db.updateUser()

~~On this page~~本页内容

~~Definition~~定义
~~Behavior~~行为
~~Required Access~~所需访问权限
~~Example~~示例

Definition定义

db.updateUser( username, update, writeConcern )

~~Updates the user's profile on the database on which you run the method.~~ 更新运行该方法的数据库上的用户配置文件。~~An update to a field completely replaces the previous field's values.~~ 字段的更新将完全替换上一个字段的值。~~This includes updates to the user's roles array.~~这包括对roles角色数组的更新。

~~Warning~~警告

~~When you update the roles array, you completely replace the previous array's values.~~ 更新roles数组时，将完全替换上一个数组的值。~~To add or remove roles without replacing all the user's existing roles, use the db.grantRolesToUser() or db.revokeRolesFromUser() methods.~~要添加或删除角色而不替换用户的所有现有角色，请使用db.grantRolesToUser()或db.revokeRolesFromUser()方法。

~~The db.updateUser() method uses the following syntax:~~db.updateUser()方法使用以下语法：

~~Tip~~提示

Starting in version 4.2 of the mongo shell, you can use the passwordPrompt() method in conjunction with various user authentication/management methods/commands to prompt for the password instead of specifying the password directly in the method/command call. 从mongoshell的4.2版开始，您可以将passwordPrompt()方法与各种用户身份验证/管理方法/命令结合使用，提示输入密码，而不是直接在方法/命令调用中指定密码。~~However, you can still specify the password directly as you would with earlier versions of the mongo shell.~~但是，您仍然可以像使用早期版本的mongoshell那样直接指定密码。

db.updateUser(
   "<username>",
   {
     customData : { <any information> },
     roles : [
       { role: "<role>", db: "<database>" } | "<role>",
       ...
     ],
     pwd: passwordPrompt(),
      // Or  "<cleartext password>"
     authenticationRestrictions: [
        {
          clientSource: ["<IP>" | "<CIDR range>", ...],
          serverAddress: ["<IP>", | "<CIDR range>", ...]
        },
        ...
     ],
     mechanisms: [ "<SCRAM-SHA-1|SCRAM-SHA-256>", ... ],
     passwordDigestor: "<server|client>"
   },
   writeConcern: { <write concern> }
)

~~The db.updateUser() method has the following arguments.~~db.updateUser()方法有以下参数。

~~Parameter~~参数	~~Type~~类型	~~Description~~描述
`username`	string	~~The name of the user to update.~~要更新的用户的名称。
`update`	document	~~A document containing the replacement data for the user.~~ 包含用户替换数据的文档。~~This data completely replaces the corresponding data for the user.~~此数据完全替换用户的相应数据。
`writeConcern`	document	~~Optional.~~ 可选。~~The level of write concern for the operation.~~ 操作的写入关注级别。~~See Write Concern Specification.~~请参阅写入关注规范。

~~The update document specifies the fields to update and their new values.~~ update文档指定要更新的字段及其新值。~~All fields in the update document are optional, but must include at least one field.~~update文档中的所有字段都是可选的，但必须至少包含一个字段。

