Steps to create a role with custom privileges (find, insert and update only) in MongoDB 4.0

Posted by chenfeng on 2022-05-18

Create a role with custom privileges (find, insert and update only). The author runs createRole first in admin and then in test; a role belongs to the database it is created in, so the role the user below refers to is the one in test:

PRIMARY> use admin
PRIMARY> db.createRole({role:"custom_role",privileges: [ {resource: { db: "test", collection: "test" }, actions: ["insert","update","find" ] }],roles:[ {role:"read", db:"test"} ]})
{
        "role" : "custom_role",
        "privileges" : [
                {
                        "resource" : {
                                "db" : "test",
                                "collection" : "test"
                        },
                        "actions" : [
                                "insert",
                                "update",
                                "find"
                        ]
                }
        ],
        "roles" : [
                {
                        "role" : "read",
                        "db" : "test"
                }
        ]
}


PRIMARY> use test
PRIMARY> db.createRole({role:"custom_role",privileges: [ {resource: { db: "test", collection: "test" }, actions: ["insert","update","find" ] }],roles:[ {role:"read", db:"test"} ]})
{
        "role" : "custom_role",
        "privileges" : [
                {
                        "resource" : {
                                "db" : "test",
                                "collection" : "test"
                        },
                        "actions" : [
                                "insert",
                                "update",
                                "find"
                        ]
                }
        ],
        "roles" : [
                {
                        "role" : "read",
                        "db" : "test"
                }
        ]
}


Create the ordinary user test_rw, with roles set to the custom role just created:

PRIMARY> use test
PRIMARY> db.createUser(
   {
         user: "test_rw",
         pwd: "test",
         roles: [ { role: "custom_role", db: "test" }]
   }
 );
Successfully added user: {
        "user" : "test_rw",
        "roles" : [
                {
                        "role" : "custom_role",
                        "db" : "test"
                }
        ]
}


PRIMARY> use admin
PRIMARY> db.createUser(
  {
        user: "test_rw",
        pwd: "test",
        roles: [ { role: "custom_role", db: "test" }]
  }
);



Grant the custom_role role to the test_rw user:

PRIMARY> db.grantRolesToUser("test_rw",[{role:"custom_role",db:"test"}])


Revoke the test_rw user's readWrite role on the test database:

PRIMARY> db.revokeRolesFromUser("test_rw",[{"role" : "readWrite","db" : "test"}])


View the user that was created:

PRIMARY> use test
switched to db test
PRIMARY> show users
{
        "_id" : "test.test_rw",
        "userId" : UUID("ce94e5b9-cf81-4dec-a246-5670e4d0437b"),
        "user" : "test_rw",
        "db" : "test",
        "roles" : [
                {
                        "role" : "custom_role",
                        "db" : "test"
                }
        ],
        "mechanisms" : [
                "SCRAM-SHA-1",
                "SCRAM-SHA-256"
        ]
}


Tests:

insert works:

PRIMARY> db.test.save({id:"1","name" : "dsf"})
WriteResult({ "nInserted" : 1 })
PRIMARY> db.test.save({id:"2","name" : "huyih"})
WriteResult({ "nInserted" : 1 })
PRIMARY> db.test.save({id:"3","name" : "chenfeng"})
WriteResult({ "nInserted" : 1 })
PRIMARY> db.test.save({id:"4","name" : "zhangsan"})
WriteResult({ "nInserted" : 1 })
PRIMARY> db.test.save({id:"5","name" : "lisi"})
WriteResult({ "nInserted" : 1 })
PRIMARY> db.test.save({id:"6","name" : "lishishi"})
WriteResult({ "nInserted" : 1 })


update works:

PRIMARY> db.test.update({id:"1","name" : "dsf"},{$set:{id:"1","name" : "sunxim"}})
WriteResult({ "nMatched" : 1, "nUpserted" : 0, "nModified" : 1 })


find works:

PRIMARY> db.test.find()
{ "_id" : ObjectId("6283495ca66296017ea02258"), "id" : "1", "name" : "sunxim" }
{ "_id" : ObjectId("6283495ca66296017ea02259"), "id" : "2", "name" : "huyih" }
{ "_id" : ObjectId("6283495ca66296017ea0225a"), "id" : "3", "name" : "chenfeng" }
{ "_id" : ObjectId("6283495ca66296017ea0225b"), "id" : "4", "name" : "zhangsan" }
{ "_id" : ObjectId("6283495ca66296017ea0225c"), "id" : "5", "name" : "lisi" }



But the database cannot be dropped:

PRIMARY> db.dropDatabase();
{
        "ok" : 0,
        "errmsg" : "not authorized on test to execute command { dropDatabase: 1.0, writeConcern: { w: \"majority\", wtimeout: 600000.0 }, lsid: { id: UUID(\"2b07b1d1-0c30-42a7-b8f6-48345895a138\") }, $db: \"test\" }",
        "code" : 13,
        "codeName" : "Unauthorized"
}


The collection cannot be dropped either:

PRIMARY> db.test.drop()
2022-05-16T22:45:43.294-0700 E QUERY    [js] Error: drop failed: {
        "operationTime" : Timestamp(1652766343, 3),
        "ok" : 0,
        "errmsg" : "not authorized on test to execute command { drop: \"test\", lsid: { id: UUID(\"233df021-0e9d-4ad1-b01e-96d41b50b3c6\") }, $clusterTime: { clusterTime: Timestamp(1652766335, 1), signature: { hash: BinData(0, 387A28B3A42EAE488DBBCE581D8967C40D20248F), keyId: 7052381551807430657 } }, $db: \"test\" }",
        "code" : 13,
        "codeName" : "Unauthorized",
        "$clusterTime" : {
                "clusterTime" : Timestamp(1652766343, 3),
                "signature" : {
                        "hash" : BinData(0,"q43aWx3zYYxuD6dLrFc/z2Hf5qo="),
                        "keyId" : NumberLong("7052381551807430657")
                }
        }
} :
_getErrorWithCode@src/mongo/shell/utils.js:25:13
DBCollection.prototype.drop@src/mongo/shell/collection.js:719:1
@(shell):1:1



Records cannot be deleted:

PRIMARY> db.test.remove({id:"5","name" : "lisi"})
WriteCommandError({
        "ok" : 0,
        "errmsg" : "not authorized on test to execute command { delete: \"test\", ordered: true, lsid: { id: UUID(\"2b07b1d1-0c30-42a7-b8f6-48345895a138\") }, $db: \"test\" }",
        "code" : 13,
        "codeName" : "Unauthorized"
})
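An added example, not from the original post, that models offline how MongoDB resolves the role document above into an allow/deny decision, so the outcome of each test above can be predicted before the role is granted to a real user. It assumes a simplified built-in read role (find, listCollections and listIndexes on every collection in the database) and maps each shell command to the privilege action it needs; note that the inherited read role lets test_rw query every collection in test, not only test.test.

```javascript
// Added example (not the post's own code): an offline model of how MongoDB matches a
// requested action against the privileges a user's roles grant. Resource rules modelled:
// {db, collection} is one namespace; {db, collection: ""} is every collection in that db.
const roleDefs = {
  // The role definition from the post, as stored in the test database.
  "test.custom_role": {
    privileges: [
      { resource: { db: "test", collection: "test" }, actions: ["insert", "update", "find"] },
    ],
    roles: [{ role: "read", db: "test" }],
  },
  // Assumption: a simplified model of the built-in "read" role (three of its actions).
  "test.read": {
    privileges: [
      { resource: { db: "test", collection: "" }, actions: ["find", "listCollections", "listIndexes"] },
    ],
    roles: [],
  },
};
function resourceMatches(granted, requested) {
  if (granted.db !== requested.db) return false;
  return granted.collection === "" || granted.collection === requested.collection;
}

// Collects the privileges of a role and, recursively, of every role it inherits.
function effectivePrivileges(roleRef, seen = new Set()) {
  const key = `${roleRef.db}.${roleRef.role}`;
  if (seen.has(key) || !roleDefs[key]) return [];
  seen.add(key);
  const def = roleDefs[key];
  return def.privileges.concat(...def.roles.map((r) => effectivePrivileges(r, seen)));
}
// True if any privilege reachable from the user's roles covers the action on the resource.
function isAuthorized(userRoles, action, resource) {
  return userRoles
    .flatMap((r) => effectivePrivileges(r))
    .some((p) => resourceMatches(p.resource, resource) && p.actions.includes(action));
}

// The user from the post; actions behind its shell commands: save -> insert,
// update -> update, find -> find, remove -> remove, db.test.drop() -> dropCollection,
// db.dropDatabase() -> dropDatabase (checked against the database resource).
const testRw = [{ role: "custom_role", db: "test" }];
const ns = { db: "test", collection: "test" };
console.log(isAuthorized(testRw, "insert", ns));                                   // true
console.log(isAuthorized(testRw, "remove", ns));                                   // false
console.log(isAuthorized(testRw, "dropDatabase", { db: "test", collection: "" }));  // false
console.log(isAuthorized(testRw, "find", { db: "test", collection: "other" }));    // true: inherited read
console.log(isAuthorized(testRw, "insert", { db: "test", collection: "other" }));  // false
```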


From the ITPUB blog, link: http://blog.itpub.net/15498/viewspace-2895022/. Please credit the source when reposting; otherwise legal action will be pursued.
