@@ -583,6 +583,205 @@ description: |
583583 To manage database users directly through the |mongod| or |mongos|, set to ``true``.
584584 ---
585585program : _shared
586+ name : spec.security.roles
587+ type : array
588+ optional : true
589+ directive : setting
590+ description : |
591+
592+ Array that defines :manual:`User-defined roles
593+ </manual/core/security-user-defined-roles/>` that give you
594+ fine-grained access control over your MongoDB deployment.
595+
596+ To enable user-defined roles, the
597+ :setting:`spec.security.authentication.enabled` must be ``true``.
598+
599+ .. example::
600+
601+ In this example, a user-defined role named ``customRole`` allows
602+ users assigned this role to:
603+
604+ - Insert documents into the ``cats`` collection in the ``pets``
605+ database, and
606+ - Find and insert documents into the ``dogs`` collection in the
607+ ``pets`` database.
608+
609+ .. literalinclude:: /includes/code-examples/yaml-files/example-custom-role.yaml
610+ :language: yaml
611+ :linenos:
612+ :emphasize-lines: 15-34
613+
614+ ---
615+ program : _shared
616+ name : spec.security.roles.role
617+ type : string
618+ directive : setting
619+ optional : true
620+ description : |
621+
622+ Name of the user-defined role.
623+
624+ ---
625+ program : _shared
626+ name : spec.security.roles.db
627+ type : string
628+ directive : setting
629+ optional : true
630+ description : |
631+
632+ The database in which you want to store the user-defined role.
633+
634+ .. example::
635+
636+ ``admin``
637+
638+ ---
639+ program : _shared
640+ name : spec.security.roles.authenticationRestrictions
641+ type : array
642+ directive : setting
643+ optional : true
644+ description : |
645+ Array that defines the IP address from which and to which users
646+ assigned this :setting:`spec.security.roles.role` can
647+ connect.
648+
649+ ---
650+ program : _shared
651+ name : spec.security.roles.authenticationRestrictions.clientSource
652+ type : array
653+ directive : setting
654+ optional : true
655+ description : |
656+
657+ Array of IP addresses or CIDR blocks from which users assigned this
658+ :setting:`spec.security.roles.role` can connect.
659+
660+ MongoDB servers reject connection requests from users with this role
661+ if the requests come from a client that is not present in this array.
662+
663+ ---
664+ program : _shared
665+ name : spec.security.roles.authenticationRestrictions.serverAddress
666+ type : array
667+ directive : setting
668+ optional : true
669+ description : |
670+
671+ Array of IP addresses or CIDR blocks to which users assigned this
672+ :setting:`spec.security.roles.role` can connect.
673+
674+ Users *can not* connect to this MongoDB deployment if they possess
675+ this role and they sent the connection request to a server that is not
676+ present in this array.
677+
678+ MongoDB servers reject connection requests from users with this role
679+ if the client requests to connect to a server that is not present in
680+ this array.
681+
682+ ---
683+ program : _shared
684+ name : spec.security.roles.privileges
685+ type : array
686+ directive : setting
687+ optional : true
688+ description : |
689+
690+ Array that describes the privileges that users granted this role
691+ possess.
692+
693+ ---
694+ program : _shared
695+ name : spec.security.roles.privileges.actions
696+ type : array
697+ directive : setting
698+ optional : true
699+ description : |
700+
701+ List of actions that users granted this role can perform. For a list
702+ of accepted values, see :manual:`Privilege Actions
703+ </reference/privilege-actions/#database-management-actions>` in the
704+ MongoDB Manual for the MongoDB versions you deploy with the
705+ |k8s-op-short|.
706+
707+ ---
708+ program : _shared
709+ name : spec.security.roles.privileges.resource
710+ type : collection
711+ directive : setting
712+ optional : true
713+ description : |
714+
715+ Resources for which the privilege
716+ :setting:`~spec.security.roles.privileges.actions`
717+ apply.
718+
719+ This collection must include either:
720+
721+ - The
722+ :setting:`spec.security.roles.privileges.resource.database`
723+ and
724+ :setting:`spec.security.roles.privileges.resource.collection`
725+ settings, or
726+ - The
727+ :setting:`spec.security.roles.privileges.resource.cluster`
728+ setting with a value of ``true``.
729+
730+ ---
731+ program : _shared
732+ name : spec.security.roles.privileges.resource.database
733+ type : string
734+ directive : setting
735+ optional : true
736+ description : |
737+
738+ Database for which the privilege
739+ :setting:`~spec.security.roles.privileges.actions`
740+ apply.
741+
742+ If you provide a value for this setting, you must also provide a value
743+ for
744+ :setting:`spec.security.roles.privileges.resource.collection`.
745+
746+ ---
747+ program : _shared
748+ name : spec.security.roles.privileges.resource.collection
749+ type : string
750+ directive : setting
751+ optional : true
752+ description : |
753+
754+ Collection in the
755+ :setting:`~spec.security.roles.privileges.resource.database`
756+ for which the privilege
757+ :setting:`~spec.security.roles.privileges.actions`
758+ apply.
759+
760+ If you provide a value for this setting, you must also provide a value
761+ for
762+ :setting:`spec.security.roles.privileges.resource.database`.
763+
764+ ---
765+ program : _shared
766+ name : spec.security.roles.privileges.resource.cluster
767+ type : boolean
768+ directive : setting
769+ optional : true
770+ default : false
771+ description : |
772+
773+ Flag that indicates that the privilege
774+ :setting:`~spec.security.roles.privileges.actions`
775+ apply to all databases and collections in the MongoDB deployment. If
776+ omitted, defaults to ``false``.
777+
778+ If set to true, do not provide values for
779+ :setting:`spec.security.roles.privileges.resource.database`
780+ and
781+ :setting:`spec.security.roles.privileges.resource.collection`.
782+
783+ ---
784+ program : _shared
586785name : spec.security.authentication.ldap
587786type : collection
588787directive : setting
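Review bot: the ``serverAddress`` description (lines 674-680) states the same rejection rule twice; the "Users *can not* connect to this MongoDB deployment..." paragraph and the "MongoDB servers reject connection requests..." paragraph say the same thing, so keep only the second one (which matches the wording used for ``clientSource``) and, if the first is retained, change "can not" to "cannot". In the ``resource.cluster`` description, "If set to true" should use the literal ``true`` as elsewhere in the hunk, and the text says not to provide ``database``/``collection`` alongside ``cluster: true`` without stating what the operator does when both are present (rejected, or cluster wins); since this is what decides the scope of the granted privilege, please document the actual behaviour. Also confirm the ``/includes/code-examples/yaml-files/example-custom-role.yaml`` file referenced by the ``literalinclude`` (with ``:emphasize-lines: 15-34``) is added in this change, as it is not in this hunk.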