Implement Field Level Redaction


The $redact pipeline operator restricts the contents of the documents based on information stored in the documents themselves.

Diagram of security architecture with middleware and redaction.

To store the access criteria data, add a field to the documents and embedded documents. To allow for multiple combinations of access levels for the same data, consider setting the access field to an array of arrays. Each array element contains a required set that allows a user with that set to access the data.

Then, include the $redact stage in the db.collection.aggregate() operation to restrict the contents of the result set based on the access required to view the data.

For more information on the $redact pipeline operator, including its syntax and associated system variables as well as additional examples, see $redact.

Procedure

For example, a forecasts collection contains documents of the following form, where the tags field determines the access levels required to view the data:

{
   _id: 1,
   title: "123 Department Report",
   tags: [ [ "G" ], [ "FDW" ] ],
   year: 2014,
   subsections: [
       {
           subtitle: "Section 1: Overview",
           tags: [ [ "SI", "G" ], [ "FDW" ] ],
           content:  "Section 1: This is the content of section 1."
       },
       {
           subtitle: "Section 2: Analysis",
           tags: [ [ "STLW" ] ],
           content: "Section 2: This is the content of section 2."
       },
       {
           subtitle: "Section 3: Budgeting",
           tags: [ [ "TK" ], [ "FDW", "TGE" ] ],
           content: {
               text: "Section 3: This is the content of section3.",
               tags: [ [ "HCS" ], [ "FDW", "TGE", "BX" ] ]
           }
       }
   ]
}

For each document, the tags field contains the various access groupings necessary to view the data. For example, the value [ [ "G" ], [ "FDW", "TGE" ] ] can specify that a user requires either access level [ "G" ] or both [ "FDW", "TGE" ] to view the data.

Consider a user who only has access to view information tagged with either "FDW" or "TGE". To run a query on all documents with year 2014 for this user, include a $redact stage as in the following:

var userAccess = [ "FDW", "TGE" ];
db.forecasts.aggregate(
   [
     { $match: { year: 2014 } },
     { $redact:
         {
           $cond: {
                    if: { $anyElementTrue:
                           {
                             $map: {
                                     input: "$tags" ,
                                     as: "fieldTag",
                                     in: { $setIsSubset: [ "$$fieldTag", userAccess ] }
                                   }
                           }
                        },
                     then: "$$DESCEND",
                     else: "$$PRUNE"
                  }
         }
     }
   ]
)

The aggregation operation returns the following "redacted" document for the user:

{ "_id" : 1,
  "title" : "123 Department Report",
  "tags" : [ [ "G" ], [ "FDW" ] ],
  "year" : 2014,
  "subsections" :
     [
        {
          "subtitle" : "Section 1: Overview",
          "tags" : [ [ "SI", "G" ], [ "FDW" ] ],
          "content" : "Section 1: This is the content of section 1."
        },
       {
         "subtitle" : "Section 3: Budgeting",
         "tags" : [ [ "TK" ], [ "FDW", "TGE" ] ]
       }
     ]
}
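To make the result above easy to reason about, the following plain-JavaScript model replays the page's $cond at each document level: $setIsSubset on every tag set, $anyElementTrue across them, then $$DESCEND or $$PRUNE. It is an added example, not MongoDB's implementation or code from the MongoDB documentation. The sample document is the forecasts document from the page, constructed inline; the one assumption beyond the page is that this model treats a level with no tags array as PRUNE (fail closed), whereas the pipeline on the page assumes every document and embedded document carries tags.

```javascript
// Added example: a model of the page's $redact stage in plain JavaScript.
// Sample input constructed from the forecasts document shown on the page.
const forecast = {
  _id: 1,
  title: "123 Department Report",
  tags: [["G"], ["FDW"]],
  year: 2014,
  subsections: [
    {
      subtitle: "Section 1: Overview",
      tags: [["SI", "G"], ["FDW"]],
      content: "Section 1: This is the content of section 1.",
    },
    {
      subtitle: "Section 2: Analysis",
      tags: [["STLW"]],
      content: "Section 2: This is the content of section 2.",
    },
    {
      subtitle: "Section 3: Budgeting",
      tags: [["TK"], ["FDW", "TGE"]],
      content: {
        text: "Section 3: This is the content of section3.",
        tags: [["HCS"], ["FDW", "TGE", "BX"]],
      },
    },
  ],
};

// $setIsSubset: every element of the required set is in the user's access set.
function setIsSubset(required, userAccess) {
  return required.every((tag) => userAccess.includes(tag));
}

// The page's $cond: $$DESCEND if $anyElementTrue over the mapped subset checks,
// else $$PRUNE. Assumption of this model (not on the page): a level without a
// tags array is pruned, so a document that forgot its tags fails closed.
function accessDecision(tags, userAccess) {
  if (!Array.isArray(tags)) return "PRUNE";
  const anyMatch = tags.some((fieldTag) => setIsSubset(fieldTag, userAccess));
  return anyMatch ? "DESCEND" : "PRUNE";
}

// $redact with $$DESCEND: keep this level, then re-evaluate the condition on
// every embedded document. Returns undefined when the level is pruned.
function redact(doc, userAccess) {
  if (accessDecision(doc.tags, userAccess) === "PRUNE") return undefined;
  const out = {};
  for (const [key, value] of Object.entries(doc)) {
    const kept = redactValue(value, userAccess);
    if (kept !== undefined) out[key] = kept;
  }
  return out;
}

function redactValue(value, userAccess) {
  if (Array.isArray(value)) {
    // Pruned embedded documents drop out of the array; scalars pass through.
    return value
      .map((v) => redactValue(v, userAccess))
      .filter((v) => v !== undefined);
  }
  if (value !== null && typeof value === "object") {
    return redact(value, userAccess);
  }
  return value;
}

// Usage: the page's user holds [ "FDW", "TGE" ].
const userAccess = ["FDW", "TGE"];
console.log(JSON.stringify(redact(forecast, userAccess), null, 2));
```

Running it reproduces the page's output: Section 2 is pruned outright, and Section 3 survives but loses its content subdocument because that level requires "BX" as well. Two further cases are worth checking with the same functions: a user holding only [ "STLW" ] fails the top-level check and gets no document at all (not even the title), and a user holding only [ "G" ] sees the title but an empty subsections array, since no subsection has a tag set that [ "G" ] satisfies.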