Put simply, MongoDB's access control comes down to defining Roles that control which operations (which methods, for example the query method find) may be performed on the database.
The system's built-in Roles fall into the following major groups:
Database User Roles: roles for non-system databases and some system collections
Database Administration Roles: can operate on all databases
Cluster Administration Roles: the administrator family, for managing the whole system
Backup and Restoration Roles: the backup and restore role group
All-Database Roles: some of these are close to superuser level; they apply to all databases
Superuser Roles: the superuser, no explanation needed
Internal Role: the internal system role, more powerful than the superuser; do not assign it casually
The translation is rough; make do with it, and leave a comment if you have corrections.
MongoDB grants access to data and commands through role-based authorization and provides built-in roles that provide the different levels of access commonly needed in a database system. You can additionally create user-defined roles.
A role grants privileges to perform sets of actions on defined resources. A given role applies to the database on which it is defined and can grant access down to a collection level of granularity.
Each of MongoDB's built-in roles defines access at the database level for all non-system collections in the role's database and at the collection level for all system collections.
MongoDB provides the built-in database user and database administration roles on every database. MongoDB provides all other built-in roles only on the admin database.
This section describes the privileges for each built-in role. You can also view the privileges for a built-in role at any time by issuing the rolesInfo command with the showPrivileges and showBuiltinRoles fields both set to true.
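The rolesInfo command above returns each role's privileges (own and inherited) as resource/action pairs. The following is an added example, not code from the original post or from MongoDB: it builds the command document described here and flattens a reply so that a reviewer can see, per resource, which actions a role effectively grants. The sample reply is constructed to mirror the dbAdmin privileges listed on this page, and the function names (rolesInfoCommand, flattenPrivileges, rolesGranting) are this example's own.

```javascript
// Added example (not from the original post or from MongoDB).
// Command document for: db.runCommand(rolesInfoCommand("dbAdmin"))
// Pass 1 instead of a name to list every role on the current database.
function rolesInfoCommand(roleSpec) {
  return { rolesInfo: roleSpec, showPrivileges: true, showBuiltinRoles: true };
}

// Turn a privilege's resource document into a stable string key.
// An empty db or collection string means "all" in rolesInfo output.
function resourceKey(resource) {
  if (resource.cluster) return "cluster";
  if (resource.anyResource) return "anyResource";
  const db = resource.db === "" ? "<all dbs>" : resource.db;
  const coll = resource.collection === "" ? "<all collections>" : resource.collection;
  return `${db}.${coll}`;
}

// Merge a role's own privileges with the ones it inherits, giving
// { resourceKey: Set(actions) }. Inherited privileges matter: a role that
// looks harmless by its own privileges may inherit far more.
function flattenPrivileges(roleDoc) {
  const merged = {};
  const all = [...(roleDoc.privileges || []), ...(roleDoc.inheritedPrivileges || [])];
  for (const p of all) {
    const key = resourceKey(p.resource);
    merged[key] = merged[key] || new Set();
    for (const a of p.actions) merged[key].add(a);
  }
  return merged;
}

// Which roles in a rolesInfo reply grant `action` on any resource at all?
function rolesGranting(reply, action) {
  return reply.roles
    .filter(r => Object.values(flattenPrivileges(r)).some(s => s.has(action)))
    .map(r => `${r.role}@${r.db}`);
}

// Constructed sample shaped like a rolesInfo reply for dbAdmin on database
// "app", using the system-collection actions listed on this page.
const SAMPLE_REPLY = {
  roles: [{
    role: "dbAdmin", db: "app", isBuiltin: true, roles: [], inheritedRoles: [],
    privileges: [
      { resource: { db: "app", collection: "system.indexes" },
        actions: ["collStats", "dbHash", "dbStats", "find", "killCursors",
                  "listIndexes", "listCollections"] },
      { resource: { db: "app", collection: "system.profile" },
        actions: ["collStats", "dbHash", "dbStats", "find", "killCursors",
                  "listIndexes", "listCollections", "dropCollection", "createCollection"] },
    ],
    inheritedPrivileges: [],
  }],
  ok: 1,
};

// Stand-alone run: print the flattened view of the sample.
for (const [res, acts] of Object.entries(flattenPrivileges(SAMPLE_REPLY.roles[0]))) {
  console.log(res, "=>", [...acts].join(", "));
}
```

In a live deployment the reply comes from db.runCommand(rolesInfoCommand(1)) on each database; flattening it this way makes it easy to search for actions such as dropDatabase or anyAction across every role rather than reading the nested documents by hand.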
Every database includes the following client roles:
read
Provides the ability to read data on all non-system collections and on the following system collections: system.indexes, system.js, and system.namespaces. The role provides read access by granting the following actions:
Every database includes the following database administration roles:
dbAdmin
Provides the following actions on the database's system.indexes, system.namespaces, and system.profile collections:
collStats
dbHash
dbStats
find
killCursors
listIndexes
listCollections
dropCollection and createCollection on system.profile only
Changed in version 2.6.4: dbAdmin added the createCollection action for the system.profile collection. Previous versions only had the dropCollection action on the system.profile collection.
Provides the following actions on all non-system collections. This role does not include full read access on non-system collections:
dbOwner
The database owner can perform any administrative action on the database. This role combines the privileges granted by the readWrite, dbAdmin and userAdmin roles.
userAdmin
Provides the ability to create and modify roles and users on the current database. This role also indirectly provides superuser access to either the database or, if scoped to the admin database, the cluster. The userAdmin role allows users to grant any user any privilege, including themselves.
The userAdmin role explicitly provides the following actions:
The admin database includes the following roles for administering the whole system rather than just a single database. These roles include but are not limited to replica set and sharded cluster administrative functions.
clusterAdmin
Provides the greatest cluster-management access. This role combines the privileges granted by the clusterManager, clusterMonitor, and hostManager roles. Additionally, the role provides the dropDatabase action.
clusterManager
Provides management and monitoring actions on the cluster. A user with this role can access the config and local databases, which are used in sharding and replication, respectively.
Provides the following actions on the cluster as a whole:
addShard
applicationMessage
cleanupOrphaned
flushRouterConfig
listShards
removeShard
replSetConfigure
replSetGetStatus
replSetStateChange
resync
Provides the following actions on all databases in the cluster:
On the config database, provides the following actions on the settings collection:
On the config database, provides the following actions on all configuration collections and on the system.indexes, system.js, and system.namespaces collections:
On the local database, provides the following actions on the replset collection:
clusterMonitor
Provides read-only access to monitoring tools, such as the MongoDB Cloud Manager and Ops Manager monitoring agent.
Provides the following actions on the cluster as a whole:
connPoolStats
cursorInfo
getCmdLineOpts
getLog
getParameter
getShardMap
hostInfo
inprog
listDatabases
listShards
netstat
replSetGetStatus
serverStatus
shardingState
top
Provides the following actions on all databases in the cluster:
Provides the find action on all system.profile collections in the cluster.
Provides the following actions on the config database's configuration collections and system.indexes, system.js, and system.namespaces collections:
hostManager
Provides the ability to monitor and manage servers.
Provides the following actions on the cluster as a whole:
applicationMessage
closeAllDatabases
connPoolSync
cpuProfiler
diagLogging
flushRouterConfig
fsync
invalidateUserCache
killop
logRotate
resync
setParameter
shutdown
touch
unlock
Provides the following actions on all databases in the cluster:
The admin database includes the following roles for backing up and restoring data:
backup
Provides minimal privileges needed for backing up data. This role provides sufficient privileges to use the MongoDB Cloud Manager backup agent, Ops Manager backup agent, or to use mongodump to back up an entire mongod instance.
Provides the following actions on the mms.backup collection in the admin database:
Provides the listDatabases action on the cluster as a whole.
Provides the listCollections action on all databases.
Provides the listIndexes action for all collections.
Provides the bypassDocumentValidation action for collections that have document validation.
Provides the find action on the following:
system.indexes, system.namespaces, and system.js collections
admin.system.users and admin.system.roles collections
system.users collections from versions of MongoDB prior to 2.6
To back up the system.profile collection, which is created when you activate database profiling, you must have additional read access on this collection. Several roles provide this access, including the clusterAdmin and dbAdmin roles.
restore
Provides privileges needed to restore data from backups. This role is sufficient when restoring data with mongorestore without the --oplogReplay option. If running mongorestore with --oplogReplay, however, the restore role is insufficient to replay the oplog. To replay the oplog, create a user-defined role that has anyAction on anyResource and grant it only to users who must run mongorestore with --oplogReplay.
Provides the following actions on all non-system collections and system.js collections in the cluster; on the admin.system.users and admin.system.roles collections in the admin database; and on legacy system.users collections from versions of MongoDB prior to 2.6:
Provides the listCollections action on all databases.
Provides the following additional actions on admin.system.users and legacy system.users collections:
Provides the find action on all the system.namespaces collections in the cluster.
Although restore includes the ability to modify the documents in the admin.system.users collection using normal modification operations, only modify these data using the user management methods.
The admin database provides the following roles that apply to all databases in a mongod instance and are roughly equivalent to their single-database equivalents:
readAnyDatabase
Provides the same read-only permissions as read, except it applies to all databases in the cluster. The role also provides the listDatabases action on the cluster as a whole.
readWriteAnyDatabase
Provides the same read and write permissions as readWrite, except it applies to all databases in the cluster. The role also provides the listDatabases action on the cluster as a whole.
userAdminAnyDatabase
Provides the same access to user administration operations as userAdmin, except it applies to all databases in the cluster. The role also provides the following actions on the cluster as a whole:
The role also provides the following actions on the admin.system.users and admin.system.roles collections on the admin database, and on legacy system.users collections from versions of MongoDB prior to 2.6:
Changed in version 2.6.4: userAdminAnyDatabase added the following permissions on the admin.system.users and admin.system.roles collections:
The userAdminAnyDatabase role does not restrict the permissions that a user can grant. As a result, userAdminAnyDatabase users can grant themselves privileges in excess of their current privileges and even can grant themselves all privileges, even though the role does not explicitly authorize privileges beyond user administration. This role is effectively a MongoDB system superuser.
dbAdminAnyDatabase
Provides the same access to database administration operations as dbAdmin, except it applies to all databases in the cluster. The role also provides the listDatabases action on the cluster as a whole.
Several roles provide either indirect or direct system-wide superuser access.
The following roles provide the ability to assign any user any privilege on any database, which means that users with one of these roles can assign themselves any privilege on any database:
dbOwner role, when scoped to the admin database
userAdmin role, when scoped to the admin database
userAdminAnyDatabase role
The following role provides full privileges on all resources:
root
Provides access to the operations and all the resources of the readWriteAnyDatabase, dbAdminAnyDatabase, userAdminAnyDatabase, clusterAdmin and restore roles combined.
Changed in version 3.0.7: root has the validate action on system. collections. Previously, root did not include any access to collections that begin with the system. prefix.
root includes the privileges from restore.
__system
MongoDB assigns this role to user objects that represent cluster members, such as replica set members and mongos instances. The role entitles its holder to take any action against any object in the database.
Do not assign this role to user objects representing applications or human administrators, other than in exceptional circumstances.
If you need access to all actions on all resources, for example to run applyOps commands, do not assign this role. Instead, create a user-defined role that grants anyAction on anyResource and ensure that only the users who need access to these operations have this access.
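The superuser section above lists the roles that are effectively system superusers (dbOwner and userAdmin when scoped to admin, userAdminAnyDatabase, root, __system), and the restore and __system sections both point to user-defined roles that grant anyAction on anyResource as the deliberate, narrowly granted alternative. The following is an added example, not code from the original post or from MongoDB, that audits which users hold any of those. It takes a user list shaped like the usersInfo reply (users[].roles[] = { role, db }) and a custom-role list shaped like a rolesInfo reply; both samples are constructed, and auditSuperusers, grantsAnyActionOnAnyResource and SUPERUSER_EQUIVALENT are this example's own names.

```javascript
// Added example (not from the original post or from MongoDB).

// Built-in roles the page lists as direct or indirect superuser access.
// All of them only count when scoped to the admin database.
const SUPERUSER_EQUIVALENT = [
  { role: "dbOwner", db: "admin" },
  { role: "userAdmin", db: "admin" },
  { role: "userAdminAnyDatabase", db: "admin" },
  { role: "root", db: "admin" },
  { role: "__system", db: "admin" },
];

// A user-defined role is as powerful as __system when it grants anyAction on
// anyResource (the construction the page reserves for oplog replay / applyOps).
function grantsAnyActionOnAnyResource(roleDoc) {
  const privs = [...(roleDoc.privileges || []), ...(roleDoc.inheritedPrivileges || [])];
  return privs.some(p => p.resource && p.resource.anyResource === true
                         && p.actions.includes("anyAction"));
}

// Returns findings as [{ user: "name@db", role: "role@db", reason }].
// usersReply: result of db.runCommand({ usersInfo: 1 }) on each database
// customRolesReply: result of db.runCommand({ rolesInfo: 1, showPrivileges: true })
function auditSuperusers(usersReply, customRolesReply) {
  const unrestricted = new Set(
    (customRolesReply.roles || [])
      .filter(grantsAnyActionOnAnyResource)
      .map(r => `${r.role}@${r.db}`));
  const findings = [];
  for (const u of usersReply.users) {
    for (const r of u.roles) {
      const key = `${r.role}@${r.db}`;
      if (SUPERUSER_EQUIVALENT.some(s => s.role === r.role && s.db === r.db)) {
        findings.push({ user: `${u.user}@${u.db}`, role: key,
                        reason: "built-in superuser-equivalent role" });
      } else if (unrestricted.has(key)) {
        findings.push({ user: `${u.user}@${u.db}`, role: key,
                        reason: "user-defined role with anyAction on anyResource" });
      }
    }
  }
  return findings;
}

// Constructed samples. Note that dbOwner on a non-admin database is not
// flagged: the page's warning applies only when the role is scoped to admin.
const SAMPLE_USERS = { users: [
  { user: "app", db: "app", roles: [{ role: "readWrite", db: "app" }] },
  { user: "ops", db: "admin", roles: [{ role: "clusterMonitor", db: "admin" },
                                      { role: "userAdmin", db: "admin" }] },
  { user: "restorer", db: "admin", roles: [{ role: "oplogReplayer", db: "admin" }] },
  { user: "appOwner", db: "app", roles: [{ role: "dbOwner", db: "app" }] },
], ok: 1 };

const SAMPLE_CUSTOM_ROLES = { roles: [
  { role: "oplogReplayer", db: "admin", isBuiltin: false, roles: [],
    privileges: [{ resource: { anyResource: true }, actions: ["anyAction"] }],
    inheritedPrivileges: [] },
], ok: 1 };

// Stand-alone run: print the findings for the sample data.
for (const f of auditSuperusers(SAMPLE_USERS, SAMPLE_CUSTOM_ROLES)) {
  console.log(`${f.user} holds ${f.role}: ${f.reason}`);
}
```

Run against real usersInfo and rolesInfo output, every finding is an account that can grant itself anything; the page's guidance is that the built-in ones be avoided for applications and humans and that an anyAction-on-anyResource role be granted only to the few accounts that actually run mongorestore --oplogReplay or applyOps.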