Built-In Roles内置角色

On this page本页内容

MongoDB grants access to data and commands through role-based authorization and provides built-in roles that provide the different levels of access commonly needed in a database system.MongoDB通过基于角色的授权授予对数据和命令的访问权,并提供内置角色,这些角色提供数据库系统中通常需要的不同级别的访问。You can additionally create user-defined roles.您还可以创建用户定义的角色

A role grants privileges to perform sets of actions on defined resources.角色授予对定义的资源执行一组操作的权限。A given role applies to the database on which it is defined and can grant access down to a collection level of granularity.给定的角色应用于在其上定义该角色的数据库,并可以授予访问权限,直至达到粒度级别。

Each of MongoDB’s built-in roles defines access at the database level for all non-system collections in the role’s database and at the collection level for all system collections.MongoDB的每个内置角色在数据库级别为角色数据库中的所有非系统集合定义访问权限,在集合级别为所有系统集合定义访问权限。

MongoDB provides the built-in database user and database administration roles on every database.MongoDB为每个数据库提供内置的数据库用户数据库管理角色。MongoDB provides all other built-in roles only on the admin database.MongoDB只在admin数据库上提供所有其他内置角色。

This section describes the privileges for each built-in role.本节介绍每个内置角色的权限。You can also view the privileges for a built-in role at any time by issuing the rolesInfo command with the showPrivileges and showBuiltinRoles fields both set to true.您还可以随时查看内置角色的权限,方法是在showPrivilegesshowBuiltinRoles字段都设置为true的情况下发出rolesInfo命令。

Database User Roles数据库用户角色

Every database includes the following client roles:每个数据库都包含以下客户端角色:

read

Provides the ability to read data on all non-system collections and the system.js collection.提供读取所有非系统集合和 system.js集合上的数据的能力。

Aside

Starting in MongoDB 4.2, the role no longer provides privileges to access the system.namespaces collection directly.从MongoDB 4.2开始,角色不再提供直接访问system.namespaces集合的特权。Direct access to the collection has been deprecated since MongoDB 3.0.自MongoDB 3.0以来,对集合的直接访问已被弃用。

In earlier versions, the role provided the aforementioned privilege actions on the system.namespaces collection, thereby allowing direct access.在早期版本中,角色在system.namespaces集合上提供了上述特权操作,从而允许直接访问。

The role provides read access by granting the following actions:角色通过授予以下操作来提供读访问权限:

For MongoDB 4.0.6+:对于MongoDB 4.0.6+:
If the user does not have the listDatabases privilege action, users can run the listDatabases command to return a list of databases for which the user has privileges (including databases for which the user has privileges on specific collections) if the command is run with authorizedDatabases option unspecified or set to true.如果用户没有listDatabases权限操作,则如果在未指定authorizedDatabases选项或将其设置为true的情况下运行该命令,则用户可以运行listDatabases命令以返回用户具有权限的数据库列表(包括用户对特定集合具有权限的数据库)。
For MongoDB 4.0.5:对于MongoDB 4.0.5:
If the user does not have the listDatabases privilege action, users can run the listDatabases command to return a list of databases for which the user has the find action privilege if the command is run with authorizedDatabases option unspecified or set to true.如果用户没有listDatabases权限操作,则如果在未指定authorizedDatabases选项或将其设置为true的情况下运行该命令,则用户可以运行listDatabases命令以返回用户具有查找操作权限的数据库列表。
For MongoDB 4.0.0-4.0.4:对于MongoDB 4.0.0-4.0.4:
If the user does not have the listDatabases privilege action, users can run the listDatabases command to return a list of databases for which the user has the find action privilege.如果用户没有listDatabases权限操作,则用户可以运行listDatabases命令返回用户具有查找操作权限的数据库列表。
readWrite

Provides all the privileges of the read role plus ability to modify data on all non-system collections and the system.js collection.提供read角色的所有权限以及修改所有非系统集合和system.js集合上的数据的能力。

