The resource document specifies the resources upon which a privilege permits actions.
To specify databases and/or collections, use the following syntax:
{ db: <database>, collection: <collection> }
If the resource document specifies both the db and collection fields as non-empty strings, the resource is the specified collection in the specified database. For example, the following document specifies a resource of the inventory collection in the products database:
{ db: "products", collection: "inventory" }
For a user-defined role scoped for a non-admin database, the resource specification for its privileges must specify the same database as the role. User-defined roles scoped for the admin database can specify other databases.
If only the collection field is an empty string (""), the resource is the specified database, excluding the system collections. For example, the following resource document specifies the resource of the test database, excluding the system collections:
{ db: "test", collection: "" }
For a user-defined role scoped for a non-admin database, the resource specification for its privileges must specify the same database as the role. User-defined roles scoped for the admin database can specify other databases.
When you specify a database as the resource, system collections are excluded, unless you name them explicitly, as in the following:
{ db: "test", collection: "system.js" }
System collections include but are not limited to the following:
<database>.system.profile
<database>.system.js
system.users collection in the admin database
system.roles collection in the admin database
If only the db field is an empty string (""), the resource is all collections with the specified name across all databases. For example, the following document specifies the resource of all the accounts collections across all the databases:
{ db: "", collection: "accounts" }
For user-defined roles, only roles scoped for the admin database can have this resource specification for their privileges.
If both the db and collection fields are empty strings (""), the resource is all collections, excluding the system collections, in all the databases:
{ db: "", collection: "" }
For user-defined roles, only roles scoped for the admin database can have this resource specification for their privileges.
To specify the cluster as the resource, use the following syntax:
{ cluster : true }
Use the cluster resource for actions that affect the state of the system rather than act on a specific set of databases or collections. Examples of such actions are shutdown, replSetReconfig, and addShard. For example, the following document grants the action shutdown on the cluster.
{ resource: { cluster : true }, actions: [ "shutdown" ] }
For user-defined roles, only roles scoped for the admin database can have this resource specification for their privileges.
anyResource
The internal resource anyResource gives access to every resource in the system and is intended for internal use. Do not use this resource, other than in exceptional circumstances. The syntax for this resource is { anyResource: true }.
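The matching and scoping rules on this page, as an added example that is not part of the MongoDB documentation or code: covers() decides whether a resource document applies to a namespace, and lintRole() flags privileges that a user-defined role's scope does not allow. The function names, the roleDb parameter, and the rule that any collection named system.* counts as a system collection are assumptions of this example.

```javascript
// Added example, not MongoDB code. Assumption: a collection whose name
// starts with "system." is treated as a system collection.
const isSystem = (coll) => coll.startsWith("system.");

// Does a resource document cover the namespace db.coll?
function covers(resource, db, coll) {
  if (resource.anyResource === true) return true;
  if (resource.cluster === true) return false; // cluster is not a namespace
  const dbOk = resource.db === "" || resource.db === db;
  if (!dbOk) return false;
  // Empty collection means the whole database, minus system collections.
  if (resource.collection === "") return !isSystem(coll);
  // An explicitly named collection matches, system collections included.
  return resource.collection === coll;
}

// Check a user-defined role's privileges against the scoping rules.
// roleDb (hypothetical name) is the database the role is scoped for.
function lintRole(roleDb, privileges) {
  const findings = [];
  privileges.forEach(({ resource }, i) => {
    if (resource.anyResource === true) {
      findings.push(`privilege ${i}: anyResource is intended for internal use`);
    } else if (roleDb !== "admin") {
      if (resource.cluster === true) {
        findings.push(`privilege ${i}: cluster resource needs a role scoped for admin`);
      } else if (resource.db !== roleDb) {
        // Also catches db: "", which only admin-scoped roles may use.
        findings.push(`privilege ${i}: db "${resource.db}" must match role database "${roleDb}"`);
      }
    }
  });
  return findings;
}

// Constructed sample: privileges for a role scoped for the products database.
const sample = [
  { resource: { db: "products", collection: "inventory" }, actions: ["find"] },
  { resource: { db: "", collection: "accounts" }, actions: ["find"] },
  { resource: { cluster: true }, actions: ["shutdown"] },
];
console.log(lintRole("products", sample));
```

Running lintRole() over role definitions before they are created surfaces privileges that reach beyond the role's own database, and covers() shows that a database-wide grant does not extend to system.js unless that collection is named.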