MongoDB的内置角色 Built-In Roles
关于芒果的权限控制说白了就是定义 Role(角色) 来控制对数据库进行的操作(调用的方法比如查询方法find)。
系统内置的Role分为 以下几大类:
Database User Roles 这个是针对非系统数据库和部分系统表的角色组
Database Administration Roles 可以操作所有数据库
Cluster Administration Roles 管理员族 针对整个系统进行管理
Backup and Restoration Roles 备份还原角色组
All-Database Roles 角色里面有一些跟超管差不多了级别了,针对所有数据库的
Superuser Roles 超级管理员 不用多说了
Internal Role 内部系统角色,比超管牛,别乱设哦
翻译的很烂,凑合看吧,有纠正我的请留言。
MongoDB grants access to data and commands through role-based authorization and provides built-in roles that provide the different levels of access commonly needed in a database system. You can additionally createuser-defined roles.
芒果通过角色基本权限控制授予(用户)数据和命令的使用权,并且提供给内置角色数据系统一般需要的不同层次的权限。另外,你也可以创建用户定义角色。
A role grants privileges to perform sets of actions on defined resources. A given role applies to the database on which it is defined and can grant access down to a collection level of granularity.
一个角色授予权限去执行被定义资源的操作设定。一个给定的角色适用于被定义并且可以授予集合水平力度的数据库。
Each of MongoDB’s built-in roles defines access at the database level for all non-system collections in the role’s database and at the collection level for all system collections.
每个MongoDB的内置角色定义了访问数据库级的角色的数据库中所有非系统的集合和集合级别的系统集合。
MongoDB provides the built-in database user and database administration roles on every database. MongoDB provides all other built-in roles only on the admin
database.
芒果在每个数据库上提供了内置数据库用户和和数据库管理员角色。芒果仅仅在admin数据库上提供了所有其他内置角色。
This section describes the privileges for each built-in role. You can also view the privileges for a built-in role at any time by issuing the rolesInfo
command with the showPrivileges
and showBuiltinRoles
fields both set to true
.
这节描述了各个内置角色的权限。你可以发出rolesInfo的命令:把showPrivileges
和showBuiltinRoles
fields 设为true,在任何时间查看内置角色的权限。
Database User Roles
Every database includes the following client roles:
每个数据库都包含以下客户角色:
read
读
-
Provides the ability to read data on all non-system collections and on the following system collections:
system.indexes
,system.js
, andsystem.namespaces
collections. The role provides read access by granting the following actions:提供能力读取非系统集合和以下系统集合
system.indexes
,system.js
, andsystem.namespaces
的集合。该角色通过授予以下动作来提供读的权限:
Database Administration Roles
Every database includes the following database administration roles:
每个数据库都包含以下管理角色:
dbAdmin
数据库管理员
-
Provides the following actions on the database’s
system.indexes
,system.namespaces
, andsystem.profile
collections:为数据库的
system.indexes
,system.namespaces
,system.profile集合
提供以下操作:collStats
dbHash
dbStats
find
killCursors
listIndexes
listCollections
dropCollection
andcreateCollection
onsystem.profile
only
Changed in version 2.6.4:
dbAdmin
added thecreateCollection
for thesystem.profile
collection. Previous versions only had thedropCollection
on thesystem.profile
collection.更改于版本2.6.4:dbAdmin 为了
system.profile添加
createCollection。
更早的版本在
system.profile集合上只有
dropCollection
Provides the following actions on all non-system collections. This role does not include full read access on non-system collections:
dbOwner
数据库所有者
-
The database owner can perform any administrative action on the database. This role combines the privileges granted by the
readWrite
,dbAdmin
anduserAdmin
roles.数据库所有者可以执行数据库所有管理的操作。这个角色合并了
readWrite
,dbAdmin
,userAdmin角色的权限
userAdmin
- 用户管理员
-
Provides the ability to create and modify roles and users on the current database. This role also indirectly provides superuser access to either the database or, if scoped to the
admin
database, the cluster. TheuserAdmin
role allows users to grant any user any privilege, including themselves.提供在当前数据库创建和修改角色和用户的能力。这个角色也可以直接提供超级权限要么到数据库,要么,如果范围仅仅是admin数据库,这个簇群。用户管理员角色允许用户授权任意用户的权限,包括它们自己的。
-
The
userAdmin
role explicitly provides the following actions:用户管理员角色明确的提供以下的操作:
Cluster Administration Roles
The admin
database includes the following roles for administering the whole system rather than just a single database. These roles include but are not limited to replica set and sharded cluster administrative functions.
