Minimum permission for using mongodump (to dump a specific db)


Question

We can't seem to find any conclusive document on what permissions (user roles) are required to run mongodump on a specific db.

Say I have a db named x and a user y on it with the following roles, roles: [ "readWrite", "dbAdmin" ], as well as 2 users a and b on the admin collection with roles: [ "userAdminAnyDatabase" ] and roles: [ "dbAdminAnyDatabase" ]; it seems none of them has the right permission to run mongodump:

mongodump --db x --username y --password --authenticationDatabase x

Tue Dec 10 17:04:23.901     x.system.users to dump/x/system.users.bson
assertion: 11010 count fails:{ ok: 0.0, errmsg: "unauthorized" }

mongodump --db x --username a --password --authenticationDatabase admin

Tue Dec 10 17:06:19.674 DATABASE: x  to     dump/x
assertion: 13106 nextSafe(): { $err: "not authorized for query on x.system.indexes", code: 16550 }

mongodump --db x --username b --password --authenticationDatabase admin

Tue Dec 10 17:08:20.678 DATABASE: x  to     dump/x
assertion: 13106 nextSafe(): { $err: "not authorized for query on x.system.namespaces", code: 16550 }

We must be missing something obvious, but what does mongodump look for when dumping a database and what permission does it need?

PS: as a bonus, we would like to figure out what user roles are needed to dump a specific collection, as well as all db(s).

Answer

TL;DR: For mongodb 2.4, you need at least a user with read role as well as userAdmin on the db. Or else you will run into the error we faced in the question when dumping system.users.bson on such db.

So we overlooked an important reference: man mongodump

However, you need to have mongodump 2.4.x to see the relevant section, so here is a reference via mongodb github docs:

Required User Privileges
------------------------

.. note:: User privileges changed in MongoDB 2.4.

The user must have appropriate privileges to read data from database
holding collections in order to use :program:`mongodump`. Consider the
following :doc:`required privileges </reference/system-defined-roles>` for
the following :program:`mongodump` operations:

.. list-table::
   :header-rows: 1

   * - Task
     - Required Privileges

   * - All collections in a database except ``system.users``.
     - :authrole:`read`. [#read-or-read-write]_

   * - All collections in a database, including ``system.users``.
     - :authrole:`read` [#read-or-read-write]_ and :authrole:`userAdmin`.

   * - All databases. [#profiling-exception]_
     - :authrole:`readAnyDatabase`, :authrole:`userAdminAnyDatabase`,
       and :authrole:`clusterAdmin`. [#cluster-admin]_

See :doc:`/reference/system-defined-roles` and
:doc:`/reference/privilege-documents` for more information on user
roles.

.. [#read-or-read-write] You may provision :authrole:`readWrite`
   instead of :authrole:`read`.

.. [#cluster-admin] :authrole:`clusterAdmin` provides the ability to
   run the :dbcommand:`listDatabases` command, to list all existing
   databases.

.. [#profiling-exception] If any database runs with profiling enabled,
   :program:`mongodump` may need the
   :authrole:`dbAdminAnyDatabase` privilege to dump the
   ``system.profile`` collection.

PS: there is currently no way to skip certain collection(s), so if you only have the read or readWrite role on a db, you need to dump each collection individually.
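Added example, not part of the original question or answer, showing how the two halves of the answer fit together in practice on MongoDB 2.4: provisioning a backup user with exactly read plus userAdmin on the target database, and, when the user has only read or readWrite, dumping every non-system collection one mongodump invocation at a time (since mongodump cannot be told to skip system.users). The script's names (dump.sh, backup_user_js, user_collections, MONGO_PWD, OUT_DIR and the MONGO/MONGODUMP overrides) are this example's own; the mongo and mongodump flags are the 2.4 ones already used in the question. One caveat worth weighing before granting userAdmin: on 2.4 that role lets its holder create and modify users on the database, including granting itself readWrite, so a "read + userAdmin" backup account is not a read-only account. If system.users does not need to be in the dump, the per-collection loop with a plain read user keeps the backup credential genuinely read-only.

```shell
#!/bin/sh
# Added example; not code from the original question, the answer, or MongoDB.
# Assumes MongoDB 2.4 command-line tools (mongo, mongodump) and a reachable
# mongod. MONGO, MONGODUMP and OUT_DIR are this script's own knobs; the first
# two can be pointed at a stub (e.g. MONGODUMP=echo) to dry-run the logic.
MONGO="${MONGO:-mongo}"
MONGODUMP="${MONGODUMP:-mongodump}"
OUT_DIR="${OUT_DIR:-dump}"

# Emit the 2.4-style addUser() call for a least-privilege backup user on DB $1
# named $2. "read" is enough for every collection except system.users, and
# "userAdmin" is the extra role mongodump needs for system.users.bson. The
# password is read from stdin so it does not land in argv or shell history;
# run the resulting JS as a user holding userAdmin (or userAdminAnyDatabase)
# on database $1.
backup_user_js() {
    IFS= read -r pw
    printf 'db.getSiblingDB("%s").addUser({ user: "%s", pwd: "%s", roles: [ "read", "userAdmin" ] });\n' \
        "$1" "$2" "$pw"
}

# Filter a newline-separated list of collection names down to the ones a
# read-only user may dump: mongodump 2.4 cannot be told to skip system.users,
# so when the user lacks userAdmin the per-collection loop has to leave the
# system.* collections out itself.
user_collections() {
    grep -v -e '^system\.' -e '^$' || true
}

# List the collections of DB $1 as user $2 (authenticating against $1); this
# needs only read. The password comes from MONGO_PWD: on 2.4 the only
# alternative is the interactive --password prompt, repeated per invocation.
list_collections() {
    "$MONGO" --quiet --username "$2" --password "$MONGO_PWD" \
        --authenticationDatabase "$1" \
        --eval 'print(db.getCollectionNames().join("\n"))' "$1" | user_collections
}

# Dump DB $1 as user $2, one mongodump run per collection named in $3 onward.
dump_each_collection() {
    db="$1"; user="$2"; shift 2
    for coll in "$@"; do
        "$MONGODUMP" --db "$db" --collection "$coll" --username "$user" \
            --password "$MONGO_PWD" --authenticationDatabase "$db" \
            --out "$OUT_DIR" || return 1
    done
}

main() {
    case "${1:-}" in
        create-user)   # sh dump.sh create-user DB USER   (password on stdin)
            backup_user_js "$2" "$3" ;;
        dump)          # MONGO_PWD=... sh dump.sh dump DB USER
            # collection names contain no whitespace, so splitting is intended
            dump_each_collection "$2" "$3" $(list_collections "$2" "$3") ;;
        *)
            echo "usage: $0 create-user DB USER | dump DB USER" >&2; return 2 ;;
    esac
}

if [ $# -gt 0 ]; then
    main "$@"
fi
```

For the one-off user creation, pipe the backup password into `sh dump.sh create-user x backup`, hand the printed JS to the mongo shell as a user who holds userAdmin on x, and avoid writing it to disk, since the password is embedded in the statement. For the routine backup, `MONGO_PWD=... sh dump.sh dump x backup` needs nothing beyond the read role; expect the password to be visible in `ps` for the duration of each mongodump run, which is the trade-off 2.4 forces if you do not want a prompt per collection.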

