On this page本页内容
MongoDB grants access to data and commands through role-based authorization and provides built-in roles that provide the different levels of access commonly needed in a database system. MongoDB通过基于角色的授权授予对数据和命令的访问权限,并提供内置角色,以提供数据库系统中通常需要的不同级别的访问。You can additionally create user-defined roles.还可以创建用户定义的角色。
A role grants privileges to perform sets of actions on defined resources. 角色授予在定义的资源上执行一组操作的权限。A given role applies to the database on which it is defined and can grant access down to a collection level of granularity.在给定的访问粒度级别上,可以将其应用于数据库。
Each of MongoDB's built-in roles defines access at the database level for all non-system collections in the role's database and at the collection level for all system collections.MongoDB的每个内置角色都定义了在数据库级对角色数据库中所有非系统集合的访问,以及在集合级对所有系统集合的访问。
MongoDB provides the built-in database user and database administration roles on every database. MongoDB为每个数据库提供内置的数据库用户和数据库管理角色。MongoDB provides all other built-in roles only on the MongoDB仅在管理数据库上提供所有其他内置角色。admin database.
This section describes the privileges for each built-in role. 本节介绍每个内置角色的权限。You can also view the privileges for a built-in role at any time by issuing the 您还可以随时查看内置角色的权限,方法是在rolesInfo command with the showPrivileges and showBuiltinRoles fields both set to true.showPrivileges和showBuiltinRoles字段均设置为true的情况下发出rolesInfo命令。
Every database includes the following client roles:每个数据库都包括以下客户端角色:
read
Provides the ability to read data on all non-system collections and the 提供读取所有非系统集合和system.js collection.system.js集合上的数据的能力。
Starting in MongoDB 4.2, the role no longer provides privileges to access the 从MongoDB 4.2开始,该角色不再提供直接访问system.namespaces collection directly. system.namespaces集合的权限。Direct access to the collection has been deprecated since MongoDB 3.0.自MongoDB 3.0以来,已不推荐直接访问该集合。
In earlier versions, the role provided the aforementioned privilege actions on the 在早期版本中,角色对system.namespaces collection, thereby allowing direct access.system.namespaces集合提供了上述权限操作,从而允许直接访问。
The role provides read access by granting the following actions:该角色通过授予以下操作来提供读取权限:
listDatabases privilege action, users can run the listDatabases command to return a list of databases for which the user has privileges (including databases for which the user has privileges on specific collections) if the command is run with authorizedDatabases option unspecified or set to true.listDatabases权限操作,则如果在未指定authorizedDatabases选项或将其设置为true的情况下运行该命令,则用户可以运行listDatabases命令以返回用户有权限的数据库列表(包括用户对特定集合有权限的数据库)。listDatabases privilege action, users can run the listDatabases command to return a list of databases for which the user has the find action privilege if the command is run with authorizedDatabases option unspecified or set to true.listDatabases权限操作,则如果在未指定authorizedDatabases选项或将其设置为true的情况下运行该命令,则用户可以运行listDatabases命令以返回用户具有find操作权限的数据库列表。listDatabases privilege action, users can run the listDatabases command to return a list of databases for which the user has the find action privilege.listDatabases权限操作,则用户可以运行listDatabases命令返回用户具有find操作权限的数据库列表。Every database includes the following database administration roles:每个数据库都包括以下数据库管理角色:
dbAdmin
Provides the ability to perform administrative tasks such as schema-related tasks, indexing, and gathering statistics. 提供执行管理任务的能力,例如与架构相关的任务、索引和集合统计信息。This role does not grant privileges for user and role management.此角色不授予用户和角色管理权限。
Specifically, the role provides the following privileges:具体而言,该角色提供以下权限:
system.profile |
| ||
|
dbOwner
The database owner can perform any administrative action on the database. 数据库所有者可以对数据库执行任何管理操作。This role combines the privileges granted by the 此角色结合了readWrite, dbAdmin and userAdmin roles.readWrite、dbAdmin和userAdmin角色授予的权限。
userAdmin
Provides the ability to create and modify roles and users on the current database. 提供在当前数据库上创建和修改角色和用户的功能。Since the 由于userAdmin role allows users to grant any privilege to any user, including themselves, the role also indirectly provides superuser access to either the database or, if scoped to the admin database, the cluster.userAdmin角色允许用户向任何用户(包括他们自己)授予任何权限,因此该角色还间接提供超级用户对数据库或集群(如果范围是admin数据库)的访问。
