
Role-Based Access Control

MongoDB employs Role-Based Access Control (RBAC) to govern access to a MongoDB system. A user is granted one or more roles that determine the user's access to database resources and operations. Outside of role assignments, the user has no access to the system.

Enable Access Control

MongoDB does not enable access control by default. You can enable authorization using the --auth option or the security.authorization setting. Enabling internal authentication also enables client authorization.

Once access control is enabled, users must authenticate themselves.

Roles

A role grants privileges to perform the specified actions on a resource. Each privilege is either specified explicitly in the role or inherited from another role, or both.

Access

Roles never limit privileges. If a user has two roles, the role with the greater access takes precedence.

For example, if you grant the read role on a database to a user that already has the readWriteAnyDatabase role, the read grant does not revoke write access on the database.

To revoke a role from a user, use the revokeRolesFromUser command.

Authentication Restrictions

Roles can impose authentication restrictions on users, requiring them to connect from specified source and destination IP address ranges.

For more information, see Authentication Restrictions.

Privileges

A privilege consists of a specified resource and the actions permitted on the resource.

A resource is a database, collection, set of collections, or the cluster. If the resource is the cluster, the affiliated actions affect the state of the system rather than a specific database or collection. For information on the resource documents, see Resource Document.

An action specifies the operation allowed on the resource. For available actions, see Privilege Actions.

Inherited Privileges

A role can include one or more existing roles in its definition, in which case the role inherits all the privileges of the included roles.

A role can inherit privileges from other roles in its database. A role created on the admin database can inherit privileges from roles in any database.

View Role's Privileges

You can view the privileges for a role by issuing the rolesInfo command with the showPrivileges and showBuiltinRoles fields both set to true.

Users and Roles

You can assign roles to users during user creation. You can also update existing users to grant or revoke roles. For a full list of user management methods, see User Management.

A user assigned a role receives all the privileges of that role. A user can have multiple roles. By assigning a user roles in various databases, a user created in one database can have permissions to act on other databases.

Note

The first user created in the database should be a user administrator who has the privileges to manage other users. See Enable Access Control.
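As an added illustration (not code from the MongoDB documentation), the following JavaScript models how a user's effective privileges are the union of everything reached through role assignment and role inheritance, so granting a narrower role can never revoke what a broader one already allows. The role bodies, the "sales" database and the reportWriter role are constructed stand-ins and are not MongoDB's real built-in role definitions.

```javascript
// Roles are keyed "<db>.<name>", mirroring MongoDB's { role, db } references.
// A resource is { db, collection } where "" means "any", or { cluster: true }.
// Role bodies are constructed, simplified stand-ins, not MongoDB's real definitions.
const ROLES = {
  "admin.readWriteAnyDatabase": {
    privileges: [{ resource: { db: "", collection: "" }, actions: ["find", "insert", "update", "remove"] }],
    roles: [],
  },
  "sales.read": {
    privileges: [{ resource: { db: "sales", collection: "" }, actions: ["find"] }],
    roles: [],
  },
  "sales.reportWriter": {
    privileges: [{ resource: { db: "sales", collection: "reports" }, actions: ["insert"] }],
    roles: [{ role: "read", db: "sales" }], // inherits every privilege of sales.read
  },
};

function roleKey(ref) { return `${ref.db}.${ref.role}`; }

// Walk the inheritance graph, collecting the union of all privileges reached.
function resolvePrivileges(roleRefs, seen = new Set()) {
  const out = [];
  for (const ref of roleRefs) {
    const key = roleKey(ref);
    if (seen.has(key)) continue; // each role counts once; also guards against cycles
    seen.add(key);
    const def = ROLES[key];
    if (!def) throw new Error(`unknown role ${key}`);
    out.push(...def.privileges, ...resolvePrivileges(def.roles, seen));
  }
  return out;
}

function resourceMatches(res, db, coll) {
  if (res.cluster) return false; // cluster privileges never apply to a namespace
  return (res.db === "" || res.db === db) && (res.collection === "" || res.collection === coll);
}

// Roles only add: an action is allowed if ANY resolved privilege grants it.
function isAllowed(user, db, coll, action) {
  return resolvePrivileges(user.roles).some(
    p => resourceMatches(p.resource, db, coll) && p.actions.includes(action));
}

// The case from the text: "read" on sales granted to a readWriteAnyDatabase user.
const user = { roles: [{ role: "readWriteAnyDatabase", db: "admin" }, { role: "read", db: "sales" }] };
console.log(isAllowed(user, "sales", "orders", "update")); // true: the read grant revoked nothing
```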

Built-In Roles and User-Defined Roles

MongoDB provides built-in roles that provide a set of privileges commonly needed in a database system.

If these built-in roles cannot provide the desired set of privileges, MongoDB provides methods to create and modify user-defined roles.

LDAP Authorization

MongoDB Enterprise supports querying an LDAP server for the LDAP groups the authenticated user is a member of. MongoDB maps the Distinguished Name (DN) of each returned group to roles on the admin database. MongoDB authorizes the user based on the mapped roles and their associated privileges. See LDAP Authorization for more information.