db.updateUser()¶

~~On this page~~本页内容

~~Definition~~定义
~~Behavior~~行为
Required Access
~~Example~~示例

Definition定义¶

db.updateUser(username, update, writeConcern)¶

~~Updates the user’s profile on the database on which you run the method.~~ 在运行该方法的数据库上更新用户的配置文件。~~An update to a field completely replaces the previous field’s values.~~ 对字段的更新会完全替换上一个字段的值。~~This includes updates to the user’s roles array.~~这包括对用户roles数组的更新。

Warning

~~When you update the roles array, you completely replace the previous array’s values.~~ 更新roles数组时，将完全替换上一个数组的值。~~To add or remove roles without replacing all the user’s existing roles, use the db.grantRolesToUser() or db.revokeRolesFromUser() methods.~~要在不替换所有用户现有角色的情况下添加或删除角色，请使用db.grantRolesToUser()或db.revokeRolesFromUser()方法。

~~The db.updateUser() method uses the following syntax:~~db.updateUser()方法使用以下语法：

Tip

Starting in version 4.2 of the mongo shell, you can use the passwordPrompt() method in conjunction with various user authentication/management methods/commands to prompt for the password instead of specifying the password directly in the method/command call. 从mongo shell的4.2版开始，您可以将passwordPrompt()方法与各种用户身份验证/管理方法/命令结合使用，以提示输入密码，而不是直接在方法/命令调用中指定密码。~~However, you can still specify the password directly as you would with earlier versions of the mongo shell.~~但是，您仍然可以像使用早期版本的mongo shell一样直接指定密码。

db.updateUser(
   "<username>",
   {
     customData : { <any information> },
     roles : [
       { role: "<role>", db: "<database>" } | "<role>",
       ...
     ],
     pwd: passwordPrompt(),      // Or  "<cleartext password>"
     authenticationRestrictions: [
        {
          clientSource: ["<IP>" | "<CIDR range>", ...],
          serverAddress: ["<IP>", | "<CIDR range>", ...]
        },
        ...
     ],
     mechanisms: [ "<SCRAM-SHA-1|SCRAM-SHA-256>", ... ],
     passwordDigestor: "<server|client>"
   },
   writeConcern: { <write concern> }
)

~~The db.updateUser() method has the following arguments.~~db.updateUser()方法具有以下参数。

~~Parameter~~参数	~~Type~~类型	~~Description~~描述
`username`	string	~~The name of the user to update.~~要更新的用户的名称。
`update`	document	~~A document containing the replacement data for the user.~~ 包含用户替换数据的文档。~~This data completely replaces the corresponding data for the user.~~此数据完全替换用户的相应数据。
`writeConcern`	document	~~Optional.~~可选。~~The level of write concern for the update operation.~~ 更新操作的写入关注级别。~~The `writeConcern` document takes the same fields as the `getLastError` command.~~`writeConcern`文档采用与`getLastError`命令相同的字段。

~~The update document specifies the fields to update and their new values.~~ update文档指定要更新的字段及其新值。~~All fields in the update document are optional, but must include at least one field.~~update文档中的所有字段都是可选的，但必须至少包含一个字段。