The userAdmin role explicitly provides the following actions:userAdmin角色显式提供以下操作:
changeCustomDatachangePasswordcreateRolecreateUserdropRoledropUsergrantRolerevokeRolesetAuthenticationRestrictionviewRoleviewUserIt is important to understand the security implications of granting the 理解授予userAdmin role: a user with this role for a database can assign themselves any privilege on that database. userAdmin角色的安全含义很重要:对于数据库具有此角色的用户可以为自己分配该数据库上的任何权限。Granting the 授予userAdmin role on the admin database has further security implications as this indirectly provides superuser access to a cluster. admin数据库上的userAdmin角色会带来进一步的安全影响,因为这会间接提供超级用户对集群的访问。With 使用admin scope a user with the userAdmin role can grant cluster-wide roles or privileges including userAdminAnyDatabase.admin作用域,具有userAdmin角色的用户可以授予集群范围内的角色或权限,包括userAdminAnyDatabase。
The admin database includes the following roles for administering the whole system rather than just a single database. admin数据库包括以下角色,用于管理整个系统,而不仅仅是单个数据库。These roles include but are not limited to replica set and sharded cluster administrative functions.这些角色包括但不限于副本集和分片集群管理功能。
clusterAdmin
Provides the greatest cluster-management access. 提供最大的群集管理访问权限。This role combines the privileges granted by the 此角色结合了clusterManager, clusterMonitor, and hostManager roles. clusterManager、clusterMonitor和hostManager角色授予的权限。Additionally, the role provides the 此外,该角色还提供dropDatabase action.dropDatabase操作。
clusterManager
Changed in version 3.4.在版本3.4中更改。
Provides management and monitoring actions on the cluster. 提供群集上的管理和监视操作。A user with this role can access the 具有此角色的用户可以访问config and local databases, which are used in sharding and replication, respectively.config数据库和local数据库,这两个数据库分别用于分片和复制。
| cluster |
| ||
| All databases |
|
On the 在config database, permits the following actions:config数据库上,允许执行以下操作:
config databaseconfig数据库中的所有非系统集合 | |||
system.js |
|
On the 在local database, permits the following actions:local数据库上,允许执行以下操作:
local databaselocal数据库中的所有非系统集合 | |||
system.replset |
clusterMonitor
Changed in version 3.4.在版本3.4中更改。
Provides read-only access to monitoring tools, such as the MongoDB Cloud Manager and Ops Manager monitoring agent.提供对监控工具(如MongoDB Cloud Manager和Ops Manager监控代理)的只读访问。
Permits the following actions on the cluster as a whole:允许对整个集群执行以下操作:
|
|
Permits the following actions on all databases in the cluster:允许对群集中的所有数据库执行以下操作:
collStatsdbStatsgetShardVersionindexStatsuseUUID (New in version 3.6)Permits the 允许对群集中的所有find action on all system.profile collections in the cluster.system.profile集合执行find操作。
On the 在config database, permits the following actions:config数据库上,允许执行以下操作:
config databaseconfig数据库中的所有非系统集合 | collStatsdbHashdbStatsfindgetShardVersionindexStatskillCursorslistCollectionslistIndexesplanCacheRead
|
system.js | collStatsdbHashdbStatsfindkillCursorslistCollectionslistIndexesplanCacheRead
|
On the 在local database, permits the following actions:local数据库上,允许执行以下操作:
local databaselocal数据库中的所有集合 | collStatsdbHashdbStatsfindgetShardVersionindexStatskillCursorslistCollectionslistIndexesplanCacheRead
|
system.js collection
| collStatsdbHashdbStatsfindkillCursorslistCollectionslistIndexesplanCacheRead
|
system.replset,system.profile,
| find |
hostManager
Provides the ability to monitor and manage servers.提供监视和管理服务器的能力。
On the cluster as a whole, provides the following actions:在整个集群上,提供以下操作:
|
|
Changed in version 4.4.在版本4.4中更改。
hostManager no longer provides the cpuProfiler privilege action on the cluster.hostManager不再在集群上提供cpuProfiler权限操作。
On all databases in the cluster, provides the following actions:在群集中的所有数据库上,提供以下操作:
The admin database includes the following roles for backing up and restoring data:admin数据库包括以下用于备份和恢复数据的角色:
backup
Provides minimal privileges needed for backing up data. 提供备份数据所需的最低权限。This role provides sufficient privileges to use the MongoDB Cloud Manager backup agent, Ops Manager backup agent, or to use 此角色提供足够的权限来使用MongoDB Cloud Manager备份代理、Ops Manager备份代理,或使用mongodump to back up an entire mongod instance.mongodump 备份整个mongod实例。
Provides the insert and update actions on the mms.backup collection in the admin database and on the settings collection in the config database.
