username=prod-admin --password=prod-admin products
db.createUser({
    "user": "prod-r",
    "pwd": "prod-r",
    "roles": ["read"]
})

启用身份验证:

sudo vim /etc/mongod.conf # edit file
    # Turn on/off security.  Off is currently the default
    #noauth = true
    auth = true
sudo service mongod restart # reload configuiration

检查写入限制:

# check if write operation for readonly user
$ mongo --username=prod-r --password=prod-r products
MongoDB shell version: 2.6.4
connecting to: products
> db.laptop.insert({"name": "HP"})
WriteResult({
    "writeError" : {
        "code" : 13,
        "errmsg" : "not authorized on products to execute command { insert: \"laptop\", documents: [ { _id: ObjectId('53ecb7115f0bfc61d8b1113e'), name: \"HP\" } ], ordered: true }"
    }
})

# check write operation for admin user
$ mongo --username=prod-admin --password=prod-admin products
MongoDB shell version: 2.6.4
connecting to: products
> db.laptop.insert({"name": "HP"})
WriteResult({ "nInserted" : 1 })

# check read operation for readonly user    
$ mongo --username=prod-r --password=prod-r products
MongoDB shell version: 2.6.4
connecting to: products
> db.laptop.findOne()
{ "_id" : ObjectId("53ecb54798da304f99625d05"), "name" : "HP" }

Answer 2

这是我的场景；

// Create admin user
use admin
db.addUser('root', 'strong_password');

// Read only user
use dbforuser1
db.addUser('user1', 'user1_pass', true);

// Read / Write access
use dbforuser2
db.addUser('user2', 'user2_pass');

如果你想登录 dbforuser1

use dbforuser1
db.auth('user1', 'user1_pass')