Role-Based Access Control
MongoDB employs Role-Based Access Control (RBAC) to govern access to a MongoDB system. A user is granted one or more roles that determine the user's access to database resources and operations. Outside of role assignments, the user has no access to the system: an authenticated user with no roles can perform no operations.
Enable Access Control
MongoDB does not enable access control by default. You can enable authorization using the --auth command-line option or the security.authorization configuration file setting. Enabling internal authentication (for example, a keyFile for replica set or sharded cluster members) also enables client authorization.
Once access control is enabled, clients must authenticate before they can perform any operation other than those permitted without authentication.
Roles
A role grants privileges to perform the specified actions on a resource. Each privilege is either specified explicitly in the role, inherited from another role, or both.
Privileges
A privilege consists of a specified resource and the actions permitted on the resource.
A resource is a database, a collection, a set of collections, or the cluster. If the resource is the cluster, the affiliated actions affect the state of the system rather than a specific database or collection. For information on the resource documents, see Resource Document.
An action specifies the operation allowed on the resource. For available actions, see Privilege Actions.
Inherited Privileges
A role can include one or more existing roles in its definition, in which case the role inherits all the privileges of the included roles.
A role can inherit privileges only from other roles in its own database. The exception is the admin database: a role created on the admin database can inherit privileges from roles in any database.
View Role’s Privileges
You can view the privileges for a role by issuing the rolesInfo command with the showPrivileges and showBuiltinRoles fields both set to true.
Users and Roles
You can assign roles to users during user creation. You can also update existing users to grant or revoke roles. For a full list of user management methods, see User Management.
A user assigned a role receives all the privileges of that role. A user can have multiple roles. By assigning the user roles in various databases, a user created in one database can have permissions to act on other databases: the database a user is created in is only where the user authenticates, not a limit on what the user's roles can grant.
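The three points above (a privilege is a resource plus actions, a role's effective privileges are its own plus those of every role it includes, and a user's access is exactly the union of its roles) can be made concrete by resolving role documents the way rolesInfo does. The following is an added example written for this page, not MongoDB's own code or a driver API: it takes constructed role documents in the shape rolesInfo returns with showPrivileges set to true, checks the inheritance rule (only admin roles may include roles from other databases), walks the inheritance graph to compute effective privileges, and answers whether a user may perform an action on a resource. The role names, database names and the ops user are all invented for the example; the resource-document shapes are the server's.

```javascript
// Added example, not MongoDB's code. Role and user documents are constructed.
// Role documents are shaped like the output of
// db.runCommand({ rolesInfo: <role>, showPrivileges: true }):
// { role, db, roles: [inherited role refs], privileges: [{ resource, actions }] }.
const ROLES = [
  {
    role: "readInventory", db: "inventory", roles: [],
    privileges: [{ resource: { db: "inventory", collection: "" }, actions: ["find"] }],
  },
  {
    role: "auditWriter", db: "inventory",
    roles: [{ role: "readInventory", db: "inventory" }], // same-db inheritance
    privileges: [{ resource: { db: "inventory", collection: "audit" }, actions: ["insert"] }],
  },
  {
    role: "opsAudit", db: "admin",
    roles: [{ role: "auditWriter", db: "inventory" }],   // admin roles may inherit across dbs
    privileges: [{ resource: { cluster: true }, actions: ["serverStatus"] }],
  },
  {
    role: "reportReader", db: "reporting",
    roles: [{ role: "readInventory", db: "inventory" }], // invalid: non-admin cross-db inheritance
    privileges: [],
  },
];

const roleKey = (ref) => `${ref.db}.${ref.role}`;
const ROLE_INDEX = new Map(ROLES.map((r) => [roleKey(r), r]));

// Inheritance rule from the text: a role may include only roles from its own
// database, unless the role is defined on admin. Returns the offending refs.
function inheritanceViolations(ref) {
  const role = ROLE_INDEX.get(roleKey(ref));
  if (!role) throw new Error(`unknown role ${roleKey(ref)}`);
  if (role.db === "admin") return [];
  return role.roles.filter((r) => r.db !== role.db).map(roleKey);
}

// Resource documents: { db, collection } where "" means all of that kind,
// { cluster: true }, or { anyResource: true }. Key them with sorted fields.
const resourceKey = (res) => JSON.stringify(res, Object.keys(res).sort());

// Depth-first walk of the inheritance graph (cycle-safe), merging actions
// per resource: the equivalent of the inheritedPrivileges field of rolesInfo.
function effectivePrivileges(ref) {
  const merged = new Map(); // resourceKey -> { resource, actions: Set }
  const seen = new Set();
  const visit = (r) => {
    const k = roleKey(r);
    if (seen.has(k)) return;
    seen.add(k);
    const role = ROLE_INDEX.get(k);
    if (!role) throw new Error(`unknown role ${k}`);
    for (const p of role.privileges) {
      const rk = resourceKey(p.resource);
      if (!merged.has(rk)) merged.set(rk, { resource: p.resource, actions: new Set() });
      p.actions.forEach((a) => merged.get(rk).actions.add(a));
    }
    role.roles.forEach(visit);
  };
  visit(ref);
  return [...merged.values()].map(({ resource, actions }) => ({ resource, actions: [...actions].sort() }));
}

// Does a granted resource document cover the requested one?
// (System collections are not special-cased here.)
function resourceCovers(granted, requested) {
  if (granted.anyResource) return true;
  if (granted.cluster || requested.cluster) return !!granted.cluster && !!requested.cluster;
  return (granted.db === "" || granted.db === requested.db) &&
         (granted.collection === "" || granted.collection === requested.collection);
}

// A user's access is the union of its roles' effective privileges; roles may
// be granted in any database. No matching privilege means the action is denied.
function isAllowed(userRoles, resource, action) {
  return userRoles.some((ref) =>
    effectivePrivileges(ref).some((p) => p.actions.includes(action) && resourceCovers(p.resource, resource)));
}

// Constructed user, shaped like db.getUser() output: created in admin,
// holding one admin-defined role that transitively grants inventory access.
const OPS_USER = { user: "ops", db: "admin", roles: [{ role: "opsAudit", db: "admin" }] };
```

Run inheritanceViolations over every role before issuing createRole; the reportReader definition above is exactly the kind of document the server would reject. isAllowed with an empty roles array always returns false, which is the "no roles, no access" point of the introduction.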
Note
The first user created in the database should be a user administrator who has the privileges to manage other users. See Enable Access Control.
Built-In Roles and User-Defined Roles
MongoDB provides built-in roles that provide a set of privileges commonly needed in a database system.
If the built-in roles cannot provide the desired set of privileges, MongoDB provides methods to create and modify user-defined roles.