
Database User Roles

Date: 2015-09-21 14:17:21      Reads: 339      Comments: 0


Every database includes the following client roles:

Database Administration Roles

Every database includes the following database administration roles:

  • dbOwner

    The database owner can perform any administrative action on the database. This role combines the privileges granted by the readWrite, dbAdmin and userAdmin roles.

Cluster Administration Roles

The admin database includes the following roles for administering the whole system rather than just a single database. These roles include but are not limited to replica set and sharded cluster administrative functions.

  • clusterAdmin

    Provides the greatest cluster-management access. This role combines the privileges granted by the clusterManager, clusterMonitor, and hostManager roles. Additionally, the role provides the dropDatabase action.

Backup and Restoration Roles

The admin database includes the following roles for backing up and restoring data:

All-Database Roles

The admin database provides the following roles that apply to all databases in a mongod instance; each is the all-database counterpart of a single-database role:

  • readAnyDatabase

    Provides the same read-only permissions as read, except it applies to all databases in the cluster. The role also provides the listDatabases action on the cluster as a whole.

  • readWriteAnyDatabase

    Provides the same read and write permissions as readWrite, except it applies to all databases in the cluster. The role also provides the listDatabases action on the cluster as a whole.

  • userAdminAnyDatabase

    Provides the same access to user administration operations as userAdmin, except it applies to all databases in the cluster. The role also provides additional actions on the cluster as a whole.

    The role also provides actions on the admin.system.users and admin.system.roles collections in the admin database, and on legacy system.users collections from versions of MongoDB prior to 2.6.

    Changed in version 2.6.4: userAdminAnyDatabase added permissions on the admin.system.users and admin.system.roles collections.

    The userAdminAnyDatabase role does not restrict the permissions that a user can grant. As a result, userAdminAnyDatabase users can grant themselves privileges in excess of their current privileges and can even grant themselves all privileges, even though the role does not explicitly authorize privileges beyond user administration. This role is effectively a MongoDB system superuser.

  • dbAdminAnyDatabase

    Provides the same access to database administration operations as dbAdmin, except it applies to all databases in the cluster. The role also provides the listDatabases action on the cluster as a whole.

Superuser Roles

Several roles provide either indirect or direct system-wide superuser access.

The following roles provide the ability to assign any user any privilege on any database, which means that users with one of these roles can assign themselves any privilege on any database:

  • dbOwner role, when scoped to the admin database

  • userAdmin role, when scoped to the admin database

  • userAdminAnyDatabase role

The following role provides full privileges on all resources:

  • root

    Provides access to the operations and all the resources of the readWriteAnyDatabase, dbAdminAnyDatabase, userAdminAnyDatabase and clusterAdmin roles combined.

    root does not include any access to collections that begin with the system. prefix.

    For example, because it cannot insert data directly into the system.users and system.roles collections in the admin database, root is not suitable for writing or restoring data that includes these collections (e.g. with mongorestore). To perform these kinds of restore operations, provision users with the restore role.

Internal Role

  • __system

    MongoDB assigns this role to user objects that represent cluster members, such as replica set members and mongos instances. The role entitles its holder to take any action against any object in the database.

    Do not assign this role to user objects representing applications or human administrators, other than in exceptional circumstances.

    If you need access to all actions on all resources, for example to run applyOps commands, do not assign this role. Instead, create a user-defined role that grants anyAction on anyResource and ensure that only the users who need access to these operations have this access.
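The practical follow-up to both the "Superuser Roles" list and the __system guidance above is an audit: which accounts in this deployment can already do anything? The script below is an added example, not code from the MongoDB documentation or from this page. It walks the documents returned by the usersInfo command (what db.getUsers() prints) and by rolesInfo with showPrivileges: true, and flags every grant that confers superuser-equivalent access: root, userAdminAnyDatabase and __system on any scope, dbOwner and userAdmin when scoped to the admin database, and any user-defined role whose privileges include anyAction on anyResource (the pattern the text recommends instead of __system, which is why it deserves the same scrutiny). The function names, the role name applyOpsRole and the sample user and role documents are constructed for this example; only the document shapes follow the real commands.

```javascript
"use strict";

// Added example: audit MongoDB users for superuser-equivalent grants.
// Sample documents below are constructed by hand to mirror the shape returned
// by the usersInfo command (db.getUsers()) and by rolesInfo { showPrivileges: true }.

// Built-in roles that are superuser-equivalent regardless of the database they are scoped to.
const GLOBAL_SUPERUSER_ROLES = new Set(["root", "userAdminAnyDatabase", "__system"]);
// Built-in roles that become superuser-equivalent only when scoped to the admin database.
const ADMIN_SCOPED_SUPERUSER_ROLES = new Set(["dbOwner", "userAdmin"]);

// True when a single privilege entry grants anyAction on anyResource.
function grantsEverything(privilege) {
  const res = privilege.resource || {};
  const actions = privilege.actions || [];
  return res.anyResource === true && actions.includes("anyAction");
}

// Map "db.role" -> reason for every user-defined role whose direct or
// inherited privileges include anyAction on anyResource.
function findOmnipotentCustomRoles(rolesInfo) {
  const found = new Map();
  for (const r of rolesInfo.roles || []) {
    if (r.isBuiltin) continue;
    const privs = (r.privileges || []).concat(r.inheritedPrivileges || []);
    if (privs.some(grantsEverything)) {
      found.set(`${r.db}.${r.role}`, "grants anyAction on anyResource");
    }
  }
  return found;
}

// Classify one role grant { role, db } from a user document.
// Returns a human-readable reason when the grant is superuser-equivalent, else null.
function classifyGrant(grant, omnipotentCustomRoles) {
  if (GLOBAL_SUPERUSER_ROLES.has(grant.role)) {
    return grant.role === "__system"
      ? "__system is reserved for cluster members"
      : `${grant.role} can grant itself any privilege`;
  }
  if (grant.db === "admin" && ADMIN_SCOPED_SUPERUSER_ROLES.has(grant.role)) {
    return `${grant.role} scoped to admin can grant any user any privilege`;
  }
  const key = `${grant.db}.${grant.role}`;
  if (omnipotentCustomRoles.has(key)) {
    return `user-defined role ${key} ${omnipotentCustomRoles.get(key)}`;
  }
  return null;
}

// One finding per (user, role) pair that confers superuser-equivalent access.
function auditSuperusers(usersInfo, rolesInfo) {
  const omnipotent = findOmnipotentCustomRoles(rolesInfo);
  const findings = [];
  for (const u of usersInfo.users || []) {
    for (const g of u.roles || []) {
      const reason = classifyGrant(g, omnipotent);
      if (reason) {
        findings.push({ user: `${u.db}.${u.user}`, role: `${g.db}.${g.role}`, reason });
      }
    }
  }
  return findings;
}

// Constructed sample: six accounts, four of which should be flagged.
const SAMPLE_USERS_INFO = {
  users: [
    { _id: "admin.ops", user: "ops", db: "admin", roles: [{ role: "root", db: "admin" }] },
    { _id: "admin.helpdesk", user: "helpdesk", db: "admin", roles: [{ role: "userAdmin", db: "admin" }] },
    { _id: "reports.ro", user: "ro", db: "reports", roles: [{ role: "read", db: "reports" }] },
    { _id: "inventory.owner", user: "owner", db: "inventory", roles: [{ role: "dbOwner", db: "inventory" }] },
    { _id: "admin.migrator", user: "migrator", db: "admin", roles: [{ role: "applyOpsRole", db: "admin" }] },
    { _id: "admin.legacyapp", user: "legacyapp", db: "admin", roles: [{ role: "__system", db: "admin" }] },
  ],
};

// Constructed sample: applyOpsRole is the anyAction/anyResource role the text recommends
// for applyOps; readTest is a harmless custom role that must not be flagged.
const SAMPLE_ROLES_INFO = {
  roles: [
    { role: "applyOpsRole", db: "admin", isBuiltin: false, roles: [],
      privileges: [{ resource: { anyResource: true }, actions: ["anyAction"] }] },
    { role: "readTest", db: "test", isBuiltin: false, roles: [],
      privileges: [{ resource: { db: "test", collection: "" }, actions: ["find"] }] },
  ],
};

for (const f of auditSuperusers(SAMPLE_USERS_INFO, SAMPLE_ROLES_INFO)) {
  console.log(`${f.user} via ${f.role}: ${f.reason}`);
}
```

On the sample data the audit reports ops (root), helpdesk (userAdmin on admin), migrator (applyOpsRole) and legacyapp (__system), and stays silent for the read-only reporting user and for dbOwner scoped to the inventory database, which is exactly the distinction the "Superuser Roles" section draws. The check is deliberately limited to grants it can see: it resolves anyAction/anyResource through rolesInfo's inheritedPrivileges, but it does not follow a custom role that merely lists root or userAdminAnyDatabase in its roles array, so feed it rolesInfo output for every database, not only admin, and treat an unexpected custom role as a finding to read by hand.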


Original source: http://my.oschina.net/imhaha/blog/509092
