
Role-Based Access Control in Self-Managed Deployments

MongoDB employs Role-Based Access Control (RBAC) to govern access to a MongoDB system. A user is granted one or more roles that determine the user's access to database resources and operations. Outside of role assignments, the user has no access to the system.

Enable Access Control

MongoDB does not enable access control by default. You can enable authorization using the --auth option or the security.authorization setting. Enabling internal authentication also enables client authorization.

Once access control is enabled, users must authenticate themselves.
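The rule above (authorization is off unless --auth or security.authorization turns it on, and internal authentication turns it on as well) can be checked mechanically against a deployment's configuration. The following is an added example, not code from MongoDB or its documentation: it takes a mongod configuration already parsed from YAML into a plain object plus the process command line and reports whether client authorization is in force. The function names and the sample deployments are constructed for illustration.

```javascript
// Added example, not MongoDB's own code: audit a parsed mongod configuration
// (the object form of the YAML file) together with the process command line and
// report whether client authorization is in force and why. The sample
// configurations below are constructed for illustration.

function hasFlag(argv, name) {
  // Accept both "--keyFile /path" and "--keyFile=/path" spellings.
  return argv.some((a) => a === name || a.startsWith(`${name}=`));
}

function authorizationStatus(config = {}, argv = []) {
  const security = config.security || {};
  const reasons = [];
  const warnings = [];

  if (hasFlag(argv, "--auth")) reasons.push("--auth given on the command line");
  if (security.authorization === "enabled") reasons.push("security.authorization is enabled");

  // Internal authentication between members also turns on client authorization.
  if (security.keyFile || hasFlag(argv, "--keyFile")) {
    reasons.push("internal authentication (keyFile) is configured");
    if (security.authorization === "disabled") {
      warnings.push("security.authorization is explicitly disabled while a keyFile is set; review which setting the server applies");
    }
  }

  return { enabled: reasons.length > 0, reasons, warnings };
}

// Constructed sample deployments (hypothetical paths and ports).
const sampleDeployments = {
  defaults: { config: {}, argv: ["mongod"] },
  configEnabled: { config: { security: { authorization: "enabled" } }, argv: ["mongod", "--config", "/etc/mongod.conf"] },
  flagOnly: { config: {}, argv: ["mongod", "--auth", "--port", "27017"] },
  replicaSetKeyFile: { config: { security: { keyFile: "/etc/mongo-keyfile" } }, argv: ["mongod"] },
};

// Returns the names of deployments that would accept unauthenticated clients.
function deploymentsWithoutAuthorization(deployments = sampleDeployments) {
  return Object.entries(deployments)
    .filter(([, d]) => !authorizationStatus(d.config, d.argv).enabled)
    .map(([name]) => name);
}

console.log(deploymentsWithoutAuthorization()); // ["defaults"]
```

Run it with `node` on the constructed samples; only the deployment that relies on the defaults is reported, while the flag-only, config-only and keyFile-only deployments all count as authorized.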

Roles

A role grants privileges to perform the specified actions on a resource. Each privilege is either specified explicitly in the role or inherited from another role, or both.

Access

Roles never limit privileges. If a user has two roles, the role with the greater access takes precedence.

For example, if you grant the read role on a database to a user that already has the readWriteAnyDatabase role, the read grant does not revoke write access on the database.

To revoke a role from a user, use the revokeRolesFromUser command.

Authentication Restrictions

Roles can impose authentication restrictions on users, requiring them to connect from specified source and destination IP address ranges.

For more information, see Authentication Restrictions.
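To make the source and destination checks concrete, here is an added example, not code from MongoDB or its documentation, that evaluates restriction documents in the clientSource/serverAddress shape against the two endpoints of a connection. It handles IPv4 addresses and CIDR ranges only. Two points are this example's own assumptions rather than statements from the page: within one document every listed field must match, and when several documents are listed the connection is accepted if any one of them is satisfied. The function names and all addresses are constructed.

```javascript
// Added example, not MongoDB's own code: evaluate authenticationRestrictions-style
// documents against the two endpoints of a connection. IPv4 only; each entry is
// either a single address or a CIDR range. All sample data is constructed.

function ipv4ToInt(ip) {
  const parts = ip.split(".");
  if (parts.length !== 4 || !parts.every((p) => /^\d{1,3}$/.test(p) && Number(p) <= 255)) {
    throw new Error(`invalid IPv4 address: ${ip}`);
  }
  // Arithmetic rather than bit operations keeps the value unsigned.
  return parts.reduce((acc, p) => acc * 256 + Number(p), 0);
}

// True if `ip` equals the entry or falls inside its CIDR range.
function inRange(ip, entry) {
  const pieces = entry.split("/");
  if (pieces.length > 2) throw new Error(`malformed entry: ${entry}`);
  const [base, prefixStr] = pieces;
  if (prefixStr !== undefined && !/^\d{1,2}$/.test(prefixStr)) throw new Error(`invalid prefix length in ${entry}`);
  const prefix = prefixStr === undefined ? 32 : Number(prefixStr);
  if (prefix > 32) throw new Error(`invalid prefix length in ${entry}`);
  // Compare the leading `prefix` bits by discarding the host bits.
  const hostBits = 2 ** (32 - prefix);
  return Math.floor(ipv4ToInt(ip) / hostBits) === Math.floor(ipv4ToInt(base) / hostBits);
}

// Within one restriction document every listed field must match; a field that
// is absent places no constraint on that side of the connection.
function restrictionSatisfied(restriction, conn) {
  const clientOk = !restriction.clientSource || restriction.clientSource.some((e) => inRange(conn.clientIp, e));
  const serverOk = !restriction.serverAddress || restriction.serverAddress.some((e) => inRange(conn.serverIp, e));
  return clientOk && serverOk;
}

// Assumption made by this example: with several documents listed, satisfying
// any one of them is enough, and an empty list imposes no restriction.
function connectionPermitted(restrictions, conn) {
  if (!restrictions || restrictions.length === 0) return true;
  return restrictions.some((r) => restrictionSatisfied(r, conn));
}

// Constructed sample: usable from an office range when connecting to one
// listener address, or from a single bastion host to any listener.
const sampleRestrictions = [
  { clientSource: ["192.0.2.0/24"], serverAddress: ["198.51.100.10"] },
  { clientSource: ["203.0.113.7"] },
];

function evaluateSamples() {
  const attempts = {
    officeToPrimary: { clientIp: "192.0.2.44", serverIp: "198.51.100.10" },
    officeToOtherListener: { clientIp: "192.0.2.44", serverIp: "198.51.100.11" },
    bastionToOtherListener: { clientIp: "203.0.113.7", serverIp: "198.51.100.11" },
    unknownHost: { clientIp: "10.0.0.9", serverIp: "198.51.100.10" },
  };
  return Object.fromEntries(
    Object.entries(attempts).map(([name, conn]) => [name, connectionPermitted(sampleRestrictions, conn)])
  );
}

console.log(evaluateSamples());
// { officeToPrimary: true, officeToOtherListener: false, bastionToOtherListener: true, unknownHost: false }
```

The second attempt fails because the office document also pins the listener address, while the bastion document only constrains the client side and so passes regardless of which listener accepted the connection.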

Privileges

A privilege consists of a specified resource and the actions permitted on the resource.

A resource is a database, collection, set of collections, or the cluster. If the resource is the cluster, the affiliated actions affect the state of the system rather than a specific database or collection. For information on the resource documents, see Resource Document on Self-Managed Deployments.

An action specifies the operation allowed on the resource. For available actions, see Privilege Actions.

Inherited Privileges

A role can include one or more existing roles in its definition, in which case the role inherits all the privileges of the included roles.

A role can inherit privileges from other roles in its database. A role created on the admin database can inherit privileges from roles in any database.

View Role's Privileges

You can view the privileges for a role by issuing the rolesInfo command with the showPrivileges and showBuiltinRoles fields both set to true.
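The Access, Inherited Privileges and View Role's Privileges sections above describe one model, so a single added example covers all three. It is not MongoDB code and does not talk to a server: it is an in-memory model in which roles only ever add access (granting read beside readWriteAnyDatabase revokes nothing, revokeRolesFromUser does), a role carries every privilege of the roles it includes (with only admin-database roles allowed to include roles from other databases), and a role can be described as its direct privileges plus the full inherited set, the two fields rolesInfo reports when showPrivileges is true. The role definitions, resource matching and function names are simplified constructed stand-ins, not MongoDB's real built-in roles or resource-document semantics.

```javascript
// Added example, not MongoDB's own code: an in-memory model of how a user's
// effective privileges follow from roles. Roles and privileges are constructed
// stand-ins; resource matching is simplified (db "" or collection "" act as
// wildcards), unlike MongoDB's real resource document.

const roleCatalog = new Map(); // "db.role" -> { role, db, privileges, roles }
const key = (role, db) => `${db}.${role}`;

function defineRole({ role, db, privileges = [], roles = [] }) {
  for (const r of roles) {
    if (!roleCatalog.has(key(r.role, r.db))) throw new Error(`unknown role ${key(r.role, r.db)}`);
    // Only a role on the admin database may include roles from other databases.
    if (db !== "admin" && r.db !== db) {
      throw new Error(`${key(role, db)} cannot include ${key(r.role, r.db)}: only admin roles inherit across databases`);
    }
  }
  roleCatalog.set(key(role, db), { role, db, privileges, roles });
}

// Every privilege a role carries: its own plus, transitively, those of each role it includes.
function allPrivileges(role, db, seen = new Set()) {
  const k = key(role, db);
  if (seen.has(k)) return []; // tolerate cycles
  seen.add(k);
  const def = roleCatalog.get(k);
  if (!def) throw new Error(`unknown role ${k}`);
  return def.roles.reduce((acc, r) => acc.concat(allPrivileges(r.role, r.db, seen)), [...def.privileges]);
}

// Shaped like rolesInfo output with showPrivileges: direct privileges and the full inherited set.
function describeRole(role, db) {
  const def = roleCatalog.get(key(role, db));
  if (!def) throw new Error(`unknown role ${key(role, db)}`);
  return { role, db, roles: def.roles, privileges: def.privileges, inheritedPrivileges: allPrivileges(role, db) };
}

// A user's effective privileges are the union over every assigned role:
// roles add access and never subtract it.
function userPrivileges(user) {
  return user.roles.flatMap((r) => allPrivileges(r.role, r.db));
}

function isAllowed(user, db, collection, action) {
  return userPrivileges(user).some((p) =>
    (p.resource.db === "" || p.resource.db === db) &&
    (p.resource.collection === "" || p.resource.collection === collection) &&
    p.actions.includes(action));
}

function grantRolesToUser(user, roles) {
  for (const r of roles) {
    if (!roleCatalog.has(key(r.role, r.db))) throw new Error(`unknown role ${key(r.role, r.db)}`);
    if (!user.roles.some((u) => u.role === r.role && u.db === r.db)) user.roles.push({ role: r.role, db: r.db });
  }
  return user;
}

function revokeRolesFromUser(user, roles) {
  user.roles = user.roles.filter((u) => !roles.some((r) => r.role === u.role && r.db === u.db));
  return user;
}

// Constructed sample roles (simplified stand-ins, not the real built-in definitions).
defineRole({ role: "read", db: "products",
  privileges: [{ resource: { db: "products", collection: "" }, actions: ["find"] }] });
defineRole({ role: "readWriteAnyDatabase", db: "admin",
  privileges: [{ resource: { db: "", collection: "" }, actions: ["find", "insert", "update", "remove"] }] });
// An admin role may include a role from another database...
defineRole({ role: "catalogAuditor", db: "admin", roles: [{ role: "read", db: "products" }],
  privileges: [{ resource: { db: "admin", collection: "audit" }, actions: ["find"] }] });

// ...but a role on another database may not; defineRole rejects the attempt.
function crossDatabaseInheritanceRejected() {
  try {
    defineRole({ role: "reportsReader", db: "reports", roles: [{ role: "read", db: "products" }] });
    return false;
  } catch (e) {
    return true;
  }
}

// The example from the text: granting read does not revoke the write access that
// readWriteAnyDatabase already gives; revoking that role does.
function demo() {
  const alice = { user: "alice", roles: [{ role: "readWriteAnyDatabase", db: "admin" }] };
  grantRolesToUser(alice, [{ role: "read", db: "products" }]);
  const writeAfterGrant = isAllowed(alice, "products", "items", "insert");
  revokeRolesFromUser(alice, [{ role: "readWriteAnyDatabase", db: "admin" }]);
  const writeAfterRevoke = isAllowed(alice, "products", "items", "insert");
  const readAfterRevoke = isAllowed(alice, "products", "items", "find");
  return { writeAfterGrant, writeAfterRevoke, readAfterRevoke };
}

console.log(demo()); // { writeAfterGrant: true, writeAfterRevoke: false, readAfterRevoke: true }
console.log(describeRole("catalogAuditor", "admin").inheritedPrivileges.length); // 2
```

Because access is a union, the only way to take write access away from alice is to revoke the role that carries it; no additional grant narrows it. describeRole shows the same split a rolesInfo query does: catalogAuditor lists one direct privilege, but its inherited set also contains the find privilege it picks up from read on the products database.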

Users and Roles

You can assign roles to users during user creation. You can also update existing users to grant or revoke roles. For a full list of user management methods, see User Management.

A user assigned a role receives all the privileges of that role. A user can have multiple roles. By assigning a user roles in various databases, a user created in one database can have permissions to act on other databases.

Note

The first user created in the database should be a user administrator who has the privileges to manage other users. See Enable Access Control on Self-Managed Deployments.

Built-In Roles and User-Defined Roles

MongoDB provides built-in roles that provide a set of privileges commonly needed in a database system.

If these built-in roles cannot provide the desired set of privileges, MongoDB provides methods to create and modify user-defined roles.

LDAP Authorization

Note

Starting in MongoDB 8.0, LDAP authentication and authorization are deprecated. LDAP is available and will continue to operate without changes throughout the lifetime of MongoDB 8. LDAP will be removed in a future major release.

For details, see LDAP Deprecation.

MongoDB Enterprise supports querying an LDAP server for the LDAP groups the authenticated user is a member of. MongoDB maps the Distinguished Name (DN) of each returned group to roles on the admin database. MongoDB authorizes the user based on the mapped roles and their associated privileges. See LDAP Authorization for more information.