Commit 45f900d

steverenkay-kim
authored and committed
DOCS-10988: reword all-database roles sections
1 parent 871723d commit 45f900d

2 files changed

+55
-44
lines changed

Lines changed: 3 additions & 0 deletions
@@ -0,0 +1,3 @@
1+
See also the :authrole:`clusterManager` and
2+
:authrole:`clusterMonitor` roles for access to the ``config`` and
3+
``local`` databases.
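Review bot: The shared "See also" text says :authrole:`clusterManager` and :authrole:`clusterMonitor` give "access" to ``config`` and ``local`` without saying what kind, and because this include now replaces the per-role guidance in four places, that ambiguity is repeated everywhere. Consider qualifying it, e.g. "for the cluster-administration privilege actions those roles grant on the ``config`` and ``local`` databases", so a reader who only needs ``read`` or ``readWrite`` on ``local`` is not steered toward a broader cluster role when the scoped-role instructions in the same sections are the least-privilege option.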

source/reference/built-in-roles.txt

Lines changed: 52 additions & 44 deletions
@@ -624,57 +624,61 @@ All-Database Roles
624624

625625
.. versionchanged:: 3.4
626626

627-
The ``admin`` database provides the following roles that apply to but
628-
the ``local`` and ``config`` databases in a :program:`mongod` instance
629-
and are roughly equivalent to their single-database equivalents:
627+
The following roles are available only to users on the ``admin``
628+
database. These roles provide privileges which apply to all
629+
collections except ``system.*`` collections on all databases
630+
except ``local`` and ``config``:
630631

631632
.. authrole:: readAnyDatabase
632633

633-
Provides the same read-only permissions as :authrole:`read`, except
634-
it applies to it applies to all but the ``local`` and ``config``
635-
databases in the cluster. The role also provides the
636-
:authaction:`listDatabases` action on the cluster as a whole.
634+
Provides the same read-only privileges as :authrole:`read` on all
635+
databases except ``local`` and ``config``.
636+
:authrole:`readAnyDatabase` also provides the
637+
:authaction:`listDatabases` privilege action on the cluster.
637638

638639
.. versionchanged:: 3.4
639640

640-
Prior to 3.4, :authrole:`readAnyDatabase` includes ``local`` and
641-
``config`` databases. To provide ``read`` privileges on the
642-
``local`` database, create a user in the ``admin`` database with
643-
:authrole:`read` role in the ``local`` database. See also
644-
:authrole:`clusterManager` and :authrole:`clusterMonitor` role
645-
for access to the ``config`` and ``local`` databases.
641+
:authrole:`readAnyDatabase` no longer
642+
applies to the ``local`` and ``config`` databases. To provide
643+
read privileges on ``local`` and ``config``, create a
644+
user on the ``admin`` database with the :authrole:`read`
645+
role on the ``local`` and ``config`` databases.
646+
647+
.. include:: /includes/seealso-cluster-manager.rst
646648

647649
.. authrole:: readWriteAnyDatabase
648650

649-
Provides the same read and write permissions as
650-
:authrole:`readWrite`, except it applies to all but the ``local``
651-
and ``config`` databases in the cluster. The role also provides the
652-
:authaction:`listDatabases` action on the cluster as a whole.
651+
Provides the same read and write privileges as
652+
:authrole:`readWrite` on all databases except ``local`` and
653+
``config``. :authrole:`readWriteAnyDatabase` also provides the
654+
:authaction:`listDatabases` privilege action on the cluster.
653655

654656
.. versionchanged:: 3.4
655657

656-
Prior to 3.4, :authrole:`readWriteAnyDatabase` includes ``local``
657-
and ``config`` databases. To provide ``readWrite`` privileges on
658-
the ``local`` database, create a user in the ``admin`` database
659-
with :authrole:`readWrite` role in the ``local`` database. See
660-
also :authrole:`clusterManager` and :authrole:`clusterMonitor`
661-
role for access to the ``config`` and ``local`` databases.
658+
:authrole:`readWriteAnyDatabase` no longer
659+
applies to the ``local`` and ``config`` databases. To provide
660+
read and write privileges on ``local`` and ``config``,
661+
create a user on the ``admin`` database with the
662+
:authrole:`readWrite` role on the ``local`` and ``config``
663+
databases.
664+
665+
.. include:: /includes/seealso-cluster-manager.rst
662666

663667
.. authrole:: userAdminAnyDatabase
664668

665669
Provides the same access to user administration operations as
666-
:authrole:`userAdmin`, except it applies to all but the ``local``
667-
and ``config`` databases in the cluster. The role also provides the
668-
following actions on the cluster as a whole:
670+
:authrole:`userAdmin` on all databases except ``local`` and
671+
``config``. :authrole:`userAdminAnyDatabase` also provides the
672+
following privilege actions on the cluster:
669673

670674
- :authaction:`authSchemaUpgrade`
671675
- :authaction:`invalidateUserCache`
672676
- :authaction:`listDatabases`
673677

674-
The role also provides the following actions on the
675-
:data:`admin.system.users` and :data:`admin.system.roles` collections on
676-
the ``admin`` database, and on legacy ``system.users`` collections from
677-
versions of MongoDB prior to 2.6:
678+
The role also provides the following privilege actions on the
679+
:data:`system.users` and :data:`system.roles`
680+
collections on the ``admin`` database, and on legacy
681+
``system.users`` collections from versions of MongoDB prior to 2.6:
678682

679683
- :authaction:`collStats`
680684
- :authaction:`dbHash`
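Review bot: The new introduction (lines 628-630) states that these roles "apply to all collections except ``system.*`` collections on all databases", but later in this same hunk (lines 678-681) :authrole:`userAdminAnyDatabase` is documented as providing privilege actions on the ``system.users`` and ``system.roles`` collections of ``admin``; the blanket exclusion contradicts that paragraph. Suggest "except ``system.*`` collections, unless noted below" or moving the ``system.*`` caveat into the individual role descriptions it applies to. Separately, lines 679-680 change the cross-reference targets from :data:`admin.system.users` / :data:`admin.system.roles` to :data:`system.users` / :data:`system.roles`; confirm those shorter targets exist, otherwise the links will no longer resolve.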
@@ -684,14 +688,14 @@ and are roughly equivalent to their single-database equivalents:
684688
- :authaction:`planCacheRead`
685689

686690
.. versionchanged:: 2.6.4
687-
:authrole:`userAdminAnyDatabase` added the following permissions
688-
on the :data:`admin.system.users` and
691+
:authrole:`userAdminAnyDatabase` added the following privilege
692+
actions on the :data:`admin.system.users` and
689693
:data:`admin.system.roles` collections:
690694

691695
- :authaction:`createIndex`
692696
- :authaction:`dropIndex`
693697

694-
The :authrole:`userAdminAnyDatabase` role does not restrict the permissions
698+
The :authrole:`userAdminAnyDatabase` role does not restrict the privileges
695699
that a user can grant. As a result, :authrole:`userAdminAnyDatabase` users
696700
can grant themselves privileges in excess of their current
697701
privileges and even can grant themselves *all privileges*, even though the
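Review bot: Lines 692-693 keep the :data:`admin.system.users` and :data:`admin.system.roles` targets while the previous hunk changed the same references to :data:`system.users` and :data:`system.roles`; use one target form in both places so the ``versionchanged`` note and the role description link to the same definition. The unchanged warning that :authrole:`userAdminAnyDatabase` users can grant themselves all privileges is the key security statement in this section; the wording swap from "permissions" to "privileges" on line 698 is fine, but please keep that warning adjacent to the role definition rather than letting further restructuring push it below the ``versionchanged`` blocks.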
@@ -700,24 +704,28 @@ and are roughly equivalent to their single-database equivalents:
700704

701705
.. versionchanged:: 3.4
702706

703-
Prior to 3.4, :authrole:`userAdminAnyDatabase` includes ``local``
704-
and ``config`` databases.
707+
:authrole:`userAdminAnyDatabase` no longer
708+
applies to the ``local`` and ``config`` databases.
705709

710+
.. include:: /includes/seealso-cluster-manager.rst
711+
706712
.. authrole:: dbAdminAnyDatabase
707713

708714
Provides the same access to database administration operations as
709-
:authrole:`dbAdmin`, except it applies to all but the ``local`` and
710-
``config`` databases in the cluster. The role also provides the
711-
:authaction:`listDatabases` action on the cluster as a whole.
715+
:authrole:`dbAdmin` on all databases except ``local`` and
716+
``config``. :authrole:`dbAdminAnyDatabase` also provides the
717+
:authaction:`listDatabases` privilege action on the cluster.
712718

713719
.. versionchanged:: 3.4
714720

715-
Prior to 3.4, :authrole:`dbAdminAnyDatabase` includes ``local``
716-
and ``config`` databases. To provide ``dbAdmin`` privileges on
717-
the ``local`` database, create a user in the ``admin`` database
718-
with :authrole:`dbAdmin` role in the ``local`` database. See also
719-
:authrole:`clusterManager` and :authrole:`clusterMonitor` role
720-
for access to the ``config`` and ``local`` databases.
721+
:authrole:`dbAdminAnyDatabase` no longer
722+
applies to the ``local`` and ``config`` databases.
723+
To provide ``dbAdmin`` privileges on ``local`` and ``config``,
724+
create a user on the ``admin`` database with the
725+
:authrole:`dbAdmin` role on the ``local`` and ``config``
726+
databases.
727+
728+
.. include:: /includes/seealso-cluster-manager.rst
721729

722730
.. _superuser:
723731