The role provides the following actions on those collections:角色对这些集合提供以下操作:

Database Administration Roles数据库管理角色

Every database includes the following database administration roles:每个数据库都包含以下数据库管理角色:

dbAdmin

Provides the ability to perform administrative tasks such as schema-related tasks, indexing, and gathering statistics.提供执行管理任务的能力,例如与架构相关的任务、索引和收集统计信息。This role does not grant privileges for user and role management.此角色不授予用户和角色管理权限。

Specifically, the role provides the following privileges:具体而言,角色提供以下特权:

Resource资源Permitted Actions允许的操作
system.profile

Aside旁白

Starting in version 4.2, MongoDB removes the system.indexes and system.namespaces collections.从版本4.2开始,MongoDB删除了system.indexes集合和system.namespaces集合。As such, the dbAdmin role no longer provides privileges to access these collections.因此,dbAdmin角色不再提供访问这些集合的权限。Direct access to these collections has been deprecated since MongoDB 3.0.自MongoDB 3.0以来,对这些集合的直接访问已被弃用。

In earlier versions, the dbAdmin role provides the aforementioned privilege actions (except dropCollection and createCollection) on system.indexes and system.namespaces collections, thereby allowing direct access to the system.indexes and system.namespaces collections.在早期版本中,dbAdmin角色在system.indexes集合和system.namespaces集合上提供上述特权操作(dropCollectioncreateCollection除外),从而允许直接访问system.indexes集合和system.namespaces集合。

All non-system collections (i.e. database resource)所有非系统集合(即数据库资源

For these collections, dbAdmin does not include full read access (i.e. find).对于这些集合,dbAdmin不包括完全读取访问(即find)。

dbOwner

The database owner can perform any administrative action on the database.数据库所有者可以对数据库执行任何管理操作。 This role combines the privileges granted by the readWrite, dbAdmin and userAdmin roles.此角色结合了readWritedbAdminuserAdmin角色授予的权限。

userAdmin

Provides the ability to create and modify roles and users on the current database.提供在当前数据库上创建和修改角色和用户的功能。Since the userAdmin role allows users to grant any privilege to any user, including themselves, the role also indirectly provides superuser access to either the database or, if scoped to the admin database, the cluster.由于userAdmin角色允许用户向任何用户(包括他们自己)授予任何权限,因此该角色还间接地向超级用户提供对数据库或集群(如果作用域为admin数据库)的访问。

The userAdmin role explicitly provides the following actions:userAdmin角色显式提供以下操作:

Warning

It is important to understand the security implications of granting the userAdmin role: a user with this role for a database can assign themselves any privilege on that database.理解授予userAdmin角色的安全含义是很重要的:对于数据库具有此角色的用户可以为自己分配对该数据库的任何权限。Granting the userAdmin role on the admin database has further security implications as this indirectly provides superuser access to a cluster.授予admin数据库上的userAdmin角色会带来进一步的安全问题,因为这会间接提供超级用户对集群的访问。With admin scope a user with the userAdmin role can grant cluster-wide roles or privileges including userAdminAnyDatabase.使用admin范围,具有userAdmin角色的用户可以授予集群范围的角色或权限,包括userAdminAnyDatabase

Cluster Administration Roles群集管理角色

The admin database includes the following roles for administering the whole system rather than just a single database.admin数据库包括以下角色,用于管理整个系统,而不仅仅是单个数据库。These roles include but are not limited to replica set and sharded cluster administrative functions.这些角色包括但不限于副本集分片集群管理功能。

clusterAdmin

Provides the greatest cluster-management access.提供最大的群集管理访问。This role combines the privileges granted by the clusterManager, clusterMonitor, and hostManager roles.此角色结合了clusterManagerclusterMonitorhostManager角色授予的权限。Additionally, the role provides the dropDatabase action.此外,角色还提供dropDatabase操作。

clusterManager

Changed in version 3.4.在版本3.4中更改。

Provides management and monitoring actions on the cluster.提供群集上的管理和监视操作。A user with this role can access the config and local databases, which are used in sharding and replication, respectively.具有此角色的用户可以访问config数据库和local数据库,它们分别用于分片和复制。

