
Built-In Roles

MongoDB grants access to data and commands through role-based authorization and provides built-in roles that grant the different levels of access commonly needed in a database system. You can additionally create user-defined roles.

A role grants privileges to perform sets of actions on defined resources. A given role applies to the database on which it is defined and can grant access down to a collection level of granularity.

System collections include those in:

For details, see System Collections.

Non-system collections are those not in the namespaces in the previous list.

Each of MongoDB's built-in roles defines access at the database level for all non-system collections in the role's database and at the collection level for all system collections.

This section describes the privileges for each built-in role. You can also view the privileges for a built-in role at any time by issuing the rolesInfo command with the showPrivileges and showBuiltinRoles fields both set to true.

MongoDB Atlas Built-In Roles

Although database users in MongoDB Atlas have different built-in roles than self-hosted deployments, the built-in roles for each type of deployment are built from the same set of privilege actions.

For the built-in database user roles for deployments hosted in MongoDB Atlas, see Atlas Built-In Roles and Privileges.

You can create database users and assign built-in roles in the MongoDB Atlas user interface. To learn more, see Add Database Users.

Database Built-In Roles

MongoDB provides the following built-in roles in self-hosted deployments:

Database User Roles

Every database includes the following client roles:

read

Provides the ability to read data on all non-system collections and the system.js collection.

Note

The role does not provide privileges to access the system.namespaces collection directly.

The role provides read access by granting the following actions:

If the user does not have the listDatabases privilege action, the user can still run the listDatabases command to return the list of databases on which the user has privileges (including databases on which the user has privileges only on specific collections), provided the command is run with the authorizedDatabases option unspecified or set to true.

readWrite

Provides all the privileges of the read role plus the ability to modify data on all non-system collections and the system.js collection.

The role provides the following actions on those collections:

Database Administration Roles

Every database includes the following database administration roles:

dbAdmin

Provides the ability to perform administrative tasks such as schema-related tasks, indexing, and gathering statistics. This role does not grant privileges for user and role management.

Specifically, the role provides the following privileges:

Resource | Permitted Actions
system.profile |
All non-system collections (i.e. the database resource) |

For these collections, dbAdmin does not include full read access (i.e. find).

dbOwner

The database owner can perform any administrative action on the database. This role combines the privileges granted by the readWrite, dbAdmin and userAdmin roles.

userAdmin

Provides the ability to create and modify roles and users on the current database. Since the userAdmin role allows users to grant any privilege to any user, including themselves, the role also indirectly provides superuser access to either the database or, if scoped to the admin database, the cluster.

The userAdmin role explicitly provides the following actions:

Warning

It is important to understand the security implications of granting the userAdmin role: a user with this role for a database can assign themselves any privilege on that database. Granting the userAdmin role on the admin database has further security implications, as this indirectly provides superuser access to the cluster. With admin scope, a user with the userAdmin role can grant cluster-wide roles or privileges, including userAdminAnyDatabase.

Cluster Administration Roles

The admin database includes the following roles for administering the whole system rather than just a single database. These roles include, but are not limited to, replica set and sharded cluster administrative functions.

clusterAdmin

Provides the greatest cluster-management access. This role combines the privileges granted by the clusterManager, clusterMonitor, and hostManager roles. Additionally, the role provides the dropDatabase action.

clusterManager

Provides management and monitoring actions on the cluster. A user with this role can access the config and local databases, which are used in sharding and replication, respectively. Additionally, the role provides the querySettings action.

Resource | Actions
cluster |
All databases |

clusterManager provides additional privileges for the config and local databases.

On the config database, permits the following actions:

Resource | Actions
All non-system collections in the config database |
system.js |

On the local database, permits the following actions:

Resource | Actions
All non-system collections in the local database |
system.replset collection |

clusterMonitor

Provides read-only access to monitoring tools, such as the MongoDB Cloud Manager and Ops Manager monitoring agent.

Permits the following actions on the cluster as a whole:

Permits the following actions on all databases in the cluster:

Permits the find action on all system.profile collections in the cluster.

On the config database, permits the following actions:

Resource | Actions
All non-system collections in the config database | collStats, dbHash, dbStats, find, indexStats, killCursors, listCollections, listIndexes, listSearchIndexes, planCacheRead
system.js collection | collStats, dbHash, dbStats, find, killCursors, listCollections, listIndexes, planCacheRead

On the local database, permits the following actions:

Resource | Actions
All non-system collections in the local database | collStats, dbHash, dbStats, find, indexStats, killCursors, listCollections, listIndexes, listSearchIndexes, planCacheRead
system.js collection | collStats, dbHash, dbStats, find, killCursors, listCollections, listIndexes, listSearchIndexes, planCacheRead
system.replset, system.profile | find

directShardOperations

Starting in MongoDB 8.0, you can use the directShardOperations role to perform maintenance operations that require you to execute commands directly against a shard.

Warning

Running commands using the directShardOperations role can cause your cluster to stop working correctly and may cause data corruption. Only use the directShardOperations role for maintenance purposes or under the guidance of MongoDB support. Once you are done performing maintenance operations, stop using the directShardOperations role.

enableSharding

Provides the ability to enable sharding for a collection and to modify existing shard keys.

Provides the following actions on all non-system collections:

hostManager

Provides the ability to monitor and manage servers.

On the cluster as a whole, provides the following actions:

On all databases in the cluster, provides the following actions:

searchCoordinator

Provides readAnyDatabase privileges and write permissions on the __mdb_internal_search database.

Important

Do not modify the contents of the __mdb_internal_search database.

On the cluster as a whole, provides the following action:

Backup and Restoration Roles

The admin database includes the following roles for backing up and restoring data:

backup

Provides the minimal privileges needed for backing up data. This role provides sufficient privileges to use the MongoDB Cloud Manager backup agent or the Ops Manager backup agent, or to use mongodump to back up an entire mongod instance.

Provides the insert and update actions on the settings collection in the config database.

On anyResource, provides the

On the cluster as a whole, provides the

Provides the find action on the following:

  • all non-system collections in the cluster, including those in the config and local databases
  • The following system collections in the cluster:

    system.js, and system.profile

  • The admin.system.users and admin.system.roles collections
  • The config.settings collection
  • Legacy system.users collections from versions of MongoDB prior to 2.6

Provides the insert and update actions on the config.settings collection.

The backup role provides additional privileges to back up the system.profile collection that exists when running with database profiling.

restore

Provides convertToCapped on non-system collections.

Provides the necessary privileges to restore data from backups if the data does not include system.profile collection data and you run mongorestore without the --oplogReplay option.

If the backup data includes system.profile collection data or you run with --oplogReplay, you need additional privileges:

system.profile

If the backup data includes system.profile collection data and the target database does not contain the system.profile collection, mongorestore attempts to create the collection even though the program does not actually restore system.profile documents. As such, the user requires additional privileges to perform the createCollection and convertToCapped actions on the system.profile collection for a database.

Both the built-in roles dbAdmin and dbAdminAnyDatabase provide the additional privileges.

--oplogReplay

To run with --oplogReplay, create a user-defined role that has anyAction on anyResource.

Grant it only to users who must run mongorestore with --oplogReplay.

Provides the following action on the cluster as a whole:

Provides the following actions on all non-system collections:

Provides the following actions on the system.js collection:

Provides the following action on anyResource:

Provides the following actions on all non-system collections in the config and local databases:

Provides the following actions on admin.system.version:

Provides the following action on admin.system.roles:

Provides the following actions on admin.system.users and legacy system.users collections:

Although restore includes the ability to modify the documents in the admin.system.users collection using normal modification operations, only modify this data using the user management methods.

Provides the following action on the <database>.system.views collection:

On the cluster as a whole, provides the following actions:

All-Database Roles

The following roles are available on the admin database and provide privileges which apply to all databases except local and config:

readAnyDatabase

Provides the same read-only privileges as read on all databases except local and config. The role also provides the listDatabases action on the cluster as a whole.

See also the clusterManager and clusterMonitor roles for access to the config and local databases.

readWriteAnyDatabase

Provides the same privileges as readWrite on all databases except local and config. The role also provides:

See also the clusterManager and clusterMonitor roles for access to the config and local databases.

userAdminAnyDatabase

Provides the same access to user administration operations as userAdmin on all databases except local and config.

userAdminAnyDatabase also provides the following privilege actions on the cluster:

The role provides the following privilege actions on the system.users and system.roles collections on the admin database, and on legacy system.users collections from versions of MongoDB prior to 2.6:

The userAdminAnyDatabase role does not restrict the privileges that a user can grant. As a result, userAdminAnyDatabase users can grant themselves privileges in excess of their current privileges, and can even grant themselves all privileges, even though the role does not explicitly authorize privileges beyond user administration. This role is effectively a MongoDB system superuser.

See also the clusterManager and clusterMonitor roles for access to the config and local databases.

dbAdminAnyDatabase

Provides the same privileges as dbAdmin on all databases except local and config. The role also provides the listDatabases action on the cluster as a whole.

See also the clusterManager and clusterMonitor roles for access to the config and local databases.

Starting in MongoDB 5.0, dbAdminAnyDatabase includes the applyOps privilege action.

Superuser Roles

Several roles provide either indirect or direct system-wide superuser access.

The following roles provide the ability to assign any user any privilege on any database, which means that users with one of these roles can assign themselves any privilege on any database:

  • dbOwner role, when scoped to the admin database
  • userAdmin role, when scoped to the admin database
  • userAdminAnyDatabase role

The following role provides full privileges on all resources:

root

Provides access to the operations and all the resources of the following roles combined:

Also provides the following privilege actions:

Changed in version 6.0: The root role includes find and remove privileges on the system.preimages collection in the config database.

Internal Role

__system

MongoDB assigns this role to user objects that represent cluster members, such as replica set members and mongos instances. The role entitles its holder to take any action against any object in the database.

Do not assign this role to user objects representing applications or human administrators, other than in exceptional circumstances.

If you need access to all actions on all resources, for example to run applyOps commands, do not assign this role. Instead, create a user-defined role that grants anyAction on anyResource and ensure that only the users who need access to these operations have this access.
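An added audit example, not code from the MongoDB documentation: it applies the superuser rules from the Superuser Roles section and the anyAction-on-anyResource advice given for --oplogReplay restores and above to documents shaped like usersInfo and rolesInfo (showPrivileges: true) output, so that every user who is effectively a superuser is listed with the reason. The users, the oplogReplayRestore role name and all sample data are constructed.

```javascript
// Added audit example, not from the MongoDB docs. It applies this page's
// superuser rules to documents shaped like usersInfo and rolesInfo
// (showPrivileges: true) output. All sample data below is constructed.

// Built-in superuser roles per the page; userAdmin/dbOwner count only on admin.
const SUPERUSER_ROLES = new Set([
  "root@admin", "__system@admin", "userAdminAnyDatabase@admin",
  "userAdmin@admin", "dbOwner@admin",
]);

// anyAction on anyResource (the --oplogReplay pattern) is also full access.
function isAnyActionOnAnyResource(priv) {
  return !!priv.resource && priv.resource.anyResource === true &&
    Array.isArray(priv.actions) && priv.actions.includes("anyAction");
}

// Reasons a user is effectively a superuser; empty array if none.
function superuserReasons(user, rolesInfoDocs) {
  const byKey = new Map(rolesInfoDocs.map(r => [`${r.role}@${r.db}`, r]));
  const reasons = [];
  for (const { role, db } of user.roles) {
    const key = `${role}@${db}`;
    if (SUPERUSER_ROLES.has(key)) reasons.push(`built-in ${key}`);
    const custom = byKey.get(key);
    if (!custom) continue;
    // rolesInfo with showPrivileges lists the whole inherited chain.
    for (const inh of custom.inheritedRoles || []) {
      const inhKey = `${inh.role}@${inh.db}`;
      if (SUPERUSER_ROLES.has(inhKey)) reasons.push(`${key} inherits ${inhKey}`);
    }
    if ((custom.inheritedPrivileges || []).some(isAnyActionOnAnyResource)) {
      reasons.push(`${key} grants anyAction on anyResource`);
    }
  }
  return reasons;
}

// Audit all users; returns { "user@db": [reasons] } for flagged users only.
function auditSuperusers(usersInfoDocs, rolesInfoDocs) {
  const flagged = {};
  for (const u of usersInfoDocs) {
    const reasons = superuserReasons(u, rolesInfoDocs);
    if (reasons.length) flagged[`${u.user}@${u.db}`] = reasons;
  }
  return flagged;
}
// Constructed sample data; shapes follow usersInfo and rolesInfo output.
const SAMPLE_USERS = [
  { user: "app", db: "inventory", roles: [{ role: "readWrite", db: "inventory" }] },
  { user: "ops", db: "admin", roles: [{ role: "userAdmin", db: "admin" }] },
  { user: "dba", db: "admin", roles: [{ role: "userAdmin", db: "inventory" }] },
  { user: "restorer", db: "admin", roles: [{ role: "oplogReplayRestore", db: "admin" }] },
];
const SAMPLE_ROLES = [{ role: "oplogReplayRestore", db: "admin", inheritedRoles: [],
  inheritedPrivileges: [{ resource: { anyResource: true }, actions: ["anyAction"] }] }];
```

Against a live deployment, feed auditSuperusers the documents returned by the usersInfo command and by rolesInfo run with showPrivileges set to true; the dba user above shows why the database qualifier matters, since userAdmin on inventory is not flagged.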