~~The update document has the following fields:~~update文档包含以下字段：

~~Field~~字段	~~Type~~类型	~~Description~~描述
`customData`	document	~~Optional.~~可选。~~Any arbitrary information.~~任何武断的信息。
`roles`	array	~~Optional.~~可选。~~The roles granted to the user.~~ 授予用户的角色。~~An update to the `roles` array overrides the previous array’s values.~~对`roles`数组的更新会覆盖上一个数组的值。
`pwd`	string	~~Optional.~~可选。~~The user’s password. The value can be either:~~用户的密码。该值可以是： ~~the user’s password in cleartext string, or~~明文字符串形式的用户密码，或 `passwordPrompt()` ~~to prompt for the user’s password.~~提示输入用户密码。 Tip Starting in version 4.2 of the `mongo` shell, you can use the `passwordPrompt()` method in conjunction with various user authentication/management methods/commands to prompt for the password instead of specifying the password directly in the method/command call. 从`mongo` shell的4.2版开始，您可以将`passwordPrompt()`方法与各种用户身份验证/管理方法/命令结合使用，以提示输入密码，而不是直接在方法/命令调用中指定密码。~~However, you can still specify the password directly as you would with earlier versions of the `mongo` shell.~~但是，您仍然可以像使用早期版本的mongo shell一样直接指定密码。
`authenticationRestrictions`	array	~~Optional.~~可选。~~The authentication restrictions the server enforces upon the user.~~ 服务器对用户实施的身份验证限制。~~Specifies a list of IP addresses and CIDR ranges from which the user is allowed to connect to the server or from which the server can accept users.~~指定允许用户连接到服务器或服务器可以接受用户的IP地址和CIDR范围的列表。 ~~New in version 3.6.~~版本3.6中的新功能。
`mechanisms`	array	~~Optional.~~可选。~~The specific SCRAM mechanism or mechanisms for the user credentials.~~ 用户凭证的特定紧急停堆机制。~~If `authenticationMechanisms` is specified, you can only specify a subset of the `authenticationMechanisms`.~~如果指定了`authenticationMechanisms`，则只能指定`authenticationMechanisms`的子集。 If updating the mechanisms field without the password, you can only specify a subset of the user’s current mechanisms, and only the existing user credentials for the specified mechanism or mechanisms are retained.如果在不使用密码的情况下更新“机制”字段，则只能指定用户当前机制的子集，并且仅保留指定机制的现有用户凭据。 ~~If updating the password along with the mechanisms, new set of credentials are stored for the user.~~如果同时更新密码和机制，将为用户存储一组新的凭据。 Valid values are: `"SCRAM-SHA-1"` ~~Uses the `SHA-1` hashing function.~~使用`SHA-1`哈希函数。 `"SCRAM-SHA-256"` ~~Uses the `SHA-256` hashing function.~~使用`SHA-256`哈希函数。 ~~Requires featureCompatibilityVersion set to `4.0`.~~需要将`featureCompatibilityVersion`设置为`4.0`。 ~~Requires passwordDigestor to be `server`.~~需要将`passwordDigestor`设置为`server`。 ~~New in version 4.0.~~版本4.0中的新功能。
`passwordDigestor`	string	~~Optional.~~可选。~~Indicates whether the server or the client digests the password.~~指示服务器或客户端是解析密码。 Available values are: `"server"` (Default) ~~The server receives undigested password from the client and digests the password.~~服务器从客户端接收未消化的密码，并消化密码 `"client"` (Not compatible with `SCRAM-SHA-256`) ~~The client digests the password and passes the digested password to the server.~~客户端解析密码并将解析后的密码传递给服务器。 ~~Changed in version 4.0.~~在版本4.0中更改。~~The default value is `"server"`.~~ 默认值为`"server"`。~~In earlier versions, the default value is `"client"`.~~在早期版本中，默认值为`"client"`。

Roles角色¶

~~In the roles field, you can specify both built-in roles and user-defined roles.~~在roles字段中，可以指定内置角色和用户定义角色。

~~To specify a role that exists in the same database where db.updateUser() runs, you can either specify the role with the name of the role:~~要指定运行db.updateUser()的同一数据库中存在的角色，可以使用该角色的名称指定该角色：

"readWrite"

~~Or you can specify the role with a document, as in:~~也可以通过文档指定角色，如中所示：

{ role: "<role>", db: "<database>" }

~~To specify a role that exists in a different database, specify the role with a document.~~要指定存在于其他数据库中的角色，请使用文档指定该角色。

Authentication Restrictions身份验证限制¶

~~New in version 3.6.~~版本3.6中的新功能。

~~The authenticationRestrictions document can contain only the following fields.~~ authenticationRestrictions文档只能包含以下字段。~~The server throws an error if the authenticationRestrictions document contains an unrecognized field:~~如果authenticationRestrictions文档包含无法识别的字段，服务器将抛出错误：

~~Field Name~~字段名	~~Value~~值	~~Description~~描述
`clientSource`	~~Array of IP addresses and/or CIDR ranges~~IP地址和/或CIDR范围数组	~~If present, when authenticating a user, the server verifies that the client’s IP address is either in the given list or belongs to a CIDR range in the list.~~ 如果存在，在对用户进行身份验证时，服务器会验证客户端的IP地址是否在给定列表中，或者是否属于列表中的CIDR范围。~~If the client’s IP address is not present, the server does not authenticate the user.~~如果客户端的IP地址不存在，则服务器不会对用户进行身份验证。
`serverAddress`	~~Array of IP addresses and/or CIDR ranges~~IP地址和/或CIDR范围数组	~~A list of IP addresses or CIDR ranges to which the client can connect.~~ 客户端可以连接到的IP地址或CIDR范围的列表。~~If present, the server will verify that the client’s connection was accepted via an IP address in the given list.~~ 如果存在，服务器将验证客户端的连接是否通过给定列表中的IP地址被接受。~~If the connection was accepted via an unrecognized IP address, the server does not authenticate the user.~~如果通过无法识别的IP地址接受连接，则服务器不会对用户进行身份验证。

Important

~~If a user inherits multiple roles with incompatible authentication restrictions, that user becomes unusable.~~如果用户继承了多个身份验证限制不兼容的角色，则该用户将无法使用。

For example, if a user inherits one role in which the clientSource field is ["198.51.100.0"] and another role in which the clientSource field is ["203.0.113.0"] the server is unable to authenticate the user.例如，如果用户继承了clientSource字段为["198.51.100.0"]的一个角色和clientSource字段为["203.0.113.0"]的另一个角色，则服务器无法对该用户进行身份验证。

~~For more information on authentication in MongoDB, see Authentication.~~有关MongoDB中身份验证的更多信息，请参阅身份验证。

The db.updateUser() method wraps the updateUser command.

