system.roles Collection em sistemas autogerenciados
Nesta página
The system.roles collection in the admin database stores the
user-defined roles. To create and manage these user-defined
roles, MongoDB provides role management commands.
system.roles Esquema
Os documentos na coleção system.roles têm o seguinte esquema:
{ _id: <system-defined id>, role: "<role name>", db: "<database>", privileges: [ { resource: { <resource> }, actions: [ "<action>", ... ] }, ... ], roles: [ { role: "<role name>", db: "<database>" }, ... ] }
uma system.roles document has the following fields:
admin.system.roles.roleThe
rolefield is a string that specifies the name of the role.
admin.system.roles.dbThe
dbfield is a string that specifies the database to which the role belongs. MongoDB uniquely identifies each role by the pairing of its name (i.e.role) and its database.
admin.system.roles.privilegesThe
privilegesarray contains the privilege documents that define the privileges for the role.A privilege document has the following syntax:
{ resource: { <resource> }, actions: [ "<action>", ... ] } Each privilege document has the following fields:
admin.system.roles.privileges[n].resourceA document that specifies the resources upon which the privilege
actionsapply. The document has one of the following form:{ db: <database>, collection: <collection> } ou
{ cluster : true } See Documento de recurso sobre sistemas autogerenciados for more details.
admin.system.roles.privileges[n].actionsAn array of actions permitted on the resource. For a list of actions, see Ações de privilégio para sistemas autogerenciados.
admin.system.roles.rolesThe
rolesarray contains role documents that specify the roles from which this role inherits privileges.Um documento de função tem a seguinte sintaxe:
{ role: "<role name>", db: "<database>" } Um documento de função tem os seguintes campos:
admin.system.roles.roles[n].roleThe name of the role. A role can be a built-in role provided by MongoDB or a user-defined role.
Exemplos
Consider the following sample documents found in system.roles
collection of the admin database.
A User-Defined Role Specifies Privileges
The following is a sample document for a user-defined role appUser
defined for the myApp database:
{ _id: "myApp.appUser", role: "appUser", db: "myApp", privileges: [ { resource: { db: "myApp" , collection: "" }, actions: [ "find", "createCollection", "dbStats", "collStats" ] }, { resource: { db: "myApp", collection: "logs" }, actions: [ "insert" ] }, { resource: { db: "myApp", collection: "data" }, actions: [ "insert", "update", "remove", "compact" ] }, { resource: { db: "myApp", collection: "system.js" }, actions: [ "find" ] }, ], roles: [] }
The privileges array lists the five privileges that the appUser
role specifies:
The first privilege permits its actions (
"find","createCollection","dbStats","collStats") on all the collections in themyAppdatabase excluding its system collections. See Especificar um banco de dados como recurso.The next two privileges permits additional actions on specific collections,
logsanddata, in themyAppdatabase. See Especifique uma Coleção de um Banco de Dados como Recurso.The last privilege permits actions on one system collections in the
myAppdatabase. While the first privilege gives database-wide permission for thefindaction, the action does not apply tomyApp's system collections. To give access to a system collection, a privilege must explicitly specify the collection. See Documento de recurso sobre sistemas autogerenciados.
As indicated by the empty roles array, appUser inherits no
additional privileges from other roles.
User-Defined Role Inherits from Other Roles
The following is a sample document for a user-defined role appAdmin
defined for the myApp database: The document shows that the
appAdmin role specifies privileges as well as inherits privileges
from other roles:
{ _id: "myApp.appAdmin", role: "appAdmin", db: "myApp", privileges: [ { resource: { db: "myApp", collection: "" }, actions: [ "insert", "dbStats", "collStats", "compact" ] } ], roles: [ { role: "appUser", db: "myApp" } ] }
The privileges array lists the privileges that the appAdmin
role specifies. This role has a single privilege that permits its
actions ( "insert", "dbStats", "collStats", "compact")
on all the collections in the myApp database excluding its system
collections. See Especificar um banco de dados como recurso.
The roles array lists the roles, identified by the role names and
databases, from which the role appAdmin inherits privileges.