Contents
MongoDB安装
mongodb高可用模式
参考: https://cloud.tencent.com/developer/article/1026185
类似于redis, mongodb也有,但实例,主从,replicaset(类似于redis哨兵模式),cluster模式。
目前使用单实例模式。
k8s安装mongo
mongo-pvc.yaml
kind: PersistentVolumeClaim
apiVersion: v1
metadata:
name: mongo-nas-csi-pvc
namespace: jtest
spec:
accessModes:
- ReadWriteMany
storageClassName: nfs-storage-retain
resources:
requests:
storage: 20Gimongo.yaml
---
apiVersion: apps/v1
kind: StatefulSet
metadata:
name: mongo
namespace: jtest
labels:
name: mongo
spec:
serviceName: mongo
replicas: 1
revisionHistoryLimit: 3
updateStrategy:
type: RollingUpdate
template:
metadata:
name: mongo
labels:
name: mongo
spec:
#affinity:
# nodeAffinity:
# requiredDuringSchedulingIgnoredDuringExecution:
# nodeSelectorTerms:
# - matchExpressions:
# - key: node_env
# operator: In
# values:
# - jtest
terminationGracePeriodSeconds: 10
containers:
- name: mongo
#image: registry-vpc.cn-shenzhen.aliyuncs.com/wy_spc/mongo:latest
image: mongo:latest
imagePullPolicy: Always
# command:
# - mongod
# - "--replSet"
# - rs0
# - "--bind_ip"
# - 0.0.0.0
# - "--noprealloc"
env:
- name: TZ
value: Asia/Shanghai
- name: MONGO_INITDB_ROOT_USERNAME
value: "wldTestUser"
- name: MONGO_INITDB_ROOT_PASSWORD
value: "wldTestUser2019"
- name: MONGO_INITDB_DATABASE
value: "runsTest"
# - name: MONGO_USERDB_ADMIN_USERNAME
# value: "wldTestUser"
# - name: MONGO_USERDB_ADMIN_PASSWORD
# value: "wldTestUser2019"
# - name: MONGO_USERDB_ADMIN_DATABASE
# value: "runsTest"
ports:
- containerPort: 27017
name: mongo-port
##资源限制和请求限制
resources:
##请求限制容器启动的初始可用CPU/内存
requests:
memory: "1024Mi"
cpu: "500m"
##资源请求限制
limits:
memory: "1024Mi"
cpu: "500m"
volumeMounts:
- name: mongo-data
mountPath: /data/db
readinessProbe:
tcpSocket:
port: 27017
initialDelaySeconds: 60
periodSeconds: 60
livenessProbe:
tcpSocket:
port: 27017
initialDelaySeconds: 120
periodSeconds: 120
#容器上下文权限
# securityContext:
# fsGroup: 1000
volumes:
- name: mongo-data
persistentVolumeClaim:
claimName: mongo-nas-csi-pvc
selector:
matchLabels:
name: mongo
---
apiVersion: v1
kind: Service
metadata:
name: mongo
namespace: jtest
spec:
clusterIP: None
selector:
name: mongo
ports:
- name: mongo
port: 27017
targetPort: 27017
protocol: TCP
#---
#apiVersion: v1
#kind: Service
#metadata:
# name: mongo-external
#spec:
# ports:
# - port: 27017
# nodePort: 32017
# name: mongo-port
# selector:
# name: mongo
# type: NodePort这里会创建一个root角色的账号 wldTestUser
部署
kubectl apply -f ./mongo-pvc.yaml
kubectl apply -f ./mongo.yaml基本使用:mongo数据库管理
创建数据库与用户
参考: https://cloud.tencent.com/developer/article/1545011
建库
- 添加数据库
use runsTest;此时数据库有了,但是默认不会显示,需要插入一条数据
db.tmpTable.insert({'test': 'test'})然后执行show dbs就能看到此数据库了。
- 添加一个可读写操作的用户
db.createUser(
{
user: "用户名",
pwd: "密码",
roles: [ "readWrite" ]
}
);这样,在当前数据库下就会添加一个具有readWrite操作权限的用户了。
这里要强调的是,需要在哪个库里添加用户,需要先执行
use 数据库名进入当前数据库下,再执行db.createUser创建用户。
当然也可以直接使用root角色的账号(前面的yaml文件中 wldTestUser / wldTestUser2019 )
角色说明
mongo是基于角色做的权限控制。
内置角色
参考: https://www.jianshu.com/p/62736bff7e2e
参考: https://docs.mongodb.com/manual/tutorial/enable-authentication/
参考: http://www.runoob.com/mongodb/mongodb-window-install.html
参考: https://www.cnblogs.com/zxtceq/p/7690977.html
参考: https://www.mongodb.com/docs/manual/reference/built-in-roles/
数据库用户角色
- read: 只读数据权限
