db.grantPrivilegesToRole()
Definition
db.grantPrivilegesToRole(rolename, privileges, writeConcern)
Grants additional privileges to a user-defined role.

Important: mongosh Method
This page documents a mongosh method. This is not the documentation for database commands or language-specific drivers, such as Node.js.
For the database command, see the grantPrivilegesToRole command.
For MongoDB API drivers, refer to the language-specific MongoDB driver documentation.
For the legacy mongo shell documentation, refer to the documentation for the corresponding MongoDB Server release.

The db.grantPrivilegesToRole() method uses the following syntax:

    db.grantPrivilegesToRole(
        "<rolename>",
        [
            { resource: { <resource> }, actions: [ "<action>", ... ] },
            ...
        ],
        { <writeConcern> }
    )

The db.grantPrivilegesToRole() method takes the following arguments:

Parameter      Type       Description
rolename       string     The name of the role to grant privileges to.
privileges     array      The privileges to add to the role. For the format of a privilege, see privileges.
writeConcern   document   Optional. The level of write concern for the operation. See Write Concern Specification.

The db.grantPrivilegesToRole() method can grant one or more privileges. Each <privilege> has the following syntax:

    { resource: { <resource> }, actions: [ "<action>", ... ] }

Behavior
Replica set
If run on a replica set, db.grantPrivilegesToRole() is executed using "majority" write concern by default.

Scope
Except for roles created in the admin database, a role can only include privileges that apply to its database.
A role created in the admin database can include privileges that apply to the admin database, other databases or to the cluster resource.

Required Access
You must have the grantRole action on the database a privilege targets in order to grant the privilege. To grant a privilege on multiple databases or on the cluster resource, you must have the grantRole action on the admin database.

Example
The following db.grantPrivilegesToRole() operation grants two additional privileges to the role inventoryCntrl01, which exists on the products database. The operation is run on that database:

    use products
    db.grantPrivilegesToRole(
        "inventoryCntrl01",
        [
            {
                resource: { db: "products", collection: "" },
                actions: [ "insert" ]
            },
            {
                resource: { db: "products", collection: "system.js" },
                actions: [ "find" ]
            }
        ],
        { w: "majority" }
    )

The first privilege permits users with this role to perform the insert action on all collections of the products database, except the system collections. To access a system collection, a privilege must explicitly specify the system collection in the resource document, as in the second privilege.
The second privilege permits users with this role to perform the find action on the products database's system collection named system.js.
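
The Scope and Required Access rules above can be checked before a grant is run. The following is an added example, not MongoDB's own code: a plain JavaScript pre-flight review of a privileges array, where reviewPrivileges and its return fields are hypothetical names and the sample input is the privileges array from the example on this page.

```javascript
// Added example (not MongoDB code): review a privileges array before passing it
// to db.grantPrivilegesToRole(). All function and field names are hypothetical.
function reviewPrivileges(roleDb, privileges) {
  const scopeErrors = []; // privileges a role in roleDb may not include
  const notes = [];       // broad or sensitive grants to review by hand
  const targets = new Set();

  privileges.forEach((p, i) => {
    const res = p.resource || {};
    const actions = (p.actions || []).join(",");
    if (res.cluster === true) {
      targets.add("cluster");
      if (roleDb !== "admin") scopeErrors.push(`#${i}: cluster resource needs a role in admin`);
      return;
    }
    if (typeof res.db !== "string" || typeof res.collection !== "string") {
      scopeErrors.push(`#${i}: resource must be { db, collection } or { cluster: true }`);
      return;
    }
    // Assumption: an empty db string is treated as "more than one database".
    targets.add(res.db === "" ? "any-db" : "db:" + res.db);
    if (roleDb !== "admin" && res.db !== roleDb) {
      scopeErrors.push(`#${i}: targets "${res.db}" but the role lives in "${roleDb}"`);
    }
    if (res.collection === "") {
      notes.push(`#${i}: [${actions}] on all non-system collections of "${res.db}"`);
    } else if (res.collection.startsWith("system.")) {
      notes.push(`#${i}: [${actions}] on system collection ${res.db}.${res.collection}`);
    }
  });

  // Required Access: grantRole on the single target database, or on admin when
  // the privileges span several databases or the cluster resource.
  const only = targets.size === 1 ? [...targets][0] : null;
  let grantRoleOn = null; // stays null when there is nothing to grant
  if (targets.size > 0) grantRoleOn = only && only.startsWith("db:") ? only.slice(3) : "admin";
  return { scopeErrors, notes, grantRoleOn };
}

// Constructed input: the two privileges from the example on this page.
const pagePrivileges = [
  { resource: { db: "products", collection: "" }, actions: ["insert"] },
  { resource: { db: "products", collection: "system.js" }, actions: ["find"] },
];
const pageReview = reviewPrivileges("products", pagePrivileges);
console.log(pageReview);
```

For the page's example the review reports no scope errors, flags both grants for review (one covers every non-system collection, the other names a system collection), and reports that grantRole is needed on products.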