为了管理整个系统而不是仅仅单个数据库,admin数据库包括以下的角色。这些角色包括但不受 replica set 和sharded cluster 管理方法的限制
clusterAdmin
- 集群管理员
-
Provides the greatest cluster-management access. This role combines the privileges granted by the
clusterManager
,clusterMonitor
, andhostManager
roles. Additionally, the role provides thedropDatabase
action.提供最高集群管理权限。这个角色包括了
clusterManager
,clusterMonitor
,hostManager角色的权限,这个角色提供了
dropDatabase的操作。
clusterManager
集群管理者
-
Provides management and monitoring actions on the cluster. A user with this role can access the
config
andlocal
databases, which are used in sharding and replication, respectively.在集群上提供管理和监视操作。一个拥有此角色用户可以有权管理分别被用来共享、复制的设置和本地数据库
Provides the following actions on the cluster as a whole:
把集群看成一个整体的基础上提供以下操作:
addShard
applicationMessage
cleanupOrphaned
flushRouterConfig
listShards
removeShard
replSetConfigure
replSetGetStatus
replSetStateChange
resync
Provides the following actions on all databases in the cluster:
在集群中的所有数据库提供以下方法:
On the
config
database, provides the following actions on thesettings
collection:在配置数据库中, 为
settings集合
提供以下的
操作On the
config
database, provides the following actions on all configuration collections and on thesystem.indexes
,system.js
, andsystem.namespaces
collections:在配置数据库里,为configuration,
system.indexes
,system.js
,system.namespaces
集合提供以下操作:On the
local
database, provides the following actions on thereplset
collection:在本地数据库里,为
replset
集合提供以下操作:
clusterMonitor
集合监视者
-
Provides read-only access to monitoring tools, such as the MongoDB Cloud Manager and Ops Managermonitoring agent.
Provides the following actions on the cluster as a whole:
为监视工具提供只读的权限,包括 MongoDB Cloud Manager 和Ops Managermonitoring agent两个工具。
把集群看成一个整体的基础上提供以下操作:
connPoolStats
cursorInfo
getCmdLineOpts
getLog
getParameter
getShardMap
hostInfo
inprog
listDatabases
listShards
netstat
replSetGetStatus
serverStatus
shardingState
top
Provides the following actions on all databases in the cluster:
在集群中的所有数据库提供以下方法:
Provides the
find
action on allsystem.profile
collections in the cluster.Provides the following actions on the
config
database’s configuration collections andsystem.indexes
,system.js
, andsystem.namespaces
collections:为所有在集群里的
system.profile
集合提供find
操作:
hostManager
- 主机管理者
-
Provides the ability to monitor and manage servers.
