Docs HomeMongoDB Manual

Built-In Roles内置角色

On this page本页内容

MongoDB grants access to data and commands through role-based authorization and provides built-in roles that provide the different levels of access commonly needed in a database system. MongoDB通过基于角色的授权授予对数据和命令的访问权限,并提供内置角色,提供数据库系统中通常需要的不同级别的访问权限。You can additionally create user-defined roles.您还可以创建用户定义的角色

A role grants privileges to perform sets of actions on defined resources. 角色授予对定义的资源执行一组操作的权限。A given role applies to the database on which it is defined and can grant access down to a collection level of granularity.给定的角色应用于在其上定义它的数据库,并且可以授予访问权限,访问权限可以降低到粒度的集合级别。

Each of MongoDB's built-in roles defines access at the database level for all non-system collections in the role's database and at the collection level for all system collections.MongoDB的每个内置角色都定义了在数据库级别访问角色数据库中的所有非系统集合,以及在集合级别访问所有系统集合。

MongoDB provides the built-in database user and database administration roles on every database. MongoDB为每个数据库提供了内置的数据库用户数据库管理角色。MongoDB provides all other built-in roles only on the admin database.MongoDB只在admin数据库上提供所有其他内置角色。

This section describes the privileges for each built-in role. 本节介绍每个内置角色的权限。You can also view the privileges for a built-in role at any time by issuing the rolesInfo command with the showPrivileges and showBuiltinRoles fields both set to true.您还可以通过发出rolesInfo命令随时查看内置角色的权限,其中showPrivilegesshowBuiltinRoles字段均设置为true

Database User Roles数据库用户角色

Every database includes the following client roles:每个数据库都包括以下客户端角色:

read

Provides the ability to read data on all non-system collections and the system.js collection.提供读取所有非系统集合和system.js集合上的数据的能力。

Note

Starting in MongoDB 4.2, the role no longer provides privileges to access the system.namespaces collection directly. 从MongoDB 4.2开始,该角色不再提供直接访问system.namespaces集合的权限。Direct access to the collection has been deprecated since MongoDB 3.0.自MongoDB 3.0以来,对该集合的直接访问一直被弃用。

In earlier versions, the role provided the aforementioned privilege actions on the system.namespaces collection, thereby allowing direct access.在早期版本中,角色对system.namespaces集合提供了上述权限操作,从而允许直接访问。

The role provides read access by granting the following actions:该角色通过授予以下操作来提供读取访问权限:

If the user does not have the listDatabases privilege action, users can run the listDatabases command to return a list of databases for which the user has privileges (including databases for which the user has privileges on specific collections) if the command is run with authorizedDatabases option unspecified or set to true.如果用户没有listDatabases权限操作,则如果在authorizedDatabases选项未指定或设置为true的情况下运行该命令,则用户可以运行listDatabases命令以返回用户具有权限的数据库列表(包括用户在特定集合上具有权限的数据库)。

readWrite

Provides all the privileges of the read role plus ability to modify data on all non-system collections and the system.js collection.提供read角色的所有权限,以及修改所有非系统集合和system.js集合上的数据的能力。

The role provides the following actions on those collections:该角色对这些集合提供以下操作:

Database Administration Roles数据库管理角色

Every database includes the following database administration roles:每个数据库都包括以下数据库管理角色:

dbAdmin

Provides the ability to perform administrative tasks such as schema-related tasks, indexing, and gathering statistics. This role does not grant privileges for user and role management.提供执行管理任务的能力,例如与架构相关的任务、索引和集合统计信息。此角色不授予用户和角色管理权限。

Specifically, the role provides the following privileges:具体而言,该角色提供以下权限:

Resource资源Permitted Actions允许的操作
system.profile
Note

Aside

Starting in version 4.2, MongoDB removes the system.indexes and system.namespaces collections. 从4.2版本开始,MongoDB删除了system.indexessystem.namespaces集合。As such, the dbAdmin role no longer provides privileges to access these collections. Direct access to these collections has been deprecated since MongoDB 3.0.因此,dbAdmin角色不再提供访问这些集合的权限。自MongoDB 3.0以来,对这些集合的直接访问一直被弃用。

