Definition
revokePrivilegesFromRole
Removes the specified privileges from the user-defined role on the database where the command is run.
Tip
In mongosh, this command can also be run through the db.revokePrivilegesFromRole() helper method. Helper methods are convenient for mongosh users, but they may not return the same level of information as database commands. In cases where the convenience is not needed or the additional return fields are required, use the database command.
Compatibility
This command is available in deployments hosted in the following environments:
- MongoDB Atlas: The fully managed service for MongoDB deployments in the cloud
Important
This command is not supported in M0 and Flex clusters. For more information, see Unsupported Commands.
- MongoDB Enterprise: The subscription-based, self-managed version of MongoDB
- MongoDB Community: The source-available, free-to-use, and self-managed version of MongoDB
Syntax
The command has the following syntax:
db.runCommand(
  {
    revokePrivilegesFromRole: "<role>",
    privileges: [
      { resource: { <resource> }, actions: [ "<action>", ... ] },
      ...
    ],
    writeConcern: <write concern document>,
    comment: <any>
  }
)
Command Fields
The command takes the following fields:
revokePrivilegesFromRole | ||
privileges | privileges for more information on the format of the privileges. | |
writeConcern | ||
comment |
|
Behavior
To revoke a privilege, the resource document pattern must match exactly the resource field of that privilege. The actions field can be a subset or match exactly.
For example, consider the role accountRole in the products database with the following privilege that specifies the products database as the resource:
{
  "resource" : {
    "db" : "products",
    "collection" : ""
  },
  "actions" : [
    "find",
    "update"
  ]
}
You cannot revoke find and/or update from just one collection in the products database. The following operations result in no change to the role:
use products
db.runCommand(
  {
    revokePrivilegesFromRole: "accountRole",
    privileges:
      [
        {
          resource : {
            db : "products",
            collection : "gadgets"
          },
          actions : [
            "find",
            "update"
          ]
        }
      ]
  }
)
db.runCommand(
  {
    revokePrivilegesFromRole: "accountRole",
    privileges:
      [
        {
          resource : {
            db : "products",
            collection : "gadgets"
          },
          actions : [
            "find"
          ]
        }
      ]
  }
)
To revoke the "find" and/or the "update" action from the role accountRole, you must match the resource document exactly. For example, the following operation revokes just the "find" action from the existing privilege.
use products
db.runCommand(
  {
    revokePrivilegesFromRole: "accountRole",
    privileges:
      [
        {
          resource : {
            db : "products",
            collection : ""
          },
          actions : [
            "find"
          ]
        }
      ]
  }
)
Required Access
You must have the revokeRole action on the database a privilege targets in order to revoke that privilege. If the privilege targets multiple databases or the cluster resource, you must have the revokeRole action on the admin database.
Example
The following operation removes multiple privileges from the associates role in the products database:
use products
db.runCommand(
  {
    revokePrivilegesFromRole: "associate",
    privileges:
      [
        {
          resource: { db: "products", collection: "" },
          actions: [ "createCollection", "createIndex", "find" ]
        },
        {
          resource: { db: "products", collection: "orders" },
          actions: [ "insert" ]
        }
      ],
    writeConcern: { w: "majority" }
  }
)
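
The matching rule from the Behavior section, modeled in plain JavaScript so a planned revoke can be checked for silent no-ops before it is relied on to remove access. This is an added example, not MongoDB's code or part of the original page. The function names simulateRevoke and sameResource are hypothetical, and dropping a privilege once it has no actions left is an assumption of the model.

```javascript
// Model of the matching rule on this page; not MongoDB server code.
// On a live deployment, read a role's real privileges with:
//   db.runCommand({ rolesInfo: "accountRole", showPrivileges: true })

// Exact match: same keys and same values, regardless of key order.
function sameResource(a, b) {
  const norm = (r) =>
    JSON.stringify(Object.entries(r).sort(([x], [y]) => x.localeCompare(y)));
  return norm(a) === norm(b);
}

// Returns the privileges left on the role plus the requested revocations
// that changed nothing (the "no change to the role" case).
function simulateRevoke(rolePrivileges, toRevoke) {
  const remaining = rolePrivileges.map((p) => ({
    resource: { ...p.resource },
    actions: [...p.actions],
  }));
  const noOps = [];
  for (const req of toRevoke) {
    const target = remaining.find((p) => sameResource(p.resource, req.resource));
    // The requested actions may be a subset of the privilege's actions.
    const hit = target ? target.actions.filter((a) => req.actions.includes(a)) : [];
    if (hit.length === 0) {
      noOps.push(req); // different resource, or none of the actions present
      continue;
    }
    target.actions = target.actions.filter((a) => !hit.includes(a));
  }
  // Assumption of this model: a privilege with no actions left is dropped.
  return { remaining: remaining.filter((p) => p.actions.length > 0), noOps };
}

// Constructed sample: the accountRole privilege shown under Behavior.
const accountRole = [
  { resource: { db: "products", collection: "" }, actions: ["find", "update"] },
];
const narrow = simulateRevoke(accountRole, [
  { resource: { db: "products", collection: "gadgets" }, actions: ["find"] },
]);
const exact = simulateRevoke(accountRole, [
  { resource: { db: "products", collection: "" }, actions: ["find"] },
]);
console.log("gadgets-only request:", JSON.stringify(narrow));
console.log("exact-resource request:", JSON.stringify(exact));
```

Any entry in noOps means the role still holds the access the request was meant to remove, so confirm the role's actual privileges after running the real command.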