Resource Document
The resource document specifies the resources upon which a privilege permits actions.
Database and/or Collection Resource
To specify databases and/or collections, use the following syntax:
{ db: <database>, collection: <collection> }
Specify a Collection of a Database as Resource
If the resource document specifies both the db and collection fields as non-empty strings, the resource is the specified collection in the specified database. For example, the following document specifies a resource of the inventory collection in the products database:
{ db: "products", collection: "inventory" }
For a user-defined role scoped for a non-admin database, the resource specification for its privileges must specify the same database as the role. User-defined roles scoped for the admin database can specify other databases.
Specify a Database as Resource
If only the collection field is an empty string (""), the resource is the specified database, excluding the system collections. For example, the following resource document specifies the resource of the test database, excluding the system collections:
{ db: "test", collection: "" }
For a user-defined role scoped for a non-admin database, the resource specification for its privileges must specify the same database as the role. User-defined roles scoped for the admin database can specify other databases.
When you specify a database as the resource, system collections are excluded, unless you name them explicitly, as in the following:
{ db: "test", collection: "system.js" }
System collections include but are not limited to the following:
<database>.system.profile
<database>.system.js
system.users collection in the admin database
system.roles collection in the admin database
Specify Collections Across Databases as Resource
If only the db field is an empty string (""), the resource is all collections with the specified name across all databases. For example, the following document specifies the resource of all the accounts collections across all the databases:
{ db: "", collection: "accounts" }
For user-defined roles, only roles scoped for the admin database can have this resource specification for their privileges.
Specify All Non-System Collections in All Databases
If both the db and collection fields are empty strings (""), the resource is all collections, excluding the system collections, in all the databases:
{ db: "", collection: "" }
For user-defined roles, only roles scoped for the admin database can have this resource specification for their privileges.
Cluster Resource
To specify the cluster as the resource, use the following syntax:
{ cluster : true }
Use the cluster resource for actions that affect the state of the system rather than act on a specific set of databases or collections. Examples of such actions are shutdown, replSetReconfig, and addShard. For example, the following document grants the action shutdown on the cluster.
{ resource: { cluster : true }, actions: [ "shutdown" ] }
For user-defined roles, only roles scoped for the admin database can have this resource specification for their privileges.
anyResource
The internal resource anyResource gives access to every resource in the system and is intended for internal use. Do not use this resource, other than in exceptional circumstances. The syntax for this resource is { anyResource: true }.
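The matching and scoping rules described on this page can be modelled in a few lines to review role definitions before they are created. This is an added example, not MongoDB's own code: the function names resourceCovers and auditPrivilege are hypothetical, and it assumes any collection name beginning with "system." is a system collection.

```javascript
// Added example (not MongoDB code). Assumption: "system."-prefixed names are system collections.
const isSystem = (coll) => coll.startsWith("system.");

// Does a resource document cover the namespace db.coll?
function resourceCovers(resource, db, coll) {
  if (resource.anyResource === true) return true;   // every resource in the system
  if (resource.cluster === true) return false;      // cluster state, not a namespace
  const dbOk = resource.db === "" || resource.db === db;
  // Empty collection means the whole database (or all databases), system collections excluded.
  if (resource.collection === "") return dbOk && !isSystem(coll);
  // An explicitly named collection matches exactly, including system.* names.
  return dbOk && resource.collection === coll;
}

// Review one privilege of a user-defined role scoped for roleDb; returns a list of findings.
function auditPrivilege(roleDb, privilege) {
  const r = privilege.resource;
  const findings = [];
  if (r.anyResource === true) return ["anyResource is intended for internal use"];
  const needsAdmin = r.cluster === true || r.db === "";
  if (roleDb !== "admin") {
    if (needsAdmin) findings.push("requires a role scoped for admin");
    else if (r.db !== roleDb) findings.push("db must match role database");
  }
  if (r.db === "" && r.collection === "") {
    findings.push("covers all non-system collections in all databases");
  }
  if (typeof r.collection === "string" && isSystem(r.collection)) {
    findings.push("names a system collection explicitly");
  }
  return findings;
}

// Constructed sample privileges for a role scoped for the products database.
const sample = [
  { resource: { db: "products", collection: "inventory" }, actions: ["find"] },
  { resource: { db: "test", collection: "system.js" }, actions: ["find"] },
  { resource: { cluster: true }, actions: ["shutdown"] },
];
for (const p of sample) {
  console.log(JSON.stringify(p.resource), auditPrivilege("products", p));
}
```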