A summary of several commonly used MongoDB built-in roles:
role | read | readWrite (every) | dbAdmin | userAdmin | dbOwner | backup | restore |
changeCustomData | √ | √ | |||||
changePassword | √ | √ | |||||
createRole | √ | √ | |||||
createUser | √ | √ | |||||
dropRole | √ | √ | |||||
dropUser | √ | √ | |||||
grantRole | √ | √ | |||||
revokeRole | √ | √ | |||||
viewRole | √ | √ | |||||
viewUser | √ | √ | |||||
collStats | √ | √ | √ | √ | |||
collMod | √ | √ | √ | ||||
compact | √ | √ | |||||
convertToCapped | √ | √ | √ | ||||
createCollection | √ | √ | √ | √ | |||
createIndex | √ | √ | √ | √ | |||
dbHash | √ | √ | √ | √ | |||
dbStats | √ | √ | √ | √ | |||
dropCollection | √ | √ | √ | √ | |||
dropDatabase | √ | √ | |||||
dropIndex | √ | √ | √ | ||||
emptycapped | √ | √ | |||||
enableProfiler | √ | √ | |||||
find | √ | √ | √ | √ | |||
insert | √ | √ | √ | √ | |||
indexStats | √ | √ | |||||
killCursors | √ | √ | √ | √ | |||
reIndex | √ | √ | |||||
remove | √ | √ | √ | ||||
renameCollectionSameDB | √ | √ | √ | ||||
repairDatabase | √ | √ | |||||
storageDetails | √ | √ | |||||
update | √ | √ | √ | √ | |||
validate | √ | √ |
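MongoDB also has the roles readAnyDatabase, readWriteAnyDatabase, userAdminAnyDatabase and dbAdminAnyDatabase. They are very similar to read, readWrite, userAdmin and dbAdmin above; the difference is that these four roles apply to all databases. For example, a user with { role: "read", db: "test" } has read access only to the test database, whereas a user with { role: "readAnyDatabase", db: "admin" } has read access to all databases.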
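The scoping rule above, written out as an added example (not code from the original post): it takes user documents in the `{ user, db, roles: [{ role, db }] }` shape and works out which databases each grant reaches. The helper names `expandGrant`, `canRead` and `clusterWideUsers` and the sample users are assumptions made for illustration, and only the roles named on this page are modelled.

```javascript
// Per-database role -> its all-databases counterpart (the four pairs named above).
const ANY_DB = {
  read: "readAnyDatabase",
  readWrite: "readWriteAnyDatabase",
  userAdmin: "userAdminAnyDatabase",
  dbAdmin: "dbAdminAnyDatabase",
};
// Reverse lookup: all-databases role -> per-database role.
const BASE_OF = new Map(Object.entries(ANY_DB).map(([base, any]) => [any, base]));

// Expand one grant into { base, scope }; scope is a database name or "*".
function expandGrant(grant) {
  if (BASE_OF.has(grant.role)) {
    // The *AnyDatabase roles are defined only in the admin database.
    if (grant.db !== "admin") {
      throw new Error(`${grant.role} must be granted on admin, not ${grant.db}`);
    }
    return { base: BASE_OF.get(grant.role), scope: "*" };
  }
  return { base: grant.role, scope: grant.db };
}

// Roles that let a user read documents; dbOwner combines readWrite, dbAdmin and userAdmin.
const READ_BASES = new Set(["read", "readWrite", "dbOwner"]);

// True if any grant held by the user allows reading dbName.
function canRead(user, dbName) {
  return user.roles.map(expandGrant).some(
    (g) => READ_BASES.has(g.base) && (g.scope === "*" || g.scope === dbName)
  );
}

// Users holding at least one all-databases grant: review these first.
function clusterWideUsers(users) {
  return users
    .filter((u) => u.roles.some((r) => BASE_OF.has(r.role)))
    .map((u) => `${u.user}@${u.db}`);
}

// Constructed sample users (not taken from a real deployment).
const users = [
  { user: "app", db: "test", roles: [{ role: "read", db: "test" }] },
  { user: "auditor", db: "admin", roles: [{ role: "readAnyDatabase", db: "admin" }] },
  { user: "ops", db: "admin", roles: [{ role: "userAdmin", db: "test" }] },
];

for (const u of users) {
  console.log(u.user, "test:", canRead(u, "test"), "orders:", canRead(u, "orders"));
}
console.log("all-databases grants:", clusterWideUsers(users));
```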