system.roles Collection


The system.roles collection in the admin database stores the user-defined roles. To create and manage these user-defined roles, MongoDB provides role management commands.

system.roles Schema

The documents in the system.roles collection have the following schema:

{
  _id: <system-defined id>,
  role: "<role name>",
  db: "<database>",
  privileges:
      [
          {
              resource: { <resource> },
              actions: [ "<action>", ... ]
          },
          ...
      ],
  roles:
      [
          { role: "<role name>", db: "<database>" },
          ...
      ]
}

A system.roles document has the following fields:

admin.system.roles.role

The role field is a string that specifies the name of the role.

admin.system.roles.db

The db field is a string that specifies the database to which the role belongs. MongoDB uniquely identifies each role by the pairing of its name (i.e. role) and its database.

admin.system.roles.privileges

The privileges array contains the privilege documents that define the privileges for the role.

A privilege document has the following syntax:

{
  resource: { <resource> },
  actions: [ "<action>", ... ]
}

Each privilege document has the following fields:

admin.system.roles.privileges[n].resource

A document that specifies the resources upon which the privilege actions apply. The document has one of the following forms:

{ db: <database>, collection: <collection> }

or

{ cluster : true }

See Resource Document for more details.

admin.system.roles.privileges[n].actions

An array of actions permitted on the resource. For a list of actions, see Privilege Actions.

admin.system.roles.roles

The roles array contains role documents that specify the roles from which this role inherits privileges.

A role document has the following syntax:

{ role: "<role name>", db: "<database>" }

A role document has the following fields:

admin.system.roles.roles[n].role

The name of the role. A role can be a built-in role provided by MongoDB or a user-defined role.

admin.system.roles.roles[n].db

The name of the database where the role is defined.

Examples

Consider the following sample documents found in the system.roles collection of the admin database.

A User-Defined Role Specifies Privileges

The following is a sample document for a user-defined role appUser defined for the myApp database:

{
  _id: "myApp.appUser",
  role: "appUser",
  db: "myApp",
  privileges: [
       { resource: { db: "myApp" , collection: "" },
         actions: [ "find", "createCollection", "dbStats", "collStats" ] },
       { resource: { db: "myApp", collection: "logs" },
         actions: [ "insert" ] },
       { resource: { db: "myApp", collection: "data" },
         actions: [ "insert", "update", "remove", "compact" ] },
       { resource: { db: "myApp", collection: "system.js" },
         actions: [ "find" ] },
  ],
  roles: []
}

The privileges array lists the five privileges that the appUser role specifies:

  • The first privilege permits its actions ("find", "createCollection", "dbStats", "collStats") on all the collections in the myApp database excluding its system collections. See Specify a Database as Resource.
  • The next two privileges permit additional actions on specific collections, logs and data, in the myApp database. See Specify a Collection of a Database as Resource.
  • The last privilege permits actions on one system collection in the myApp database. While the first privilege gives database-wide permission for the find action, the action does not apply to myApp's system collections. To give access to a system collection, a privilege must explicitly specify the collection. See Resource Document.

As indicated by the empty roles array, appUser inherits no additional privileges from other roles.

User-Defined Role Inherits from Other Roles

The following is a sample document for a user-defined role appAdmin defined for the myApp database. The document shows that the appAdmin role specifies privileges as well as inherits privileges from other roles:

{
  _id: "myApp.appAdmin",
  role: "appAdmin",
  db: "myApp",
  privileges: [
      {
         resource: { db: "myApp", collection: "" },
         actions: [ "insert", "dbStats", "collStats", "compact" ]
      }
  ],
  roles: [
      { role: "appUser", db: "myApp" }
  ]
}

The privileges array lists the privileges that the appAdmin role specifies. This role has a single privilege that permits its actions ("insert", "dbStats", "collStats", "compact") on all the collections in the myApp database excluding its system collections. See Specify a Database as Resource.

The roles array lists the roles, identified by the role names and databases, from which the role appAdmin inherits privileges.
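The following script, an added example rather than MongoDB's own code, resolves the effective privileges of the two sample roles above (appUser and appAdmin) by walking the roles array recursively, and applies the resource rule from the first example: a database-level resource covers every non-system collection, so a system collection such as system.js is reachable only through an explicitly named resource. The two documents are embedded inline so the check runs offline; when auditing a real deployment you would read them from admin.system.roles instead.

```python
"""Resolve the effective privileges of a user-defined MongoDB role.
Added illustration, not MongoDB's own code: the two documents below are the
appUser / appAdmin system.roles samples from this page, embedded inline so
the script runs offline without a server."""

SYSTEM_ROLES = [
    {"_id": "myApp.appUser", "role": "appUser", "db": "myApp",
     "privileges": [
         {"resource": {"db": "myApp", "collection": ""},
          "actions": ["find", "createCollection", "dbStats", "collStats"]},
         {"resource": {"db": "myApp", "collection": "logs"}, "actions": ["insert"]},
         {"resource": {"db": "myApp", "collection": "data"},
          "actions": ["insert", "update", "remove", "compact"]},
         {"resource": {"db": "myApp", "collection": "system.js"}, "actions": ["find"]},
     ], "roles": []},
    {"_id": "myApp.appAdmin", "role": "appAdmin", "db": "myApp",
     "privileges": [
         {"resource": {"db": "myApp", "collection": ""},
          "actions": ["insert", "dbStats", "collStats", "compact"]}],
     "roles": [{"role": "appUser", "db": "myApp"}]},
]

def effective_privileges(role, db, docs=SYSTEM_ROLES, seen=None):
    """Own privileges plus those of every inherited user-defined role.
    Built-in roles are not stored in system.roles and are skipped; `seen`
    guards against inheritance cycles.  Roles are keyed by (role, db)."""
    seen = set() if seen is None else seen
    doc = next((d for d in docs if d["role"] == role and d["db"] == db), None)
    if doc is None or (role, db) in seen:
        return []
    seen.add((role, db))
    privs = list(doc["privileges"])
    for parent in doc["roles"]:
        privs += effective_privileges(parent["role"], parent["db"], docs, seen)
    return privs

def resource_matches(resource, db, collection):
    """Rule from the page: collection "" covers every non-system collection
    in that database; a system collection must be named explicitly."""
    if resource.get("cluster") or resource["db"] != db:
        return False
    if resource["collection"] == "":
        return not collection.startswith("system.")
    return resource["collection"] == collection

def is_allowed(role, db, target_db, collection, action, docs=SYSTEM_ROLES):
    """True if the role grants `action` on target_db.collection, directly or by inheritance."""
    return any(action in p["actions"] and resource_matches(p["resource"], target_db, collection)
               for p in effective_privileges(role, db, docs))
```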