~~The update document has the following fields:~~update文档包含以下字段：

~~Field~~字段	~~Type~~类型	~~Description~~描述
`customData`	document	~~Optional.~~ 可选。~~Any arbitrary information.~~任何任意信息。
`roles`	array	~~Optional.~~ 可选。~~The roles granted to the user.~~ 授予用户的角色。~~An update to the `roles` array overrides the previous array's values.~~`roles`数组的更新将覆盖上一个数组的值。
`pwd`	string	~~Optional.~~ 可选。~~The user's password.~~ 用户的密码。~~The value can be either:~~该值可以是： ~~the user's password in cleartext string, or~~明文字符串形式的用户密码，或 `passwordPrompt()` ~~to prompt for the user's password.~~提示输入用户密码。 ~~Tip~~提示 Starting in version 4.2 of the `mongo` shell, you can use the `passwordPrompt()` method in conjunction with various user authentication/management methods/commands to prompt for the password instead of specifying the password directly in the method/command call. 从mongoshell的4.2版开始，您可以将`passwordPrompt()`方法与各种用户身份验证/管理方法/命令结合使用，提示输入密码，而不是直接在方法/命令调用中指定密码。~~However, you can still specify the password directly as you would with earlier versions of the `mongo` shell.~~但是，您仍然可以像使用早期版本的mongoshell那样直接指定密码。
`authenticationRestrictions`	array	~~Optional.~~ 可选。~~The authentication restrictions the server enforces upon the user.~~ 服务器对用户实施的身份验证限制。~~Specifies a list of IP addresses and CIDR ranges from which the user is allowed to connect to the server or from which the server can accept users.~~指定允许用户连接到服务器或服务器可以接受用户的IP地址和CIDR范围的列表。
`mechanisms`	array	~~Optional.~~ 可选。~~The specific SCRAM mechanism or mechanisms for the user credentials.~~ 用户凭证的特定SCRAM机制。~~If `authenticationMechanisms` is specified, you can only specify a subset of the `authenticationMechanisms`.~~如果指定了`authenticationMechanisms`，则只能指定`authenticationMechanisms`的子集。 If updating the mechanisms field without the password, you can only specify a subset of the user's current mechanisms, and only the existing user credentials for the specified mechanism or mechanisms are retained.如果在不使用密码的情况下更新机制字段，则只能指定用户当前机制的子集，并且仅保留指定机制的现有用户凭据。 ~~If updating the password along with the mechanisms, new set of credentials are stored for the user.~~如果随机制一起更新密码，则会为用户存储一组新的凭据。 ~~Valid values are:~~有效值为： `"SCRAM-SHA-1"` ~~Uses the `SHA-1` hashing function.~~使用`SHA-1`哈希函数。 `"SCRAM-SHA-256"` ~~Uses the `SHA-256` hashing function.~~使用`SHA-256`哈希函数。 ~~Requires featureCompatibilityVersion set to `4.0`.~~需要将`featureCompatibilityVersion`设置为`4.0`。 ~~Requires passwordDigestor to be `server`.~~需要passwordDigest作为`server`。 New in version 4.0.在版本4.0中新增。
`passwordDigestor`	string	~~Optional.~~ 可选。~~Indicates whether the server or the client digests the password.~~指示服务器还是客户端摘要密码。 Available values are: `"server"` (Default) ~~The server receives undigested password from the client and digests the password.~~服务器从客户端接收未消化的密码并消化密码。 `"client"` ~~(Not compatible with `SCRAM-SHA-256`)~~（与`SCRAM-SHA-256`不兼容） ~~The client digests the password and passes the digested password to the server.~~客户端对密码进行摘要，并将摘要后的密码传递给服务器。 Changed in version 4.0.在版本4.0中更改。 ~~The default value is `"server"`.~~ 默认值为`"server"`。~~In earlier versions, the default value is `"client"`.~~在早期版本中，默认值为`"client"`。

Roles角色

~~In the roles field, you can specify both built-in roles and user-defined roles.~~在roles字段中，可以指定内置角色和用户定义的角色。

~~To specify a role that exists in the same database where db.updateUser() runs, you can either specify the role with the name of the role:~~要指定存在于运行db.updateUser()的同一数据库中的角色，可以使用角色名称指定该角色：

"readWrite"

~~Or you can specify the role with a document, as in:~~也可以使用文档指定角色，如：

{ role: "<role>", db: "<database>" }

~~To specify a role that exists in a different database, specify the role with a document.~~要指定存在于其他数据库中的角色，请使用文档指定该角色。

Authentication Restrictions身份验证限制

~~The authenticationRestrictions document can contain only the following fields.~~ authenticationRestrictions文档只能包含以下字段。~~The server throws an error if the authenticationRestrictions document contains an unrecognized field:~~如果authenticationRestrictions文档包含无法识别的字段，则服务器会引发错误：

Field Name	~~Value~~值	~~Description~~描述
`clientSource`	~~Array of IP addresses and/or CIDR ranges~~IP地址和/或CIDR范围数组	~~If present, when authenticating a user, the server verifies that the client's IP address is either in the given list or belongs to a CIDR range in the list.~~ 如果存在，则在对用户进行身份验证时，服务器会验证客户端的IP地址是否在给定列表中或是否属于列表中的CIDR范围。~~If the client's IP address is not present, the server does not authenticate the user.~~如果客户端的IP地址不存在，则服务器不会对用户进行身份验证。
`serverAddress`	~~Array of IP addresses and/or CIDR ranges~~IP地址和/或CIDR范围数组	~~A list of IP addresses or CIDR ranges to which the client can connect.~~ 客户端可以连接到的IP地址或CIDR范围的列表。~~If present, the server will verify that the client's connection was accepted via an IP address in the given list.~~ 如果存在，服务器将验证客户端的连接是否通过给定列表中的IP地址被接受。~~If the connection was accepted via an unrecognized IP address, the server does not authenticate the user.~~如果通过无法识别的IP地址接受连接，则服务器不会对用户进行身份验证。

~~Important~~重要

~~If a user inherits multiple roles with incompatible authentication restrictions, that user becomes unusable.~~如果用户继承了具有不兼容身份验证限制的多个角色，则该用户将不可用。

For example, if a user inherits one role in which the clientSource field is ["198.51.100.0"] and another role in which the clientSource field is ["203.0.113.0"] the server is unable to authenticate the user.例如，如果一个用户继承了clientSource字段为["198.51.100.0"]的一个角色和clientSource字段为["203.0.113.0"]的另一个角色，则服务器无法对该用户进行身份验证。

~~For more information on authentication in MongoDB, see Authentication.~~有关MongoDB中身份验证的更多信息，请参阅身份验证。