Behavior行为¶

Replica set复制集¶

~~If run on a replica set, db.updateUser() is executed using majority write concern by default.~~如果在副本集上运行，默认情况下，db.updateUser()将使用majority写入关注点执行。

Encyption百科全书¶

Warning

~~By default, db.updateUser() sends all specified data to the MongoDB instance in cleartext, even if using passwordPrompt().~~ 默认情况下，db.updateUser()将所有指定的数据以明文形式发送到MongoDB实例，即使使用passwordPrompt()。~~Use TLS transport encryption to protect communications between clients and the server, including the password sent by db.updateUser().~~ 使用TLS传输加密来保护客户端和服务器之间的通信，包括db.updateUser()发送的密码。~~For instructions on enabling TLS transport encryption, see Configure mongod and mongos for TLS/SSL.~~有关启用TLS传输加密的说明，请参阅为TLS/SSL配置mongod和mongos。

~~MongoDB does not store the password in cleartext.~~ MongoDB不以明文形式存储密码。~~The password is only vulnerable in transit between the client and the server, and only if TLS transport encryption is not enabled.~~只有在客户端和服务器之间传输时，并且只有在未启用TLS传输加密的情况下，密码才有漏洞。

Required Access所需访问权限¶

~~You must have access that includes the revokeRole action on all databases in order to update a user’s roles array.~~为了更新用户的角色数组，必须对所有数据库具有包括revokeRole操作的访问权限。

~~You must have the grantRole action on a role’s database to add a role to a user.~~要向用户添加角色，必须对角色的数据库执行grantRole操作。

~~To change another user’s pwd or customData field, you must have the changeAnyPassword and changeAnyCustomData actions respectively on that user’s database.~~要更改其他用户的pwd或customData字段，必须在该用户的数据库上分别设置changeAnyPassword和changeAnyCustomData操作。

~~To modify your own password and custom data, you must have privileges that grant changeOwnPassword and changeOwnCustomData actions respectively on the user’s database.~~要修改自己的密码和自定义数据，您必须拥有在用户数据库上分别授予changeOwnPassword和changeOwnCustomData操作的权限。

Example示例¶

~~Given a user appClient01 in the products database with the following user info:~~给定products数据库中的用户appClient01，其用户信息如下：

{
   _id : "products.appClient01",
   userId : UUID("c5d88855-3f1e-46cb-9c8b-269bef957986"), // Starting in MongoDB 4.0.9
   user : "appClient01",
   db : "products",
   customData : { empID : "12345", badge : "9156" },
   roles : [
       {
         role : "readWrite",
         db : "products"
       },
       {
         role : "read",
         db : "inventory"
       }
   ],
   mechanisms : [         // Starting in MongoDB 4.0
      "SCRAM-SHA-1",
      "SCRAM-SHA-256"
   ],
   authenticationRestrictions : [ {
      clientSource: ["69.89.31.226"],
      serverAddress: ["172.16.254.1"]
   } ]
}

~~The following db.updateUser() method completely replaces the user’s customData and roles data:~~以下db.updateUser()方法完全替换用户的customData和roles数据：

use products
db.updateUser( "appClient01",
{
   customData : { employeeId : "0x3039" },
   roles : [
      { role : "read", db : "assets"  }
   ]
} )

~~The user appClient01 in the products database now has the following user information:~~products数据库中的用户appClient01现在具有以下用户信息：

{
   _id : "products.appClient01",
   userId : UUID("c5d88855-3f1e-46cb-9c8b-269bef957986"), // Starting in MongoDB 4.0.9
   user : "appClient01",
   db : "products",
   customData : { employeeId : "0x3039" },
   roles : [
       {
         role : "read",
         db : "assets"
       }
   ],
   mechanisms : [           // Starting in MongoDB 4.0
      "SCRAM-SHA-1",
      "SCRAM-SHA-256"
   ],
   authenticationRestrictions : [ {
      clientSource: ["69.89.31.226"],
      serverAddress: ["172.16.254.1"]
   } ]
}

Update User to Use `SCRAM-SHA-256` Credentials Only更新用户以仅使用`SCRAM-SHA-256`凭据¶

Note

~~To use SCRAM-SHA-256, the featureCompatibilityVersion must be set to 4.0.~~ 要使用SCRAM-SHA-256，featureCompatibilityVersion必须设置为4.0。~~For more information on featureCompatibilityVersion, see View FeatureCompatibilityVersion and setFeatureCompatibilityVersion.~~有关featureCompatibilityVersion的更多信息，请参阅查看featureCompatibilityVersion和setFeatureCompatibilityVersion。

~~The following operation updates a user who currently have both SCRAM-SHA-256 and SCRAM-SHA-1 credentials to have only SCRAM-SHA-256 credentials.~~以下操作将当前同时拥有SCRAM-SHA-256和SCRAM-SHA-1凭据的用户更新为仅拥有SCRAM-SHA-256凭据。