Skip to content

Commit 57f6430

Browse files
(DOCS-11283): Document showAuthenticationRestrictions option for roles (#2195) (#2205)
* Add examples to db.getRole() * update getRoles rolesInfo command * add examples for rolesInfo command * add replacement * alphabetize * minimalism * tweaks * fix build warning * add example section lead-ins * wording
1 parent b514dff commit 57f6430

File tree

5 files changed

+455
-110
lines changed

5 files changed

+455
-110
lines changed
Lines changed: 7 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,7 @@
1+
Optional. Set this field to ``true`` to include :ref:`authentication
2+
restrictions <create-role-auth-restrictions>` in the output.
3+
Authentication restrictions indicate the IP addresses that users with
4+
this role can connect to and from.
5+
6+
By default, this field is ``false``, meaning that the |getRoleMethod|
7+
output does not include authentication restrictions.

source/reference/command/createRole.txt

Lines changed: 2 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -125,6 +125,8 @@ Roles
125125

126126
.. include:: /includes/fact-roles-array-contents.rst
127127

128+
.. _create-role-auth-restrictions:
129+
128130
Authentication Restrictions
129131
~~~~~~~~~~~~~~~~~~~~~~~~~~~
130132

source/reference/command/rolesInfo.txt

Lines changed: 181 additions & 51 deletions
Original file line numberDiff line numberDiff line change
@@ -7,12 +7,14 @@ rolesInfo
77
.. contents:: On this page
88
:local:
99
:backlinks: none
10-
:depth: 1
10+
:depth: 2
1111
:class: singlecol
1212

1313
Definition
1414
----------
1515

16+
.. |getRoleMethod| replace:: ``rolesInfo``
17+
1618
.. dbcommand:: rolesInfo
1719

1820
Returns inheritance and privilege information for specified roles,
@@ -28,63 +30,54 @@ Definition
2830

2931
{
3032
rolesInfo: { role: <name>, db: <db> },
31-
showPrivileges: <Boolean>,
33+
showAuthenticationRestrictions: <Boolean>,
3234
showBuiltinRoles: <Boolean>,
35+
showPrivileges: <Boolean>,
3336
comment: <any>
3437
}
3538

3639
:dbcommand:`rolesInfo` has the following fields:
3740

3841

39-
.. list-table::
40-
:header-rows: 1
41-
:widths: 20 20 80
42-
43-
* - Field
44-
45-
- Type
46-
47-
- Description
48-
49-
* - ``rolesInfo``
50-
51-
- string, document, array, or integer
52-
53-
- The role(s) to return information about. For the syntax for specifying
54-
roles, see :ref:`rolesinfo-behavior`.
55-
56-
42+
.. list-table::
43+
:header-rows: 1
44+
:widths: 20 20 80
45+
46+
* - Field
47+
- Type
48+
- Description
49+
50+
* - ``rolesInfo``
51+
- string, document, array, or integer
52+
- The role(s) to return information about. For the syntax for specifying
53+
roles, see :ref:`rolesinfo-behavior`.
5754

58-
* - ``showPrivileges``
59-
60-
- boolean
61-
62-
- Optional. Set the field to ``true`` to show role privileges, including both privileges
63-
inherited from other roles and privileges defined directly. By default, the
64-
command returns only the roles from which this role inherits privileges and
65-
does not return specific privileges.
66-
67-
68-
69-
* - ``showBuiltinRoles``
70-
71-
- boolean
72-
73-
- Optional. When the ``rolesInfo`` field is set to ``1``, set ``showBuiltinRoles`` to
74-
``true`` to include :ref:`built-in roles <built-in-roles>` in the output.
75-
By default this field is set to ``false``, and the output for ``rolesInfo:
76-
1`` displays only :ref:`user-defined roles <user-defined-roles>`.
77-
78-
79-
80-
* - ``comment``
81-
82-
- any
83-
84-
- .. include:: /includes/extracts/comment-content.rst
55+
* - ``showAuthenticationRestrictions``
56+
- boolean
57+
- .. include:: /includes/fact-show-auth-restrictions-description.rst
58+
59+
* - ``showBuiltinRoles``
60+
- boolean
61+
- Optional. When the ``rolesInfo`` field is set to ``1``, set
62+
``showBuiltinRoles`` to ``true`` to include :ref:`built-in roles
63+
<built-in-roles>` in the output. By default, this field is set to
64+
``false``, and the output for ``rolesInfo: 1`` displays only
65+
:ref:`user-defined roles <user-defined-roles>`.
8566

86-
.. versionadded:: 4.4
87-
67+
* - ``showPrivileges``
68+
- boolean
69+
- Optional. Set the field to ``true`` to show role privileges,
70+
including both privileges inherited from other roles and
71+
privileges defined directly. By default, the command returns only
72+
the roles from which this role inherits privileges and does not