~~The db.updateUser() method wraps the updateUser command.~~db.updateUser()方法包装updateUser命令。

Behavior行为

Replica set副本集

~~If run on a replica set, db.updateUser() is executed using "majority" write concern by default.~~如果在副本集上运行，db.updateUser()在默认情况下使用"majority"写入关注点执行。

Encyption

~~Warning~~警告

~~By default, db.updateUser() sends all specified data to the MongoDB instance in cleartext, even if using passwordPrompt().~~ 默认情况下，db.updateUser()将所有指定的数据以明文形式发送到MongoDB实例，即使使用passwordPrompt()。~~Use TLS transport encryption to protect communications between clients and the server, including the password sent by db.updateUser().~~ 使用TLS传输加密保护客户端和服务器之间的通信，包括db.updateUser()发送的密码。~~For instructions on enabling TLS transport encryption, see Configure mongod and mongos for TLS/SSL.~~有关启用TLS传输加密的说明，请参阅为TLS/SSL配置mongod和mongos。

~~MongoDB does not store the password in cleartext.~~ MongoDB不以明文形式存储密码。~~The password is only vulnerable in transit between the client and the server, and only if TLS transport encryption is not enabled.~~只有在客户端和服务器之间的传输过程中，并且只有在未启用TLS传输加密时，密码才会受到攻击。

Required Access所需访问权限

~~You must have access that includes the revokeRoleaction on all databases in order to update a user's roles array.~~为了更新用户的角色数组，您必须具有包括所有数据库上的revokeRole操作的访问权限。

~~You must have the grantRole action on a role's database to add a role to a user.~~必须对角色的数据库执行grantRole操作才能向用户添加角色。

~~To change another user's pwd or customData field, you must have the changePassword and changeCustomDataactions respectively on that user's database.~~要更改另一个用户的pwd或customData字段，必须在该用户的数据库上分别具有changePassword和changeCustomData操作。

~~To modify your own password and custom data, you must have privileges that grant changeOwnPassword and changeOwnCustomData actions respectively on the user's database.~~要修改您自己的密码和自定义数据，您必须具有分别对用户数据库授予changeOwnPassword和changeOwnCustomData操作的权限。

Example示例

~~Given a user appClient01 in the products database with the following user info:~~在products数据库中为用户appClient01指定以下用户信息：

{
   _id : "products.appClient01",
   userId : UUID("c5d88855-3f1e-46cb-9c8b-269bef957986"), // Starting in MongoDB 4.0.9
   user : "appClient01",
   db : "products",
   customData : { empID : "12345", badge : "9156" },
   roles : [
       {
         role : "readWrite",
         db : "products"
       },
       {
         role : "read",
         db : "inventory"
       }
   ],
   mechanisms : [
         // Starting in MongoDB 4.0
      "SCRAM-SHA-1",
      "SCRAM-SHA-256"
   ],
   authenticationRestrictions : [ {
      clientSource: ["69.89.31.226"],
      serverAddress: ["172.16.254.1"]
   } ]
}

~~The following db.updateUser() method completely replaces the user's customData and roles data:~~以下db.updateUser()方法完全替换用户的customData和roles数据：

use products
db.updateUser( "appClient01",
{
   customData : { employeeId : "0x3039" },
   roles : [
      { role : "read", db : "assets"  }
   ]
} )

~~The user appClient01 in the products database now has the following user information:~~products数据库中的用户appClient01现在具有以下用户信息：

{
   _id : "products.appClient01",
   userId : UUID("c5d88855-3f1e-46cb-9c8b-269bef957986"), // Starting in MongoDB 4.0.9
   user : "appClient01",
   db : "products",
   customData : { employeeId : "0x3039" },
   roles : [
       {
         role : "read",
         db : "assets"
       }
   ],
   mechanisms : [
           // Starting in MongoDB 4.0
      "SCRAM-SHA-1",
      "SCRAM-SHA-256"
   ],
   authenticationRestrictions : [ {
      clientSource: ["69.89.31.226"],
      serverAddress: ["172.16.254.1"]
   } ]
}

Update User to Use `SCRAM-SHA-256` Credentials Only更新用户以仅使用`SCRAM-SHA-256`凭据

~~Note~~注意

~~To use SCRAM-SHA-256, the featureCompatibilityVersion must be set to 4.0.~~ 要使用SCRAM-SHA-256，功能兼容性版本必须设置为4.0。~~For more information on featureCompatibilityVersion, see View FeatureCompatibilityVersion and setFeatureCompatibilityVersion.~~有关featureCompatibilityVersion的更多信息，请参阅查看FeatureCompatibilityVersion和setFeatureCompatibilityVersion。

~~The following operation updates a user who currently have both SCRAM-SHA-256 and SCRAM-SHA-1 credentials to have only SCRAM-SHA-256 credentials.~~以下操作将当前同时拥有SCRAM-SHA-256和SCRAM-SHA-1凭据的用户更新为仅具有SCRAM-SHA-256凭据。