Docs Menu
Docs Home
/
MongoDB 매뉴얼
/
자체 관리 배포서버
/
보안
/
참조

system.roles 자체 관리형 배포의 컬렉션

이 페이지의 내용

The system.roles collection in the admin database stores the user-defined roles. To create and manage these user-defined roles, MongoDB provides role management commands.

system.roles 스키마

system.roles 컬렉션의 문서에는 다음과 같은 스키마가 있습니다.

{
  _id: <system-defined id>,
  role: "<role name>",
  db: "<database>",
  privileges:
      [
          {
              resource: { <resource> },
              actions: [ "<action>", ... ]
          },
          ...
      ],
  roles:
      [
          { role: "<role name>", db: "<database>" },
          ...
      ]
}

a system.roles document has the following fields:

admin.system.roles.role

The role field is a string that specifies the name of the role.

admin.system.roles.db

The db field is a string that specifies the database to which the role belongs. MongoDB uniquely identifies each role by the pairing of its name (i.e. role) and its database.

admin.system.roles.privileges

The privileges array contains the privilege documents that define the privileges for the role.

A privilege document has the following syntax:

{
  resource: { <resource> },
  actions: [ "<action>", ... ]
}

Each privilege document has the following fields:

admin.system.roles.privileges[n].resource

A document that specifies the resources upon which the privilege actions apply. The document has one of the following form:

{ db: <database>, collection: <collection> }

or

{ cluster : true }

See 자체 관리형 배포에 대한 리소스 문서 for more details.

admin.system.roles.privileges[n].actions

An array of actions permitted on the resource. For a list of actions, see 자체 관리형 배포서버에 대한 권한 작업.

admin.system.roles.roles

The roles array contains role documents that specify the roles from which this role inherits privileges.

역할 문서에는 다음과 같은 구문이 있습니다.

{ role: "<role name>", db: "<database>" }

역할 문서에는 다음과 같은 필드가 있습니다.

admin.system.roles.roles[n].role

The name of the role. A role can be a built-in role provided by MongoDB or a user-defined role.

admin.system.roles.roles[n].db

The name of the database where the role is defined.

예시

Consider the following sample documents found in system.roles collection of the admin database.

A User-Defined Role Specifies Privileges

The following is a sample document for a user-defined role appUser defined for the myApp database:

{
  _id: "myApp.appUser",
  role: "appUser",
  db: "myApp",
  privileges: [
       { resource: { db: "myApp" , collection: "" },
         actions: [ "find", "createCollection", "dbStats", "collStats" ] },
       { resource: { db: "myApp", collection: "logs" },
         actions: [ "insert" ] },
       { resource: { db: "myApp", collection: "data" },
         actions: [ "insert", "update", "remove", "compact" ] },
       { resource: { db: "myApp", collection: "system.js" },
         actions: [ "find" ] },
  ],
  roles: []
}

The privileges array lists the five privileges that the appUser role specifies:

As indicated by the empty roles array, appUser inherits no additional privileges from other roles.

User-Defined Role Inherits from Other Roles

The following is a sample document for a user-defined role appAdmin defined for the myApp database: The document shows that the appAdmin role specifies privileges as well as inherits privileges from other roles:

{
  _id: "myApp.appAdmin",
  role: "appAdmin",
  db: "myApp",
  privileges: [
      {
         resource: { db: "myApp", collection: "" },
         actions: [ "insert", "dbStats", "collStats", "compact" ]
      }
  ],
  roles: [
      { role: "appUser", db: "myApp" }
  ]
}

The privileges array lists the privileges that the appAdmin role specifies. This role has a single privilege that permits its actions ( "insert", "dbStats", "collStats", "compact") on all the collections in the myApp database excluding its system collections. See 데이터베이스를 리소스로 지정.

The roles array lists the roles, identified by the role names and databases, from which the role appAdmin inherits privileges.

돌아가기

참조

다음

system.users 컬렉션

이 페이지의 내용