数据库的内建角色
数据库用户角色:read、readWrite;
数据库管理角色:dbAdmin、userAdmin、dbOwner;
集群管理角色:clusterAdmin、clusterManager、clusterMonitor、hostManager;
备份恢复角色:backup、restore;
全数据库角色:readAnyDatabase、readWriteAnyDatabase、userAdminAnyDatabase、dbAdminAnyDatabase;
超级用户角色:root
创建自定义角色
> use tpcc10
switched to db tpcc10
> db.createRole(
... {
... role:"customerInsert",
... privileges:
... [
... {resource:{db:"tpcc10",collection:"customer"},actions:["insert"]}
... ],
... roles:[]
... }
... )
{
"role" : "customerInsert",
"privileges" : [
{
"resource" : {
"db" : "tpcc10",
"collection" : "customer"
},
"actions" : [
"insert"
]
}
],
"roles" : [ ]
}
查询指定自定义角色
> db.getRole("customerInsert",{showPrivileges:true})
{
"role" : "customerInsert",
"db" : "tpcc10",
"isBuiltin" : false,
"roles" : [ ],
"inheritedRoles" : [ ],
"privileges" : [
{
"resource" : {
"db" : "tpcc10",
"collection" : "customer"
},
"actions" : [
"insert"
]
}
],
"inheritedPrivileges" : [
{
"resource" : {
"db" : "tpcc10",
"collection" : "customer"
},
"actions" : [
"insert"
]
}
]
}
查询全部自定义角色
> db.getRoles({showPrivileges:true})
将自定义角色授予用户
> db.grantRolesToUser("test",[{role:"customerInsert",db:"tpcc10"}])
查询用户的权限
> db.getUser("test",{showPrivileges:true})
{
"_id" : "tpcc10.test",
"userId" : UUID("3cec2b29-c547-4254-b848-143fd0f6ae20"),
"user" : "test",
"db" : "tpcc10",
"mechanisms" : [
"SCRAM-SHA-1",
"SCRAM-SHA-256"
],
"roles" : [
{
"role" : "read",
"db" : "tpcc10"
},
{
"role" : "customerInsert",
"db" : "tpcc10"
}
],
"inheritedRoles" : [
{
"role" : "read",
"db" : "tpcc10"
},
{
"role" : "customerInsert",
"db" : "tpcc10"
}
],
"inheritedPrivileges" : [
{
"resource" : {
"db" : "tpcc10",
"collection" : ""
},
"actions" : [
"changeStream",
"collStats",
"dbHash",
"dbStats",
"find",
"killCursors",
"listCollections",
"listIndexes",
"planCacheRead"
]
},
{
"resource" : {
"db" : "tpcc10",
"collection" : "system.js"
},
"actions" : [
"changeStream",
"collStats",
"dbHash",
"dbStats",
"find",
"killCursors",
"listCollections",
"listIndexes",
"planCacheRead"
]
},
{
"resource" : {
"db" : "tpcc10",
"collection" : "customer"
},
"actions" : [
"insert"
]
}
],
"inheritedAuthenticationRestrictions" : [ ]
}
授予自定义角色权限
> db.grantPrivilegesToRole(
... "customerInsert",
... [
... {resource:{db:"tpcc10",collection:"customer"},
... actions:["update"]
... }
... ]
... )
查询用户的权限
> db.getUser("test",{showPrivileges:true})
{
"_id" : "tpcc10.test",
"userId" : UUID("3cec2b29-c547-4254-b848-143fd0f6ae20"),
"user" : "test",
"db" : "tpcc10",
"mechanisms" : [
"SCRAM-SHA-1",
"SCRAM-SHA-256"
],
"roles" : [
{
"role" : "read",
"db" : "tpcc10"
},
{
"role" : "customerInsert",
"db" : "tpcc10"
}
],
"inheritedRoles" : [
{
"role" : "customerInsert",
"db" : "tpcc10"
},
{
"role" : "read",
"db" : "tpcc10"
}
],
"inheritedPrivileges" : [
{
"resource" : {
"db" : "tpcc10",
"collection" : ""
},
"actions" : [
"changeStream",
"collStats",
"dbHash",
"dbStats",
"find",
"killCursors",
"listCollections",
"listIndexes",
"planCacheRead"
]
},
{
"resource" : {
"db" : "tpcc10",
"collection" : "system.js"
},
"actions" : [
"changeStream",
"collStats",
"dbHash",
"dbStats",
"find",
"killCursors",
"listCollections",
"listIndexes",
"planCacheRead"
]
},
{
"resource" : {
"db" : "tpcc10",
"collection" : "customer"
},
"actions" : [
"insert",
"update"
]
}
],
"inheritedAuthenticationRestrictions" : [
[ ]
]
}
撤销自定义角色权限
> db.revokePrivilegesFromRole(
... "customerInsert",
... [
... {resource:{db:"tpcc10",collection:"customer"},
... actions:["update"]
... }
... ]
... )
查询用户的权限
> db.getUser("test",{showPrivileges:true})
{
"_id" : "tpcc10.test",
"userId" : UUID("3cec2b29-c547-4254-b848-143fd0f6ae20"),
"user" : "test",
"db" : "tpcc10",
"mechanisms" : [
"SCRAM-SHA-1",
"SCRAM-SHA-256"
],
"roles" : [
{
"role" : "read",
"db" : "tpcc10"
},
{
"role" : "customerInsert",
"db" : "tpcc10"
}
],
"inheritedRoles" : [
{
"role" : "read",
"db" : "tpcc10"
},
{
"role" : "customerInsert",
"db" : "tpcc10"
}
],
"inheritedPrivileges" : [
{
"resource" : {
"db" : "tpcc10",
"collection" : ""
},
"actions" : [
"changeStream",
"collStats",
"dbHash",
"dbStats",
"find",
"killCursors",
"listCollections",
"listIndexes",
"planCacheRead"
]
},
{
"resource" : {
"db" : "tpcc10",
"collection" : "system.js"
},
"actions" : [
"changeStream",
"collStats",
"dbHash",
"dbStats",
"find",
"killCursors",
"listCollections",
"listIndexes",
"planCacheRead"
]
},
{
"resource" : {
"db" : "tpcc10",
"collection" : "customer"
},
"actions" : [
"insert"
]
}
],
"inheritedAuthenticationRestrictions" : [
[ ]
]
}
删除指定的自定义角色(参数为角色名,此处以 myRole01 为例,并非上文创建的 customerInsert)
// Removes the single user-defined role named in the argument from the current database.
// The example uses "myRole01", not the "customerInsert" role created earlier in this session.
db.dropRole("myRole01")
删除当前数据库中全部的自定义角色
// Removes every user-defined role in the current database (tpcc10 in this session, per the
// earlier `use tpcc10`); users holding those roles lose the corresponding privileges.
db.dropAllRoles()