db.revokePrivilegesFromRole()


Definition

db.revokePrivilegesFromRole(rolename, privileges, writeConcern)

Removes the specified privileges from the user-defined role on the database where the method runs. The revokePrivilegesFromRole method has the following syntax:

db.revokePrivilegesFromRole(
    "<rolename>",
    [
        { resource: { <resource> }, actions: [ "<action>", ... ] },
        ...
    ],
    { <writeConcern> }
)

The revokePrivilegesFromRole method takes the following arguments:

Parameter       Type        Description
rolename        string      The name of the user-defined role from which to revoke privileges.
privileges      array       An array of privileges to remove from the role. See privileges for more information on the format of the privileges.
writeConcern    document    Optional. The level of write concern for the modification. The writeConcern document takes the same fields as the getLastError command.

The db.revokePrivilegesFromRole() method wraps the revokePrivilegesFromRole command.

Behavior

Replica set

If run on a replica set, db.revokePrivilegesFromRole() is executed using majority write concern by default.

Scope

To revoke a privilege, the resource document pattern must match exactly the resource field of that privilege. The actions field can be a subset or match exactly.

For example, given the role accountRole in the products database with the following privilege that specifies the products database as the resource:

{
  "resource" : {
      "db" : "products",
      "collection" : ""
  },
  "actions" : [
      "find",
      "update"
  ]
}

You cannot revoke find and/or update from just one collection in the products database. The following operations result in no change to the role:

use products
db.revokePrivilegesFromRole(
   "accountRole",
   [
     {
       resource : {
          db : "products",
          collection : "gadgets"
       },
       actions : [
          "find",
          "update"
       ]
     }
   ]
)

db.revokePrivilegesFromRole(
   "accountRole",
   [
     {
       resource : {
          db : "products",
          collection : "gadgets"
       },
       actions : [
          "find"
       ]
     }
   ]
)

To revoke the "find" and/or the "update" action from the role accountRole, you must match the resource document exactly. For example, the following operation revokes just the "find" action from the existing privilege.

use products
db.revokePrivilegesFromRole(
   "accountRole",
   [
     {
       resource : {
          db : "products",
          collection : ""
       },
       actions : [
          "find"
       ]
     }
   ]
)
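The scope rule above decides whether a revoke request changes a role at all. The following Node.js script is an added example, not MongoDB's own implementation: it models the documented matching rule (resource document compared field for field, actions treated as a subset) against an in-memory copy of the accountRole privilege, so the no-op "gadgets" requests and the exact-match request can be compared without a running server. The role object, makeAccountRole, sameResource and revokePrivileges are constructed for this illustration.

```javascript
// Added example (not MongoDB's own code): a model of the scope rule for
// revokePrivilegesFromRole. Resource documents must match exactly; the
// actions list may be any subset of the privilege's actions.

// Constructed sample role, mirroring the accountRole privilege shown above.
function makeAccountRole() {
  return {
    role: "accountRole",
    db: "products",
    privileges: [
      { resource: { db: "products", collection: "" }, actions: ["find", "update"] },
    ],
  };
}

// Exact comparison of two resource documents: same keys and same values.
function sameResource(a, b) {
  const ka = Object.keys(a).sort();
  const kb = Object.keys(b).sort();
  if (ka.length !== kb.length) return false;
  return ka.every((k, i) => k === kb[i] && a[k] === b[k]);
}

// Apply a revokePrivilegesFromRole-style request to an in-memory role.
// Returns the updated role plus the list of actions actually removed, so a
// caller can tell a silent no-op from a real change.
function revokePrivileges(role, revocations) {
  const removed = [];
  const privileges = role.privileges.map(p => ({
    resource: { ...p.resource },
    actions: [...p.actions],
  }));
  for (const rev of revocations) {
    for (const priv of privileges) {
      // A partial resource match (e.g. one collection of the database) is ignored.
      if (!sameResource(priv.resource, rev.resource)) continue;
      for (const action of rev.actions) {
        const idx = priv.actions.indexOf(action);
        if (idx !== -1) {
          priv.actions.splice(idx, 1);
          removed.push({ resource: { ...priv.resource }, action });
        }
      }
    }
  }
  // A privilege with no actions left grants nothing and is dropped.
  const kept = privileges.filter(p => p.actions.length > 0);
  return { role: { ...role, privileges: kept }, removed };
}

// Usage: the "gadgets" request from the page is a no-op; the exact-match request removes "find".
const noop = revokePrivileges(makeAccountRole(), [
  { resource: { db: "products", collection: "gadgets" }, actions: ["find", "update"] },
]);
const exact = revokePrivileges(makeAccountRole(), [
  { resource: { db: "products", collection: "" }, actions: ["find"] },
]);
console.log(noop.removed.length, exact.role.privileges[0].actions); // 0 [ 'update' ]
```

Because the server reports success for a request that matched nothing, comparing the role's privileges before and after (here via the removed list, in practice via db.getRole() with showPrivileges) is the only way to confirm that a revocation took effect.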

Required Access

You must have the revokeRole action on the database a privilege targets in order to revoke that privilege. If the privilege targets multiple databases or the cluster resource, you must have the revokeRole action on the admin database.
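The rule above can be turned into a pre-flight check before issuing the call. The script below is an added example, not part of MongoDB or this page: requiredRevokeDatabases lists the databases on which the caller needs the revokeRole action for a given privileges array, and missingRevokeRole compares that against a constructed map of the actions the caller holds. It assumes the standard resource document forms ({ db, collection }, { db: "", collection: "" } for all databases, { cluster: true } and { anyResource: true }); both function names are hypothetical.

```javascript
// Added example (not MongoDB's own code): which databases need revokeRole
// before revokePrivilegesFromRole can remove the given privileges.
// A single-database resource needs revokeRole on that database; a resource
// spanning several databases, the cluster, or any resource needs it on admin.
function requiredRevokeDatabases(privileges) {
  const dbs = new Set();
  for (const { resource } of privileges) {
    const multiDb = resource.cluster === true || resource.anyResource === true || resource.db === "";
    dbs.add(multiDb ? "admin" : resource.db);
  }
  return [...dbs].sort();
}

// grantedActionsByDb is a constructed map { <db>: [<action>, ...] } describing
// what the caller holds; returns the databases where revokeRole is missing.
function missingRevokeRole(privileges, grantedActionsByDb) {
  return requiredRevokeDatabases(privileges).filter(
    db => !(grantedActionsByDb[db] || []).includes("revokeRole"),
  );
}

// Usage with the privileges from the example at the end of this page:
// both entries target the products database, so revokeRole on products suffices.
const samplePrivileges = [
  { resource: { db: "products", collection: "" }, actions: ["createCollection", "createIndex", "find"] },
  { resource: { db: "products", collection: "orders" }, actions: ["insert"] },
];
console.log(requiredRevokeDatabases(samplePrivileges)); // [ 'products' ]
console.log(missingRevokeRole(samplePrivileges, { products: ["grantRole"] })); // [ 'products' ]
```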

Example

The following operation removes multiple privileges from the associates role:

db.revokePrivilegesFromRole(
   "associate",
   [
     {
       resource: { db: "products", collection: "" },
       actions: [ "createCollection", "createIndex", "find" ]
     },
     {
       resource: { db: "products", collection: "orders" },
       actions: [ "insert" ]
     }
   ],
   { w: "majority" }
)