We can't seem to find any conclusive documentation on which privileges (user roles) are required to run mongodump on a specific database.

Say I have a database named `x` and a user `y` with the roles `roles: [ "readWrite", "dbAdmin" ]`, plus two users `a` and `b` in the `admin` collection with `roles: [ "userAdminAnyDatabase" ]` and `roles: [ "dbAdminAnyDatabase" ]` respectively. None of them seems to have the right privileges to run mongodump:
mongodump --db x --username y --password --authenticationDatabase x
Tue Dec 10 17:04:23.901 x.system.users to dump/x/system.users.bson
assertion: 11010 count fails:{ ok: 0.0, errmsg: "unauthorized" }
mongodump --db x --username a --password --authenticationDatabase admin
Tue Dec 10 17:06:19.674 DATABASE: x to dump/x
assertion: 13106 nextSafe(): { $err: "not authorized for query on x.system.indexes", code: 16550 }
mongodump --db x --username b --password --authenticationDatabase admin
Tue Dec 10 17:08:20.678 DATABASE: x to dump/x
assertion: 13106 nextSafe(): { $err: "not authorized for query on x.system.namespaces", code: 16550 }
We must be missing something obvious, but what does mongodump look for when dumping a database, and which privileges does it need?

PS: As a bonus, we'd also like to work out which user roles are needed to dump a specific collection, and which are needed to dump all databases.
TL;DR: For MongoDB 2.4 you need at least a user with the `read` role plus the `userAdmin` db role. Otherwise, when `system.users.bson` is dumped on such a database, you will run into the errors we hit in the question.

So we overlooked one important reference: `man mongodump`. However, you need mongodump 2.4.x to see the relevant section, so here is the reference via the mongodb docs on GitHub:
Required User Privileges
------------------------

.. note:: User privileges changed in MongoDB 2.4.

The user must have appropriate privileges to read data from database
holding collections in order to use :program:`mongodump`. Consider the
following :doc:`required privileges </reference/system-defined-roles>` for
the following :program:`mongodump` operations:

.. list-table::
   :header-rows: 1

   * - Task
     - Required Privileges
   * - All collections in a database except ``system.users``.
     - :authrole:`read`. [#read-or-read-write]_
   * - All collections in a database, including ``system.users``.
     - :authrole:`read` [#read-or-read-write]_ and :authrole:`userAdmin`.
   * - All databases. [#profiling-exception]_
     - :authrole:`readAnyDatabase`, :authrole:`userAdminAnyDatabase`,
       and :authrole:`clusterAdmin`. [#cluster-admin]_

See :doc:`/reference/system-defined-roles` and
:doc:`/reference/privilege-documents` for more information on user
roles.

.. [#read-or-read-write] You may provision :authrole:`readWrite`
   instead of :authrole:`read`.

.. [#cluster-admin] :authrole:`clusterAdmin` provides the ability to
   run the :dbcommand:`listDatabases` command, to list all existing
   databases.

.. [#profiling-exception] If any database runs with profiling enabled,
   :program:`mongodump` may need the
   :authrole:`dbAdminAnyDatabase` privilege to dump the
   ``system.profile`` collection.
PS: There is currently no way to skip certain collections, so if you only have the `read` or `readWrite` role on the database, you will need to dump each collection separately.
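The per-collection workaround from the PS above, as an added example that is not part of the original question or answer: it takes a list of collection names on stdin (which you would obtain beforehand, e.g. from the 2.4 mongo shell with `db.getCollectionNames()`), drops the `system.*` collections a `read`-only user cannot read, and runs one `mongodump --collection` per remaining collection. The database name, user and `DRY_RUN` variable are assumptions for illustration; with `read` plus `userAdmin` a single `mongodump --db` suffices and this loop is unnecessary.

```shell
#!/bin/sh
# Added example (not the original poster's script): dump a database one
# collection at a time, for a user that only holds read/readWrite and so
# cannot read x.system.users. Assumes a MongoDB 2.4 mongodump on PATH.

# Print the mongodump command for one collection. The password is left out
# of the command line on purpose: as in the question, a bare --password
# makes mongodump prompt for it instead of exposing it in `ps`.
dump_command() {
    printf 'mongodump --db %s --collection %s --username %s --password --authenticationDatabase %s\n' \
        "$1" "$2" "$3" "$4"
}

# Remove system.* entries (system.users, system.indexes, ...) from a
# newline-separated collection list on stdin; these are the collections a
# read-only user is not authorized to dump.
filter_user_collections() {
    grep -v '^system\.' || true
}

# Usage: dump_each_collection DB USER AUTHDB < collection-list
# With DRY_RUN=1 the commands are only printed. Returns the number of
# collections whose dump failed, so a partial backup is not mistaken for
# a complete one.
dump_each_collection() {
    db="$1" user="$2" authdb="$3"
    failed=0
    for coll in $(filter_user_collections); do
        cmd=$(dump_command "$db" "$coll" "$user" "$authdb")
        if [ "${DRY_RUN:-0}" = "1" ]; then
            echo "$cmd"
        elif ! $cmd; then
            echo "failed to dump $db.$coll" >&2
            failed=$((failed + 1))
        fi
    done
    return "$failed"
}

# Constructed sample run (collection names are made up for illustration):
# printf 'users\nsystem.users\norders\n' | DRY_RUN=1 dump_each_collection x y x
```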