提供监视和管理服务器的能力。
Provides the following actions on the cluster as a whole:
把集群看成一个整体的基础上提供以下操作:
applicationMessage
closeAllDatabases
connPoolSync
cpuProfiler
diagLogging
flushRouterConfig
fsync
invalidateUserCache
killop
logRotate
resync
setParameter
shutdown
touch
unlock
Provides the following actions on all databases in the cluster:
在集群中的所有数据库提供以下方法:
Backup and Restoration Roles
The admin
database includes the following roles for backing up and restoring data:
admin数据库包括以下备份和恢复的角色:
backup
备份
-
Provides minimal privileges needed for backing up data. This role provides sufficient privileges to use theMongoDB Cloud Manager backup agent, Ops Manager backup agent, or to use
mongodump
to back up an entiremongod
instance.提供最低的权限为了备份数据的需要。这个角色提供了足够的权限来使用MongoDB Cloud Manager 备份代理, Ops Manager代理,或者使用
mongodump来备份怎个
mongod实例。
Provides the following actions on the
mms.backup
collection in theadmin
database:为
admin
数据库的mms.backup集合提供以下操作:Provides the
listDatabases
action on the cluster as a whole.把集群看成一个整体的基础上提供
listDatabases
操作。Provides the
listCollections
action on all databases.在集群中的所有数据库提供
listCollections
方法。Provides the
listIndexes
action for all collections.在所有集合提供
listIndexes
方法。Provides the
bypassDocumentValidation
action for collections that have document validation.在有document validation的集合提供
listIndexes
方法。Provides the
find
action on the following:为以下提供
find
方法:- all non-system collections in the cluster
- 所有在集群里的所有非系统集合
- all the following system collections in the cluster:
system.indexes
,system.namespaces
, andsystem.js
- 所有在集群里的系统集合
system.indexes
,system.namespaces
,system.js
- the
admin.system.users
andadmin.system.roles
collections -
admin.system.users
和admin.system.roles
集合 - legacy
system.users
collections from versions of MongoDB prior to 2.6 - 在2.6版本之前遗留的
system.users
集合
To back up the
system.profile
collection, which is created when you activate database profiling, you must have additionalread
access on this collection. Several roles provide this access, including theclusterAdmin
anddbAdmin
roles.为了备份当你启用了数据压缩时被创建的
system.profile集合,对这个集合你必须获得额外的读取权限。若干角色提供这个权限,包括
clusterAdmin
和dbAdmin角色。
restore
还原
-
Provides privileges needed to restore data from backups. This role is sufficient when restoring data with
mongorestore
without the --oplogReplay option. If runningmongorestore
with --oplogReplay, however, therestore
role is insufficient to replay the oplog. To replay the oplog, create a user-defined role that hasanyAction
on anyResource and grant only to users who must runmongorestore
with --oplogReplay.提供还原备份所需权限。这个角色在没有设置--oplogReplay 选项的时候有充足的权限使用
mongorestore
还原数据。如果在运行mongorestore设置了--oplogReplay 选项,
restore
角色无论如何没有充足的权限应用操作日志。Provides the following actions on all non-system collections and
system.js
collections in the cluster; on theadmin.system.users
andadmin.system.roles
collections in theadmin
database; and on legacysystem.users
collections from versions of MongoDB prior to 2.6:为集群中的非系统集合,
system.js
集合admin数据库的admin.system.users
和admin.system.roles集合和2.6版本之前遗留的system.users集合
提供了以下操作:Provides the
listCollections
action on all databases.为所有数据库提供
listCollections操作
Provides the following additional actions on
admin.system.users
and legacysystem.users
collections:为
admin.system.users
和遗留的system.users
collections提供额外的操作:Provides the
find
action on all thesystem.namespaces
collections in the cluster.为集群的
system.namespaces
集合提供
。find
操作Although,
restore
includes the ability to modify the documents in theadmin.system.users
collection using normal modification operations, only modify these data using the user management methods.虽然restore角色包含了可以使用普通修改方法去修改
admin.system.users集合内文档的能力,但是仅仅只能使用 用户管理方法修改这些数据。
All-Database Roles
The admin
database provides the following roles that apply to all databases in a mongod
instance and are roughly equivalent to their single-database equivalents:
admin数据库提供了以下角色适用于一个mongod
实例所有数据库,这些角色基本相当于它们的单独数据库。
readAnyDatabase
- 读任何数据库
-
Provides the same read-only permissions as
read
, except it applies to all databases in the cluster. The role also provides thelistDatabases
