db.revokePrivilegesFromRole()

On this page本页内容

Definition定义

db.revokePrivilegesFromRole(rolename, privileges, writeConcern)

Removes the specified privileges from the user-defined role on the database where the method runs. 从运行方法的数据库上的用户定义角色中删除指定的权限。The db.revokePrivilegesFromRole() method has the following syntax:db.revokePrivilegesFromRole()方法具有以下语法:

db.revokePrivilegesFromRole(
    "<rolename>",
    [
        { resource: { <resource> }, actions: [ "<action>", ... ] },
        ...
    ],
    { <writeConcern> }
)

The db.revokePrivilegesFromRole() method takes the following arguments:db.revokePrivilegesFromRole()方法采用以下参数:

Parameter参数Type类型Description描述
rolenamestringThe name of the user-defined role from which to revoke privileges.要从中撤消权限的用户定义角色的名称。
privilegesarrayAn array of privileges to remove from the role. 要从角色中删除的权限数组。See privileges for more information on the format of the privileges.有关权限格式的更多信息,请参阅privileges
writeConcerndocument

Optional. 可选。The level of write concern for the operation. 操作的写入关注级别See Write Concern Specification.请参阅写入关注规范

The db.revokePrivilegesFromRole() method wraps the revokePrivilegesFromRole command.db.revokePrivilegesFromRole()方法包装了revokePrivilegesFromRole命令。

Behavior行为

Replica set副本集

If run on a replica set, db.revokePrivilegesFromRole() is executed using "majority" write concern by default.如果在副本集上运行,默认情况下,db.revokePrivilegesFromRole()将使用"majority"写入关注点执行。

Scope作用域

To revoke a privilege, the resource document pattern must match exactly the resource field of that privilege. 要撤销权限,资源文档模式必须与该权限的resource字段完全匹配。The actions field can be a subset or match exactly.actions字段可以是子集或完全匹配。

For example, given the role accountRole in the products database with the following privilege that specifies the products database as the resource:例如,给定产品数据库中具有以下权限的角色accountRole,该权限将products数据库指定为资源:

{
  "resource" : {
      "db" : "products",
      "collection" : ""
  },
  "actions" : [
      "find",
      "update"
  ]
}

You cannot revoke find and/or update from just onecollection in the products database. 不能仅从products数据库中的一个集合撤消查找和/或更新。The following operations result in no change to the role:以下操作不会导致角色更改:

use products
db.revokePrivilegesFromRole(
   "accountRole",
   [
     {
       resource : {
          db : "products",
          collection : "gadgets"
       },
       actions : [
          "find",
          "update"
       ]
     }
   ]
)
db.revokePrivilegesFromRole(
   "accountRole",
   [
     {
       resource : {
          db : "products",
          collection : "gadgets"
       },
       actions : [
          "find"
       ]
     }
   ]
)

To revoke the "find" and/or the "update" action from the role accountRole, you must match the resource document exactly. 要从角色accountRole撤消"find"和/或"update"操作,必须与资源文档完全匹配。For example, the following operation revokes just the "find" action from the existing privilege.例如,以下操作仅从现有权限中撤消"find"操作。

use products
db.revokePrivilegesFromRole(
   "accountRole",
   [
     {
       resource : {
          db : "products",
          collection : ""
       },
       actions : [
          "find"
       ]
     }
   ]
)

Required Access所需访问权限

You must have the revokeRole action on the database a privilege targets in order to revoke that privilege. 您必须对权限目标数据库执行revokeRole操作才能撤销该权限。If the privilege targets multiple databases or the cluster resource, you must have the revokeRole action on the admin database.如果权限针对多个数据库或cluster资源,则必须对admin数据库执行revokeRole操作。

Example示例

The following operation removes multiple privileges from the associates role:以下操作将从associates角色中删除多个权限:

db.revokePrivilegesFromRole(
   "associate",
   [
     {
       resource: { db: "products", collection: "" },
       actions: [ "createCollection", "createIndex", "find" ]
     },
     {
       resource: { db: "products", collection: "orders" },
       actions: [ "insert" ]
     }
   ],
   { w: "majority" }
)
←  db.grantPrivilegesToRole()db.grantRolesToRole() →