对于已知的所有数据库(即使只有声明的用户(,我与pymongo一起使用(pymongo==3.10.1与mongodb 4.2(
db.command({'usersInfo': { 'forAllDBs': True },
'showCredentials': True})
此命令需要在客户端用户上userAdminAnyDatabase
内置角色。 但这个角色提供了很多特权。如果有人破解了用户密码,他可以将角色升级到dbAdminAnyDatabases
。 因此,我未能为上一个命令创建具有授权userinfos
任何数据库角色(在任何数据库上仅具有viewUser
操作的角色(。
有什么可以帮助我定义这个角色吗?
你可以尝试任何资源来获取所有数据库。
谢谢我创建角色:
with pymongo.MongoClient('mongodb://localhost:27017/',
username='SuperAdmin',
password='XXXXXXXXXX',
authSource='admin',
authMechanism='SCRAM-SHA-256') as client:
extendRole="showUsersAnyBase"
crole=client['admin'].command('rolesInfo',extendRole)
if reinit and extendRole in [x['role'] for x in crole['roles']]:
client['admin'].command('dropRole',extendRole)
if reinit or extendRole not in [x['role'] for x in crole['roles']]:
client['admin'].command({'createRole': extendRole,
'privileges': [{'resource': { 'anyResource': True },
'actions': [ "viewUser" ]}],
'roles':[ ]
})
创建连接器用户:
usersInfos=client['admin'].command({'usersInfo': [{'user' : 'connector','db': 'admin'}]})
if reinitConnector and 'connector' in [x['user'] for x in usersInfos['users']]:
client['admin'].command('dropUser',"connector")
if reinitConnector or 'connector' not in [x['user'] for x in usersInfos['users']]:
client['admin'].command("createUser", "connector",
pwd="XXXXXXXXXX",
roles=[extendRole])
将连接器用户与 for userInfos 命令一起使用:
with pymongo.MongoClient('mongodb://localhost:27017/',
username='connector',
password='XXXXXXXXXX',
authSource='admin',
authMechanism='SCRAM-SHA-256') as client2:
usersInfos=client2['admin'].command({
'usersInfo': { 'forAllDBs': True },
'showCredentials': True
})
for user in usersInfos['users']:
print("user:",user['user'],
"db:",user['db'],
"roles:",[x['db']+'->'+x['role'] for x in user['roles']])
工作正常!
和连接器用户无法授予角色:
client2['admin'].command('grantRolesToUser','connector',
roles=['dbAdminAnyDatabase'])
抛出异常:
.....
raise OperationFailure(msg % errmsg, code, response)
pymongo.errors.OperationFailure: not authorized on admin to execute command { grantRolesToUser: "connector", .....