action on the cluster as a whole.提供和read角色一样的只读权限,除了适用于集群内所有数据库这个特性。这个角色也为整个集群提供
listDatabases
操作。
readWriteAnyDatabase
读写任何数据库
-
Provides the same read and write permissions as
readWrite
, except it applies to all databases in the cluster. The role also provides thelistDatabases
action on the cluster as a whole.提供和readWrite角色一样的读写权限,除了适用于集群内所有数据库这个特性。这个角色也为整个集群提供
listDatabases
操作。
userAdminAnyDatabase
用户管理任何数据库
-
Provides the same access to user administration operations as
userAdmin
, except it applies to alldatabases in the cluster. The role also provides the following actions on the cluster as a whole:提供和userAdmin角色一样的读写权限,除了适用于集群内所有数据库这个特性。这个角色也为整个集群提供以下操作:
The role also provides the following actions on the
admin.system.users
andadmin.system.roles
collections on theadmin
database, and on legacysystem.users
collections from versions of MongoDB prior to 2.6:该角色也为原有早于2.6版本的admin数据库的
admin.system.users
和admin.system.roles集合
提供了以下操作:Changed in version 2.6.4:
userAdminAnyDatabase
added the following permissions on theadmin.system.users
andadmin.system.roles
collections:在版本2.6.4的更改:
userAdminAnyDatabase
角色添加了对admin.system.users
和admin.system.roles的权限。
The
userAdminAnyDatabase
role does not restrict the permissions that a user can grant. As a result,userAdminAnyDatabase
users can grant themselves privileges in excess of their current privileges and even can grant themselves all privileges, even though the role does not explicitly authorize privileges beyond user administration. This role is effectively a MongoDB system superuser.userAdminAnyDatabase
角色没有限制用户可以授予的权限。结果是,userAdminAnyDatabase
的用户们可以授予它们自己比现在更多的权限,甚至是所有权限,甚至不需要明确的设置超过用户管理员权限。这个角色实际上是芒果系统的超级用户。
dbAdminAnyDatabase
任意数据库管理员
-
Provides the same access to database administration operations as
dbAdmin
, except it applies to alldatabases in the cluster. The role also provides thelistDatabases
action on the cluster as a whole.提供和dbAdmin角色一样的读写权限,除了适用于集群内所有数据库这个特性。这个角色也为整个集群提供
listDatabases
操作。
Superuser Roles
Several roles provide either indirect or direct system-wide superuser access.
若干角色提供了直接的或者全系统直接的超级用户权限。
The following roles provide the ability to assign any user any privilege on any database, which means that users with one of these roles can assign themselves any privilege on any database:
下面的角色提供了任何数据任何用户的任何权限的能力,拥有这个角色的用户可以在任何数据库上定义它们自己的权限。
dbOwner
role, when scoped to theadmin
database 作用于admin数据库时userAdmin
role, when scoped to theadmin
database 作用于admin数据库时userAdminAnyDatabase
role
The following role provides full privileges on all resources:
下面的角色提供了全部资源的全部权限:
root
-
Provides access to the operations and all the resources of the
readWriteAnyDatabase
,dbAdminAnyDatabase
,userAdminAnyDatabase
,clusterAdmin
roles,restore
combined.提供了所有资源的所有操作,包括
readWriteAnyDatabase
,dbAdminAnyDatabase
,userAdminAnyDatabase
,clusterAdmin
,restore 角色的权限。
Changed in version 3.0.7: The
root
hasvalidate
action onsystem.
collections. Previously,root
does not include any access to collections that begin with thesystem.
prefix.3.0.7版本修改了:root角色在系统上有
validate操作的权限,在以前的版本中,root角色没有包含system.前缀集合的权限。
The
root
includes privileges fromrestore
.root角色包括了restore角色的权限。
Internal Role
__system
系统角色
-
MongoDB assigns this role to user objects that represent cluster members, such as replica set members and
mongos
instances. The role entitles its holder to take any action against any object in the database.芒果为集群成员的用户对象分配了这个角色,就像副本复本集成员和
mongos的实例们。这个角色有权使其持有者对任何数据库对象进行任意操作。
Do not assign this role to user objects representing applications or human administrators, other than in exceptional circumstances.
If you need access to all actions on all resources, for example to run
applyOps
commands, do not assign this role. Instead, create a user-defined role that grantsanyAction
on anyResource and ensure that only the users who need access to these operations have this access.不要给应用程序或者管理人员分配这个角色,除了特殊情况。如果你需要对所有资源进行所有操作,举个例子,运行
applyOps命令,不要分配这个角色。反之,create a user-defined role 这个操作需要 anyResource 的
anyAction
授权,确保只有需要这些操作的用户拥有这个权限。