MongoDB has defined a number of built-in roles , while also providing user- defined roles to meet the diverse needs of users.
Frustration user-defined roles has a brief introduction to it, but to be familiar with how to create a role, you need to understand the following concepts:
-(database) operations (Privilege actions)
-(database) resources (Resource)
-scope
-Permissions (privileges)
-Permission Inheritance (inherited privileges)
-
The above concept can refer to the following frustration:
role-based Access Control
Privilege Actions
Resource Document
The following words in the official text are solitary thought to be the focus:
1.When Adding a role, you create the role in a specific database.
When you add a role, you add the role to a database .
2.MongoDB uses the combination of the database and the role name to uniquely define a role.
MongoDB uses database and role names as unique identities for roles.
3.MongoDB stores all role information in the System.roles collection in the admin database.
MongoDB stores all role information in a collection named System.roles under the Admin database .
4.A MongoDB privilege comprises A resource and the permitted actions.
A MONGODB permission contains the operations allowed on a resource, that is, what you can do with a resource .
5.a user-defined role scoped for a non-admin database VS. user-defined roles scoped for the admin database
Customizing roles on non-admin databases customizing roles on the admin database
The above two roles of the solitary translation may not be accurate, ask the reader to provide advice, the latter useful more ability-create, update, inheritance and so on.
How do I create a character?
The focus of this article. What's more accurate is how to create a role for a database ? Use db.createrole ()!
The specific use of frustration db.createrole () is given in this paper:
Db.createrole (role, Writeconcern)
The parameter role is required , defines the roles name and its permission definitions, the parameter writeconcern is optional , is not familiar with its usage and meaning , please refer to frustration write Concern.
Specification of the role parameter (document) given in frustration Db.createrole ():
which
Role is the character name;
Privileges a list of permissions (actions on a resource);
Roles a list of permissions on a database for some roles that need to be inherited;
Authenticationrestrictions is the authentication limit that the server enforces for the role, and options, such as the connection request for only certain IP addresses that have users of that role (very useful!). )。
Of course, please refer to frustration db.createrole () and other official texts for specific details.
Question: What characters can I use for a role name? Can I use the dot number (.) And so on? Is it possible to use Chinese? Length limit? Plus the length limit after the database name (unique identification)? How many roles can be created per database? What about the entire server? What about the whole replica set? What about the larger scale?
Hint: This article relates to a single example MongoDB server, and does not involve replica set, cluster and other large-scale role management, but also need to continue dig (after the project used to dig is not too late, the recent can be considered familiar with replica Set of related operations).
Tip: Before you create a role, verify that the current user has the power to Createrole, Grantrole, Setauthenticationrestriction, and so on on the target resource. Otherwise, the creation fails.
Here is an example in frustration Db.createrole () (JavaScript format?). ):
1 Use admin2 Db.createrole (3 {4Role"Myclusterwideadmin",5 privileges: [6{resource: {cluster:true}, Actions: ["Addshard" ] },7{resource: {db:"config", collection:""}, Actions: ["Find","Update","Insert","Remove" ] },8{resource: {db:"Users", collection:"Userscollection"}, Actions: ["Update","Insert","Remove" ] },9{resource: {db:"", collection:""}, Actions: ["Find" ] }Ten ], One roles: [ A{role:"read"Db:"Admin" } - ] - }, the{w:"Majority", wtimeout:5000 } -)
For more examples , refer to frustration manage Users and Roles (see this in the afternoon).
Tip: The example is really important ! Can accelerate the learning process and efficiency! Save time (LIFE)!
"Role Management"
Yes, in addition to creating roles, MongoDB allows you to modify roles, update roles, delete roles, and more, in the official MONGO Shell Methods-role Management for more information:
Postscript
How do I create a role for a different size MongoDB app? What is the strategy?
Do the relevant security operations in MongoDB, how much security can be guaranteed?
Vaguely remember, the database file will be locked, what should I do? Improve the security of your operating system, network, etc.?
MongoDB source code vulnerability, how to find and solve the first time? Ensure data security and ensure the stability of MongoDB-based applications?
Well, there's a lot more to do.
Of course, the content of knowledge is many, ordinary programmers, senior programmers, architects need to know something different, need to step-by IS!
If you are proficient in MongoDB, just be a MONGODB administrator!
The road is long ~
Once the role creation is successful, you can consider establishing a role-based user.
MongoDB Security: Creating Roles (user-defined Roles)