73+
return specific privileges.
74+
75+
* - ``comment``
76+
- any
77+
- .. include:: /includes/extracts/comment-content.rst
78+
79+
.. versionadded:: 4.4
80+
8881
.. _rolesinfo-behavior:
8982

9083
Behavior
@@ -202,6 +195,21 @@ Output
202195
Examples
203196
--------
204197

198+
The examples in this section show how to use the ``rolesInfo`` command
199+
to:
200+
201+
- :ref:`rolesInfo-example-single-role`
202+
203+
- :ref:`rolesInfo-example-multiple-roles`
204+
205+
- :ref:`rolesInfo-example-user-defined-roles`
206+
207+
- :ref:`rolesInfo-example-user-defined-and-built-in-roles`
208+
209+
- :ref:`rolesInfo-example-auth-restrictions`
210+
211+
.. _rolesInfo-example-single-role:
212+
205213
View Information for a Single Role
206214
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
207215

@@ -239,8 +247,10 @@ for the role ``associate`` defined on the ``products`` database:
239247
}
240248
)
241249

242-
View Information for Several Roles
243-
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
250+
.. _rolesInfo-example-multiple-roles:
251+
252+
View Information for Multiple Roles
253+
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
244254

245255
The following command returns information for two roles on two different
246256
databases:
@@ -270,6 +280,8 @@ The following returns *both* the role inheritance and the privileges:
270280
}
271281
)
272282

283+
.. _rolesInfo-example-user-defined-roles:
284+
273285
View All User-Defined Roles for a Database
274286
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
275287

@@ -286,6 +298,49 @@ privileges:
286298
}
287299
)
288300

301+
Example output (shortened for readability):
302+
303+
.. code-block:: javascript
304+
:copyable: false
305+
306+
{
307+
roles: [
308+
{
309+
_id: 'products.associate',
310+
role: 'associate',
311+
db: 'products',
312+
privileges: [
313+
{
314+
resource: { db: 'products', collection: '' },
315+
actions: [ 'bypassDocumentValidation' ]
316+
}
317+
],
318+
roles: [ { role: 'readWrite', db: 'products' } ],
319+
isBuiltin: false,
320+
inheritedRoles: [ { role: 'readWrite', db: 'products' } ],
321+
inheritedPrivileges: [
322+
{
323+
resource: { db: 'products', collection: '' },
324+
actions: [ 'bypassDocumentValidation' ]
325+
},
326+
{
327+
resource: { db: 'products', collection: '' },
328+
actions: [
329+
'changeStream',
330+
'collStats',
331+
'compactStructuredEncryptionData',
332+
...
333+
]
334+
},
335+
...
336+
]
337+
}
338+
],
339+
ok: 1
340+
}
341+
342+
.. _rolesInfo-example-user-defined-and-built-in-roles:
343+
289344
View All User-Defined and Built-In Roles for a Database
290345
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
291346

@@ -300,3 +355,78 @@ runs, including both built-in and user-defined roles:
300355
showBuiltinRoles: true
301356
}
302357
)
358+
359+
Example output (shortened for readability):
360+
361+
.. code-block:: javascript
362+
:copyable: false
363+
364+
{
365+
roles: [
366+
{
367+
role: 'enableSharding',
368+
db: 'products',
369+
isBuiltin: true,
370+
roles: [],
371+
inheritedRoles: []
372+
},
373+
{
374+
role: 'userAdmin',
375+
db: 'products',
376+
isBuiltin: true,
377+
roles: [],
378+
inheritedRoles: []
379+
},
380+
{
381+
role: 'read',
382+
db: 'products',
383+
isBuiltin: true,
384+
roles: [],
385+
inheritedRoles: []
386+
},
387+
...
388+
],
389+
ok: 1
390+
}
391+
392+
.. _rolesInfo-example-auth-restrictions:
393+
394+
View Authentication Restrictions for Roles
395+
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
396+
397+
The following operation returns all user-defined roles on the
398+
``products`` database and includes authentication restrictions:
399+
400+
.. code-block:: javascript
401+
402+
db.runCommand(
403+
{
404+
rolesInfo: 1,
405+
showAuthenticationRestrictions: true
406+
}
407+
)
408+
409+
Example output:
410+
411+
.. code-block:: javascript
412+
:copyable: false
413+
414+
{
415+
roles: [
416+
{
417+
_id: 'products.associate',
418+
role: 'associate',
419+
db: 'products',
420+
roles: [ { role: 'readWrite', db: 'products' } ],
421+
authenticationRestrictions: [
422+
[ { clientSource: [ '198.51.100.0' ] } ]
423+
],
424+
isBuiltin: false,
425+
inheritedRoles: [ { role: 'readWrite', db: 'products' } ],
426+
inheritedAuthenticationRestrictions: [
427+
[ { clientSource: [ '198.51.100.0' ] } ]
428+
]
429+
}
430+
],
431+
ok: 1
432+
}

0 commit comments

Comments
 (0)