Implement Field Level Redaction
The $redact pipeline operator restricts the contents of the documents based on information stored in the documents themselves.
To store the access criteria data, add a field to the documents and embedded documents. To allow for multiple combinations of access levels for the same data, consider setting the access field to an array of arrays. Each array element contains a required set that allows a user with that set to access the data.
Then, include the $redact stage in the db.collection.aggregate() operation to restrict contents of the result set based on the access required to view the data.
For more information on the $redact pipeline operator, including its syntax and associated system variables as well as additional examples, see $redact.
Procedure
For example, a forecasts collection contains documents of the following form where the tags field determines the access levels required to view the data:
{
   _id: 1,
   title: "123 Department Report",
   tags: [ [ "G" ], [ "FDW" ] ],
   year: 2014,
   subsections: [
      {
         subtitle: "Section 1: Overview",
         tags: [ [ "SI", "G" ], [ "FDW" ] ],
         content: "Section 1: This is the content of section 1."
      },
      {
         subtitle: "Section 2: Analysis",
         tags: [ [ "STLW" ] ],
         content: "Section 2: This is the content of section 2."
      },
      {
         subtitle: "Section 3: Budgeting",
         tags: [ [ "TK" ], [ "FDW", "TGE" ] ],
         content: {
            text: "Section 3: This is the content of section3.",
            tags: [ [ "HCS" ], [ "FDW", "TGE", "BX" ] ]
         }
      }
   ]
}
For each document, the tags field contains various access groupings necessary to view the data. For example, the value [ [ "G" ], [ "FDW", "TGE" ] ] can specify that a user requires either access level [ "G" ] or both [ "FDW", "TGE" ] to view the data.
Consider a user who only has access to view information tagged with either "FDW" or "TGE". To run a query on all documents with year 2014 for this user, include a $redact stage as in the following:
var userAccess = [ "FDW", "TGE" ];
db.forecasts.aggregate(
   [
      { $match: { year: 2014 } },
      { $redact:
         {
            $cond: {
               if: { $anyElementTrue:
                  {
                     $map: {
                        input: "$tags",
                        as: "fieldTag",
                        in: { $setIsSubset: [ "$$fieldTag", userAccess ] }
                     }
                  }
               },
               then: "$$DESCEND",
               else: "$$PRUNE"
            }
         }
      }
   ]
)
The aggregation operation returns the following "redacted" document for the user:
{
   "_id" : 1,
   "title" : "123 Department Report",
   "tags" : [ [ "G" ], [ "FDW" ] ],
   "year" : 2014,
   "subsections" : [
      {
         "subtitle" : "Section 1: Overview",
         "tags" : [ [ "SI", "G" ], [ "FDW" ] ],
         "content" : "Section 1: This is the content of section 1."
      },
      {
         "subtitle" : "Section 3: Budgeting",
         "tags" : [ [ "TK" ], [ "FDW", "TGE" ] ]
      }
   ]
}
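
To check a tagging scheme before relying on it, the level-by-level evaluation of the pipeline above can be modelled offline. The following is an added example, not code from the original page or from MongoDB; the function names (isDoc, canView, redact, redactValue) are hypothetical, and it assumes that a level with no tags array is pruned.

```javascript
// Offline model of the $redact walk (added example, not MongoDB's code).
// Constructed sample: the forecasts document shown on this page.
const forecast = {
  _id: 1, title: "123 Department Report", tags: [["G"], ["FDW"]], year: 2014,
  subsections: [
    { subtitle: "Section 1: Overview", tags: [["SI", "G"], ["FDW"]],
      content: "Section 1: This is the content of section 1." },
    { subtitle: "Section 2: Analysis", tags: [["STLW"]],
      content: "Section 2: This is the content of section 2." },
    { subtitle: "Section 3: Budgeting", tags: [["TK"], ["FDW", "TGE"]],
      content: { text: "Section 3: This is the content of section3.",
                 tags: [["HCS"], ["FDW", "TGE", "BX"]] } }
  ]
};

const isDoc = (v) => v !== null && typeof v === "object" && !Array.isArray(v);

// Mirrors $anyElementTrue over $map + $setIsSubset: access is granted when
// at least one tag group is fully contained in the user's access list.
function canView(tags, userAccess) {
  // Assumption of this sketch: a level without a tags array is pruned.
  if (!Array.isArray(tags)) return false;
  return tags.some((group) =>
    Array.isArray(group) && group.every((t) => userAccess.includes(t)));
}

// $$PRUNE drops the whole level; $$DESCEND keeps its scalar fields and
// re-evaluates every embedded document, including those inside arrays.
function redact(doc, userAccess) {
  if (!canView(doc.tags, userAccess)) return undefined; // $$PRUNE
  const out = {};
  for (const [key, value] of Object.entries(doc)) {
    const kept = redactValue(value, userAccess);
    if (kept !== undefined) out[key] = kept;
  }
  return out;
}

function redactValue(value, userAccess) {
  if (isDoc(value)) return redact(value, userAccess);
  if (Array.isArray(value)) {
    return value.map((v) => redactValue(v, userAccess))
                .filter((v) => v !== undefined);
  }
  return value; // scalars at a visible level are returned unchanged
}
```

Two things the model makes visible: a user holding only "STLW" never reaches Section 2, because the top-level tags prune the whole document first, and an empty group [ ] inside tags is a subset of every access list, so it opens that level to all users.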