Collection-Level Access Control
Collection-level access control allows administrators to grant users privileges that are scoped to specific collections rather than to a whole database or deployment.
Administrators implement collection-level access control through user-defined roles. By creating a role whose privileges are scoped to a specific collection in a particular database, and then assigning that role to users, administrators provision users with privileges that apply only at the collection level.
Privileges and Scope
A privilege consists of a set of actions and the resource on which those actions are permitted; that is, the resource defines the scope of the actions for that privilege.
By specifying both the database and the collection in the resource document of a privilege, an administrator limits the privilege's actions to that one collection in that one database. Each privilege in a role can be scoped to a different collection, so one role can combine different action sets for different collections.
For example, a user-defined role can contain the following privileges:
privileges: [
{ resource: { db: "products", collection: "inventory" }, actions: [ "find", "update", "insert" ] },
{ resource: { db: "products", collection: "orders" }, actions: [ "find" ] }
]
The first privilege scopes its actions ("find", "update", "insert") to the inventory collection of the products database. The second privilege scopes its single action ("find") to the orders collection of the products database. A user holding this role can read and modify inventory documents, can only read orders documents, and has no privileges on any other collection or database.
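The following is an added example, not code from the MongoDB documentation. It expresses the role above as the document that mongosh's db.createRole() accepts, and models how a privilege's resource document is matched against a request so that the role's effective scope can be checked before it is deployed. The role name "inventoryEditor", the helper names, and the sample requests are assumptions; the matching rules for empty db/collection strings follow MongoDB's documented resource-document semantics.

```javascript
// Added example (not from the MongoDB docs). Builds the collection-scoped role
// from the page and models MongoDB's resource matching to verify its scope.
// The role name "inventoryEditor" and the checks below are assumptions.

// Role document in the shape accepted by db.createRole(). A role created outside
// the admin database may only hold privileges on its own database, so this one
// is created in "products":
//   use products
//   db.createRole(inventoryEditorRole)
const inventoryEditorRole = {
  role: "inventoryEditor",
  privileges: [
    { resource: { db: "products", collection: "inventory" }, actions: ["find", "update", "insert"] },
    { resource: { db: "products", collection: "orders" }, actions: ["find"] },
  ],
  roles: [], // no inherited roles
};

// Classify how broadly a privilege's resource document applies.
// In a resource document an empty string for db or collection means "all".
function privilegeScope(resource) {
  if (resource.anyResource === true) return "anyResource";
  if (resource.cluster === true) return "cluster";
  const { db, collection } = resource;
  if (db === "" && collection === "") return "all-non-system-collections";
  if (db !== "" && collection === "") return "database";
  if (db === "" && collection !== "") return "collection-in-all-databases";
  return "collection";
}

// Privileges of a role that are NOT pinned to one named collection in one named
// database. For a role that is meant to be collection-level this should be empty.
function unscopedPrivileges(roleDoc) {
  return roleDoc.privileges.filter((p) => privilegeScope(p.resource) !== "collection");
}

// Does a privilege's resource cover the given db.collection?
// The "" wildcard on collection covers non-system collections only, modelled
// here by the "system." name prefix.
function resourceMatches(resource, db, collection) {
  if (resource.anyResource === true) return true;
  if (resource.cluster === true) return false;
  const dbOk = resource.db === "" || resource.db === db;
  const collOk =
    resource.collection === ""
      ? !collection.startsWith("system.")
      : resource.collection === collection;
  return dbOk && collOk;
}

// Does the role grant `action` on db.collection? Only the role's direct
// privileges are consulted; inherited roles (roleDoc.roles) are not expanded.
function isAllowed(roleDoc, db, collection, action) {
  return roleDoc.privileges.some(
    (p) => resourceMatches(p.resource, db, collection) && p.actions.includes(action)
  );
}

// Pre-deployment check mirroring the prose: inventory is read/write, orders is
// read-only, nothing is granted elsewhere, and no privilege is broader than a
// single collection. Returns true when every expectation holds.
function verifyIntent(roleDoc = inventoryEditorRole) {
  const expectations = [
    [["products", "inventory", "update"], true],
    [["products", "inventory", "insert"], true],
    [["products", "orders", "find"], true],
    [["products", "orders", "update"], false],
    [["products", "orders", "insert"], false],
    [["products", "customers", "find"], false],
    [["sales", "inventory", "find"], false],
  ];
  const actionsOk = expectations.every(([args, want]) => isAllowed(roleDoc, ...args) === want);
  return actionsOk && unscopedPrivileges(roleDoc).length === 0;
}

console.log("role scope verified:", verifyIntent());
```

After creating the role with db.createRole() in the products database, grant it with db.createUser() or db.grantRolesToUser() using the form { role: "inventoryEditor", db: "products" }. Running unscopedPrivileges() against roles you already have is a quick way to find privileges whose resource document uses an empty db or collection string, which silently widens a role that was intended to be collection-level.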
Additional Information
For more information on user-defined roles and the MongoDB authorization model, see Role-Based Access Control. For a tutorial on creating user-defined roles, see Manage Users and Roles.