Notes on roles and permissions in the MongoDB database

MongoDB grants access one privilege at a time, through roles. The way I understand it, an account has its own permissions and a database has its own permissions: the two sides are separate but linked (a user is created in one database and is assigned roles that are each scoped to a database), so each side has to be configured in its own right, which is better for security. It is the same idea as a supervisor, a manager and an ordinary employee each having their own permissions.

The roles I have understood so far while learning MongoDB are listed below (this uses version 3.2; other versions differ considerably).

I will gradually translate this into Chinese later, which also exercises my English reading.

Database User Roles

read

Provides the ability to read data on all non-system collections and on the following system collections: system.indexes, system.js, and system.namespaces.

For the specific privileges granted by the role, see read.

readWrite

Provides all the privileges of the read role and the ability to modify data on all non-system collections and the system.js collection.

For the specific privileges granted by the role, see readWrite.

Database Administration Roles

dbAdmin

Provides the ability to perform administrative tasks such as schema-related tasks, indexing, and gathering statistics. This role does not grant privileges for user and role management.

For the specific privileges granted by the role, see dbAdmin.

dbOwner

Provides the ability to perform any administrative action on the database. This role combines the privileges granted by the readWrite, dbAdmin and userAdmin roles.

For the specific privileges granted by the role, see dbOwner.

userAdmin

Provides the ability to create and modify roles and users on the current database. Since the userAdmin role allows users to grant any privilege to any user, including themselves, the role also indirectly provides superuser access to either the database or, if scoped to the admin database, the cluster.

For the specific privileges granted by the role, see userAdmin.

 

Cluster Administration Roles

The admin database includes the following roles for administering the whole system rather than a specific database. These roles include but are not limited to replica set and sharded cluster administrative functions.

clusterAdmin

Provides the greatest cluster-management access. This role combines the privileges granted by the clusterManager, clusterMonitor, and hostManager roles. Additionally, the role provides the dropDatabase action.

For the specific privileges granted by the role, see clusterAdmin.

clusterManager

Provides management and monitoring actions on the cluster. A user with this role can access the config and local databases, which are used in sharding and replication, respectively.

For the specific privileges granted by the role, see clusterManager.

clusterMonitor

Provides read-only access to monitoring tools, such as the MongoDB Cloud Manager and Ops Manager monitoring agent.

For the specific privileges granted by the role, see clusterMonitor.

hostManager

Provides the ability to monitor and manage servers.

For the specific privileges granted by the role, see hostManager.

 

Backup and Restoration Roles

The admin database includes the following roles for backing up and restoring data:
backup

Provides privileges needed to back up data except for the system.profile collection. This role provides sufficient privileges to use the MongoDB Cloud Manager backup agent, Ops Manager backup agent, or to use mongodump.

For the specific privileges granted by the role, see backup.

restore

Provides privileges needed to restore data with mongorestore without the --oplogReplay option.

For the specific privileges granted by the role, see restore.

 

All-Database Roles

The admin database provides the following roles that apply to all databases in a mongod instance and are roughly equivalent to their single-database equivalents:
readAnyDatabase

Provides the same read-only permissions as read, except it applies to all databases in the cluster. The role also provides the listDatabases action on the cluster as a whole.

For the specific privileges granted by the role, see readAnyDatabase.

readWriteAnyDatabase

Provides the same read and write permissions as readWrite, except it applies to all databases in the cluster. The role also provides the listDatabases action on the cluster as a whole.

For the specific privileges granted by the role, see readWriteAnyDatabase.

userAdminAnyDatabase

Provides the same access to user administration operations as userAdmin, except it applies to all databases in the cluster.

Since the userAdminAnyDatabase role allows users to grant any privilege to any user, including themselves, the role also indirectly provides superuser access.

For the specific privileges granted by the role, see userAdminAnyDatabase.

dbAdminAnyDatabase

Provides the same access to database administration operations as dbAdmin, except it applies to all databases in the cluster. The role also provides the listDatabases action on the cluster as a whole.

For the specific privileges granted by the role, see dbAdminAnyDatabase.

 

Superuser Roles

The following role provides full privileges on all resources:
root

Provides access to the operations and all the resources of the readWriteAnyDatabase, dbAdminAnyDatabase, userAdminAnyDatabase and clusterAdmin roles combined.

For the specific privileges granted by the role, see root.

 

Internal Role
__system

Provides privileges to take any action against any object in the database.

Do not assign this role to user objects representing applications or human administrators, other than in exceptional circumstances.

For more information, see __system.

The above is the official description; it will be updated here if it changes.
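As an added example (it is not code from the original post or from the MongoDB documentation), the following Node.js script shows two practical uses of the list above: building the document that the shell's db.createUser() takes for a least-privilege user, and auditing the list that db.getUsers() returns for assignments that are effectively superuser according to the descriptions of userAdmin, dbOwner, userAdminAnyDatabase, root and __system. It runs offline against a constructed user list; the database name "orders", the user names, and the helper names userSpec, escalation and auditUsers are assumptions of this example, not anything MongoDB ships.

```javascript
// Added example, not code from the original post or the MongoDB docs: build
// least-privilege user specs in the shape db.createUser() accepts, and audit a
// user list (the shape db.getUsers() returns) for role assignments that are
// effectively superuser according to the built-in role descriptions.
// The database name "orders" and every user name below are constructed.

// Roles described as full access to every resource, plus userAdminAnyDatabase,
// which can grant any privilege to any user on any database (cluster-wide).
const CLUSTER_SUPERUSER_ROLES = new Set(["root", "__system", "userAdminAnyDatabase"]);

// userAdmin can grant any privilege to any user on its database, including the
// caller; dbOwner includes userAdmin. Scoped to "admin", that is the cluster.
const ESCALATING_DB_ROLES = new Set(["userAdmin", "dbOwner"]);

// db.createUser() accepts a bare role name (scoped to the current database)
// or a { role, db } document; normalise both forms to { role, db }.
function normalizeRole(entry, currentDb) {
  if (typeof entry === "string") {
    return { role: entry, db: currentDb };
  }
  return { role: entry.role, db: entry.db };
}

// Argument document for db.createUser(). The password is a placeholder:
// never embed a real one in a script; supply it interactively at creation time.
function userSpec(user, roles, currentDb) {
  return {
    user: user,
    pwd: "<set at creation time>",
    roles: roles.map((r) => normalizeRole(r, currentDb)),
  };
}

// Classify one { role, db } assignment:
//   "cluster"  -> effectively superuser on the whole deployment
//   "database" -> can escalate to any privilege on that one database
//   null       -> the role description mentions no indirect escalation
function escalation(assignment) {
  const { role, db } = assignment;
  if (CLUSTER_SUPERUSER_ROLES.has(role)) {
    return "cluster";
  }
  if (ESCALATING_DB_ROLES.has(role)) {
    return db === "admin" ? "cluster" : "database";
  }
  return null;
}

// Audit users as db.getUsers() returns them ({ user, db, roles: [{ role, db }] })
// and return one finding per escalating assignment, in input order.
function auditUsers(users) {
  const findings = [];
  for (const u of users) {
    for (const r of u.roles) {
      const level = escalation(r);
      if (level !== null) {
        findings.push({ user: `${u.user}@${u.db}`, role: r.role, on: r.db, level: level });
      }
    }
  }
  return findings;
}

// Constructed sample of what db.getUsers() on the admin database might return.
const SAMPLE_USERS = [
  { user: "app_rw", db: "orders", roles: [{ role: "readWrite", db: "orders" }] },
  { user: "backup_svc", db: "admin", roles: [{ role: "backup", db: "admin" }] },
  { user: "ops", db: "admin", roles: [{ role: "clusterMonitor", db: "admin" }, { role: "userAdmin", db: "orders" }] },
  { user: "sa", db: "admin", roles: [{ role: "userAdminAnyDatabase", db: "admin" }] },
];

console.log(JSON.stringify(userSpec("app_rw", ["readWrite"], "orders")));
console.log(auditUsers(SAMPLE_USERS));
```

In the sample, ops@admin is reported at "database" level only because its userAdmin role is scoped to orders; the same role on the admin database is reported as "cluster", which is why a userAdmin on admin should be protected exactly like root. The app user and the backup service user produce no findings, since read, readWrite, backup and clusterMonitor carry no user-management actions.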


users collection (each user stores the ids of its roles):
{
    _id : ...,
    username : ...,
    roles : [roleId1, roleId2, ...]
}

roles collection (each role also stores the ids of its users):
{
    _id : ...,
    name : ...,
    users : [userId1, userId2, ...]
}

Because membership is stored on both sides, adding a user to a role or removing one must update both documents, otherwise the two arrays drift apart.

Query all roles of a given user:
// look the user up first, then fetch every role whose _id appears in the user's roles array
user = db.users.findOne({_id : ...});
roles = db.roles.find({_id : {$in : user.roles}}).toArray();
