Definition定义
updateRoleUpdates a user-defined role. The更新用户定义的角色。updateRolecommand must run on the role's database.updateRole命令必须在角色的数据库上运行。Tip
In在mongosh, this command can also be run through thedb.updateRole()helper method.mongosh中,此命令也可以通过db.updateRole()辅助方法运行。Helper methods are convenient for助手方法对mongoshusers, but they may not return the same level of information as database commands. In cases where the convenience is not needed or the additional return fields are required, use the database command.mongosh用户来说很方便,但它们可能不会返回与数据库命令相同级别的信息。如果不需要便利性或需要额外的返回字段,请使用database命令。An update to a field completely replaces the previous field's values. To grant or remove roles or privileges without replacing all values, use one or more of the following commands:字段的更新将完全替换前一个字段的值。要授予或删除角色或权限而不替换所有值,请使用以下一个或多个命令:Warning
An update to theprivilegesorrolesarray completely replaces the previous array's values.privileges或roles数组的更新将完全替换前一个数组的值。
Compatibility兼容性
This command is available in deployments hosted in the following environments:此命令在以下环境中托管的部署中可用:
- MongoDB Enterprise
: The subscription-based, self-managed version of MongoDB:MongoDB的基于订阅的自我管理版本 - MongoDB Community
: The source-available, free-to-use, and self-managed version of MongoDB:MongoDB的源代码可用、免费使用和自我管理版本
Important
This command is not supported in MongoDB Atlas clusters. MongoDB Atlas集群不支持此命令。For information on Atlas support for all commands, see Unsupported Commands.有关Atlas支持所有命令的信息,请参阅不支持的命令。
Syntax语法
To update a role, you must provide the 要更新角色,您必须提供privileges array, roles array, or both.privileges数组、roles数组或两者都提供。
The command uses the following syntax:该命令使用以下语法:
db.runCommand(
{
updateRole: "<role>",
privileges:
[
{ resource: { <resource> }, actions: [ "<action>", ... ] },
...
],
roles:
[
{ role: "<role>", db: "<database>" } | "<role>",
...
],
authenticationRestrictions:
[
{
clientSource: ["<IP>" | "<CIDR range>", ...],
serverAddress: ["<IP>", ...]
},
...
]
writeConcern: <write concern document>,
comment: <any>
}
)Command Fields命令字段
The command takes the following fields:该命令包含以下字段:
updateRole | ||
privileges | roles array. roles数组,则为必填项。privileges array overrides the previous array's values.privileges数组的更新会覆盖前一个数组的值。privileges array.privileges数组。 | |
roles | privileges array. privileges数组,则为必填项。roles array overrides the previous array's values.roles数组的更新会覆盖前一个数组的值。 | |
authenticationRestrictions |
| |
writeConcern | ||
comment |
|
Roles角色
In the 在roles field, you can specify both built-in roles and user-defined roles.roles字段中,您可以指定内置角色和用户定义的角色。
To specify a role that exists in the same database where 要指定存在于运行updateRole runs, you can either specify the role with the name of the role:updateRole的同一数据库中的角色,您可以使用角色的名称指定角色:
"readWrite"Or you can specify the role with a document, as in:或者,您可以在文档中指定角色,如:
{ role: "<role>", db: "<database>" }To specify a role that exists in a different database, specify the role with a document.若要指定存在于其他数据库中的角色,请使用文档指定该角色。
Authentication Restrictions身份验证限制
The authenticationRestrictions document can contain only the following fields. The server throws an error if the authenticationRestrictions document contains an unrecognized field:authenticationRestrictions文档只能包含以下字段。如果authenticationRestrictions文档包含无法识别的字段,服务器将抛出错误:
clientSource | ||
serverAddress |
Important
If a user inherits multiple roles with incompatible authentication restrictions, that user becomes unusable.如果用户继承了多个身份验证限制不兼容的角色,则该用户将无法使用。
For example, if a user inherits one role in which the 例如,如果用户继承了一个角色,其中clientSource field is ["198.51.100.0"] and another role in which the clientSource field is ["203.0.113.0"] the server is unable to authenticate the user.clientSource字段为["198.51.100.0"],另一个角色的clientSource字段是["203.0.113.0"],则服务器无法对用户进行身份验证。
For more information on authentication in MongoDB, see Authentication on Self-Managed Deployments.有关MongoDB中身份验证的更多信息,请参阅自我管理部署的身份验证。
Behavior行为
A role's privileges apply to the database where the role is created. The role can inherit privileges from other roles in its database. 角色的权限适用于创建该角色的数据库。该角色可以继承其数据库中其他角色的权限。A role created on the 在admin database can include privileges that apply to all databases or to the cluster and can inherit privileges from roles in other databases.admin数据库上创建的角色可以包括应用于所有数据库或集群的权限,并且可以继承其他数据库中角色的权限。
Required Access所需访问权限
You must have the 您必须对所有数据库执行revokeRole action on all databases in order to update a role.revokeRole操作才能更新角色。
You must have the 您必须对角色数组中每个角色的数据库执行grantRole action on the database of each role in the roles array to update the array.grantRole操作才能更新数组。
You must have the 您必须对grantRole action on the database of each privilege in the privileges array to update the array. privileges数组中每个权限的数据库执行grantRole操作才能更新数组。If a privilege's resource spans databases, you must have 如果权限的资源跨越数据库,则必须在grantRole on the admin database. A privilege spans databases if the privilege is any of the following:admin数据库上具有grantRole。如果权限是以下任何一种,则该权限跨越数据库:
a collection in all databases所有数据库中的集合all collections and all database所有集合和所有数据库theclusterresourcecluster资源
You must have the 您必须对目标角色的数据库执行setAuthenticationRestriction action on the database of the target role to update a role's authenticationRestrictions document.setAuthenticationRestriction操作,才能更新角色的authenticationRestrictions文档。
Example示例
The following is an example of the 以下是updateRole command that updates the myClusterwideAdmin role on the admin database. updateRole命令的示例,该命令更新管理数据库上的myClusterwideAdmin角色。While the 虽然privileges and the roles arrays are both optional, at least one of the two is required:privileges和roles数组都是可选的,但至少需要其中之一:
db.adminCommand(
{
updateRole: "myClusterwideAdmin",
privileges:
[
{
resource: { db: "", collection: "" },
actions: [ "find" , "update", "insert", "remove" ]
}
],
roles:
[
{ role: "dbAdminAnyDatabase", db: "admin" }
],
writeConcern: { w: "majority" }
}
)To view a role's privileges, use the 要查看角色的权限,请使用rolesInfo command.rolesInfo命令。