Resource资源Actions操作
cluster集群
All databases所有数据库

clusterManager provides additional privileges for the config and local databases.clusterManagerconfig数据库和local数据库提供额外的权限。

On the config database, permits the following actions:config数据库上,允许执行以下操作:

Resource资源Actions操作
All non-system collections in the config databaseconfig数据库中的所有非系统集合
system.js

Aside旁白

Starting in version 4.2, MongoDB removes the system.indexes and system.namespaces collections.从4.2版开始,MongoDB删除了system.indexes集合和system.namespaces集合。As such, the clusterManager role no longer provides privileges to access these collections.因此,clusterManager角色不再提供访问这些集合的权限。Direct access to these collections has been deprecated since MongoDB 3.0.自MongoDB 3.0以来,对这些集合的直接访问已被弃用。

In earlier versions, the clusterManager role provides the aforementioned privilege actions on the system.indexes and system.namespaces collections, thereby allowing direct access to the system.indexes and system.namespaces collections.在早期版本中,clusterManager角色在system.indexes集合和system.namespaces集合上提供上述权限,从而允许直接访问system.indexes集合和system.namespaces集合。

On the local database, permits the following actions:local数据库上,允许执行以下操作:

Resource资源Actions操作
All non-system collections in the local databaselocal数据库中的所有非系统集合
system.replset collection集合
clusterMonitor

Changed in version 3.4.在版本3.4中更改。

Provides read-only access to monitoring tools, such as the MongoDB Cloud Manager and Ops Manager monitoring agent.提供对监控工具(如MongoDB Cloud ManagerOps Manager监控代理)的只读访问。

Permits the following actions on the cluster as a whole:允许对整个群集执行以下操作:

Permits the following actions on all databases in the cluster:允许对群集中的所有数据库执行以下操作:

Permits the find action on all system.profile collections in the cluster.允许在所有system.profile集合上执行find操作。

On the config database, permits the following actions:config数据库上,允许执行以下操作:

Resource资源Actions操作
All non-system collections in the config databaseconfig数据库中的所有非系统集合
collStats
dbHash
dbStats
find
getShardVersion
indexStats
killCursors
listCollections
listIndexes
planCacheRead
system.js collection集合
collStats
dbHash
dbStats
find
killCursors
listCollections
listIndexes
planCacheRead

Aside旁白

Starting in version 4.2, MongoDB removes the system.indexes and system.namespaces collections.从4.2版开始,MongoDB删除了system.indexes集合和systen.namespaces集合。As such, the clusterMonitor role no longer provides privileges to access these collections.因此,clusterMonitor角色不再提供访问这些集合的权限。 Direct access to these collections has been deprecated since MongoDB 3.0.自MongoDB 3.0以来,对这些集合的直接访问已被弃用。

In earlier versions, the role provides the aforementioned privilege actions on the system.indexes and system.namespaces collections, thereby allowing direct access to the system.indexes and system.namespaces collections.在早期版本中,角色在system.indexes集合和system.namespaces集合上提供了上述权限操作,从而允许直接访问system.indexes集合和system.namespaces集合。

On the local database, permits the following actions:local数据库上,允许执行以下操作:

Resource资源Actions操作
All collections in the local databaselocal数据库中的所有集合
collStats
dbHash
dbStats
find
getShardVersion
indexStats
killCursors
listCollections
listIndexes
planCacheRead
system.js collection集合
collStats
dbHash
dbStats
find
killCursors
listCollections
listIndexes
planCacheRead

Starting in version 4.2, MongoDB removes the system.indexes and system.namespaces collections.从4.2版开始,MongoDB删除了system.indexes集合和system.namespaces集合。As such, the clusterMonitor role no longer provides privileges to access these collections.因此,clusterMonitor角色不再提供访问这些集合的权限。 Direct access to these collections has been deprecated since MongoDB 3.0.自MongoDB 3.0以来,对这些集合的直接访问已被弃用。

