Privilege actions define the operations a user can perform on a resource. A MongoDB privilege comprises a resource and the permitted actions. This page lists available actions grouped by common purpose.
MongoDB provides built-in roles with pre-defined pairings of resources and permitted actions. For lists of the actions granted, see Built-In Roles. To define custom roles, see Create a User-Defined Role.
find¶User can perform the following commands, and their equivalent helper methods:
- aggregate for all pipeline operations except $collStats, $out, and $indexStats.
- checkShardingIndex
- count
- dataSize
- distinct
- filemd5
- find
- geoSearch
- getLastError
- getMore
- killCursors, provided that the cursor is associated with a currently authenticated user.
- listCollections
- listIndexes
- mapReduce with the {out: inline} option.
- resetError (Deprecated)
Required for the query portion of the mapReduce command and db.collection.mapReduce() helper method when outputting to a collection.
Required for the query portion of the findAndModify command and db.collection.findAndModify helper method.
Required on the source collection for the cloneCollectionAsCapped and renameCollection commands and the db.collection.renameCollection() helper method.
If a user does not have the listDatabases privilege action, the user can still run the listDatabases command; what it returns depends on the MongoDB version:
- a list of databases for which the user has privileges (including databases for which the user has privileges on specific collections), if the command is run with the authorizedDatabases option unspecified or set to true;
- a list of databases for which the user has the find action privilege, if the command is run with the authorizedDatabases option unspecified or set to true;
- a list of databases for which the user has the find action privilege.
Apply this action to database or collection resources.
insert¶User can perform the following commands and their equivalent methods:
Required for the output portion of the mapReduce command and db.collection.mapReduce() helper method when outputting to a collection.
Required for the aggregate command and db.collection.aggregate() helper method when using the $out or $merge pipeline operator.
Required for the update and findAndModify commands and equivalent helper methods when used with the upsert option.
Required on the destination collection for the following commands and their helper methods:
Apply this action to database or collection resources.
remove¶User can perform the delete command and equivalent helper method.
Required for the write portion of the findAndModify command and db.collection.findAndModify() method.
Required for the mapReduce command and db.collection.mapReduce() helper method when you specify the replace action when outputting to a collection.
Required for the aggregate command and db.collection.aggregate() helper method when using the $out pipeline operator.
Apply this action to database or collection resources.
update¶User can perform the update command and equivalent helper methods.
Required for the mapReduce command and db.collection.mapReduce() helper method when outputting to a collection without specifying the replace action.
Required for the findAndModify command and db.collection.findAndModify() helper method.
Apply this action to database or collection resources.
bypassDocumentValidation¶New in version 3.2.
Users can bypass document validation on commands and methods that support the bypassDocumentValidation option. The following commands and their equivalent methods support bypassing document validation:
Apply this action to database or collection resources.
useUUID¶New in version 3.6.
User can execute the following commands using a UUID as if it were a namespace:
For example, this privilege authorizes a user to run the following command which executes a find command on a collection with the given UUID. In order to be successful, this operation also requires that the user is authorized to execute the find command on the collection namespace corresponding to the given UUID.
For more information on collection UUIDs, see Collections.
Apply this action to the cluster resource.
changeCustomData¶User can change the custom information of any user in the given database. Apply this action to database resources.
changeOwnCustomData¶Users can change their own custom information. Apply this action to database resources. See also Change Your Password and Custom Data.
changeOwnPassword¶Users can change their own passwords. Apply this action to database resources. See also Change Your Password and Custom Data.
changePassword¶User can change the password of any user in the given database. Apply this action to database resources.
createCollection¶User can perform the db.createCollection() method. Apply this action to database or collection resources.
createIndex¶Provides access to the db.collection.createIndex() method and the createIndexes command. Apply this action to database or collection resources.
createRole¶User can create new roles in the given database. Apply this action to database resources.
createUser¶User can create new users in the given database. Apply this action to database resources.
dropCollection¶User can perform the db.collection.drop() method. Apply this action to database or collection resources.
dropRole¶User can delete any role from the given database. Apply this action to database resources.
dropUser¶User can remove any user from the given database. Apply this action to database resources.
enableProfiler¶User can perform the db.setProfilingLevel() method. Apply this action to database resources.
grantRole¶User can grant any role in the database to any user from any database in the system. Apply this action to database resources.
killCursors¶Starting in MongoDB 4.2, users can always kill their own cursors, regardless of whether the users have the privilege to killCursors. As such, the killCursors privilege has no effect in MongoDB 4.2+.
In MongoDB 3.6.3 through MongoDB 4.0.x, users require the killCursors privilege to kill their own cursors when access control is enabled. Cursors are associated with the users at the time of cursor creation. Apply this action to collection resources.
killAnyCursor¶New in version 3.6.3.
User can kill any cursor, even cursors created by other users. Apply this action to collection resources.
revokeRole¶User can remove any role from any user from any database in the system. Apply this action to database resources.
setAuthenticationRestriction¶New in version 3.6.
User can specify the authenticationRestrictions field in the user document when running the following commands:
User can specify the authenticationRestrictions field in the role document when running the following commands:
Note
The following built-in roles grant this privilege:
- The userAdmin role provides this privilege on the database to which the role is assigned.
- The userAdminAnyDatabase role provides this privilege on all databases.
- Transitively, the restore and root roles also provide this privilege.
Apply this action to database resources.
unlock¶User can perform the db.fsyncUnlock() method. Apply this action to the cluster resource.
viewRole¶User can view information about any role in the given database. Apply this action to database resources.
viewUser¶User can view the information of any user in the given database. Apply this action to database resources.
authSchemaUpgrade¶User can perform the authSchemaUpgrade command. Apply this action to the cluster resource.
cleanupOrphaned¶User can perform the cleanupOrphaned command. Apply this action to the cluster resource.
cpuProfiler¶User can enable and use the CPU profiler. Apply this action to the cluster resource.
inprog¶User can use the db.currentOp() method to return information on pending and active operations. Apply this action to the cluster resource.
invalidateUserCache¶Provides access to the invalidateUserCache command. Apply this action to the cluster resource.
killop¶User can perform the db.killOp() method. Apply this action to the cluster resource.
planCacheRead¶User can run the following operations:
- $planCacheStats aggregation stage.
Apply this action to database or collection resources.
planCacheWrite¶User can perform the planCacheClear command and the PlanCache.clear() and PlanCache.clearPlansByQuery() methods. Apply this action to database or collection resources.
storageDetails¶User can perform the storageDetails command. Apply this action to database or collection resources.
changeStream¶A user with both the changeStream and find actions on a specific collection, on all non-system collections in a specific database, or on all non-system collections across all databases can open a change stream cursor for that resource.
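As an added example that is not part of the MongoDB documentation, the following Node.js script pre-checks a user-defined role's privilege list offline, before it is handed to db.createRole(): it flags an action granted on a resource kind other than the one this page documents for it, and it flags changeStream granted without find on the same resource, the pairing the changeStream section above requires. The ACTION_SCOPE table is a constructed subset of this page's actions, and the sample privileges are constructed.

```javascript
// Added example: offline lint for a user-defined role document, checking the
// privilege list against the resource scopes this page documents per action.
const ACTION_SCOPE = { // constructed subset of this page's action table
  find: ["database", "collection"],
  changeStream: ["database", "collection"],
  killAnyCursor: ["collection"],
  createUser: ["database"],
  inprog: ["cluster"],
  useUUID: ["cluster"],
};

// Classify a privilege's resource document into one of the page's kinds.
function resourceKind(resource) {
  if (resource.cluster === true) return "cluster";
  if (typeof resource.db === "string" && typeof resource.collection === "string") {
    return resource.collection === "" ? "database" : "collection";
  }
  return null; // anyResource and malformed documents are rejected by this lint
}

// Returns the list of problems found; an empty list means the role passes.
function checkRolePrivileges(privileges) {
  const problems = [];
  for (const { resource, actions } of privileges) {
    const kind = resourceKind(resource);
    const label = JSON.stringify(resource);
    if (kind === null) {
      problems.push(`unsupported resource ${label}`);
      continue;
    }
    for (const action of actions) {
      const allowed = ACTION_SCOPE[action];
      if (!allowed) problems.push(`unknown action ${action} on ${label}`);
      else if (!allowed.includes(kind)) problems.push(`${action} is not a ${kind} action (${label})`);
    }
    // A change stream needs both changeStream and find on the same resource.
    if (actions.includes("changeStream") && !actions.includes("find"))
      problems.push(`changeStream on ${label} also needs find on that resource`);
  }
  return problems;
}

// Constructed sample privileges: watch the inventory collection, plus one
// mistake (killAnyCursor is a collection action, granted here on the database).
const samplePrivileges = [
  { resource: { db: "shop", collection: "inventory" }, actions: ["find", "changeStream"] },
  { resource: { db: "shop", collection: "" }, actions: ["killAnyCursor"] },
];
const sampleProblems = checkRolePrivileges(samplePrivileges);
```

Running the lint in review catches an over-broad grant before it reaches the server, where a mis-scoped action would simply be accepted.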
appendOplogNote¶User can append notes to the oplog. Apply this action to the cluster resource.
replSetConfigure¶User can configure a replica set. Apply this action to the cluster resource.
replSetGetConfig¶User can view a replica set’s configuration. Provides access to the replSetGetConfig command and rs.conf() helper method.
Apply this action to the cluster resource.
replSetGetStatus¶User can perform the replSetGetStatus command. Apply this action to the cluster resource.
replSetHeartbeat¶User can perform the replSetHeartbeat command. Apply this action to the cluster resource.
replSetStateChange¶User can change the state of a replica set through the replSetFreeze, replSetMaintenance, replSetStepDown, and replSetSyncFrom commands. Apply this action to the cluster resource.
resync¶User can perform the resync command. Apply this action to the cluster resource.
clearJumboFlag¶Available starting in 4.2.3 and 4.0.15
Required to clear a chunk’s jumbo flag using the clearJumboFlag command. Apply this action to database or collection resources.
Included in the clusterManager built-in role.
enableSharding¶Applicable Resources
The action can apply to either the cluster resource or a database or collection resource:

| Resources | Description |
|---|---|
| cluster | Grants users privileges to perform the following operations: |
| database or collection | Starting in version 4.2.2, 4.0.14, 3.6.16. Grants users privileges to perform the following shard zone operations: You can also perform these shard zone operations if you have |
refineCollectionShardKey¶Provides privileges to refine the shard key for a sharded collection, i.e. to run the refineCollectionShardKey command. Apply this action to database or collection resources.
Included in the clusterManager built-in role.
New in version 4.4.
flushRouterConfig¶User can perform the flushRouterConfig command. Apply this action to the cluster resource.
getShardMap¶User can perform the getShardMap command. Apply this action to the cluster resource.
getShardVersion¶User can perform the getShardVersion command. Apply this action to database resources.
listShards¶User can perform the listShards command. Apply this action to the cluster resource.
moveChunk¶User can perform the moveChunk command. In addition, user can perform the movePrimary command provided that the privilege is applied to an appropriate database resource. Apply this action to database or collection resources.
removeShard¶User can perform the removeShard command. Apply this action to the cluster resource.
shardingState¶User can perform the shardingState command. Apply this action to the cluster resource.
splitChunk¶User can perform the splitChunk command and the mergeChunks command. Apply this action to database or collection resources.
splitVector¶User can perform the splitVector command. Apply this action to database or collection resources.
applicationMessage¶User can perform the logApplicationMessage command. Apply this action to the cluster resource.
closeAllDatabases¶User can perform the closeAllDatabases command. Apply this action to the cluster resource.
collMod¶User can perform the collMod command. Apply this action to database or collection resources.
compact¶User can perform the compact command. Apply this action to database or collection resources.
connPoolSync¶User can perform the connPoolSync command. Apply this action to the cluster resource.
convertToCapped¶User can perform the convertToCapped command. Apply this action to database or collection resources.
dropConnections¶User can perform the dropConnections command. Apply this action to the cluster resource.
dropDatabase¶User can perform the dropDatabase command. Apply this action to database resources.
dropIndex¶User can perform the dropIndexes command. Apply this action to database or collection resources.
forceUUID¶New in version 3.6.
User can create a collection with a user-defined collection UUID using the applyOps command.
Apply this action to the cluster resource.
getDefaultRWConcern¶User can issue the administrative getDefaultRWConcern command. Apply this action to the cluster resource.
getParameter¶User can perform the getParameter command. Apply this action to the cluster resource.
hostInfo¶Provides information about the server the MongoDB instance runs on. Apply this action to the cluster resource.
reIndex¶User can perform the reIndex command. Apply this action to database or collection resources.
renameCollectionSameDB¶Allows the user to rename collections on the current database using the renameCollection command. Apply this action to database resources.
Additionally, the user must either have find on the source collection or not have find on the destination collection.
If a collection with the new name already exists, the user must also have the dropCollection action on the destination collection.
setDefaultRWConcern¶User can issue the administrative setDefaultRWConcern command. Apply this action to the cluster resource.
setParameter¶User can perform the setParameter command. Apply this action to the cluster resource.
touch¶User can perform the touch command. Apply this action to the cluster resource.
impersonate¶New in version 3.6.
User can perform the killAllSessionsByPattern command with users and roles pattern. Apply this action to the cluster resource.
To run killAllSessionsByPattern command, users must also have killAnySession privileges on the cluster resource.
listSessions¶New in version 3.6.
User can perform the $listSessions operation or $listLocalSessions operation for all users or specified user(s). Apply this action to the cluster resource.
killAnySession¶New in version 3.6.
User can perform the killAllSessions and the killAllSessionsByPattern command. Apply this action to the cluster resource.
checkFreeMonitoringStatus¶User with this action on the cluster resource can check the status of Free Monitoring.
New in version 4.0.
setFreeMonitoring¶User with this action on the cluster resource can enable or disable Free Monitoring.
New in version 4.0.
collStats¶User can perform the collStats command. Apply this action to database or collection resources.
connPoolStats¶User can perform the connPoolStats and the deprecated shardConnPoolStats commands. Apply this action to the cluster resource.
cursorInfo¶User can perform the cursorInfo command. Apply this action to the cluster resource.
getCmdLineOpts¶User can perform the getCmdLineOpts command. Apply this action to the cluster resource.
indexStats¶User can perform the indexStats command. Apply this action to database or collection resources.
Changed in version 3.0. MongoDB 3.0 removes the indexStats command.
listDatabases¶User can perform the listDatabases command. Apply this action to the cluster resource.
If a user does not have the listDatabases privilege action, the user can still run the listDatabases command to return the databases on which the user has privileges; the exact rule depends on the MongoDB version and is described under the find action above.
listCollections¶User can perform the listCollections command. Apply this action to database resources.
Note
Starting in version 4.0, a user without the required privilege can run the listCollections command with both the authorizedCollections and nameOnly options set to true. In this case, the command returns just the name and type of the collection(s) on which the user has privileges.
listIndexes¶User can perform the listIndexes command. Apply this action to database or collection resources.
serverStatus¶User can perform the serverStatus command. Apply this action to the cluster resource.