WeChat public account: [Front end cook in a pot]
A little technique, a little thinking.
For questions or suggestions, please leave a message on the official account.

Related commands

Check the locally installed mongodb version: mongo --version

Check the mongodb running on this machine: ps aux | grep mongodb

Connect to the local database: mongo localhost:27017

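Connect to the local database with a username and password: mongo --port 27017 -u 'admin' -p 'admin_root_test' (omit the value after -p to be prompted for the password, which keeps it out of the shell history)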

Display the database list: show dbs

Switch/create database: use mytest

Delete the current database: db.dropDatabase()

Create collection: db.createCollection('book')

Display all current users: show users

Delete user: db.dropUser('myread')

Kill the running mongodb: kill <pid>

Read-only permission settings

  1. Start the mongodb service

mac: mongod --dbpath /usr/local/var/mongodb --logpath /usr/local/var/log/mongodb/mongo.log --fork

linux: systemctl start mongod or service mongod start

  2. Open the mongo shell

mongo localhost:27017

  3. Create an administrator account

use admin
db.createUser({user:'admin', pwd:'admin_root_test',roles:[{ role: 'root', db: 'admin' }]})

  4. Shut down mongodb

db.adminCommand( { shutdown: 1 } )

or

ps -ef | grep mongodb # find the mongodb pid
kill <pid>

  5. Restart with authorization enabled

mongod --auth --dbpath /usr/local/var/mongodb --logpath /usr/local/var/log/mongodb/mongo.log --fork

or set the following in the configuration file and start the service again

vi /etc/mongod.conf
security:
  authorization: enabled

  6. Open the mongo shell again, this time logging in as the administrator

mongo --port 27017 -u 'admin' -p 'admin_root_test'

  7. Create a read-only user

use mytest // create the database
db.createCollection('book') // create a collection so that show dbs lists the database
db.createUser({ user: 'myread', pwd: 'myread_pwd', roles: [{ role: 'read', db: 'mytest' }] })

Interpretation of role permissions

Built-In Roles:

  1. Database user roles: read, readWrite.
  2. Database management roles: dbAdmin, dbOwner, userAdmin.
  3. Cluster management roles: clusterAdmin, clusterManager, clusterMonitor, hostManager.
  4. Backup and restore roles: backup, restore.
  5. All database roles: readAnyDatabase, readWriteAnyDatabase, userAdminAnyDatabase, dbAdminAnyDatabase.
  6. Super user role: root. Several other roles also provide system super user access, directly or indirectly (dbOwner, userAdmin, userAdminAnyDatabase).
  7. Internal role: __system.

Specific role:

  • read: Allow users to read the specified database.
  • readWrite: Allow users to read and write the specified database.
  • dbAdmin: Allows users to perform management functions in the specified database, such as index creation, deletion, viewing statistics or access.
  • userAdmin: Allow users to write to the system.users collection, and create, delete and manage users in the specified database.
  • clusterAdmin: Only available in the admin database. It gives the user management authority over all sharding and replica set related functions.
  • readAnyDatabase: Only available in the admin database, grants users read permissions for all databases.
  • readWriteAnyDatabase: Only available in the admin database, giving the user read and write permissions for all databases.
  • userAdminAnyDatabase: Only available in the admin database, giving the user the userAdmin authority for all databases.
  • dbAdminAnyDatabase: It is only available in the admin database and gives the user dbAdmin permissions for all databases.
  • root: Only available in admin database. Super account, super authority.
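
An added example, not part of the original post: a Node.js check that takes user documents in the shape the usersInfo command returns and reports which accounts are really read-only and which hold roles from the super user or all-database groups listed above. The sample documents, including the `report` user, are constructed for illustration.

```javascript
// Added example, not from the original post. Sample user documents are constructed.
const SUPERUSER = new Set(['root', '__system']);
// Roles the list above names as giving super user access directly or indirectly.
const ESCALATION = new Set(['dbOwner', 'userAdmin', 'userAdminAnyDatabase']);
const READ_ONLY = new Set(['read', 'readAnyDatabase']);

// createUser accepts a bare role name, meaning that role on the user's own database.
function normalizeRole(r, userDb) {
  return typeof r === 'string' ? { role: r, db: userDb } : r;
}

// Returns { user, readOnly, findings } for one user document.
function auditUser(u) {
  const roles = (u.roles || []).map((r) => normalizeRole(r, u.db));
  const findings = [];
  for (const { role, db } of roles) {
    if (SUPERUSER.has(role)) {
      findings.push(`${role}@${db}: superuser`);
    } else if (ESCALATION.has(role)) {
      findings.push(`${role}@${db}: can grant roles, so can escalate`);
    } else if (/AnyDatabase$/.test(role) || /^cluster/.test(role)) {
      findings.push(`${role}@${db}: scope is every database or the cluster`);
    }
  }
  // Read-only means at least one role and nothing but read roles.
  const readOnly = roles.length > 0 && roles.every((r) => READ_ONLY.has(r.role));
  return { user: `${u.db}.${u.user}`, readOnly, findings };
}

// Users that were expected to be read-only but hold something more.
function readOnlyViolations(users, expectedReadOnly) {
  return users
    .filter((u) => expectedReadOnly.includes(u.user))
    .map(auditUser)
    .filter((a) => !a.readOnly)
    .map((a) => a.user);
}

// Constructed sample: the two users created above plus a hypothetical drifted account.
const sampleUsers = [
  { user: 'admin', db: 'admin', roles: [{ role: 'root', db: 'admin' }] },
  { user: 'myread', db: 'mytest', roles: [{ role: 'read', db: 'mytest' }] },
  { user: 'report', db: 'mytest', roles: [{ role: 'read', db: 'mytest' }, { role: 'dbOwner', db: 'mytest' }] },
];

for (const u of sampleUsers) console.log(JSON.stringify(auditUser(u)));
console.log('violations:', readOnlyViolations(sampleUsers, ['myread', 'report']));
```
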
