revokePrivilegesFromRole


Definition

revokePrivilegesFromRole

Removes the specified privileges from the user-defined role on the database where the command is run. The revokePrivilegesFromRole command has the following syntax:

{
  revokePrivilegesFromRole: "<role>",
  privileges:
      [
        { resource: { <resource> }, actions: [ "<action>", ... ] },
        ...
      ],
  writeConcern: <write concern document>,
  comment: <any>
}

The revokePrivilegesFromRole command has the following fields:

Field                     | Type     | Description
--------------------------|----------|-------------------------------------------------------------
revokePrivilegesFromRole  | string   | The user-defined role to revoke privileges from.
privileges                | array    | An array of privileges to remove from the role. See privileges for more information on the format of the privileges.
writeConcern              | document | Optional. The level of write concern for the operation. See Write Concern Specification.
comment                   | any      | Optional. A user-provided comment to attach to this command. Once set, this comment appears alongside records of this command in the following locations:

A comment can be any valid BSON type (string, integer, object, array, etc.).

New in version 4.4.

Behavior

To revoke a privilege, the resource document in the request must match the resource field of that privilege exactly. The actions field can be a subset of the privilege's actions or match them exactly.

For example, consider the role accountRole in the products database with the following privilege, which specifies the products database as the resource:

{
  "resource" : {
      "db" : "products",
      "collection" : ""
  },
  "actions" : [
      "find",
      "update"
  ]
}

You cannot revoke find and/or update from just one collection in the products database, because a collection-scoped resource does not match the database-wide resource of the privilege. The following operations result in no change to the role:

use products
db.runCommand(
    {
      revokePrivilegesFromRole: "accountRole",
      privileges:
        [
          {
            resource : {
                db : "products",
                collection : "gadgets"
            },
            actions : [
                "find",
                "update"
            ]
          }
        ]
    }
)
db.runCommand(
    {
      revokePrivilegesFromRole: "accountRole",
      privileges:
        [
          {
            resource : {
                db : "products",
                collection : "gadgets"
            },
            actions : [
                "find"
            ]
          }
        ]
    }
)

To revoke the "find" and/or the "update" action from the role accountRole, you must match the resource document exactly. For example, the following operation revokes just the "find" action from the existing privilege, leaving "update" in place:

use products
db.runCommand(
    {
      revokePrivilegesFromRole: "accountRole",
      privileges:
        [
          {
            resource : {
                db : "products",
                collection : ""
            },
            actions : [
                "find"
            ]
          }
        ]
    }
)

Required Access

You must have the revokeRole action on the database that a privilege targets in order to revoke that privilege. If the privilege targets multiple databases or the cluster resource, you must have the revokeRole action on the admin database.
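The Behavior and Required Access sections above describe two rules: a revocation only applies when the resource document is identical to the privilege's resource (actions may be a subset), and the caller needs revokeRole on the targeted database, or on admin for cluster-wide or multi-database privileges. The following is an added example, not code from the MongoDB documentation: a small offline model of those rules in JavaScript, so the "no change" and "exact match" cases above can be checked without a server. The privilege data is constructed for the example, and the function names (sameResource, revokePrivileges, revokeRoleAuthDb) are this example's own; real enforcement happens inside mongod.

```javascript
// Added example (not MongoDB's own code): a model of the matching rule that
// revokePrivilegesFromRole applies, plus the page's rule for which database
// the caller must hold the revokeRole action on.

// Two resource documents match only if they have the same keys and values.
// A partial match ({db: "products", collection: "gadgets"} against
// {db: "products", collection: ""}) is not a match.
function sameResource(a, b) {
  const ka = Object.keys(a).sort();
  const kb = Object.keys(b).sort();
  if (ka.length !== kb.length) return false;
  return ka.every((k, i) => k === kb[i] && a[k] === b[k]);
}

// Apply a list of revocations to a role's privilege list and return a new list.
// A privilege whose resource matches exactly loses the listed actions; actions
// that are not present are simply ignored (subset semantics). Modeling
// assumption: a privilege left with no actions is dropped from the role.
// Privileges whose resource does not match exactly are returned unchanged.
function revokePrivileges(rolePrivileges, revocations) {
  return rolePrivileges
    .map((priv) => {
      const hit = revocations.find((r) => sameResource(r.resource, priv.resource));
      if (!hit) return priv;
      const remaining = priv.actions.filter((a) => !hit.actions.includes(a));
      return { resource: priv.resource, actions: remaining };
    })
    .filter((priv) => priv.actions.length > 0);
}

// Database on which the caller needs the revokeRole action for one privilege:
// the targeted database, or admin when the privilege targets the cluster
// resource or every database (db: "" means all databases).
function revokeRoleAuthDb(resource) {
  if (resource.cluster === true) return "admin";
  if (resource.db === "") return "admin";
  return resource.db;
}

// Constructed sample state mirroring accountRole in the products database.
const accountRole = [
  { resource: { db: "products", collection: "" }, actions: ["find", "update"] },
];

// No change: the collection-scoped resource does not match the database-wide one.
const unchanged = revokePrivileges(accountRole, [
  { resource: { db: "products", collection: "gadgets" }, actions: ["find", "update"] },
]);

// Exact resource match: only "find" is removed, "update" remains.
const findRevoked = revokePrivileges(accountRole, [
  { resource: { db: "products", collection: "" }, actions: ["find"] },
]);

// Revoking the last remaining action drops the privilege from the role.
const emptied = revokePrivileges(findRevoked, [
  { resource: { db: "products", collection: "" }, actions: ["update"] },
]);

console.log("unchanged:", JSON.stringify(unchanged));
console.log("find revoked:", JSON.stringify(findRevoked));
console.log("all revoked:", JSON.stringify(emptied));
console.log("revokeRole needed on:", revokeRoleAuthDb(accountRole[0].resource));
```

When auditing a role cleanup, comparing the intended resource document against the role's actual privileges with sameResource before running the command catches the silent no-op case: a revocation that targets a narrower collection than the privilege grants leaves the broader access in place.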

Example

The following operation removes multiple privileges from the associates role in the products database:

use products
db.runCommand(
   {
     revokePrivilegesFromRole: "associate",
     privileges:
      [
        {
          resource: { db: "products", collection: "" },
          actions: [ "createCollection", "createIndex", "find" ]
        },
        {
          resource: { db: "products", collection: "orders" },
          actions: [ "insert" ]
        }
      ],
     writeConcern: { w: "majority" }
   }
)