Mongo: creating a user as administrator for any database raises an error


17

I am trying to create a simple user that has permission to access all databases and can perform any operation. When I try to run the createUser command, I get the following error:

db.createUser({ user: "mongoadmin" , pwd: "mongoadmin", roles: ["userAdminAnyDatabase", "dbAdminAnyDatabase", "readWriteAnyDatabase"]})
2015-08-20T17:09:42.300+0000 E QUERY    Error: couldn't add user: No role named userAdminAnyDatabase@new_vehicles_catalog

The problem above only occurs when I enable the authentication configuration and require it.

So, how do I create a user with administrator privileges for any database? I want it because I configured the mongo service to use authenticated connections. If I want to do a data dump, I have to use these authentication parameters.

Any help, please?

Using mongo version 3.0.5

The service runs on Amazon Linux AMI 2015.03 (HVM), SSD Volume Type - ami-1ecae776

Answers:


22

The "...AnyDatabase" roles should be added to the user in the admin database:

use admin
db.createUser({ user: "mongoadmin" , pwd: "mongoadmin", roles: ["userAdminAnyDatabase", "dbAdminAnyDatabase", "readWriteAnyDatabase"]})

Any database:

  • Database user roles
  • Database administration roles

Admin database:

  • Cluster administration roles
  • Backup and restoration roles
  • All-database roles

Additionally: to grant different roles on different databases and on admin:

db.createUser({user:"replSetManager",pwd:"password",roles:[{role:"clusterManager",db:"admin"},{role:"dbOwner", db:"adminsblog"},{role:"readWrite", db:"departmentblog"},{role:"read", db:"otherblog"}]})

1
I created the mongoadmin user on the admin database, but when I try to perform any operation in another database I get an authorization error.
Robert
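The rule behind this answer can be checked before the command ever reaches the server. The block below is an added example, not code from the answer or from MongoDB: it encodes the scoping rule that built-in roles ending in "AnyDatabase", the cluster roles and the backup/restore roles exist only in the admin database, and that a bare string role in createUser() means "that role in the current database". That is why the question's command, issued while another database was selected, failed with "No role named userAdminAnyDatabase@new_vehicles_catalog". The role-name lists come from the MongoDB built-in roles documentation; the function names and the report shape are this example's own.

```javascript
// Added example, not part of the answer: pre-flight check for a createUser()
// roles array, mirroring how mongod resolves role names.

// Built-in roles that are defined only in the admin database.
const ADMIN_ONLY_ROLES = new Set([
  "readAnyDatabase", "readWriteAnyDatabase", "userAdminAnyDatabase", "dbAdminAnyDatabase",
  "clusterAdmin", "clusterManager", "clusterMonitor", "hostManager",
  "backup", "restore", "root",
]);

// Built-in roles that may be granted in any database.
const PER_DB_ROLES = new Set(["read", "readWrite", "dbAdmin", "dbOwner", "userAdmin"]);

// createUser() accepts either "roleName" or { role, db }; a bare string is
// shorthand for the role in the database that is currently selected.
function normalizeRole(entry, currentDb) {
  if (typeof entry === "string") return { role: entry, db: currentDb };
  if (entry && typeof entry.role === "string" && typeof entry.db === "string") {
    return { role: entry.role, db: entry.db };
  }
  throw new TypeError("role entry must be a string or an object { role, db }");
}

// Check a roles array the way the server will. Admin-only roles granted outside
// admin are errors (same message text as the server); names that are not
// built-in are warnings, because they may be user-defined roles that must
// already exist in that database. fixedRoles is the same list with admin-only
// roles moved to the admin database.
function checkUserRoles(currentDb, roles) {
  const errors = [];
  const warnings = [];
  const fixedRoles = [];
  for (const entry of roles) {
    const { role, db } = normalizeRole(entry, currentDb);
    if (ADMIN_ONLY_ROLES.has(role)) {
      if (db !== "admin") errors.push(`No role named ${role}@${db}`);
      fixedRoles.push({ role, db: "admin" });
    } else {
      if (!PER_DB_ROLES.has(role)) {
        warnings.push(`${role}@${db} is not a built-in role; it must already exist in ${db}`);
      }
      fixedRoles.push({ role, db });
    }
  }
  return { ok: errors.length === 0, errors, warnings, fixedRoles };
}

// The question's command, issued while "use new_vehicles_catalog" was active.
const report = checkUserRoles("new_vehicles_catalog",
  ["userAdminAnyDatabase", "dbAdminAnyDatabase", "readWriteAnyDatabase"]);
console.log(report.errors[0]); // No role named userAdminAnyDatabase@new_vehicles_catalog
console.log(JSON.stringify(report.fixedRoles)); // every role rebound to db "admin"
```

The fixedRoles list is exactly what the accepted answer does by hand with `use admin`: the roles stay the same, only the database they are looked up in changes. Keeping a user-administration account at `userAdminAnyDatabase` alone, and giving a dump account the admin-database `backup` role instead of `readWriteAnyDatabase`, follows from the same table.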


0

Following the MongoDB BOL page "Enable Auth" for enabling access control, make sure you have a user in the admin database with the userAdmin or userAdminAnyDatabase role. This user can administer users and roles, for example: create users, grant or revoke roles from users, and create or modify custom roles.

You can create users before or after enabling access control. If you enable access control before creating any user, MongoDB provides a localhost exception which allows you to create a user administrator in the admin database. Once created, you must authenticate as the user administrator to create additional users as needed.

Procedure

You can follow the steps below to Enable Auth. First, add the user administrator to a MongoDB instance running without access control, then enable access control.

mongod --port 27017 --dbpath /data/db1

C:\Program Files\MongoDB\Server\3.6\bin>mongod --auth --port 27017 --dbpath /data/db1
2018-01-02T00:04:21.038-0700 I CONTROL  [initandlisten] MongoDB starting : pid=8048 port=27017 dbpath=/data/db1 64-bit host=ACSD140013
2018-01-02T00:04:21.038-0700 I CONTROL  [initandlisten] targetMinOS: Windows 7/Windows Server 2008 R2
2018-01-02T00:04:21.039-0700 I CONTROL  [initandlisten] db version v3.6.0
2018-01-02T00:04:21.039-0700 I CONTROL  [initandlisten] git version: a57d8e71e6998a2d0afde7edc11bd23e5661c915
2018-01-02T00:04:21.039-0700 I CONTROL  [initandlisten] OpenSSL version: OpenSSL 1.0.1u-fips  22 Sep 2016
2018-01-02T00:04:21.039-0700 I CONTROL  [initandlisten] allocator: tcmalloc
2018-01-02T00:04:21.039-0700 I CONTROL  [initandlisten] modules: none
2018-01-02T00:04:21.039-0700 I CONTROL  [initandlisten] build environment:
2018-01-02T00:04:21.039-0700 I CONTROL  [initandlisten]     distmod: 2008plus-ssl
2018-01-02T00:04:21.040-0700 I CONTROL  [initandlisten]     distarch: x86_64
2018-01-02T00:04:21.040-0700 I CONTROL  [initandlisten]     target_arch: x86_64
2018-01-02T00:04:21.040-0700 I CONTROL  [initandlisten] options: { net: { port: 27017 }, security: { authorization: "enabled" }, storage: { dbPath: "/data/db1" } }
2018-01-02T00:04:21.044-0700 I -        [initandlisten] Detected data files in /data/db1 created by the 'wiredTiger' storage engine, so setting the active storage engine to 'wiredTiger'.
2018-01-02T00:04:21.044-0700 I STORAGE  [initandlisten] wiredtiger_open config: create,cache_size=1508M,session_max=20000,eviction=(threads_min=4,threads_max=4),config_base=false,statistics=(fast),log=(enabled=true,archive=true,path=journal,compressor=snappy),file_manager=(close_idle_time=100000),statistics_log=(wait=0),verbose=(recovery_progress),
2018-01-02T00:04:21.557-0700 I STORAGE  [initandlisten] WiredTiger message [1514876661:556397][8048:140720576475904], txn-recover: Main recovery loop: starting at 1/35584
2018-01-02T00:04:21.677-0700 I STORAGE  [initandlisten] WiredTiger message [1514876661:676479][8048:140720576475904], txn-recover: Recovering log 1 through 2
2018-01-02T00:04:21.792-0700 I STORAGE  [initandlisten] WiredTiger message [1514876661:792524][8048:140720576475904], txn-recover: Recovering log 2 through 2
2018-01-02T00:04:23.008-0700 I CONTROL  [initandlisten]
2018-01-02T00:04:23.008-0700 I CONTROL  [initandlisten] ** WARNING: This server is bound to localhost.
2018-01-02T00:04:23.009-0700 I CONTROL  [initandlisten] **          Remote systems will be unable to connect to this server.
2018-01-02T00:04:23.010-0700 I CONTROL  [initandlisten] **          Start the server with --bind_ip <address> to specify which IP
2018-01-02T00:04:23.010-0700 I CONTROL  [initandlisten] **          addresses it should serve responses from, or with --bind_ip_all to
2018-01-02T00:04:23.010-0700 I CONTROL  [initandlisten] **          bind to all interfaces. If this behavior is desired, start the
2018-01-02T00:04:23.010-0700 I CONTROL  [initandlisten] **          server with --bind_ip 127.0.0.1 to disable this warning.
2018-01-02T00:04:23.011-0700 I CONTROL  [initandlisten]
2018-01-02T00:04:23.011-0700 I CONTROL  [initandlisten]
2018-01-02T00:04:23.011-0700 I CONTROL  [initandlisten] ** WARNING: The file system cache of this machine is configured to be greater than 40% of the total memory. This can lead to increased memory pressure and poor performance.
2018-01-02T00:04:23.011-0700 I CONTROL  [initandlisten] See http://dochub.mongodb.org/core/wt-windows-system-file-cache
2018-01-02T00:04:23.012-0700 I CONTROL  [initandlisten]
2018-01-02T10:04:23.320+0300 I FTDC     [initandlisten] Initializing full-time diagnostic data capture with directory '/data/db1/diagnostic.data'
2018-01-02T10:04:23.322+0300 I NETWORK  [initandlisten] waiting for connections on port 27017
2018-01-02T10:05:09.214+0300 I NETWORK  [listener] connection accepted from 127.0.0.1:64482 #1 (1 connection now open)

Connect to the instance

For example, connect the mongo shell to the instance.

mongo --port 27017

Specify additional command-line options as needed to connect the mongo shell to your deployment, such as --host.

Create the user administrator

For example, in the admin database, add a user with the userAdminAnyDatabase role. For example, the following creates the user myUserAdmin in the admin database:

> use admin
switched to db admin
> use admin
switched to db admin
> db.createUser(
...   {
...     user: "mongoadmin",
...     pwd: "mongoadmin",
...     roles: [ { role: "userAdminAnyDatabase", db: "admin" } ]
...   }
... )
Successfully added user: {
        "user" : "mongoadmin",
        "roles" : [
                {
                        "role" : "userAdminAnyDatabase",
                        "db" : "admin"
                }
        ]
}

Note: the database in which you create the user (admin in this example) is the user's authentication database. Although the user authenticates to this database, the user can have roles in other databases; i.e. the user's authentication database does not limit the user's privileges.

Disconnect the mongo shell.

Restart the MongoDB instance with access control

Restart the mongod instance with the --auth command-line option or, if using a configuration file, the security.authorization setting.

mongod --auth --port 27017 --dbpath /data/db1

Clients that connect to this instance must now authenticate themselves as a MongoDB user. Clients can only perform the actions determined by their assigned roles.

Connect and authenticate as the user administrator

Using the mongo shell, you can either:

  • connect with authentication by passing the user credentials, or

  • connect first without authenticating, then issue the db.auth() method to authenticate.

To authenticate during connection, start the mongo shell with the -u <username>, -p <password>, and --authenticationDatabase <database> command-line options:

C:\Program Files\MongoDB\Server\3.6\bin>mongo --port 27017 -u "mongoadmin" -p "mongoadmin" --authenticationDatabase "admin"
MongoDB shell version v3.6.0
connecting to: mongodb://127.0.0.1:27017/
MongoDB server version: 3.6.0
Welcome to the MongoDB shell.
For interactive help, type "help".
For more comprehensive documentation, see
        http://docs.mongodb.org/
Questions? Try the support group
        http://groups.google.com/group/mongodb-user
2018-01-02T10:05:09.248+0300 I STORAGE  [main] In File::open(), CreateFileW for 'H:\\.mongorc.js' failed with Access is denied.

Authenticate after connecting

Connect the mongo shell to mongod

mongo --port 27017

Switch to the authentication database (admin in this example), then authenticate with the db.auth(<username>, <password>) method:

> use admin
switched to db admin
> db.auth("mongoadmin","mongoadmin")
1
>
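The step that actually closes the hole is the restart with --auth (or security.authorization: enabled): if the option is missing, every step before it was wasted and the server still accepts unauthenticated clients. The block below is an added example, not code from the answer or from MongoDB, that reads a mongod startup log and reports whether access control is on, which port and data path the server reported, and whether it is bound to localhost only. The first sample is assembled from lines copied from the answer's own transcript; the second is a constructed variant with the security block removed from the options line. The function names and the findings text are this example's own.

```javascript
// Added example, not part of the answer: audit a mongod startup log for the
// settings that matter after "Restart the MongoDB instance with access control".

// Lines copied from the answer's transcript (mongod 3.6 started with --auth).
const LOG_WITH_AUTH = [
  '2018-01-02T00:04:21.038-0700 I CONTROL  [initandlisten] MongoDB starting : pid=8048 port=27017 dbpath=/data/db1 64-bit host=ACSD140013',
  '2018-01-02T00:04:21.039-0700 I CONTROL  [initandlisten] db version v3.6.0',
  '2018-01-02T00:04:21.040-0700 I CONTROL  [initandlisten] options: { net: { port: 27017 }, security: { authorization: "enabled" }, storage: { dbPath: "/data/db1" } }',
  '2018-01-02T00:04:23.008-0700 I CONTROL  [initandlisten] ** WARNING: This server is bound to localhost.',
  '2018-01-02T10:04:23.322+0300 I NETWORK  [initandlisten] waiting for connections on port 27017',
].join("\n");

// Constructed sample: the same server started without --auth, so the options
// line carries no security block.
const LOG_WITHOUT_AUTH = LOG_WITH_AUTH.replace(', security: { authorization: "enabled" }', "");

// Extract the fields a reviewer wants from the startup banner. The options
// line is not JSON (unquoted keys), so it is matched with regular expressions.
function auditMongodStartup(logText) {
  const result = {
    version: null, port: null, dbPath: null,
    authorizationEnabled: false, localhostOnly: false, listening: false,
  };
  for (const line of logText.split("\n")) {
    let m;
    if ((m = line.match(/db version v([\d.]+)/))) result.version = m[1];
    if ((m = line.match(/MongoDB starting : pid=\d+ port=(\d+) dbpath=(\S+)/))) {
      result.port = Number(m[1]);
      result.dbPath = m[2];
    }
    if (/\boptions:/.test(line) && /security:\s*\{[^}]*authorization:\s*"enabled"/.test(line)) {
      result.authorizationEnabled = true;
    }
    if (/WARNING: This server is bound to localhost/.test(line)) result.localhostOnly = true;
    if (/waiting for connections on port \d+/.test(line)) result.listening = true;
  }
  return result;
}

// Turn the parsed fields into findings; an empty list means the restart took.
function startupFindings(logText) {
  const a = auditMongodStartup(logText);
  const findings = [];
  if (!a.authorizationEnabled) {
    findings.push("access control is OFF: restart with --auth or security.authorization: enabled");
  }
  if (!a.localhostOnly) {
    findings.push("server is reachable from other hosts: every client must authenticate");
  }
  if (!a.listening) findings.push("no 'waiting for connections' line: server did not finish starting");
  return findings;
}

console.log(auditMongodStartup(LOG_WITH_AUTH));   // authorizationEnabled: true, port 27017
console.log(startupFindings(LOG_WITHOUT_AUTH));   // one finding: access control is OFF
```

Running this against the real log file after each restart (or feeding it the `options:` line from `db.serverCmdLineOpts()`) is a cheap way to catch the case where a service manager restarted mongod from an old unit file without the --auth flag.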
Licensed under cc by-sa 3.0 with attribution required.