Database Manual / Reference / Database Commands / User Management

revokeRolesFromUser (database command数据库命令)

Definition定义

revokeRolesFromUser

Removes one or more roles from a user on the database where the roles exist.从存在角色的数据库上的用户中删除一个或多个角色。

Tip

In mongosh, this command can also be run through the db.revokeRolesFromUser() helper method.mongosh中,此命令也可以通过db.revokeRolesFromUser()辅助方法运行。

Helper methods are convenient for mongosh users, but they may not return the same level of information as database commands. 助手方法对mongosh用户来说很方便,但它们可能不会返回与数据库命令相同级别的信息。In cases where the convenience is not needed or the additional return fields are required, use the database command.如果不需要便利性或需要额外的返回字段,请使用database命令。

Compatibility兼容性

This command is available in deployments hosted in the following environments:此命令在以下环境中托管的部署中可用:

  • MongoDB Enterprise: The subscription-based, self-managed version of MongoDB:MongoDB的基于订阅的自我管理版本
  • MongoDB Community: The source-available, free-to-use, and self-managed version of MongoDB:MongoDB的源代码可用、免费使用和自我管理版本

Important

This command is not supported in MongoDB Atlas clusters. MongoDB Atlas集群不支持此命令。For information on Atlas support for all commands, see Unsupported Commands.有关Atlas支持所有命令的信息,请参阅不支持的命令

Syntax语法

The command has the following syntax:该命令具有以下语法:

db.runCommand(
   {
     revokeRolesFromUser: "<user>",
     roles: [
       { role: "<role>", db: "<database>" } | "<role>",
       ...
     ],
     writeConcern: { <write concern> },
     comment: <any>
   }
)

Command Fields命令字段

The command takes the following fields:该命令包含以下字段:

Field字段Type类型Description描述
revokeRolesFromUserstring字符串The user to remove roles from.要从中删除角色的用户。
rolesarray数组The roles to remove from the user.要从用户中删除的角色。
writeConcerndocument文档Optional. 可选。The level of write concern for the operation. 操作的写入关注级别。See Write Concern Specification.请参阅写入关注规范
commentany任意

Optional. 可选。A user-provided comment to attach to this command. Once set, this comment appears alongside records of this command in the following locations:用户提供了要附加到此命令的注释。设置后,此注释将与此命令的记录一起出现在以下位置:

A comment can be any valid BSON type (string, integer, object, array, etc).注释可以是任何有效的BSON类型(字符串、整数、对象、数组等)。

In the roles field, you can specify both built-in roles and user-defined roles.roles字段中,您可以指定内置角色用户定义的角色

To specify a role that exists in the same database where revokeRolesFromUser runs, you can either specify the role with the name of the role:要指定存在于运行revokeRolesFromUser的同一数据库中的角色,您可以使用角色名称指定角色:

"readWrite"

Or you can specify the role with a document, as in:或者,您可以在文档中指定角色,如:

{ role: "<role>", db: "<database>" }

To specify a role that exists in a different database, specify the role with a document.若要指定存在于其他数据库中的角色,请使用文档指定该角色。

Required Access所需访问权限

You must have the revokeRole action on a database to revoke a role on that database.您必须对数据库执行revokeRole操作才能撤销该数据库上的角色。

Example示例

The accountUser01 user in the products database has the following roles:products品数据库中的accountUser01用户具有以下角色:

"roles" : [
    { "role" : "assetsReader",
      "db" : "assets"
    },
    { "role" : "read",
      "db" : "stock"
    },
    { "role" : "readWrite",
      "db" : "products"
    }
]

The following revokeRolesFromUser command removes the two of the user's roles: the read role on the stock database and the readWrite role on the products database, which is also the database on which the command runs:以下revokeRolesFromUser命令删除了用户的两个角色:stock数据库上的read角色和products数据库上的readWrite角色,产品数据库也是运行该命令的数据库:

use products
db.runCommand( { revokeRolesFromUser: "accountUser01",
                 roles: [
                          { role: "read", db: "stock" },
                          "readWrite"
                 ],
                 writeConcern: { w: "majority" }
             } )

The user accountUser01 in the products database now has only one remaining role:products数据库中的用户accountUser01现在只剩下一个角色:

"roles" : [
    { "role" : "assetsReader",
      "db" : "assets"
    }
]