- readWrite:读写数据权限
数据库管理角色
- dbAdmin: 在当前db中执行管理操作的权限
- dbOwner: 在当前db中执行任意操作
- userAdmin: 在当前db中管理user的权限
备份和还原角色
- backup
- restore
夸库角色
- readAnyDatabase: 在所有数据库上都有读取数据的权限
- readWriteAnyDatabase: 在所有数据库上都有读写数据的权限
- userAdminAnyDatabase: 在所有数据库上都有管理user的权限
- dbAdminAnyDatabase: 管理所有数据库的权限
集群管理
- clusterAdmin: 管理机器的最高权限
- clusterManager: 管理和监控集群的权限
- clusterMonitor: 监控集群的权限
- hostManager: 管理Server
超级权限
- root: 超级用户角色(只能登录admin库)
自定义角色
内置角色只能控制User在DB级别上执行的操作,管理员可以创建自定义角色,控制用户在集合级别(Collection-Level)上执行的操作,即,控制User在当前DB的特定集合上执行特定的操作
MongoDB 用户添加,修改,删除,权限追加
转载来源: https://www.luoruiyuan.cn/pages/id-84_uid-2_btid-20.html
现在需要创建一个帐号,该账号需要有grant权限,即:账号管理的授权权限。注意一点,帐号是跟着库走的,所以在指定库里授权,必须也在指定库里验证(auth)。
> use admin
switched to db admin
> db.createUser( { user: "dba",pwd: "dba",roles: [ { role: "userAdminAnyDatabase", db: "admin" } ]})
Successfully added user: {
"user" : "dba",
"roles" : [
{
"role" : "userAdminAnyDatabase",
"db" : "admin"
}
]
}
上面的执行的命令讲解:
user:用户名
pwd:密码
roles:指定用户的角色,可以用一个空数组给新用户设定空角色;在roles字段,可以指定内置角色和用户定义的角色。role里的角色可以选:
Built-In Roles(内置角色):
1. 数据库用户角色:read、readWrite;
2. 数据库管理角色:dbAdmin、dbOwner、userAdmin;
3. 集群管理角色:clusterAdmin、clusterManager、clusterMonitor、hostManager;
4. 备份恢复角色:backup、restore;
5. 所有数据库角色:readAnyDatabase、readWriteAnyDatabase、userAdminAnyDatabase、dbAdminAnyDatabase
6. 超级用户角色:root
// 这里还有几个角色间接或直接提供了系统超级用户的访问(dbOwner 、userAdmin、userAdminAnyDatabase)
7. 内部角色:__system具体角色:
Read:允许用户读取指定数据库
readWrite:允许用户读写指定数据库
dbAdmin:允许用户在指定数据库中执行管理函数,如索引创建、删除,查看统计或访问system.profile
userAdmin:允许用户向system.users集合写入,可以找指定数据库里创建、删除和管理用户
clusterAdmin:只在admin数据库中可用,赋予用户所有分片和复制集相关函数的管理权限。
readAnyDatabase:只在admin数据库中可用,赋予用户所有数据库的读权限
readWriteAnyDatabase:只在admin数据库中可用,赋予用户所有数据库的读写权限
userAdminAnyDatabase:只在admin数据库中可用,赋予用户所有数据库的userAdmin权限
dbAdminAnyDatabase:只在admin数据库中可用,赋予用户所有数据库的dbAdmin权限。
root:只在admin数据库中可用。超级账号,超级权限一、添加用户
1.如果没有test数据库我来创建一个
> show dbs;
admin 0.000GB
local 0.000GB
> use test
switched to db test
> db.test.insert({a:1,b:2,c:3})
WriteResult({ "nInserted" : 1 })
> show dbs
admin 0.000GB
local 0.000GB
test 0.000GB
>
2.给test创建一个只读用户—-db.createUser({user:“testRead”,pwd:“123456”,roles:[{role:“read”,db:“test”}]})
> use test
switched to db test
> db.createUser({user:"testRead",pwd:"123456",roles:[{role:"read",db:"test"}]})
Successfully added user: {
"user" : "testRead",
"roles" : [
{
"role" : "read",
"db" : "test"
}
]
}
3.我们切换到testRead用户进行测试
> use test
switched to db test
> show tables
test
> db.test.insert({d:3333});
WriteResult({
"writeError" : {
"code" : 13,
"errmsg" : "not authorized on test to execute command { insert:
\"test\", documents: [ { _id: ObjectId('59b74fe6542a7d19a60fe821'), d: 3333.0 }
], ordered: true }"
}
})
> db.test.find()
{ "_id" : ObjectId("59b743e82dd2de6390db71bc"), "a" : 1, "b" : 2, "c" : 3 }
{ "_id" : ObjectId("59b7493181afcaab7c1faeff"), "a" : 22 }
注意:如果添加了权限发现还是可以添加数或者可以显示admin数据库的话,应该是服务端启动的时候没有添加验证,下面为添加验证的启动
mongod --dbpath "D:\\MongoDB\db" --logpath "D:\\MongoDB\\log\\mongodb.log" --logappend --auth二、查看用户–db.system.users.find()
> use admin
switched to db admin
> db.system.users.find()
{ "_id" : "admin.root", "user" : "root", "db" : "admin", "credentials" : { "SCRA
M-SHA-1" : { "iterationCount" : 10000, "salt" : "Fvxditujnok3+9JG9Kb33w==", "sto
