createUser

~~On this page~~本页内容

~~Definition~~定义
~~Behavior~~行为
~~Required Access~~所需访问权限
~~Example~~示例

Definition定义

createUser

~~Creates a new user on the database where you run the command.~~ 在运行命令的数据库上创建新用户。~~The createUser command returns a duplicate user error if the user exists.~~ 如果用户存在，createUser命令将返回重复的用户错误。~~The createUser command uses the following syntax:~~createUser命令使用以下语法：

~~Tip~~提示

Starting in version 4.2 of the mongo shell, you can use the passwordPrompt() method in conjunction with various user authentication/management methods/commands to prompt for the password instead of specifying the password directly in the method/command call. 从mongoshell的4.2版开始，您可以将passwordPrompt()方法与各种用户身份验证/管理方法/命令结合使用，以提示输入密码，而不是直接在方法/命令调用中指定密码。~~However, you can still specify the password directly as you would with earlier versions of the mongo shell.~~但是，您仍然可以像使用早期版本的mongoshell那样直接指定密码。

{
  createUser: "<name>",
  pwd: passwordPrompt(),
      // Or  "<cleartext password>"
  customData: { <any information> },
  roles: [
    { role: "<role>", db: "<database>" } | "<role>",
    ...
  ],
  writeConcern: { <write concern> },
  authenticationRestrictions: [
     { clientSource: [ "<IP|CIDR range>", ... ], serverAddress: [ "<IP|CIDR range>", ... ] },
     ...
  ],
  mechanisms: [ "<scram-mechanism>", ... ],  //Available starting in MongoDB 4.0
  digestPassword: <boolean>,
  comment: <any>
}

createUser ~~has the following fields:~~具有以下字段：

~~Field~~字段	~~Type~~类型	~~Description~~描述
`createUser`	string	~~The name of the new user.~~新用户的名称。
`pwd`	string	~~The user's password.~~ 用户的密码。~~The `pwd` field is not required if you run `createUser` on the `$external` database to create users who have credentials stored externally to MongoDB.~~如果在`$external`数据库上运行`createUser`以创建具有存储在MongoDB外部的凭据的用户，则不需要pwd字段。 ~~The value can be either:~~该值可以是： ~~the user's password in cleartext string, or~~明文字符串中的用户密码，或 `passwordPrompt()` ~~to prompt for the user's password.~~提示输入用户密码。 ~~Tip~~提示 Starting in version 4.2 of the `mongo` shell, you can use the `passwordPrompt()` method in conjunction with various user authentication/management methods/commands to prompt for the password instead of specifying the password directly in the method/command call. 从mongoshell的4.2版开始，您可以将`passwordPrompt()`方法与各种用户身份验证/管理方法/命令结合使用，以提示输入密码，而不是直接在方法/命令调用中指定密码。~~However, you can still specify the password directly as you would with earlier versions of the `mongo` shell.~~但是，您仍然可以像使用早期版本的`mongo`shell那样直接指定密码。
`customData`	document	~~Optional.~~ 可选。~~Any arbitrary information.~~ 任何任意信息。~~This field can be used to store any data an admin wishes to associate with this particular user.~~ 此字段可用于存储管理员希望与此特定用户关联的任何数据。~~For example, this could be the user's full name or employee id.~~ 例如，这可以是用户的全名或员工id。
`roles`	array	~~The roles granted to the user.~~ 授予用户的角色。~~Can specify an empty array `[]` to create users without roles.~~ 可以指定空数组`[]`来创建没有角色的用户。
`digestPassword`	boolean	~~Optional.~~ 可选。~~Indicates whether the server or the client digests the password.~~指示服务器还是客户端对密码进行摘要。 ~~If true, the server receives undigested password from the client and digests the password.~~如果为`true`，则服务器从客户端接收未消化的密码并消化密码。 ~~If false, the client digests the password and passes the digested password to the server.~~ 如果为`false`，则客户端对密码进行消化，并将消化后的密码传递给服务器。~~Not compatible with `SCRAM-SHA-256`~~与`SCRAM-SHA-256`不兼容 Changed in version 4.0.在版本4.0中更改。 ~~The default value is `true`.~~ 默认值为`true`。~~In earlier versions, the default value is `false`.~~在早期版本中，默认值为`false`。
`writeConcern`	document	~~Optional.~~ 可选。~~The level of write concern for the operation. See Write Concern Specification.~~有关操作的写入关注级别，请参阅写入关注规范。
`authenticationRestrictions`	array	~~Optional.~~ 可选。~~The authentication restrictions the server enforces on the created user.~~ 服务器对创建的用户实施的身份验证限制。~~Specifies a list of IP addresses and CIDR ranges from which the user is allowed to connect to the server or from which the server can accept users.~~ 指定允许用户连接到服务器或服务器可以接受用户的IP地址和CIDR范围的列表。
`mechanisms`	array	~~Optional.~~ 可选。~~Specify the specific SCRAM mechanism or mechanisms for creating SCRAM user credentials.~~ 指定用于创建SCRAM用户凭据的特定SCRAM机制。~~If `authenticationMechanisms` is specified, you can only specify a subset of the `authenticationMechanisms`.~~如果指定了`authenticationMechanisms`，则只能指定`authenticationMechanisms`的子集。 ~~Valid values are:~~有效值为： `"SCRAM-SHA-1"` ~~Uses the `SHA-1` hashing function.~~使用`SHA-1`哈希函数。 `"SCRAM-SHA-256"` ~~Uses the `SHA-256` hashing function.~~使用`SHA-256`哈希函数。 ~~Requires featureCompatibilityVersion set to `4.0`.~~需要将`featureCompatibilityVersion`设置为`4.0`。 ~~Requires digestPassword to be `true`.~~要求`digitalPassword`为`true`。 ~~The default for featureCompatibilityVersion is `4.0` is both `SCRAM-SHA-1` and `SCRAM-SHA-256`.~~`featureCompatibilityVersion`的默认值为`4.0`，即`SCRAM-SHA-1`和`SCRAM-SHA-256`。 ~~The default for featureCompatibilityVersion is `3.6` is `SCRAM-SHA-1`.~~`featureCompatibilityVersion`的默认值为`3.6`，即`SCRAM-SHA-1`。 New in version 4.0.在版本4.0中新增。
`digestPassword`	boolean	~~Optional.~~ 可选。~~Indicates whether the server or the client digests the password.~~指示服务器还是客户端对密码进行摘要。 ~~If true, the server receives undigested password from the client and digests the password.~~如果为`true`，则服务器从客户端接收未消化的密码并消化密码。 ~~If false, the client digests the password and passes the digested password to the server.~~ 如果为`false`，则客户端对密码进行消化，并将消化后的密码传递给服务器。~~Not compatible with `SCRAM-SHA-256`~~与`SCRAM-SHA-256`不兼容 Changed in version 4.0.在版本4.0中更改。 ~~The default value is `true`.~~ 默认值为`true`。~~In earlier versions, the default value is `false`.~~在早期版本中，默认值为`false`。
`comment`	any	~~Optional.~~ 可选。~~A user-provided comment to attach to this command.~~ 用户提供了附加到此命令的注释。~~Once set, this comment appears alongside records of this command in the following locations:~~设置后，此注释将与此命令的记录一起显示在以下位置： ~~mongod log messages, in the `attr.command.cursor.comment` field.~~`mongod`日志消息，在`attr.command.cursor.comment`字段中。 ~~Database profiler output, in the `command.comment` field.~~数据库探查器输出，在`command.comment`字段中。 ~~`currentOp` output, in the `command.comment` field.~~`currentOp`输出，在`command.comment`字段中。 ~~A comment can be any valid BSON type(string, integer, object, array, etc).~~注释可以是任何有效的BSON类型（字符串、整数、对象、数组等）。 New in version 4.4.在版本4.4中新增。

