将用户添加到新的/另一个 mongo 数据库需要什么 MongoDB 用户权限? [英] What MongoDB user privileges do I need to add a user to a new/another mongo database?

问题描述

在添加一个具有以下权限的管理员用户后，我在 MongoDB 配置文件中启用了身份验证:userAdmin 和 userAdminAnyDatabase.

I have enabled authentication in the MongoDB config file after adding one admin user with the following privileges: userAdmin and userAdminAnyDatabase.

现在我将此用户连接到定义此管理员用户的数据库(否​​则我会收到异常:登录失败).

Now I connect with this user to the db where this admin user is defined (otherwise I get exception: login failed).

成功连接后，我想将新用户添加到新数据库.为此，我正在尝试:

After I have successfully connected I want to add the a new user to a new database. For that I am trying:

use another
db.addUser(...)

但我收到一个错误:

Wed Dec 11 17:45:18.277 couldn't add user: not authorized for insert on app.system.users at src/mongo/shell/db.js:128

如何创建新数据库并向其中添加第一个用户?

How can I create a new database and add a first user to it?

详细(本例中所有用户的密码都是1234)

Detailed (all users have 1234 as password in this example)

$ mongo mono -u admin_all -p 1234
MongoDB shell version: 2.4.6
connecting to: mono
> db.system.users.find()
{ "_id" : ObjectId("52a9831de41eb640bb0f5f64"), "user" : "admin_all", "pwd" : "a6316ed4886c10663cce46bc216ea375", "roles" : [  "userAdmin",  "userAdminAnyDatabase" ] }
{ "_id" : ObjectId("52a98404ef1f9bc934b62e11"), "user" : "admin_one", "pwd" : "884f516cf308a4c6a75bbc5a0a00807b", "roles" : [  "userAdmin" ] }
{ "_id" : ObjectId("52a98415ef1f9bc934b62e12"), "user" : "admin_any", "pwd" : "1616611df9b47c58b607054d384cab99", "roles" : [  "userAdminAnyDatabase" ] }
> use another
switched to db another
> db.addUser({ user: "user", pwd: "1234", roles: ["read"] })
{
    "user" : "user",
    "pwd" : "461d4f349d8d4ec3d22a4c945010c330",
    "roles" : [
        "read"
    ],
    "_id" : ObjectId("52a985372fcdbfd033003a7e")
}
Thu Dec 12 10:43:19.091 couldn't add user: not authorized for insert on another.system.users at src/mongo/shell/db.js:128

推荐答案

犯的错误是我在 中使用了 NOT 的 userAdminAnyDatabase 用户admin 数据库(请参阅本说明).因此，您的服务器上必须有一个名为 admin 的数据库！正如文档所说的AnyDatabase"权限:

The mistake made was that I was using an userAdminAnyDatabase user that was NOT in the admin database (see this note). So there MUST be a database called admin on your server! As the documentation says for the "AnyDatabase" privileges:

如果您将这些角色中的任何一个添加到 admin 数据库之外的用户权限文档中，则该权限将无效.

If you add any of these roles to a user privilege document outside of the admin database, the privilege will have no effect.

所以你必须:

• 将 userAdminAnyDatabase 添加到 admin db

• add a userAdminAnyDatabase to the admin db

$ mongo admin
> db.createUser({ user: "myadmin", pwd: "1234", roles: ["userAdminAnyDatabase"] })

开启身份验证

turn on authentication

auth = true
setParameter = enableLocalhostAuthBypass=0

使用新的 myadmin 用户连接到您想要的任何数据库并添加更多用户:

connect using the new myadmin user to any database you want and add further users:

$ mongo another -u myadmin -p 1234
> db.createUser({ user: "user", pwd: "1234", roles: ["readWrite"] })

或

> use another
> db.createUser({ user: "user", pwd: "1234", roles: ["readWrite"] })

这篇关于将用户添加到新的/另一个 mongo 数据库需要什么 MongoDB 用户权限?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！