In earlier versions, the role provides the aforementioned privilege actions on the system.indexes and system.namespaces collections, thereby allowing direct access to the system.indexes and system.namespaces collections.在早期版本中,角色在system.indexes集合和system.namespaces集合上提供了上述权限操作,从而允许直接访问system.indexes集合和system.namespaces集合。

system.replset,
system.profile,
 find
hostManager

Provides the ability to monitor and manage servers.提供监视和管理服务器的功能。

On the cluster as a whole, provides the following actions:在整个集群上,提供以下操作:

4.4 Change

Starting in version 4.4, hostManager no longer provides the cpuProfiler privilege action on the cluster.从版本4.4开始,hostManager不再在集群上提供cpuProfiler特权操作。

On all databases in the cluster, provides the following actions:在群集中的所有数据库上,提供以下操作:

Backup and Restoration Roles备份和恢复角色

The admin database includes the following roles for backing up and restoring data:admin数据库包括以下用于备份和还原数据的角色:

backup备份

Provides minimal privileges needed for backing up data.提供备份数据所需的最低权限。This role provides sufficient privileges to use the MongoDB Cloud Manager backup agent, Ops Manager backup agent, or to use mongodump to back up an entire mongod instance.此角色提供足够的权限来使用MongoDB Cloud Manager备份代理、Ops Manager备份代理或使用mongodump备份整个mongod实例。

Provides the insert and update actions on the mms.backup collection in the admin database and on the settings collection in the config database.admin数据库中的mms.backup集合上和config数据库中的settings集合上提供insertupdate操作。

On anyResource, provides the任何资源上,提供

On the cluster as a whole, provides the在整个集群上,提供

Provides the find action on the following:提供以下find操作:

Provides the insert and update actions on the config.settings collection.config.settings集合上提供insertupdate操作。

Changed in version 3.2.1:在版本3.2.1中更改:The backup role provides additional privileges to back up the system.profile collection that exists when running with database profiling.backup角色提供其他权限来备份system.profile集合,该集合在使用数据库明细运行时存在。Previously, users required read access on this collection.以前,用户要求对此集合具有read权限。

restore

Changed in version 3.6:在版本3.6中更改:Provides convertToCapped on non-system collections.在非系统集合上提供convertToCapped

Provides the necessary privileges to restore data from backups if the data does not include system.profile collection data and you run mongorestore without the --oplogReplay option.提供从备份中还原数据(如果数据不包括system.profile集合数据)所需的权限,以及运行mongorestore而不使用--oplogReplay选项所需的权限。

If the backup data includes system.profile collection data or you run with --oplogReplay, you need additional privileges:如果备份数据包括system.profile集合数据,或你使用--oplogReplay运行数据还原,你就需要另外的权限。

system.profile

If the backup data includes system.profile collection data and the target database does not contain the system.profile collection, mongorestore attempts to create the collection even though the program does not actually restore system.profile documents.如果备份数据包括system.profile集合数据,并且目标数据库不包含system.profile集合,则mongorestore会尝试创建集合,即使程序没有实际还原system.profile文件。As such, the user requires additional privileges to perform createCollection and convertToCapped actions on the system.profile collection for a database.因此,用户需要额外的权限才能在数据库的system.profile集合上执行createCollectionconvertToCapped操作。

Both the built-in roles dbAdmin and dbAdminAnyDatabase provide the additional privileges.内置角色dbAdmindbAdminAnyDatabase都提供额外的权限。

--oplogReplay

To run with --oplogReplay, create a user-defined role that has anyAction on anyResource.要使用--oplogReplay运行,请创建对任何资源具有anyAction用户定义角色

Grant only to users who must run mongorestore with --oplogReplay.仅授予必须使用--oplogReplay运行mongorestore的用户。