On anyResource, provides the
listDatabases actionlistCollections actionlistIndexes actionOn the cluster as a whole, provides the
appendOplogNotegetParameterlistDatabasesserverStatus (Starting in MongoDB 4.2)Provides the find action on the following:
config and local databasesconfig数据库和local数据库中的集合The following system collections in the cluster:群集中的以下系统集合:
system.js, and 和system.profile
admin.system.users and admin.system.roles collectionsconfig.settings collectionsystem.users collections from versions of MongoDB prior to 2.6Provides the insert and update actions on the config.settings collection.
Changed in version 3.2.1.在版本3.2.1中更改。
backup role provides additional privileges to back up the system.profile collection that exists when running with database profiling. Previously, users required read access on this collection.
restore
Changed in version 3.6.在版本3.6中更改。
convertToCapped on non-system collections.
Provides the necessary privileges to restore data from backups if the data does not include system.profile collection data and you run mongorestore without the --oplogReplay option.
If the backup data includes system.profile collection data or you run with --oplogReplay, you need additional privileges:
system.profile | If the backup data includes Both the built-in roles |
--oplogReplay | To run with Grant only to users who must run |
Provides the following action on the cluster as a whole:在整个群集上提供以下操作:
Provides the following actions on all non-system collections:对所有非系统集合提供以下操作:
bypassDocumentValidationchangeCustomDatachangePasswordcollModconvertToCappedcreateCollectioncreateIndexcreateRolecreateUserdropCollectiondropRoledropUsergrantRoleinsertrevokeRoleviewRoleviewUserProvides the following actions on 在system.js collection:system.js集合上提供以下操作:
Provides the following action on anyResource:anyResource提供以下操作:
Provides the following actions on all non-system collections on the 对config and the local databases:config和local数据库上的所有非系统集合提供以下操作:
Provides the following actions on 在admin.system.versionadmin.system.version上提供以下操作
Provides the following action on 在admin.system.rolesadmin.system.roles上提供以下操作
Provides the following actions on 对admin.system.users and legacy system.users collections:admin.system.users和旧版system.users集合提供以下操作:
bypassDocumentValidationcollModcreateCollectioncreateIndexdropCollectionfindinsertremoveupdateAlthough, 尽管restore includes the ability to modify the documents in the admin.system.users collection using normal modification operations, only modify these data using the user management methods.restore功能包括使用常规修改操作修改admin.system.users集合中的文档,但只能使用用户管理方法修改这些数据。
Starting in version 4.2, MongoDB removes the 从4.2版开始,MongoDB删除system.namespaces collection. system.namespaces集合。As such, the 因此,restore role no longer provides privileges to access these collections. restore角色不再提供访问这些集合的权限。Direct access to these collections has been deprecated since MongoDB 3.0.自MongoDB 3.0以来,对这些集合的直接访问已被弃用。
In earlier versions, the 在早期版本中,restore role provides the aforementioned privilege actions on the system.namespaces collection, thereby allowing direct access to the collection.restore角色对system.namespaces集合提供上述权限操作,从而允许直接访问集合。
Changed in version 3.4.在版本3.4中更改。
The following roles are available on the admin database and provide privileges which apply to all databases except local and config:admin数据库上有以下角色,并提供适用于除local和config之外的所有数据库的权限:
readAnyDatabase
Provides the same read-only privileges as read on all databases except local and config. The role also provides the listDatabases action on the cluster as a whole.
Changed in version 3.4.在版本3.4中更改。
readAnyDatabase includes local and config databases. To provide read privileges on the local database, create a user in the admin database with read role in the local database.
