MongoDB employs Role-Based Access Control (RBAC) to govern access to a MongoDB system. A user is granted one or more roles that determine the user's access to database resources and operations. Outside of role assignments, the user has no access to the system.
MongoDB does not enable access control by default. You can enable authorization using the --auth option or the security.authorization setting. Enabling internal authentication also enables client authorization.
Once access control is enabled, users must authenticate themselves.
A role grants privileges to perform the specified actions on a resource. Each privilege is either specified explicitly in the role, inherited from another role, or both.
A privilege consists of a specified resource and the actions permitted on that resource.
A resource is a database, a collection, a set of collections, or the cluster. If the resource is the cluster, the affiliated actions affect the state of the system rather than a specific database or collection. For information on the resource documents, see Resource Document.
An action specifies the operation allowed on the resource. For available actions, see Privilege Actions.
A role can include one or more existing roles in its definition, in which case the role inherits all the privileges of the included roles.
A role can inherit privileges from other roles in its database. A role created on the admin database can inherit privileges from roles in any database.
You can assign roles to users during user creation. You can also update existing users to grant or revoke roles. For a full list of user management methods, see User Management.
A user assigned a role receives all the privileges of that role. A user can have multiple roles. By assigning the user roles in various databases, a user created in one database can have permissions to act on other databases.
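As an added example that is not part of the MongoDB documentation, the following JavaScript models the resolution rules described above: a role's explicit plus inherited privileges, the restriction that only admin-database roles inherit across databases, and a user whose access is exactly the union of its roles. The role and user documents use the argument shape of db.createRole() and db.createUser(); the role catalog, the user and all helper functions are constructed for illustration.

```javascript
// Added example, not from the MongoDB docs: a model of how MongoDB RBAC resolves a
// user's effective privileges. Helper functions and sample data are hypothetical.
// Constructed role catalog keyed by "db.role". Resource documents follow the
// Resource Document format: {db, collection} with "" meaning "any", or {cluster: true}.
const roleCatalog = {
  "reporting.readReports": {
    role: "readReports", db: "reporting",
    privileges: [{ resource: { db: "reporting", collection: "" }, actions: ["find"] }],
    roles: [],
  },
  "reporting.writeReports": {
    role: "writeReports", db: "reporting",
    privileges: [{ resource: { db: "reporting", collection: "daily" }, actions: ["insert", "update"] }],
    roles: [{ role: "readReports", db: "reporting" }], // inherits within its own database
  },
  "admin.opsMonitor": {
    role: "opsMonitor", db: "admin",
    privileges: [{ resource: { cluster: true }, actions: ["serverStatus"] }],
    roles: [{ role: "readReports", db: "reporting" }], // admin roles may inherit from any db
  },
};

// A role may only include roles from its own database unless it lives on admin.
function validateRole(roleDoc) {
  return roleDoc.roles.every(r => roleDoc.db === "admin" || r.db === roleDoc.db);
}

// Explicit privileges plus everything inherited, transitively; "seen" guards against cycles.
function effectivePrivileges(roleRef, catalog, seen = new Set()) {
  const key = `${roleRef.db}.${roleRef.role}`;
  if (seen.has(key) || !catalog[key]) return [];
  seen.add(key);
  const doc = catalog[key];
  return [...doc.privileges, ...doc.roles.flatMap(r => effectivePrivileges(r, catalog, seen))];
}

// Does a granted resource cover the requested one? "" is a wildcard; cluster only matches cluster.
function resourceCovers(granted, requested) {
  if (granted.cluster || requested.cluster) return Boolean(granted.cluster && requested.cluster);
  return (granted.db === "" || granted.db === requested.db) &&
         (granted.collection === "" || granted.collection === requested.collection);
}

// A user's access is exactly the union of its roles' effective privileges; nothing else grants access.
function userCan(user, action, resource, catalog = roleCatalog) {
  return user.roles.flatMap(r => effectivePrivileges(r, catalog))
    .some(p => resourceCovers(p.resource, resource) && p.actions.includes(action));
}

// Constructed user created on "admin" but holding a role defined in another database.
const analyst = { user: "analyst", db: "admin", roles: [{ role: "writeReports", db: "reporting" }] };
```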
Note
The first user created in the database should be a user administrator who has the privileges to manage other users. See Enable Access Control.
MongoDB provides built-in roles that provide a set of privileges commonly needed in a database system.
If these built-in roles cannot provide the desired set of privileges, MongoDB provides methods to create and modify user-defined roles.