MongoDB 报错:not authorized on testdb to execute command
用户反馈说没有权限,报错如下:
not authorized on testdb to execute command { find: "Schedule", filter: {}, skip: 0, limit: 20, maxTimeMS: 60000, lsid: { id: UUID("41a5218c-071f-41c4-9b06-a28fb60f8015") }, $db: "testdb" }
查看用户的权限(从下面的输出可以看到该用户创建在 admin 库,需要先执行 use admin 切换到 admin 库):
> db.getUser('test_user')
{
"_id" : "admin.test_user",
"userId" : UUID("c041ed33-2dba-477c-8bb3-091955937f66"),
"user" : "test_user",
"db" : "admin",
"roles" : [
{
"role" : "dbAdminAnyDatabase",
"db" : "admin"
}
],
"mechanisms" : [
"SCRAM-SHA-1",
"SCRAM-SHA-256"
]
}
>
dbAdminAnyDatabase 角色在除 local 和 config 之外的所有数据库上提供与 dbAdmin 相同的权限。从 5.0 开始,还包含了 applyOps 的权限。它是管理类角色,并不等同于对业务集合的读写权限。
查看一下该角色都有哪些特权:
> db.getRole("dbAdminAnyDatabase", { showPrivileges: true })
{
"db" : "admin",
"role" : "dbAdminAnyDatabase",
"roles" : [ ],
"privileges" : [
{
"resource" : {
"cluster" : true
},
"actions" : [
"listDatabases",
"applyOps"
]
},
{
"resource" : {
"db" : "",
"collection" : ""
},
"actions" : [
"bypassDocumentValidation",
"collMod",
"collStats",
"compact",
"convertToCapped",
"createCollection",
"createIndex",
"dbStats",
"dropCollection",
"dropDatabase",
"dropIndex",
"enableProfiler",
"listCollections",
"listIndexes",
"planCacheIndexFilter",
"planCacheRead",
"planCacheWrite",
"reIndex",
"renameCollectionSameDB",
"storageDetails",
"validate"
]
},
{
"resource" : {
"db" : "",
"collection" : "system.profile"
},
"actions" : [
"changeStream",
"collStats",
"convertToCapped",
"createCollection",
"dbHash",
"dbStats",
"dropCollection",
"find",
"killCursors",
"listCollections",
"listIndexes",
"planCacheRead"
]
},
{
"resource" : {
"system_buckets" : ""
},
"actions" : [
"bypassDocumentValidation",
"collMod",
"collStats",
"compact",
"convertToCapped",
"createCollection",
"createIndex",
"dbStats",
"dropCollection",
"dropDatabase",
"dropIndex",
"enableProfiler",
"listCollections",
"listIndexes",
"planCacheIndexFilter",
"planCacheRead",
"planCacheWrite",
"reIndex",
"renameCollectionSameDB",
"storageDetails",
"validate"
]
}
],
"inheritedRoles" : [ ],
"inheritedPrivileges" : [
{
"resource" : {
"cluster" : true
},
"actions" : [
"listDatabases",
"applyOps"
]
},
{
"resource" : {
"db" : "",
"collection" : ""
},
"actions" : [
"bypassDocumentValidation",
"collMod",
"collStats",
"compact",
"convertToCapped",
"createCollection",
"createIndex",
"dbStats",
"dropCollection",
"dropDatabase",
"dropIndex",
"enableProfiler",
"listCollections",
"listIndexes",
"planCacheIndexFilter",
"planCacheRead",
"planCacheWrite",
"reIndex",
"renameCollectionSameDB",
"storageDetails",
"validate"
]
},
{
"resource" : {
"db" : "",
"collection" : "system.profile"
},
"actions" : [
"changeStream",
"collStats",
"convertToCapped",
"createCollection",
"dbHash",
"dbStats",
"dropCollection",
"find",
"killCursors",
"listCollections",
"listIndexes",
"planCacheRead"
]
},
{
"resource" : {
"system_buckets" : ""
},
"actions" : [
"bypassDocumentValidation",
"collMod",
"collStats",
"compact",
"convertToCapped",
"createCollection",
"createIndex",
"dbStats",
"dropCollection",
"dropDatabase",
"dropIndex",
"enableProfiler",
"listCollections",
"listIndexes",
"planCacheIndexFilter",
"planCacheRead",
"planCacheWrite",
"reIndex",
"renameCollectionSameDB",
"storageDetails",
"validate"
]
}
],
"isBuiltin" : true
}
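从上面的输出可以看到,该角色的 find 只授予了 system.profile 集合;针对普通集合(resource 为 db: ""、collection: "")的 actions 中没有 find、insert 等读写动作,所以在 testdb 的 Schedule 集合上执行 find 会报 not authorized。
授权(注意:readWriteAnyDatabase 会授予除 local 和 config 之外所有数据库的读写权限,再加上已有的 dbAdminAnyDatabase,该账号可以读写并删除几乎所有业务库。如果该用户只需要访问 testdb,按最小权限原则,建议只授予 testdb 上的 readWrite 角色,即 { role: "readWrite", db: "testdb" }):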
db.grantRolesToUser("test_user", [ { role: "readWriteAnyDatabase", db: "admin" } ])
再次查看用户的权限
> db.getUser('test_user')
{
"_id" : "admin.test_user",
"userId" : UUID("c041ed33-2dba-477c-8bb3-091955937f66"),
"user" : "test_user",
"db" : "admin",
"roles" : [
{
"role" : "dbAdminAnyDatabase",
"db" : "admin"
},
{
"role" : "readWriteAnyDatabase",
"db" : "admin"
}
],
"mechanisms" : [
"SCRAM-SHA-1",
"SCRAM-SHA-256"
]
}
>
现在就可以插入和查看数据了。