In earlier versions, the dbAdmin role provides the aforementioned privilege actions (except dropCollection and createCollection) on system.indexes and system.namespaces collections, thereby allowing direct access to the system.indexes and system.namespaces collections.在早期版本中,dbAdmin角色在system.indexessystem.namespaces集合上提供上述权限操作(dropCollectioncreateCollection除外),从而允许直接访问system.indexessystem.namespaces集合。

All non-system collections (i.e. database resource)所有非系统集合(即数据库资源

For these collections, dbAdmin does not include full read access (i.e. find).对于这些集合,dbAdmin不包括完全读取访问权限(即find)。
dbOwner

The database owner can perform any administrative action on the database. 数据库所有者可以对数据库执行任何管理操作。This role combines the privileges granted by the readWrite, dbAdmin and userAdmin roles.此角色结合了readWritedbAdminuserAdmin角色授予的权限。

userAdmin

Provides the ability to create and modify roles and users on the current database. 提供在当前数据库中创建和修改角色和用户的功能。Since the userAdmin role allows users to grant any privilege to any user, including themselves, the role also indirectly provides superuser access to either the database or, if scoped to the admin database, the cluster.由于userAdmin角色允许用户向任何用户(包括他们自己)授予任何权限,因此该角色还间接地为superuser提供对数据库的访问,或者如果作用域为admin数据库,则提供对集群的访问。

The userAdmin role explicitly provides the following actions:userAdmin角色明确提供以下操作:

Warning

It is important to understand the security implications of granting the userAdmin role: a user with this role for a database can assign themselves any privilege on that database. 了解授予userAdmin角色的安全含义很重要:对于数据库具有此角色的用户可以为自己分配该数据库的任何权限。Granting the userAdmin role on the admin database has further security implications as this indirectly provides superuser access to a cluster. admin数据库上授予userAdmin角色会带来进一步的安全影响,因为这会间接地为超级用户提供对集群的访问。With admin scope a user with the userAdmin role can grant cluster-wide roles or privileges including userAdminAnyDatabase.使用admin作用域,具有userAdmin角色的用户可以授予集群范围的角色或权限,包括userAdminAnyDatabase

Cluster Administration Roles群集管理角色

The admin database includes the following roles for administering the whole system rather than just a single database. admin数据库包括以下用于管理整个系统而不仅仅是单个数据库的角色。These roles include but are not limited to replica set and sharded cluster administrative functions.这些角色包括但不限于副本集分片集群管理功能。

clusterAdmin

Provides the greatest cluster-management access. 提供最大的群集管理访问权限。This role combines the privileges granted by the clusterManager, clusterMonitor, and hostManager roles. 此角色组合了clusterManagerclusterMonitorhostManager角色授予的权限。Additionally, the role provides the dropDatabase action.此外,该角色还提供dropDatabase操作。

clusterManager

Provides management and monitoring actions on the cluster. 提供对群集的管理和监视操作。A user with this role can access the config and local databases, which are used in sharding and replication, respectively.具有此角色的用户可以访问分别用于分片和复制的config数据库和local数据库。

Resource资源Actions操作
cluster
All databases

clusterManager provides additional privileges for the config and local databases.config数据库和local数据库提供了额外的权限。

On the config database, permits the following actions:config数据库上,允许执行以下操作:

Resource资源Actions操作
All non-system collections in the config databaseconfig数据库中的所有非系统集合
system.js
Note

Aside

Starting in version 4.2, MongoDB removes the system.indexes and system.namespaces collections. 从4.2版本开始,MongoDB删除了system.indexessystem.namespaces集合。As such, the clusterManager role no longer provides privileges to access these collections. 因此,clusterManager角色不再提供访问这些集合的权限。Direct access to these collections has been deprecated since MongoDB 3.0.自MongoDB 3.0以来,对这些集合的直接访问一直被弃用。

In earlier versions, the clusterManager role provides the aforementioned privilege actions on the system.indexes and system.namespaces collections, thereby allowing direct access to the system.indexes and system.namespaces collections.在早期版本中,clusterManager角色在system.indexessystem.namespaces集合上提供上述权限操作,从而允许直接访问system.indexessystem.namespaces集合。

On the local database, permits the following actions:local数据库上,允许执行以下操作:

Resource资源Actions操作
All non-system collections in the local databaselocal数据库中的所有非系统集合
system.replset collection集合
clusterMonitor

