The resource document specifies the resources upon which a privilege permits 资源文档指定了权限允许actions.actions的资源。
Database and/or Collection Resource数据库和/或集合资源
To specify databases and/or collections, use the following syntax:要指定数据库和/或集合,请使用以下语法:
{ db: <database>, collection: <collection> }Specify a Collection of a Database as Resource将数据库集合指定为资源
If the resource document specifies both the 如果资源文档将db and collection fields as non-empty strings, the resource is the specified collection in the specified database. For example, the following document specifies a resource of the inventory collection in the products database:db和collection字段都指定为非空字符串,则资源是指定数据库中的指定集合。例如,以下文档指定了产品数据库中inventory集合的资源:
{ db: "products", collection: "inventory" }For a user-defined role scoped for a non-对于非admin database, the resource specification for its privileges must specify the same database as the role. User-defined roles scoped for the admin database can specify other databases.admin数据库范围内的用户定义角色,其权限的资源规范必须指定与该角色相同的数据库。管理员数据库范围内的用户定义角色可以指定其他数据库。
Specify a Database as Resource将数据库指定为资源
If only the 如果只有collection field is an empty string (""), the resource is the specified database, excluding the system collections. For example, the following resource document specifies the resource of the test database, excluding the system collections:collection字段是空字符串(""),则资源是指定的数据库,不包括系统集合。例如,以下资源文档指定了test数据库的资源,不包括系统集合:
{ db: "test", collection: "" }For a user-defined role scoped for a non-对于非admin database, the resource specification for its privileges must specify the same database as the role. User-defined roles scoped for the admin database can specify other databases.admin数据库范围内的用户定义角色,其权限的资源规范必须指定与该角色相同的数据库。管理员数据库范围内的用户定义角色可以指定其他数据库。
Note
When you specify a database as the resource, system collections are excluded, unless you name them explicitly, as in the following:当您将数据库指定为资源时,系统集合将被排除在外,除非您明确地命名它们,如下所示:
{ db: "test", collection: "system.js" }System collections include but are not limited to the following:系统集合包括但不限于以下内容:
<database>.system.profile<database>.system.jssystem.usersCollection in Self-Managed Deployments in theadmindatabaseadmin数据库中自我管理部署中的system.users集合system.rolesCollection in Self-Managed Deployments in theadmindatabaseadmin数据库中自我管理部署中的system.roles集合
Specify Collections Across Databases as Resource将跨数据库的集合指定为资源
If only the 如果只有db field is an empty string (""), the resource is all collections with the specified name across all databases. For example, the following document specifies the resource of all the accounts collections across all the databases:db字段是空字符串(""),则资源是所有数据库中具有指定名称的所有集合。例如,以下文档指定了所有数据库中所有accounts集合的资源:
{ db: "", collection: "accounts" }For user-defined roles, only roles scoped for the 对于用户定义的角色,只有admin database can have this resource specification for their privileges.admin数据库范围内的角色才能拥有此资源规范作为其权限。
Specify All Non-System Collections in All Databases指定所有数据库中的所有非系统集合
If both the 如果db and collection fields are empty strings (""), the resource is all collections, excluding the system collections, in all the databases:db和collection字段都是空字符串(""),则资源是所有数据库中的所有集合,不包括系统集合:
{ db: "", collection: "" }For user-defined roles, only roles scoped for the 对于用户定义的角色,只有管理员数据库范围内的角色才能拥有此资源规范作为其权限。admin database can have this resource specification for their privileges.
Cluster Resource集群资源
To specify the cluster as the resource, use the following syntax:要将群集指定为资源,请使用以下语法:
{ cluster : true }Use the 将cluster resource for actions that affect the state of the system rather than act on specific set of databases or collections. cluster资源用于影响系统状态的操作,而不是对特定的数据库或集合进行操作。Examples of such actions are 此类操作的示例包括shutdown, replSetReconfig, and addShard. For example, the following document grants the action shutdown on the cluster.shutdown、replSetReconfig和addShard。例如,以下文档允许在集群上执行关闭操作。
{ resource: { cluster : true }, actions: [ "shutdown" ] }For user-defined roles, only roles scoped for the 对于用户定义的角色,只有admin database can have this resource specification for their privileges.admin数据库范围内的角色才能拥有此资源规范作为其权限。
anyResource
The internal resource 内部资源anyResource gives access to every resource in the system and is intended for internal use. Do not use this resource, other than in exceptional circumstances. The syntax for this resource is { anyResource: true }.anyResource允许访问系统中的所有资源,仅供内部使用。除非在特殊情况下,否则不要使用此资源。此资源的语法为{ anyResource: true }。