MongoDB: querying view DDL fails with "not authorized on xxx to execute command { find: system.views"

Posted by 清風艾艾 on 2021-04-21

    While migrating MongoDB databases recently, I found that during the migration of a sharded cluster, views and functions were not carried over to the target. The DDL definitions of the views and functions therefore had to be queried manually on the source and used to recreate them on the target. Querying the views, however, failed with an insufficient-permissions error.

    Querying the view DDL definitions on the MongoDB sharded cluster produced the following error:

[[email protected] ~]$ mongo --port 50001 -usys -pzhulei  --authenticationDatabase admin
MongoDB shell version v4.2.3
connecting to: mongodb://127.0.0.1:50001/?authSource=admin&compressors=disabled&gssapiServiceName=mongodb
Implicit session: session { "id" : UUID("d53970e1-edce-4811-b827-4386a0f3f707") }
MongoDB server version: 4.2.3
> use poc_mig_mongo1
switched to db poc_mig_mongo1
> show tables;
ceshi1
ceshi2
ceshi3
ceshi4
ceshi5
system.views
v_ceshi2
v_ceshi3
v_ceshi4
v_ceshi5
> db.system.views.find();
Error: error: {
    "ok" : 0,
    "errmsg" : " not authorized on poc_mig_mongo1 to execute command { find: \"system.views\", filter: {}, lsid: { id: UUID(\"e2d688de-b6e8-4bc9-9685-8344af3b9132\") }, $db: \"poc_mig_mongo1\" }",
    "code" : 13,
    "codeName" : "Unauthorized"
}

    Searching online, I found advice that a new role granting queries on system.views is required: views created in MongoDB are stored in the system.views collection of the database they belong to, and ordinary users have no permission to query that collection, so a role with query access to system.views must be created manually and granted to the application user or to another ordinary administrative user. For the details, see the reference link:

    The handling of this view DDL query error was as follows:

Step 1: log in to the database without authentication, create the role and grant it

---Create the view-query role

>  use admin
switched to db admin
> db.runCommand({ createRole: "readViewCollection",
...   privileges: [
...     { resource: { db: "", collection: "system.views" }, actions: [ "find"] }],
...     roles : []
... })
{ "ok" : 1 }

---Check the database's internal users
> db.system.users.find();
{ "_id" : "admin.sys", "userId" : UUID("2b81f6a2-ffe9-44f9-8894-d7ded8af414c"), "user" : "sys", "db" : "admin", "credentials" : { "SCRAM-SHA-1" : { "iterationCount" : 10000, "salt" : "uoRvRSkMfQVw9uJKJKD2/Q==", "storedKey" : "5yLO4i4yVulN+kg1FwQHcAThLqM=", "serverKey" : "/3PPUXlxv3SZX7P5KgfQKwlXNzM=" }, "SCRAM-SHA-256" : { "iterationCount" : 15000, "salt" : "cg5AAevAY4lXvgi+5zMRrbug4jTor3HKh2helg==", "storedKey" : "qU1INTjrtuvD+3S9PTmOzlnAV8+OEnsT/kjo34MavwI=", "serverKey" : "9XiUPP2X+4TSqFte4a17vJkHlD2eVXv3aorTCQQPdu8=" } }, "roles" : [ { "role" : "read", "db" : "poc_mig_mongo1" }, { "role" : "userAdminAnyDatabase", "db" : "admin" }, { "role" : "dbAdmin", "db" : "poc_mig_mongo1" }, { "role" : "readWrite", "db" : "poc_mig_mongo1" } ] }

---Grant the sys user the view-query role
> use admin
switched to db admin
> db.grantRolesToUser('sys',['readViewCollection']);

Step 2: log in with authentication and test

[[email protected] ~]$ mongo --port 50001 -usys -pzhulei  --authenticationDatabase admin
MongoDB shell version v4.2.3
connecting to: mongodb://127.0.0.1:50001/?authSource=admin&compressors=disabled&gssapiServiceName=mongodb
Implicit session: session { "id" : UUID("d53970e1-edce-4811-b827-4386a0f3f707") }
MongoDB server version: 4.2.3
> show dbs;
admin           0.000GB
config          0.000GB
dns_testdb      0.012GB
local           0.000GB
poc_mig_mongo1  0.000GB
> use poc_mig_mongo1
switched to db poc_mig_mongo1
> show tables;
ceshi1
ceshi2
ceshi3
ceshi4
ceshi5
system.views
v_ceshi2
v_ceshi3
v_ceshi4
v_ceshi5
> db.system.views.find();
{ "_id" : "poc_mig_mongo1.v_ceshi5", "viewOn" : "ceshi5", "pipeline" : [ { "$match" : { "name" : "nanjing" } } ] }
{ "_id" : "poc_mig_mongo1.v_ceshi3", "viewOn" : "ceshi13", "pipeline" : [ { "$match" : { "name" : "hubei" } } ] }
{ "_id" : "poc_mig_mongo1.v_ceshi4", "viewOn" : "ceshi42", "pipeline" : [ { "$match" : { "name" : "hunan" } } ] }
{ "_id" : "poc_mig_mongo1.v_ceshi2", "viewOn" : "ceshi2", "pipeline" : [ { "$match" : { "name" : "nanning" } } ] }

  Problem resolved!
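The two steps above (the createRole document in Step 1 and the system.views output read in Step 2) leave the actual DDL reconstruction to hand work. The following is an added example, not code from the original post: a small Node.js script that turns system.views documents into db.createView() statements for the target and builds the same role document. The view documents and collection list are constructed from the post's own shell output. Two points it makes explicit: the resource { db: "", collection: "system.views" } used in the post grants find on system.views in every database, so the function takes an optional database name to narrow the role to the migration database; and the post's output shows v_ceshi3 and v_ceshi4 built on collections (ceshi13, ceshi42) that do not appear in the show tables listing, so the script flags views whose source is missing before the DDL is run on the target.

```javascript
// Added example (not from the original post): reconstruct view DDL for the
// migration target from system.views documents, and build the least-privilege
// role document used in the post. Runs under Node.js without a MongoDB driver;
// all input below is constructed from the post's shell output.

// Role document from the post. db: "" scopes the privilege to system.views in
// every database; pass the migration database name instead to narrow it.
function readViewCollectionRole(roleName = "readViewCollection", dbScope = "") {
  return {
    createRole: roleName,
    privileges: [
      { resource: { db: dbScope, collection: "system.views" }, actions: ["find"] },
    ],
    roles: [],
  };
}

// Constructed sample: the four documents db.system.views.find() returned in the post.
const sampleViews = [
  { _id: "poc_mig_mongo1.v_ceshi5", viewOn: "ceshi5", pipeline: [{ $match: { name: "nanjing" } }] },
  { _id: "poc_mig_mongo1.v_ceshi3", viewOn: "ceshi13", pipeline: [{ $match: { name: "hubei" } }] },
  { _id: "poc_mig_mongo1.v_ceshi4", viewOn: "ceshi42", pipeline: [{ $match: { name: "hunan" } }] },
  { _id: "poc_mig_mongo1.v_ceshi2", viewOn: "ceshi2", pipeline: [{ $match: { name: "nanning" } }] },
];

// Constructed sample: the collections listed by `show tables` in the post, views excluded.
const sampleCollections = ["ceshi1", "ceshi2", "ceshi3", "ceshi4", "ceshi5"];

// A system.views _id has the form "<db>.<view>"; split at the first dot only,
// because a view name may contain dots while a database name may not.
function splitViewId(id) {
  const dot = id.indexOf(".");
  if (dot < 1) throw new Error(`unexpected system.views _id: ${id}`);
  return { db: id.slice(0, dot), name: id.slice(dot + 1) };
}

// One db.createView(name, source, pipeline) statement per view document, grouped
// under a `use <db>` line so the output can be pasted into a mongo shell on the target.
function viewDdl(docs) {
  const byDb = new Map();
  for (const doc of docs) {
    const { db, name } = splitViewId(doc._id);
    const stmt = `db.createView(${JSON.stringify(name)}, ${JSON.stringify(doc.viewOn)}, ${JSON.stringify(doc.pipeline)});`;
    if (!byDb.has(db)) byDb.set(db, []);
    byDb.get(db).push(stmt);
  }
  const lines = [];
  for (const [db, stmts] of byDb) {
    lines.push(`use ${db}`, ...stmts);
  }
  return lines;
}

// Views whose viewOn source is neither a known collection nor another view would
// be created dangling on the target; report their _ids before running the DDL.
function danglingViews(docs, collections) {
  const known = new Set(collections);
  for (const doc of docs) known.add(splitViewId(doc._id).name); // a view may be built on a view
  return docs.filter((doc) => !known.has(doc.viewOn)).map((doc) => doc._id);
}

// Stand-alone run: print the role document, the DDL, and any dangling views.
console.log(JSON.stringify(readViewCollectionRole(), null, 2));
console.log(viewDdl(sampleViews).join("\n"));
console.log("dangling views:", danglingViews(sampleViews, sampleCollections));
```

Feed the script the real find() output (for example by dumping system.views to JSON on the source) and it prints a ready-to-paste DDL script per database; the dangling-view list is worth resolving on the source before the target is built, since createView succeeds even when the source collection does not exist and the problem only surfaces when the view is queried.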

From "ITPUB Blog", link: http://blog.itpub.net/29357786/viewspace-2769019/. Please cite the source when reproducing; otherwise legal liability will be pursued.