system.roles Collection

The system.roles collection in the admin database stores the user-defined roles. To create and manage these user-defined roles, MongoDB provides role management commands.

system.roles Schema

The documents in the system.roles collection have the following schema:

{
  _id: <system-defined id>,
  role: "<role name>",
  db: "<database>",
  privileges:
      [
          {
              resource: { <resource> },
              actions: [ "<action>", ... ]
          },
          ...
      ],
  roles:
      [
          { role: "<role name>", db: "<database>" },
          ...
      ]
}

A system.roles document has the following fields:

admin.system.roles.role

The role field is a string that specifies the name of the role.

admin.system.roles.db

The db field is a string that specifies the database to which the role belongs. MongoDB uniquely identifies each role by the pairing of its name (i.e. role) and its database.

admin.system.roles.privileges

The privileges array contains the privilege documents that define the privileges for the role.

A privilege document has the following syntax:

{
  resource: { <resource> },
  actions: [ "<action>", ... ]
}

Each privilege document has the following fields:

admin.system.roles.privileges[n].resource

A document that specifies the resources upon which the privilege actions apply. The document has one of the following forms:

{ db: <database>, collection: <collection> }

or

{ cluster : true }

See Resource Document for more details.

admin.system.roles.privileges[n].actions

An array of actions permitted on the resource. For a list of actions, see Privilege Actions.

admin.system.roles.roles

The roles array contains role documents that specify the roles from which this role inherits privileges.

A role document has the following syntax:

{ role: "<role name>", db: "<database>" }

A role document has the following fields:

admin.system.roles.roles[n].role

The name of the role. A role can be a built-in role provided by MongoDB or a user-defined role.

admin.system.roles.roles[n].db

The name of the database where the role is defined.

Examples

Consider the following sample documents found in the system.roles collection of the admin database.

A User-Defined Role Specifies Privileges

The following is a sample document for a user-defined role appUser defined for the myApp database:

{
  _id: "myApp.appUser",
  role: "appUser",
  db: "myApp",
  privileges: [
       { resource: { db: "myApp" , collection: "" },
         actions: [ "find", "createCollection", "dbStats", "collStats" ] },
       { resource: { db: "myApp", collection: "logs" },
         actions: [ "insert" ] },
       { resource: { db: "myApp", collection: "data" },
         actions: [ "insert", "update", "remove", "compact" ] },
       { resource: { db: "myApp", collection: "system.js" },
         actions: [ "find" ] },
  ],
  roles: []
}

The privileges array lists the four privileges that the appUser role specifies:

  • The first privilege permits its actions ( "find", "createCollection", "dbStats", "collStats") on all the collections in the myApp database excluding its system collections. See Specify a Database as Resource.
  • The next two privileges permit additional actions on specific collections, logs and data, in the myApp database. See Specify a Collection of a Database as Resource.
  • The last privilege permits the find action on one system collection, system.js, in the myApp database. While the first privilege gives database-wide permission for the find action, that permission does not extend to myApp's system collections. To give access to a system collection, a privilege must name the collection explicitly. See Resource Document.

As indicated by the empty roles array, appUser inherits no additional privileges from other roles.

User-Defined Role Inherits from Other Roles

The following is a sample document for a user-defined role appAdmin defined for the myApp database. The document shows that the appAdmin role specifies its own privileges and also inherits privileges from another role:

{
  _id: "myApp.appAdmin",
  role: "appAdmin",
  db: "myApp",
  privileges: [
      {
         resource: { db: "myApp", collection: "" },
         actions: [ "insert", "dbStats", "collStats", "compact" ]
      }
  ],
  roles: [
      { role: "appUser", db: "myApp" }
  ]
}

The privileges array lists the privileges that the appAdmin role specifies. This role has a single privilege that permits its actions ( "insert", "dbStats", "collStats", "compact") on all the collections in the myApp database excluding its system collections. See Specify a Database as Resource.

The roles array lists the roles, identified by role name and database, from which the appAdmin role inherits privileges. Because appAdmin inherits from appUser, it holds the union of its own privileges and those of appUser: for example, "find" on the non-system collections of myApp and "update" on myApp.data come from appUser, while "compact" on every non-system collection of myApp comes from appAdmin's own privilege.
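The schema description and the two sample roles above describe how privileges and inheritance combine, but the page never shows the resolution being performed. The following is an added example, not MongoDB's own authorization code and not part of the original page: it validates a system.roles document against the schema described here, flattens a role's inheritance graph into its effective privilege list, and answers an access question against the page's own appUser and appAdmin documents (embedded verbatim so the script runs offline without a mongod). The cycle guard, the treatment of an unresolvable role reference as an error, and the names validateRoleDoc, effectivePrivileges, resourceCovers and isAllowed are this example's own choices; built-in roles are not stored in system.roles and are not expanded.

```javascript
'use strict';
// Added example: resolve effective privileges from system.roles documents and
// check an access request against them. Illustrative only; not MongoDB's own
// authorization logic. The two documents are the page's sample appUser and
// appAdmin roles, embedded so the script runs offline.

const SYSTEM_ROLES = [
  {
    _id: 'myApp.appUser', role: 'appUser', db: 'myApp',
    privileges: [
      { resource: { db: 'myApp', collection: '' },
        actions: ['find', 'createCollection', 'dbStats', 'collStats'] },
      { resource: { db: 'myApp', collection: 'logs' }, actions: ['insert'] },
      { resource: { db: 'myApp', collection: 'data' },
        actions: ['insert', 'update', 'remove', 'compact'] },
      { resource: { db: 'myApp', collection: 'system.js' }, actions: ['find'] },
    ],
    roles: [],
  },
  {
    _id: 'myApp.appAdmin', role: 'appAdmin', db: 'myApp',
    privileges: [
      { resource: { db: 'myApp', collection: '' },
        actions: ['insert', 'dbStats', 'collStats', 'compact'] },
    ],
    roles: [{ role: 'appUser', db: 'myApp' }],
  },
];

// Check that a document has the shape described on this page. Returns a list
// of problems; an empty list means the document is well-formed.
function validateRoleDoc(doc) {
  const problems = [];
  if (typeof doc.role !== 'string' || doc.role === '') problems.push('role must be a non-empty string');
  if (typeof doc.db !== 'string' || doc.db === '') problems.push('db must be a non-empty string');
  if (!Array.isArray(doc.privileges)) problems.push('privileges must be an array');
  else doc.privileges.forEach((p, i) => {
    const r = p.resource;
    const nsForm = !!r && typeof r.db === 'string' && typeof r.collection === 'string';
    const clusterForm = !!r && r.cluster === true && Object.keys(r).length === 1;
    if (!nsForm && !clusterForm) problems.push(`privileges[${i}].resource must be {db, collection} or {cluster: true}`);
    if (!Array.isArray(p.actions) || p.actions.some(a => typeof a !== 'string'))
      problems.push(`privileges[${i}].actions must be an array of strings`);
  });
  if (!Array.isArray(doc.roles)) problems.push('roles must be an array');
  else doc.roles.forEach((r, i) => {
    if (typeof r.role !== 'string' || typeof r.db !== 'string') problems.push(`roles[${i}] must be {role, db}`);
  });
  return problems;
}

// Roles are identified by the (role, db) pair; the name alone is not unique.
function findRole(roles, ref) {
  return roles.find(r => r.role === ref.role && r.db === ref.db);
}

// Flatten the inheritance graph into one privilege list. `seen` guards against
// cycles so a malformed collection cannot send the resolver into infinite
// recursion. Built-in roles are not in system.roles and are not expanded here;
// a reference that cannot be resolved is reported rather than silently ignored.
function effectivePrivileges(roles, ref, seen = new Set()) {
  const key = `${ref.db}.${ref.role}`;
  if (seen.has(key)) return [];
  seen.add(key);
  const doc = findRole(roles, ref);
  if (!doc) throw new Error(`role ${key} is not defined in system.roles`);
  const out = [...doc.privileges];
  for (const parent of doc.roles) out.push(...effectivePrivileges(roles, parent, seen));
  return out;
}

// Resource matching for the two resource forms shown on this page. A
// database-wide resource (collection: "") covers every collection in that
// database except system.* collections; a system collection is covered only
// when a privilege names it explicitly.
function resourceCovers(resource, req) {
  if (resource.cluster === true) return req.cluster === true;
  if (req.cluster === true) return false;
  if (resource.db !== req.db) return false;
  if (resource.collection === '') return !req.collection.startsWith('system.');
  return resource.collection === req.collection;
}

// req is either { db, collection, action } or { cluster: true, action }.
function isAllowed(roles, ref, req) {
  return effectivePrivileges(roles, ref).some(
    p => resourceCovers(p.resource, req) && p.actions.includes(req.action));
}
```

The privileges and roles arrays checked here are the same arrays you pass to db.createRole() when defining such a role, so the validator can be run over a role definition before it is created as well as over documents read back from admin.system.roles.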