Roles角色

~~In the roles field, you can specify both built-in roles and user-defined roles.~~在roles字段中，可以指定内置角色和用户定义角色。

~~To specify a role that exists in the same database where createUser runs, you can either specify the role with the name of the role:~~要指定存在于运行createUser的同一数据库中的角色，可以使用角色名称指定角色：

"readWrite"

~~Or you can specify the role with a document, as in:~~也可以使用文档指定角色，如：

{ role: "<role>", db: "<database>" }

~~To specify a role that exists in a different database, specify the role with a document.~~若要指定存在于其他数据库中的角色，请使用文档指定该角色。

Authentication Restrictions身份验证限制

~~The authenticationRestrictions document can contain only the following fields.~~ authenticationRestrictions文档只能包含以下字段。~~The server throws an error if the authenticationRestrictions document contains an unrecognized field:~~如果authenticationRestrictions文档包含无法识别的字段，服务器将抛出错误：

Field Name	~~Value~~值	~~Description~~描述
`clientSource`	Array of IP addresses and/or CIDR ranges	~~If present, when authenticating a user, the server verifies that the client's IP address is either in the given list or belongs to a CIDR range in the list.~~ 如果存在，在验证用户时，服务器将验证客户端的IP地址是否在给定列表中或是否属于列表中的CIDR范围。~~If the client's IP address is not present, the server does not authenticate the user.~~ 如果客户端的IP地址不存在，则服务器不会对用户进行身份验证。
`serverAddress`	Array of IP addresses and/or CIDR ranges	~~A list of IP addresses or CIDR ranges to which the client can connect.~~ 客户端可以连接到的IP地址或CIDR范围的列表。~~If present, the server will verify that the client's connection was accepted via an IP address in the given list.~~ 如果存在，服务器将验证客户端的连接是否通过给定列表中的IP地址被接受。~~If the connection was accepted via an unrecognized IP address, the server does not authenticate the user.~~ 如果通过无法识别的IP地址接受连接，则服务器不会对用户进行身份验证。