See also the clusterManager and clusterMonitor roles for access to the config and local databases.
readWriteAnyDatabase
Provides the same privileges as readWrite on all databases except local and config. The role also provides the listDatabases action on the cluster as a whole.
Changed in version 3.4.在版本3.4中更改。
readWriteAnyDatabase includes local and config databases. To provide readWrite privileges on the local database, create a user in the admin database with readWrite role in the local database.
See also the clusterManager and clusterMonitor roles for access to the config and local databases.
userAdminAnyDatabase
Provides the same access to user administration operations as 在除userAdmin on all databases except local and config.local和config之外的所有数据库上提供与userAdmin相同的用户管理操作访问权限。
userAdminAnyDatabase also provides the following privilege actions on the cluster:还提供群集上的以下权限操作:
The role also provides the following privilege actions on the system.users and system.roles collections on the admin database, and on legacy system.users collections from versions of MongoDB prior to 2.6:
Changed in version 2.6.4.在版本2.6.4中更改。
userAdminAnyDatabase added the following privilege actions on the admin.system.users and admin.system.roles collections:
The userAdminAnyDatabase role does not restrict the privileges that a user can grant. userAdminAnyDatabase角色不限制用户可以授予的权限。As a result, 因此,userAdminAnyDatabase users can grant themselves privileges in excess of their current privileges and even can grant themselves all privileges, even though the role does not explicitly authorize privileges beyond user administration. userAdminAnyDatabase用户可以授予自己超出其当前权限的权限,甚至可以授予自己所有权限,即使该角色没有明确授权用户管理之外的权限。This role is effectively a MongoDB system superuser.这个角色实际上是MongoDB系统的超级用户。
Changed in version 3.4.在版本3.4中更改。
userAdminAnyDatabase no longer applies to the local and config databases.
See also the 另请参见clusterManager and clusterMonitor roles for access to the config and local databases.clusterManager和clusterMonitor角色,以获取对配置和本地数据库的访问。
dbAdminAnyDatabase
Provides the same privileges as 在除dbAdmin on all databases except local and config. local和config之外的所有数据库上提供与dbAdmin相同的权限。The role also provides the 该角色还提供对整个集群的listDatabases action on the cluster as a whole.listDatabases操作。
Changed in version 3.4.在版本3.4中更改。
dbAdminAnyDatabase includes local and config databases. dbAdminAnyDatabase包括local数据库和config数据库。To provide dbAdmin privileges on the local database, create a user in the admin database with dbAdmin role in the local database.
See also the 另请参见clusterManager and clusterMonitor roles for access to the config and local databases.clusterManager角色和clusterMonitor角色,以获取对config数据库和local数据库的访问。
Starting in MongoDB 5.0, 从MongoDB 5.0开始,dbAdminAnyDatabase includes the applyOps privilege action.dbAdminAnyDatabase包括applyOps权限操作。
Several roles provide either indirect or direct system-wide superuser access.有几个角色提供间接或直接的系统范围超级用户访问。
The following roles provide the ability to assign any user any privilege on any database, which means that users with one of these roles can assign themselves any privilege on any database:以下角色可以为任何用户分配任何数据库上的任何权限,这意味着具有这些角色之一的用户可以为自己分配任何数据库上的任何权限:
dbOwner role, when scoped to the admin databaseuserAdmin role, when scoped to the admin databaseuserAdminAnyDatabase roleThe following role provides full privileges on all resources:以下角色提供对所有资源的完全权限:
__system
MongoDB assigns this role to user objects that represent cluster members, such as replica set members and MongoDB将此角色分配给表示集群成员的用户对象,例如副本集成员和mongos instances. mongos实例。The role entitles its holder to take any action against any object in the database.该角色使其持有者有权对数据库中的任何对象采取任何操作。
Do not assign this role to user objects representing applications or human administrators, other than in exceptional circumstances.除非在特殊情况下,否则不要将此角色分配给代表应用程序或人工管理员的用户对象。
If you need access to all actions on all resources, for example to run 如果需要访问所有资源上的所有操作,例如运行applyOps commands, do not assign this role. applyOps命令,请不要分配此角色。Instead, create a user-defined role that grants 相反,创建一个用户定义的角色,授予对anyAction on anyResource and ensure that only the users who need access to these operations have this access.anyResource的anyAction,并确保只有需要访问这些操作的用户才具有此访问权限。