MongoDB: Enable Access Control

Posted MongoDB



Enable Access Control


On this page

  • Overview

  • User Administrator

  • Procedure

  • Additional Considerations





Enabling access control on a MongoDB deployment enforces authentication, requiring users to identify themselves. When accessing a MongoDB deployment that has access control enabled, users can only perform actions as determined by their roles.


The following tutorial enables access control on a standalone mongod instance and uses the default authentication mechanism. For all supported authentication mechanisms, see Authentication Mechanisms.


User Administrator


With access control enabled, ensure you have a user with the userAdmin or userAdminAnyDatabase role in the admin database. This user can administer users and roles: create users, grant or revoke roles from users, and create or modify custom roles. Because a user with userAdminAnyDatabase can grant any role to any user, including itself, protect its credentials as you would a superuser's.




The following procedure first adds a user administrator to a MongoDB instance running without access control and then enables access control.



The example MongoDB instance uses port 27017 and the data directory /var/lib/mongodb. The example assumes that this data directory already exists; specify a different data directory as appropriate.



1 Start MongoDB without access control.

Start a standalone mongod instance without access control.


For example, open a terminal and issue the following:


mongod --port 27017 --dbpath /var/lib/mongodb

2 Connect to the instance.

For example, open a new terminal and connect a mongo shell to the instance:

mongo --port 27017

Specify additional command line options as appropriate to connect the mongo shell to your deployment, such as --host.

3 Create the user administrator.

From the mongo shell, add a user with the userAdminAnyDatabase role in the admin database. Include additional roles as needed for this user. For example, the following creates the user myUserAdmin in the admin database with the userAdminAnyDatabase role and the readWriteAnyDatabase role.


Starting in version 4.2 of the mongo shell, you can use the passwordPrompt() method in conjunction with various user authentication/management methods/commands to prompt for the password instead of specifying the password directly in the method/command call. However, you can still specify the password directly as you would with earlier versions of the mongo shell.

use admin
db.createUser(
  {
    user: "myUserAdmin",
    pwd: passwordPrompt(), // or a cleartext password
    roles: [ { role: "userAdminAnyDatabase", db: "admin" }, "readWriteAnyDatabase" ]
  }
)


The database where you create the user (in this example, admin) is the user’s authentication database. Although the user would authenticate to this database, the user can have roles in other databases; i.e. the user’s authentication database does not limit the user’s privileges.



4 Re-start the MongoDB instance with access control.

a. Shut down the mongod instance. For example, from the mongo shell, issue the following command:

db.adminCommand({shutdown: 1})

b. Exit the mongo shell.

c. Start the mongod with access control enabled.


  • If you start the mongod from the command line, add the --auth command line option:

mongod --auth --port 27017 --dbpath /var/lib/mongodb

  • If you start the mongod using a configuration file, add the security.authorization configuration file setting:

security:
    authorization: enabled

Clients that connect to this instance must now authenticate themselves as a MongoDB user. Clients can only perform actions as determined by their assigned roles.


5 Connect and authenticate as the user administrator.

5 连接并作为用户管理员进行身份认证

Using the mongo shell, you can:

  • Connect with authentication by passing in user credentials, or

  • Connect first without authentication, and then issue the db.auth() method to authenticate.

Authenticate during Connection


Start a mongo shell with the -u, -p, and --authenticationDatabase command line options:

mongo --port 27017 -u "myUserAdmin" --authenticationDatabase "admin" -p

Enter your password when prompted. In this example, abc123.


Authenticate after Connection


Connect the mongo shell to the mongod:

mongo --port 27017

In the mongo shell, switch to the authentication database (in this case, admin), and use the db.auth(<username>, <password>) method to authenticate:

use admin

db.auth("myUserAdmin", "abc123")

6 Create additional users as needed for your deployment.

Once authenticated as the user administrator, use db.createUser() to create additional users. You can assign any built-in roles or user-defined roles to the users.


The following operation adds a user myTester to the test database who has the readWrite role in the test database as well as the read role in the reporting database.

use test
db.createUser(
  {
    user: "myTester",
    pwd: "xyz123",
    roles: [ { role: "readWrite", db: "test" },
             { role: "read", db: "reporting" } ]
  }
)


The database where you create the user (in this example, test) is that user’s authentication database. Although the user would authenticate to this database, the user can have roles in other databases; i.e. the user’s authentication database does not limit the user’s privileges.



After creating the additional users, disconnect the mongo shell.


7 Connect to the instance and authenticate as myTester.

After disconnecting the mongo shell as myUserAdmin, reconnect as myTester. You can:

  • Connect with authentication by passing in user credentials, or

  • Connect first without authentication, and then issue the db.auth() method to authenticate.

Authenticate during Connection


Start a mongo shell with the -u, -p, and --authenticationDatabase command line options:

mongo --port 27017 -u "myTester" --authenticationDatabase "test" -p

Enter your password when prompted. In this example, xyz123.


Authenticate after Connection


Connect the mongo shell to the mongod:

mongo --port 27017

In the mongo shell, switch to the authentication database (in this case, test), and use the db.auth(<username>, <password>) method to authenticate:

use test

db.auth("myTester", "xyz123")

8 Insert a document as myTester.

As myTester, you have privileges to perform read and write operations in the test database (as well as perform read operations in the reporting database). Once authenticated as myTester, insert a document into a collection in the test database. For example, you can perform the following insert operation in the test database (the collection name is arbitrary; foo is used here):

db.foo.insert( { x: 1, y: 1 } )

SEE ALSO: Manage Users and Roles.
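The steps above create two users but never verify that the resulting privilege boundaries are what you intended. The following script is an added example, not code from the MongoDB documentation. Its first half is a small model of how the built-in roles used on this page (read, readWrite, readAnyDatabase, readWriteAnyDatabase, userAdminAnyDatabase) resolve to per-database privileges, which makes the point from steps 3 and 6 concrete: the authentication database (admin for myUserAdmin, test for myTester) does not limit where a user's roles apply. The second half is a live least-privilege check that only runs when the file is loaded in the mongo shell against an instance started with --auth after the tutorial's users exist; it assumes the tutorial's user names and passwords, a hypothetical collection name "smoke", and the shell's behaviour of raising errors whose code is 13 (Unauthorized) for refused operations.

```javascript
// Added example: model of MongoDB built-in role resolution plus a live
// least-privilege check. Assumptions: tutorial credentials (myUserAdmin/abc123,
// myTester/xyz123), a hypothetical collection "smoke", localhost:27017.

// Built-in roles used on this page, reduced to the actions they grant.
// "any"-scoped roles are only valid in the admin database and cover every
// database except local and config (the documented exclusions).
const BUILTIN_ROLES = {
  read:                 { actions: ["find"], scope: "db" },
  readWrite:            { actions: ["find", "insert", "update", "remove"], scope: "db" },
  readAnyDatabase:      { actions: ["find"], scope: "any" },
  readWriteAnyDatabase: { actions: ["find", "insert", "update", "remove"], scope: "any" },
  userAdminAnyDatabase: { actions: ["createUser", "grantRole"], scope: "any" },
};

// Build a db.createUser()-shaped document. authDb is the database the
// document is created in; a bare role string is scoped to authDb, exactly
// as "readWriteAnyDatabase" is scoped to admin in step 3.
function userSpec(user, pwd, roles, authDb) {
  const norm = roles.map(r => (typeof r === "string" ? { role: r, db: authDb } : r));
  for (const r of norm) {
    if (!(r.role in BUILTIN_ROLES)) throw new Error(`unknown role ${r.role}`);
    if (BUILTIN_ROLES[r.role].scope === "any" && r.db !== "admin") {
      throw new Error(`${r.role} can only be granted in admin, not ${r.db}`);
    }
  }
  return { user, pwd, roles: norm, authDb };
}

// Can this user perform `action` on database `dbName`? Note that authDb is
// never consulted: authentication database and privilege scope are separate.
function canPerform(spec, dbName, action) {
  return spec.roles.some(({ role, db }) => {
    const def = BUILTIN_ROLES[role];
    if (!def.actions.includes(action)) return false;
    if (def.scope === "db") return db === dbName;
    return dbName !== "local" && dbName !== "config";
  });
}

// The two users from steps 3 and 6.
const myUserAdmin = userSpec("myUserAdmin", "abc123",
  [{ role: "userAdminAnyDatabase", db: "admin" }, "readWriteAnyDatabase"], "admin");
const myTester = userSpec("myTester", "xyz123",
  [{ role: "readWrite", db: "test" }, { role: "read", db: "reporting" }], "test");

// Live check: run with `mongo --port 27017 thisfile.js` after step 6.
// Confirms the allowed paths work and that a write to reporting is refused
// with error code 13 (Unauthorized). Skipped under Node.js, where `db` is absent.
function liveCheck(dbHandle) {
  const test = dbHandle.getSiblingDB("test");
  if (!test.auth("myTester", "xyz123")) throw new Error("auth as myTester failed");
  test.smoke.insert({ x: 1, y: 1 });                            // readWrite on test
  dbHandle.getSiblingDB("reporting").smoke.find().toArray();    // read on reporting
  try {
    dbHandle.getSiblingDB("reporting").smoke.insert({ x: 1 });  // must be refused
    throw new Error("write to reporting succeeded: access control is NOT enforced");
  } catch (e) {
    if (e.code !== 13) throw e;                                 // 13 = Unauthorized
  }
  return "ok";
}
if (typeof db !== "undefined") print(liveCheck(db));
```

The refusal test is the important half: an instance restarted without --auth (or whose config file lost the security.authorization line) will pass the first two calls and fail only on the third, which is exactly the misconfiguration this tutorial exists to prevent.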


Additional Considerations


Replica Sets and Sharded clusters


Replica sets and sharded clusters require internal authentication between members when access control is enabled. For more details, please see Internal Authentication.


Localhost Exception


You can create users either before or after enabling access control. If you enable access control before creating any user, MongoDB provides a localhost exception which allows you to create a user administrator in the admin database. The exception applies only to connections made from the local host and only until the first user or role exists, so create the user administrator as the very first operation. Once created, you must authenticate as the user administrator to create additional users as needed.
