Built-in Roles
| 角色分类 | 具体角色 |
|---|---|
| Database User Roles | read,read-write(every database have) |
| Database Administration Roles¶ | dbAdmin, dbOwner , userAdmin (every database have) |
| Cluster Administration Roles | clusterAdmin,clusterManager,hostManager (admin database have) |
| Backup and Restoration Roles | backup,restore (admin database hava) |
| All-Database Roles | The following roles are available on the admin database and provide privileges which apply to all databases except local and config: readAnyDatabase,readWriteAnyDatabase,userAdminAnyDatabase,dbAdminAnyDatabase (admin database have) |
| Superuser Roles: | root (Several roles provide either indirect or direct system-wide superuser access) (admin database have) |
| Internal Role | __system¶ (system have) |
根据上面的这张表尝试理解下面语句的含义
A role can inherit privileges from other roles in its database. A role created on the admin database can inherit privileges from roles in any database.
A role can inherit privileges from other roles in its database: 一个角色 能够继承 创建角色时所在数据库的权限; 根据上图发现: read,readWrite,abAdmin,dbOwner,userAdmin...... 这些角色是每个数据库都有的.而像 clusterAdmin,clusterManager,backup, readAnyDatabase,readWriteAnyDatabase ....等角色 都是 admin这个数据库所独有的,在其他数据库中没有; 所以我们说当一个角色在 所在的库中被创建时 就继承了该库所具有的角色
A role created on the admin database can inherit privileges from roles in any database: 因为every databave :也包含 admin这个数据库;也就是说 像 read,read-write,dbAdmin,dbOwner,userAdmin.....等等这些角色 也在 admin数据库中
MongoDB provides the built-in database user and database administration roles on every database. MongoDB provides all other built-in roles only on the admin database.
database user roles 和 database administration roles 这两类 built-in 是每个数据库都有,但是 所有的其他 buildt-in roles 基本都分配到 admin数据库中, 当创建角色的时候需要当前数据库有没有对应的 roles 可以被继承
A role can include one or more existing roles in its definition, in which case the role inherits all the privileges of the included roles.
这句是说:一个角色在定义的时候可以包含其他的角色,那么从这个角度出发我们认为 我们定义的这个角色就继承了它定义时所包含的角色的权限(一种组合的方式)
super roles
The following roles provide the ability to assign any user any privilege on any database, which means that users with one of these roles can assign themselves any privilege on any database:
dbOwner role, when scoped to the admin database
userAdmin role, when scoped to the admin database
userAdminAnyDatabase role
The root role provides full privileges on all resources
//当在admin中定义的用户拥有dbOwner角色时;这个用户可以 assign any user any privilege on any database
//当在admin中定义的用户拥有userAdmin角色时;这个用户可以 assign any user any privilege on any database
//当用户拥有userAdminAnyDatabase角色时;这个用户可以 assign any user any privilege on any database
//root用户更是无敌了
If there is a problem, please contact me in time. Thank you.