redKey" : "vX1plM78Iz0Yipd2I+X95vWGRMY=", "serverKey" : "BT2E6639MQE++WIWIS1gLRv
oY90=" } }, "roles" : [ { "role" : "userAdminAnyDatabase", "db" : "admin" } ] }
{ "_id" : "admin.dba", "user" : "dba", "db" : "admin", "credentials" : { "SCRAM-
SHA-1" : { "iterationCount" : 10000, "salt" : "lVXxxJUG14VUQnR2dEUK4A==", "store
dKey" : "8B+5V+ZY88PYKlq18nyb+wVlR2w=", "serverKey" : "iWLBzuihOOuMO0xJ0+BuohISV
f4=" } }, "roles" : [ { "role" : "userAdminAnyDatabase", "db" : "admin" } ] }
{ "_id" : "admin.testRead", "user" : "testRead", "db" : "admin", "credentials" :
{ "SCRAM-SHA-1" : { "iterationCount" : 10000, "salt" : "LXM1+WLuMrU2TEIo443EgA=
=", "storedKey" : "gEXfO4CCaqmxrejaJ/O+m2zbUnw=", "serverKey" : "AIm4itUF3d/e4bV
Q+abQscK2ZCo=" } }, "roles" : [ { "role" : "read", "db" : "test" } ] }
三、修改用户
db.updateUser("testRead",{pwd:"111111",roles:[{role:"read",db:"test"}]})四、追加权限—-db.grantRolesToUser(“testRead”,[{role:“readWrite”,db:“test”}])
> db.grantRolesToUser("testRead",[{role:"readWrite",db:"test"}])
> db.system.users.find()
{ "_id" : "admin.root", "user" : "root", "db" : "admin", "credentials" : { "SCRA
M-SHA-1" : { "iterationCount" : 10000, "salt" : "Fvxditujnok3+9JG9Kb33w==", "sto
redKey" : "vX1plM78Iz0Yipd2I+X95vWGRMY=", "serverKey" : "BT2E6639MQE++WIWIS1gLRv
oY90=" } }, "roles" : [ { "role" : "userAdminAnyDatabase", "db" : "admin" } ] }
{ "_id" : "admin.dba", "user" : "dba", "db" : "admin", "credentials" : { "SCRAM-
SHA-1" : { "iterationCount" : 10000, "salt" : "lVXxxJUG14VUQnR2dEUK4A==", "store
dKey" : "8B+5V+ZY88PYKlq18nyb+wVlR2w=", "serverKey" : "iWLBzuihOOuMO0xJ0+BuohISV
f4=" } }, "roles" : [ { "role" : "userAdminAnyDatabase", "db" : "admin" } ] }
{ "_id" : "admin.testRead", "user" : "testRead", "db" : "admin", "credentials" :
{ "SCRAM-SHA-1" : { "iterationCount" : 10000, "salt" : "aHsLKbsMkklKutPqrpH4RA=
=", "storedKey" : "cpvaIklo7JypIU2RstJL1pQHTCE=", "serverKey" : "gPuCEHV2tUnddfG
FoXA9s6Armdk=" } }, "roles" : [ { "role" : "readWrite", "db" : "test" }, { "role
" : "read", "db" : "test" } ] }
五、删除用户—-db.dropUser(“testRead”)
> use admin
switched to db admin
> db.dropUser("testRead")
true
> db.system.users.find();
{ "_id" : "admin.root", "user" : "root", "db" : "admin", "credentials" : { "SCRA
M-SHA-1" : { "iterationCount" : 10000, "salt" : "Fvxditujnok3+9JG9Kb33w==", "sto
redKey" : "vX1plM78Iz0Yipd2I+X95vWGRMY=", "serverKey" : "BT2E6639MQE++WIWIS1gLRv
oY90=" } }, "roles" : [ { "role" : "userAdminAnyDatabase", "db" : "admin" } ] }
{ "_id" : "admin.dba", "user" : "dba", "db" : "admin", "credentials" : { "SCRAM-
SHA-1" : { "iterationCount" : 10000, "salt" : "lVXxxJUG14VUQnR2dEUK4A==", "store
dKey" : "8B+5V+ZY88PYKlq18nyb+wVlR2w=", "serverKey" : "iWLBzuihOOuMO0xJ0+BuohISV
f4=" } }, "roles" : [ { "role" : "userAdminAnyDatabase", "db" : "admin" } ] }
常用命令
参考: https://www.cnblogs.com/mingerlcm/p/10659174.html
# 显示所有数据库
# 只有插入至少一条数据,数据库才会真正创建
show dbs;
# 建库(或选定数据库)
use xxx;
# 选定test1库(会自动创建)
use test1;
# 添加自定义js函数(在当前db的persons表中,插入数据。重复20次)
function add(){var i = 0;for(;i<20;i++){db.persons.insert({"name":"wang"+i})}}
# 执行自定义函数
add();
# 当前库的persons表的记录数
db.persons.count();
# 查询当前库的persons表的所有记录
db.persons.find();
# 查找第一条匹配
db.persons.findOne({"name": "wang0"});
# 更新第一条匹配
db.persons.updateOne({"name":"wang2"},{$set:{"updated": true}});
发表回复