Provides read-only access to monitoring tools, such as the MongoDB Cloud Manager and Ops Manager monitoring agent.提供对监控工具的只读访问,如MongoDB Cloud ManagerOps Manager监控代理。

Permits the following actions on the cluster as a whole:允许对整个集群执行以下操作:

Permits the following actions on all databases in the cluster:允许对群集中的所有数据库执行以下操作:

Permits the find action on all system.profile collections in the cluster.允许对群集中的所有system.profile集合执行find操作。

On the config database, permits the following actions:config数据库上,允许执行以下操作:

Resource资源Actions操作
All non-system collections in the config databaseconfig数据库中的所有非系统集合collStats
dbHash
dbStats
find
getShardVersion
indexStats
killCursors
listCollections
listIndexes
listSearchIndexes
planCacheRead
system.js collectioncollStats
dbHash
dbStats
find
killCursors
listCollections
listIndexes
planCacheRead
Note

Aside

Starting in version 4.2, MongoDB removes the system.indexes and system.namespaces collections. 从4.2版本开始,MongoDB删除了system.indexessystem.namespaces集合。As such, the clusterMonitor role no longer provides privileges to access these collections. 因此,clusterMonitor角色不再提供访问这些集合的权限。Direct access to these collections has been deprecated since MongoDB 3.0.自MongoDB 3.0以来,对这些集合的直接访问一直被弃用。
In earlier versions, the role provides the aforementioned privilege actions on the system.indexes and system.namespaces collections, thereby allowing direct access to the system.indexes and system.namespaces collections.在早期版本中,角色对system.indexessystem.namespaces集合提供上述权限操作,从而允许直接访问system.indexessystem.namespaces集合。

On the local database, permits the following actions:local数据库上,允许执行以下操作:

Resource资源Actions操作
All collections in the local databaselocal数据库中的所有集合collStats
dbHash
dbStats
find
getShardVersion
indexStats
killCursors
listCollections
listIndexes
listSearchIndexes
planCacheRead
system.js collection集合collStats
dbHash
dbStats
find
killCursors
listCollections
listIndexes
listSearchIndexes
planCacheRead
Starting in version 4.2, MongoDB removes the system.indexes and system.namespaces collections. 从4.2版本开始,MongoDB删除了system.indexessystem.namespaces集合。As such, the clusterMonitor role no longer provides privileges to access these collections. 因此,clusterMonitor角色不再提供访问这些集合的权限。Direct access to these collections has been deprecated since MongoDB 3.0.自MongoDB 3.0以来,对这些集合的直接访问一直被弃用。
In earlier versions, the role provides the aforementioned privilege actions on the system.indexes and system.namespaces collections, thereby allowing direct access to the system.indexes and system.namespaces collections.在早期版本中,角色对system.indexessystem.namespaces集合提供上述权限操作,从而允许直接访问system.indexessystem.namespaces集合。
system.replset,
system.profile,		find
hostManager

Provides the ability to monitor and manage servers.提供监视和管理服务器的能力。

On the cluster as a whole, provides the following actions:在整个集群上,提供以下操作:

Changed in version 4.4.4.4版更改。Starting in version 4.4, hostManager no longer provides the cpuProfiler privilege action on the cluster.从版本4.4开始,hostManager不再在集群上提供cpuProfiler权限操作。

On all databases in the cluster, provides the following actions:在群集中的所有数据库上,提供以下操作:

Backup and Restoration Roles备份和恢复角色

The admin database includes the following roles for backing up and restoring data:admin数据库包括以下用于备份和恢复数据的角色:

backup

Provides minimal privileges needed for backing up data. 提供备份数据所需的最低权限。This role provides sufficient privileges to use the MongoDB Cloud Manager backup agent, Ops Manager backup agent, or to use mongodump to back up an entire mongod instance.此角色提供足够的权限来使用MongoDB Cloud Manager备份代理、Ops Manager备份代理,或使用mongodump备份整个mongod实例。

Provides the insert and update actions on the settings collection in the config database.提供对config数据库中的settings集合的insertupdate操作。

On anyResource, provides theanyResource上,提供

On the cluster as a whole, provides the在整个群集上,提供

Provides the find action on the following:对以下内容提供find操作:

Provides the insert and update actions on the config.settings collection.提供对config.settings集合的insertupdate操作。

The backup role provides additional privileges to back up the system.profile collection that exists when running with database profiling.backup角色提供了备份system.profile文件集合的额外权限,该集合在与数据库分析一起运行时存在。

restore

Provides convertToCapped on non-system collections.在非系统集合上提供convertToCapped

Provides the necessary privileges to restore data from backups if the data does not include system.profile collection data and you run mongorestore without the --oplogReplay option.如果数据不包括system.profile集合数据,并且您在不使用--oplogReplay选项的情况下运行mongorestore,则提供从备份中恢复数据所需的权限。

If the backup data includes system.profile collection data or you run with --oplogReplay, you need additional privileges:如果备份数据包括system.profile集合数据,或者使用--oplogReplay运行,则需要其他权限:
system.profileIf the backup data includes system.profile collection data and the target database does not contain the system.profile collection, mongorestore attempts to create the collection even though the program does not actually restore system.profile documents. 如果备份数据包括system.profile集合数据,而目标数据库不包含system.profile集合,则即使程序实际上没有还原system.profile文档,mongorestore也会尝试创建该集合。As such, the user requires additional privileges to perform createCollection and convertToCapped actions on the system.profile collection for a database.因此,用户需要额外的权限才能对数据库的系统配置文件集合执行createCollectionconvertToCapped操作。
Both the built-in roles dbAdmin and dbAdminAnyDatabase provide the additional privileges. 内置角色dbAdmindbAdminAnyDatabase都提供了额外的权限。
--oplogReplayTo run with --oplogReplay, create a user-defined role that has anyAction on anyResource.要使用--oplogReplay运行,请在anyResource上创建一个具有anyAction用户定义角色
Grant only to users who must run mongorestore with --oplogReplay. 仅授予必须使用--oplogReplay运行mongorestore的用户。

Provides the following action on the cluster as a whole:在整个群集上提供以下操作:

Provides the following actions on all non-system collections:对所有非系统集合提供以下操作:

Provides the following actions on system.js collection:system.js集合提供以下操作:

Provides the following action on anyResource:anyResource提供以下操作:

Provides the following actions on all non-system collections on the config and the local databases:config数据库和local数据库上的所有非系统集合提供以下操作:

Provides the following actions on admin.system.versionadmin.system.version上提供以下操作

Provides the following action on admin.system.rolesadmin.system.roles提供以下操作

Provides the following actions on admin.system.users and legacy system.users collections:admin.system.users和旧版system.users集合提供以下操作:

Although, restore includes the ability to modify the documents in the admin.system.users collection using normal modification operations, only modify these data using the user management methods.尽管restore包括使用常规修改操作修改admin.system.users集合中文档的功能,但只能使用用户管理方法修改这些数据。

On the cluster as a whole, provides the following actions:在整个集群上,提供以下操作:

Note

Aside

Starting in version 4.2, MongoDB removes the system.namespaces collection. As such, the restore role no longer provides privileges to access these collections. 从4.2版本开始,MongoDB删除了system.namespaces集合。因此,restore角色不再提供访问这些集合的权限。Direct access to these collections has been deprecated since MongoDB 3.0.自MongoDB 3.0以来,对这些集合的直接访问一直被弃用。

In earlier versions, the restore role provides the aforementioned privilege actions on the system.namespaces collection, thereby allowing direct access to the collection.在早期版本中,restore角色对system.namespaces集合提供上述权限操作,从而允许直接访问该集合。

All-Database Roles所有数据库角色

The following roles are available on the admin database and provide privileges which apply to all databases except local and config:以下角色在admin数据库上可用,并提供适用于除localconfig之外的所有数据库的权限:

readAnyDatabase

Provides the same read-only privileges as read on all databases except local and config. 在除localconfig之外的所有数据库上提供与read相同的只读权限。The role also provides the listDatabases action on the cluster as a whole.该角色还提供了整个集群上的listDatabases操作。

See also the clusterManager and clusterMonitor roles for access to the config and local databases.另请参阅clusterManagerclusterMonitor角色,以访问配置数据库和本地数据库。

readWriteAnyDatabase

Provides the same privileges as readWrite on all databases except local and config. 在除localconfig之外的所有数据库上提供与readWrite相同的权限。The role also provides:该角色还提供:

