Definition
grantPrivilegesToRole
Assigns additional privileges to a user-defined role defined on the database on which the command is run.
Tip
In mongosh, this command can also be run through the db.grantPrivilegesToRole() helper method. Helper methods are convenient for mongosh users, but they may not return the same level of information as database commands. In cases where the convenience is not needed or the additional return fields are required, use the database command.
The grantPrivilegesToRole command uses the following syntax:
    db.runCommand(
      {
        grantPrivilegesToRole: "<role>",
        privileges: [
          {
            resource: { <resource> }, actions: [ "<action>", ... ]
          },
          ...
        ],
        writeConcern: { <write concern> },
        comment: <any>
      }
    )
Compatibility
This command is available in deployments hosted in the following environments:
- MongoDB Atlas: The fully managed service for MongoDB deployments in the cloud
Important
This command is not supported in M0 and Flex clusters. For more information, see Unsupported Commands.
- MongoDB Enterprise: The subscription-based, self-managed version of MongoDB
- MongoDB Community: The source-available, free-to-use, and self-managed version of MongoDB
Command Fields
The command has the following fields:
- grantPrivilegesToRole
- privileges
- writeConcern
- comment
Behavior
A role's privileges apply to the database where the role is created. A role created on the admin database can include privileges that apply to all databases or to the cluster.
Required Access
You must have the grantRole action on the database a privilege targets in order to grant the privilege. To grant a privilege on multiple databases or on the cluster resource, you must have the grantRole action on the admin database.
Example
The following grantPrivilegesToRole command grants two additional privileges to the service role that exists in the products database:
    use products
    db.runCommand(
      {
        grantPrivilegesToRole: "service",
        privileges: [
          {
            resource: { db: "products", collection: "" }, actions: [ "find" ]
          },
          {
            resource: { db: "products", collection: "system.js" }, actions: [ "find" ]
          }
        ],
        writeConcern: { w: "majority" , wtimeout: 5000 }
      }
    )
The first privilege in the privileges array allows the user to search on all non-system collections in the products database. The privilege does not allow queries on system collections, such as the system.js collection. To grant access to these system collections, explicitly provision access in the privileges array. See Resource Document on Self-Managed Deployments.
The second privilege explicitly allows the find action on system.js collections on all databases.
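A pre-grant review of a privileges array, applying the Required Access rule and the system-collection point above. This is an added example, not code from the MongoDB documentation: reviewPrivileges is a hypothetical helper, and its handling of anyResource and of an empty db string (the resource-document form for all databases) is an assumption.

```javascript
// Added example: review a privileges array before passing it to grantPrivilegesToRole.
// reviewPrivileges is a hypothetical helper, not a MongoDB API. Runs in Node.js or mongosh.
function reviewPrivileges(privileges) {
  const grantRoleOn = new Set(); // databases where the caller needs the grantRole action
  const notes = [];
  privileges.forEach((p, i) => {
    const r = p.resource || {};
    // Cluster scope needs grantRole on admin; anyResource is treated the same (assumption).
    if (r.cluster === true || r.anyResource === true) {
      grantRoleOn.add("admin");
      notes.push(`#${i}: cluster-wide resource`);
      return;
    }
    if (typeof r.db !== "string" || typeof r.collection !== "string") {
      notes.push(`#${i}: unrecognized resource document`);
      return;
    }
    // An empty db string spans databases, so grantRole on admin is required.
    grantRoleOn.add(r.db === "" ? "admin" : r.db);
    if (r.db === "") notes.push(`#${i}: applies to every database`);
    if (r.collection === "") {
      // Empty collection string: non-system collections only.
      notes.push(`#${i}: all non-system collections`);
    } else if (r.collection.startsWith("system.")) {
      notes.push(`#${i}: explicit system collection ${r.collection}`);
    }
  });
  return { grantRoleOn: [...grantRoleOn].sort(), notes };
}

// Constructed input: the privileges array from the example above.
const review = reviewPrivileges([
  { resource: { db: "products", collection: "" }, actions: ["find"] },
  { resource: { db: "products", collection: "system.js" }, actions: ["find"] },
]);
console.log(review);
```

Any note about a system collection, every database, or a cluster-wide resource marks a privilege worth a second look before the grant is applied.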