$redact (aggregation)
Definition
$redact
Restricts entire documents or content within documents from being outputted based on information stored in the documents themselves.
The $redact stage has the following prototype form:
{ $redact: <expression> }
The argument can be any valid expression as long as it resolves to the $$DESCEND, $$PRUNE, or $$KEEP system variables. For more information on expressions, see Expressions.
System Variable | Description
$$DESCEND | $redact returns the fields at the current document level, excluding embedded documents. To include embedded documents and embedded documents within arrays, apply the $cond expression to the embedded documents to determine access for these embedded documents.
$$PRUNE | $redact excludes all fields at this current document/embedded document level, without further inspection of any of the excluded fields. This applies even if the excluded field contains embedded documents that may have different access levels.
$$KEEP | $redact returns or keeps all fields at this current document/embedded document level, without further inspection of the fields at this level. This applies even if the included field contains embedded documents that may have different access levels.
Examples
The examples in this section use the db.collection.aggregate() helper.
Evaluate Access at Every Document Level
A forecasts collection contains documents of the following form where the tags field lists the different access values for that document/embedded document level; i.e. a value of [ "G", "STLW" ] specifies either "G" or "STLW" can access the data:
{
  _id: 1,
  title: "123 Department Report",
  tags: [ "G", "STLW" ],
  year: 2014,
  subsections: [
    {
      subtitle: "Section 1: Overview",
      tags: [ "SI", "G" ],
      content: "Section 1: This is the content of section 1."
    },
    {
      subtitle: "Section 2: Analysis",
      tags: [ "STLW" ],
      content: "Section 2: This is the content of section 2."
    },
    {
      subtitle: "Section 3: Budgeting",
      tags: [ "TK" ],
      content: {
        text: "Section 3: This is the content of section 3.",
        tags: [ "HCS" ]
      }
    }
  ]
}
A user has access to view information with either the tag "STLW" or "G". To run a query on all documents with year 2014 for this user, include a $redact stage as in the following:
var userAccess = [ "STLW", "G" ];
db.forecasts.aggregate(
  [
    { $match: { year: 2014 } },
    { $redact: {
        $cond: {
          if: { $gt: [ { $size: { $setIntersection: [ "$tags", userAccess ] } }, 0 ] },
          then: "$$DESCEND",
          else: "$$PRUNE"
        }
      }
    }
  ]
);
The aggregation operation returns the following "redacted" document:
{
  "_id" : 1,
  "title" : "123 Department Report",
  "tags" : [ "G", "STLW" ],
  "year" : 2014,
  "subsections" : [
    {
      "subtitle" : "Section 1: Overview",
      "tags" : [ "SI", "G" ],
      "content" : "Section 1: This is the content of section 1."
    },
    {
      "subtitle" : "Section 2: Analysis",
      "tags" : [ "STLW" ],
      "content" : "Section 2: This is the content of section 2."
    }
  ]
}
Exclude All Fields at a Given Level
A collection accounts contains the following document:
{
  _id: 1,
  level: 1,
  acct_id: "xyz123",
  cc: {
    level: 5,
    type: "yy",
    num: 000000000000,
    exp_date: ISODate("2015-11-01T00:00:00.000Z"),
    billing_addr: {
      level: 5,
      addr1: "123 ABC Street",
      city: "Some City"
    },
    shipping_addr: [
      {
        level: 3,
        addr1: "987 XYZ Ave",
        city: "Some City"
      },
      {
        level: 3,
        addr1: "PO Box 0123",
        city: "Some City"
      }
    ]
  },
  status: "A"
}
In this example document, the level field determines the access level required to view the data.
To run a query on all documents with status A and exclude all fields contained in a document/embedded document at level 5, include a $redact stage that specifies the system variable "$$PRUNE" in the then field:
db.accounts.aggregate(
  [
    { $match: { status: "A" } },
    {
      $redact: {
        $cond: {
          if: { $eq: [ "$level", 5 ] },
          then: "$$PRUNE",
          else: "$$DESCEND"
        }
      }
    }
  ]
);
The $redact stage evaluates the level field to determine access. If the level field equals 5, then exclude all fields at that level, even if the excluded field contains embedded documents that may have different level values, such as the shipping_addr field.
The aggregation operation returns the following "redacted" document:
{
  "_id" : 1,
  "level" : 1,
  "acct_id" : "xyz123",
  "status" : "A"
}
The result set shows that the $redact stage excluded the field cc as a whole, including the shipping_addr field which contained embedded documents that had level field values equal to 3 and not 5.
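The rule that $$PRUNE and $$KEEP stop inspection at the current level can be checked with a small model of the traversal. This is an added example, not MongoDB's code or part of the original page: redact(), redactValue(), pruneLevel5 and keepOtherwise are hypothetical names, the policy function stands in for the stage expression, and the sample is the accounts document above with num and exp_date written as strings.

```javascript
// Model of the $redact traversal in plain JavaScript (added example, not MongoDB code).
// policy(doc) stands in for the stage expression and returns a verdict per level.
const isDoc = (v) => v !== null && typeof v === "object" && !Array.isArray(v);

function redact(doc, policy) {
  const verdict = policy(doc);
  if (verdict === "PRUNE") return undefined; // drop this level without looking inside
  if (verdict === "KEEP") return doc;        // keep this level without looking inside
  if (verdict !== "DESCEND") throw new Error("policy must return DESCEND, PRUNE or KEEP");
  const out = {};
  for (const [key, value] of Object.entries(doc)) {
    const kept = redactValue(value, policy);
    if (kept !== undefined) out[key] = kept;
  }
  return out;
}

function redactValue(value, policy) {
  if (Array.isArray(value)) {
    // Embedded documents inside arrays are evaluated one element at a time.
    return value.map((v) => redactValue(v, policy)).filter((v) => v !== undefined);
  }
  return isDoc(value) ? redact(value, policy) : value;
}

// The accounts document from this page; num and exp_date are strings here (assumption).
const account = {
  _id: 1, level: 1, acct_id: "xyz123",
  cc: {
    level: 5, type: "yy", num: "000000000000", exp_date: "2015-11-01",
    billing_addr: { level: 5, addr1: "123 ABC Street", city: "Some City" },
    shipping_addr: [
      { level: 3, addr1: "987 XYZ Ave", city: "Some City" },
      { level: 3, addr1: "PO Box 0123", city: "Some City" },
    ],
  },
  status: "A",
};

// The page's expression: $$PRUNE at level 5, $$DESCEND otherwise.
const pruneLevel5 = (d) => (d.level === 5 ? "PRUNE" : "DESCEND");
// Hypothetical variant that answers $$KEEP instead of $$DESCEND.
const keepOtherwise = (d) => (d.level === 5 ? "PRUNE" : "KEEP");

console.log(Object.keys(redact(account, pruneLevel5)));
console.log(Object.keys(redact(account, keepOtherwise)));
```

With the page's expression the model returns only _id, level, acct_id and status. With the $$KEEP variant the level-1 verdict returns the whole document, cc included, because nothing below the top level is evaluated.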
See also: Implement Field Level Redaction for steps to set up multiple combinations of access for the same data.