~~Important~~重要

~~If a user inherits multiple roles with incompatible authentication restrictions, that user becomes unusable.~~如果用户继承了具有不兼容身份验证限制的多个角色，则该用户将无法使用。

For example, if a user inherits one role in which the clientSource field is ["198.51.100.0"] and another role in which the clientSource field is ["203.0.113.0"] the server is unable to authenticate the user.例如，如果用户继承了clientSource字段为["198.51.100.0"]的一个角色和clientSource字段是["203.0.113.0"]的另一个角色，则服务器无法对用户进行身份验证。

~~For more information on authentication in MongoDB, see Authentication.~~有关MongoDB中身份验证的更多信息，请参阅身份验证。

Behavior行为

User ID

~~Starting in version 4.0.9, MongoDB automatically assigns a unique userId to the user upon creation.~~从4.0.9版开始，MongoDB在创建时自动为用户分配唯一的userId。

Encryption

~~Warning~~警告

~~By default, createUser sends all specified data to the MongoDB instance in cleartext, even if using passwordPrompt().~~ 默认情况下，createUser将所有指定的数据以明文形式发送到MongoDB实例，即使使用passwordPrompt()也是如此。~~Use TLS transport encryption to protect communications between clients and the server, including the password sent by createUser.~~ 使用TLS传输加密来保护客户端和服务器之间的通信，包括createUser发送的密码。~~For instructions on enabling TLS transport encryption, see Configure mongod and mongos for TLS/SSL.~~有关启用TLS传输加密的说明，请参阅为TLS/SSL配置mongod和mongos。

~~MongoDB does not store the password in cleartext.~~ MongoDB不以明文形式存储密码。~~The password is only vulnerable in transit between the client and the server, and only if TLS transport encryption is not enabled.~~只有在未启用TLS传输加密的情况下，密码才在客户端和服务器之间传输时易受攻击。

External Credentials外部凭据

~~Users created on the $external database should have credentials stored externally to MongoDB, as, for example, with MongoDB Enterprise installations that use Kerberos.~~在$external数据库上创建的用户应具有存储在MongoDB外部的凭据，例如，使用Kerberos的MongoDB Enterprise安装。

~~To use Client Sessions and Causal Consistency Guarantees with $external authentication users (Kerberos, LDAP, or x.509 users), usernames cannot be greater than 10k bytes.~~要对$external身份验证用户（Kerberos、LDAP或x.509用户）使用客户端会话和因果一致性保证，用户名不能超过10k字节。

`local` Database

~~You cannot create users on the local database.~~无法在本地数据库上创建用户。

~~Required Access~~所需访问权限

~~To create a new user in a database, you must have the createUser action on that database resource.~~要在数据库中创建新用户，必须对该数据库资源执行createUser操作。
~~To grant roles to a user, you must have the grantRoleaction on the role's database.~~要向用户授予角色，必须对角色的数据库执行grantRole操作。

~~The userAdmin and userAdminAnyDatabase built-in roles provide createUser and grantRole actions on their respective resources.~~userAdmin和userAdminAnyDatabase内置角色在各自的资源上提供createUser和grantRole操作。

Example示例

~~The following createUser command creates a user accountAdmin01 on the products database.~~ 下面的createUser命令在产品数据库上创建一个用户accountAdmin01。~~The command gives accountAdmin01 the clusterAdmin and readAnyDatabase roles on the admin database and the readWrite role on the products database:~~该命令赋予accountAdmin01 admin数据库上的clusterAdmin和readAnyDatabase角色以及products数据库上的readWrite角色：

~~Tip~~提示

Starting in version 4.2 of the mongo shell, you can use the passwordPrompt() method in conjunction with various user authentication/management methods/commands to prompt for the password instead of specifying the password directly in the method/command call. 从mongoshell的4.2版开始，您可以将passwordPrompt()方法与各种用户身份验证/管理方法/命令结合使用，以提示输入密码，而不是直接在方法/命令调用中指定密码。~~However, you can still specify the password directly as you would with earlier versions of the mongo shell.~~但是，您仍然可以像使用早期版本的mongoshell那样直接指定密码。

 db.getSiblingDB("products").runCommand( {
       createUser: "accountAdmin01",
       pwd: passwordPrompt(),
       customData: { employeeId: 12345 },
       roles: [
                { role: "clusterAdmin", db: "admin" },
                { role: "readAnyDatabase", db: "admin" },
                "readWrite"
              ],
       writeConcern: { w: "majority" , wtimeout: 5000 }
} )

← User Management Commands dropAllUsersFromDatabase →

createUser

Definition定义

Roles角色

Authentication Restrictions身份验证限制

Behavior行为

User ID

Encryption

External Credentials外部凭据

local Database

Example示例

`local` Database