See also the clusterManager and clusterMonitor roles for access to the config and local databases.另请参阅clusterManagerclusterMonitor角色,以访问配置数据库和本地数据库。

userAdminAnyDatabase

Provides the same access to user administration operations as userAdmin on all databases except local and config.在除localconfig之外的所有数据库上,提供与userAdmin相同的对用户管理操作的访问权限。

userAdminAnyDatabase also provides the following privilege actions on the cluster:还提供了对群集的以下权限操作:

The role provides the following privilege actions on the system.users and system.roles collections on the admin database, and on legacy system.users collections from versions of MongoDB prior to 2.6:该角色对admin数据库上的system.userssystem.roles集合,以及2.6之前版本的MongoDB中的遗留system.users集合提供以下权限操作:

The userAdminAnyDatabase role does not restrict the privileges that a user can grant. As a result, userAdminAnyDatabase users can grant themselves privileges in excess of their current privileges and even can grant themselves all privileges, even though the role does not explicitly authorize privileges beyond user administration. userAdminAnyDatabase角色不限制用户可以授予的权限。因此,userAdminAnyDatabase用户可以授予自己超出当前权限的权限,甚至可以授予自己所有权限,即使角色没有明确授权超出用户管理权限的权限。This role is effectively a MongoDB system superuser.这个角色实际上是MongoDB系统的超级用户

See also the clusterManager and clusterMonitor roles for access to the config and local databases.另请参阅clusterManagerclusterMonitor角色,以访问config数据库和local数据库。

dbAdminAnyDatabase

Provides the same privileges as dbAdmin on all databases except local and config. 在除localconfig之外的所有数据库上提供与dbAdmin相同的权限。The role also provides the listDatabases action on the cluster as a whole.该角色还提供了整个集群上的listDatabases操作。

See also the clusterManager and clusterMonitor roles for access to the config and local databases.另请参阅clusterManagerclusterMonitor角色,以访问配置数据库和本地数据库。

Starting in MongoDB 5.0, dbAdminAnyDatabase includes the applyOps privilege action.从MongoDB 5.0开始,dbAdminAnyDatabase包含applyOps权限操作。

Superuser Roles超级用户角色

Several roles provide either indirect or direct system-wide superuser access.几个角色提供间接或直接的系统范围的超级用户访问。

The following roles provide the ability to assign any user any privilege on any database, which means that users with one of these roles can assign themselves any privilege on any database:以下角色可以为任何用户分配任何数据库上的任何权限,这意味着具有其中一个角色的用户可以为自己分配任何数据库的任何权限:

  • dbOwner role, when scoped to the admin database角色,当作用域为admin数据库时
  • userAdmin role, when scoped to the admin database角色,当作用域为admin数据库时
  • userAdminAnyDatabase role角色

The following role provides full privileges on all resources:以下角色提供对所有资源的完全权限:

root

Provides access to the operations and all the resources of the following roles combined:提供对以下角色组合的操作和所有资源的访问权限:

Also provides the validate privilege action on system. collections.还提供了对system.集合的validate权限操作。

Changed in version 6.0.6.0版更改。The root role includes find and remove privileges on the system.preimages collection in the config database.root角色包括对配置数据库中的system.preimages集合的findremove权限。

Internal Role内部角色

__system

MongoDB assigns this role to user objects that represent cluster members, such as replica set members and mongos instances. MongoDB将此角色分配给代表集群成员的用户对象,例如副本集成员和mongos实例。The role entitles its holder to take any action against any object in the database.该角色使其持有者有权对数据库中的任何对象采取任何操作。

Do not assign this role to user objects representing applications or human administrators, other than in exceptional circumstances.除非在特殊情况下,否则不要将此角色分配给代表应用程序或管理员的用户对象。

If you need access to all actions on all resources, for example to run applyOps commands, do not assign this role. Instead, create a user-defined role that grants anyAction on anyResource and ensure that only the users who need access to these operations have this access.如果您需要访问所有资源上的所有操作,例如运行applyOps命令,请不要分配此角色。相反,创建一个用户定义的角色,授予anyResource上的anyAction,并确保只有需要访问这些操作的用户才有此访问权限。