Provides the following action on the cluster as a whole:对整个群集提供以下操作:

Provides the following actions on all non-system collections:对所有系统集合提供以下操作:

Provides the following actions on system.js collection:system.js集合上提供以下操作:

Provides the following action on anyResource:任意资源上提供以下操作:

Provides the following actions on all non-system collections on the config and the local databases:config数据库和local数据库上的所有非系统集合提供以下操作:

Provides the following actions on admin.system.versionadmin.system.version上提供以下操作:

Provides the following action on admin.system.rolesadmin.system.roles上提供以下操作:

Provides the following actions on admin.system.users and legacy system.users collections:admin.system.users和历史遗留的system.users集合上提供以下操作:

Although, restore includes the ability to modify the documents in the admin.system.users collection using normal modification operations, only modify these data using the user management methods.不过,restore包括使用常规的修改操作修改admin.system.users中的文档的能力,只使用用户管理方法修改这些数据。

Aside旁白

Starting in version 4.2, MongoDB removes the system.namespaces collection.从4.2版开始,MongoDB删除了system.namespaces集合。As such, the restore role no longer provides privileges to access these collections.因此,restore角色不再提供访问这些集合的权限。Direct access to these collections has been deprecated since MongoDB 3.0.自MongoDB 3.0以来,对这些集合的直接访问已被弃用。

In earlier versions, the restore role provides the aforementioned privilege actions on the system.namespaces collection, thereby allowing direct access to the collection.在早期版本中,restore角色在system.namespaces集合上提供上述的特权操作,从而允许直接访问该集合。

All-Database Roles所有数据库角色

Changed in version 3.4.在版本3.4中更改。

The following roles are available on the admin database and provide privileges which apply to all databases except local and config:以下角色在admin数据库上可用,并提供适用于除localconfig之外的所有数据库的权限:

readAnyDatabase

Provides the same read-only privileges as read on all databases except local and config.提供与在除localconfig之外的所有数据库上read相同的只读权限。The role also provides the listDatabases action on the cluster as a whole.该角色还提供对整个集群的listDatabases操作。

Changed in version 3.4:在版本3.4中更改:Prior to 3.4, readAnyDatabase includes local and config databases.在3.4之前,readAnyDatabase包括localconfig数据库。To provide read privileges on the local database, create a user in the admin database with read role in the local database.要在local数据库上提供read权限,请在admin数据库中创建一个在local数据库中具有read角色的用户。

See also the clusterManager and clusterMonitor roles for access to the config and local databases.另请参阅clusterManagerclusterMonitor角色以获取对配置和本地数据库的访问。

readWriteAnyDatabase

Provides the same privileges as readWrite on all databases except local and config.在除localconfig之外的所有数据库上提供与readWrite相同的权限。The role also provides the listDatabases action on the cluster as a whole.该角色还提供对整个集群的listDatabases操作。

Changed in version 3.4:在版本3.4中更改:Prior to 3.4, readWriteAnyDatabase includes local and config databases.在3.4之前,readWriteAnyDatabase包括localconfig数据库。To provide readWrite privileges on the local database, create a user in the admin database with readWrite role in the local database.要在local数据库上提供readWrite权限,请在admin数据库中创建一个在local数据库中具有readWrite角色的用户。

See also the clusterManager and clusterMonitor roles for access to the config and local databases.另请参阅clusterManagerclusterMonitor角色以获取对configlocal数据库的访问。

userAdminAnyDatabase

Provides the same access to user administration operations as userAdmin on all databases except local and config.在除localconfig之外的所有数据库上提供与userAdmin相同的对用户管理操作的访问。

userAdminAnyDatabase also provides the following privilege actions on the cluster:还提供群集上的以下特权操作:

The role also provides the following privilege actions on the system.users and system.roles collections on the admin database, and on legacy system.users collections from versions of MongoDB prior to 2.6:该角色还在admin数据库的system.userssystem.roles集合上,以及在历史遗留的system.users集合(来自的MongoDB 2.6版以前的版本)上提供以下权限:

Changed in version 2.6.4:在版本2.6.4中更改:userAdminAnyDatabase added the following privilege actions on the admin.system.users and admin.system.roles collections:userAdminAnyDatabaseadmin.system.users集合以及admin.system.roles集合上添加了以下权限操作:

The userAdminAnyDatabase role does not restrict the privileges that a user can grant.userAdminAnyDatabase角色不限制用户可以授予的权限。As a result, userAdminAnyDatabase users can grant themselves privileges in excess of their current privileges and even can grant themselves all privileges, even though the role does not explicitly authorize privileges beyond user administration.因此,userAdminAnyDatabase用户可以授予自己超出其当前权限的权限,甚至可以授予自己所有权限,即使该角色没有显式授权超出用户管理权限的权限。This role is effectively a MongoDB system superuser.这个角色实际上是MongoDB系统的超级用户

Changed in version 3.4:在版本3.4中更改:userAdminAnyDatabase no longer applies to the local and config databases.userAdminAnyDatabase不再应用于localconfig数据库。

See also the clusterManager and clusterMonitor roles for access to the config and local databases.另请参阅clusterManagerclusterMonitor角色以获取对configlocal数据库的访问。

dbAdminAnyDatabase

Provides the same privileges as dbAdmin on all databases except local and config.在除localconfig之外的所有数据库上提供与dbAdmin相同的权限。The role also provides the listDatabases action on the cluster as a whole.该角色还提供对整个集群的listDatabases操作。

Changed in version 3.4:在版本3.4中更改:Prior to 3.4, dbAdminAnyDatabase includes local and config databases.在3.4之前,dbAdminDatabase包括localconfig数据库。To provide dbAdmin privileges on the local database, create a user in the admin database with dbAdmin role in the local database.要在local数据库上提供dbAdmin权限,请在admin数据库中创建一个在local数据库中具有dbAdmin角色的用户。

See also the clusterManager and clusterMonitor roles for access to the config and local databases.另请参阅clusterManager角色和clusterMonitor角色以获取对configlocal数据库的访问。

Superuser Roles超级用户角色

Several roles provide either indirect or direct system-wide superuser access.有几个角色提供间接或直接的系统级超级用户访问。

The following roles provide the ability to assign any user any privilege on any database, which means that users with one of these roles can assign themselves any privilege on any database:以下角色可以为任何用户分配任何数据库上的任何权限,这意味着具有这些角色之一的用户可以为自己分配任何数据库上的任何权限:

The following role provides full privileges on all resources:以下角色提供对所有资源的完全权限:

root

Provides access to the operations and all the resources of the following roles combined:提供对以下角色组合的操作和所有资源的访问:

Also provides the validate privilege action on system. collections.还在system.集合上提供alidate权限操作。

Changed in version 3.4:在版本3.4中更改:The root role includes privileges from the backup and restore roles.root角色包括backup角色和restore角色的权限。

Internal Role内部角色

__system

MongoDB assigns this role to user objects that represent cluster members, such as replica set members and mongos instances.MongoDB将此角色分配给表示集群成员的用户对象,例如副本集成员和mongos实例。The role entitles its holder to take any action against any object in the database.角色使其持有者有权对数据库中的任何对象执行任何操作。

Do not assign this role to user objects representing applications or human administrators, other than in exceptional circumstances.除非在特殊情况下,否则不要将此角色分配给表示应用程序或人员管理员的用户对象。

If you need access to all actions on all resources, for example to run applyOps commands, do not assign this role.如果需要访问所有资源上的所有操作(例如运行applyOps命令),请不要分配此角色。Instead, create a user-defined role that grants anyAction on anyResource and ensure that only the users who need access to these operations have this access.相反,创建一个用户定义的角色,授予对任何资源anyAction,并确保只有需要访问这些操作的用户才具有此访问权限。