Create a User创建一个用户

On this page本页内容

With access control enabled, users are required to identify themselves. 启用访问控制后,用户需要识别自己的身份。You have to grant a user one or more roles. 您必须向用户授予一个或多个角色A role grants a user privileges to perform certain actions on MongoDB resources.角色授予用户在MongoDB资源上执行某些操作权限

Each application and user of a MongoDB system should map to a distinct user. MongoDB系统的每个应用程序和用户都应该映射到不同的用户。This principle of access isolation facilitates access revocation and ongoing user maintenance. 这种访问隔离原则有助于访问撤销和持续的用户维护。To ensure a system of least privilege, only grant the minimal set of privileges required to a user.为了确保系统具有最低权限,只授予用户所需的最低权限集。

Prerequisites先决条件

To be able to create users, you need to:要创建用户,您需要:

For routine user creation, you must possess the following permissions:对于常规用户创建,您必须拥有以下权限:

The userAdmin and userAdminAnyDatabase built-in roles provide createUser and grantRole actions on their respective resources.userAdminuserAdminAnyDatabase内置角色在各自的资源上提供createUsergrantRole操作。

Procedure程序

Note注意

The following procedure uses SCRAM authentication. 以下程序使用SCRAM认证。For additional information on other authentication mechanisms, see Additional Examples.有关其他身份验证机制的更多信息,请参阅其他示例

1

Connect and authenticate连接并验证

Using mongosh, connect to your primary mongod or, in a sharded cluster, connect to your mongos and authenticate as a user administrator or a user with the required privileges:使用mongosh,连接到您的主mongod,或者在分片集群中,连接到mongos,并作为用户管理员或具有所需权限的用户进行身份验证:

Start mongosh with the -u <username>, -p, and the --authenticationDatabase <database> command line options:使用-u <username>-p--authenticationDatabase <database>命令行选项启动mongosh

mongosh --port 27017  --authenticationDatabase \
    "admin" -u "myUserAdmin" -p

Enter your password when prompted.提示时输入密码。

Using mongosh, connect to your database deployment:使用mongosh连接到您的数据库部署:

mongosh --port 27017

In mongosh, switch to the authentication database (in this case, admin), and use the db.auth(<username>, <pwd>) method to authenticate:mongosh中,切换到身份验证数据库(在本例中为admin),并使用db.auth(<username>, <pwd>)方法进行身份验证:

use admin
db.auth("myUserAdmin", passwordPrompt()) // or cleartext password
Tip提示

The passwordPrompt() method prompts you to enter the password. passwordPrompt()方法会提示您输入密码。You can also specify your password directly as a string. We recommend to use the passwordPrompt() method to avoid the password being visible on your screen and potentially leaking the password to your shell history.您也可以直接将密码指定为字符串。我们建议使用passwordPrompt()方法,以避免密码在屏幕上可见,并可能将密码泄露到shell历史记录中。

Enter the password when prompted.提示时输入密码。

2

Create additional users for your deployment为部署创建其他用户

Note注意

The following step uses SCRAM authentication. 以下步骤使用SCRAM身份验证。For additional information on other authentication mechanisms, see Additional Examples.有关其他身份验证机制的更多信息,请参阅其他示例

After authenticating as the user administrator, use the db.createUser() method to create additional users. 作为用户管理员进行身份验证后,使用db.createUser()方法创建其他用户。You can assign any built-in roles or user-defined roles to the users.您可以将任何内置角色用户定义的角色分配给用户。

The following operation adds a user myTester to the test database who has the readWrite role in the test database as well as the read role in the reporting database.以下操作将用户myTester添加到test数据库,该用户在test数据库中具有readWrite角色,在报告数据库中具有读取角色。

use test
db.createUser(
  {
    user: "myTester",
    pwd:  passwordPrompt(),   // or cleartext password
    roles: [ { role: "readWrite", db: "test" },
             { role: "read", db: "reporting" } ]
  }
)
Tip提示

The passwordPrompt() method prompts you to enter the password. passwordPrompt()方法会提示您输入密码。You can also specify your password directly as a string. We recommend to use the passwordPrompt() method to avoid the password being visible on your screen and potentially leaking the password to your shell history.您也可以直接将密码指定为字符串。我们建议使用passwordPrompt()方法,以避免密码在屏幕上可见,并可能将密码泄露到shell历史记录中。

The database where you create the user (in this example, test) is that user's authentication database. 创建用户的数据库(在本例中为test)是该用户的身份验证数据库Although the user authenticates to this database, the user can have roles in other databases. 尽管用户对此数据库进行身份验证,但用户可以在其他数据库中具有角色。The user's authentication database does not limit the user's privileges.用户的身份验证数据库不会限制用户的权限。

After creating the additional users, exit mongosh.创建完附加用户后,退出mongosh

3

Connect to the instance and authenticate as myTester连接到实例并作为myTester进行身份验证

Important重要

It is not possible to switch between users in the same mongosh session. 不可能在同一个mongosh会话中的用户之间切换。Authenticating as a different user means the session has the privileges of both authenticated users. 以不同用户身份进行身份验证意味着会话具有两个已验证用户的权限。To switch between users exit and relaunch mongosh.在用户退出和重新启动mongosh之间切换。

After exiting mongosh as myUserAdmin, reconnect as myTester:myUserAdmin身份退出mongosh后,以myTester身份重新连接:

Start mongosh with the -u <username>, -p, and the --authenticationDatabase <database> command line options:使用-u <username>-p--authenticationDatabase <database>命令行选项启动mongosh

mongosh --port 27017 -u "myTester" \
    --authenticationDatabase "test" -p

Enter the password for the user when prompted.出现提示时,输入用户的密码。

Using mongosh, connect to your database deployment:使用mongosh连接到您的数据库部署:

mongosh --port 27017

In mongosh, switch to the authentication database (in this case, admin), and use the db.auth(<username>, <pwd>) method to authenticate:mongosh中,切换到身份验证数据库(在本例中为admin),并使用db.auth(<username>, <pwd>)方法进行身份验证:

use test
db.auth("myTester", passwordPrompt())  // or cleartext password
Tip提示

The passwordPrompt() method prompts you to enter the password. passwordPrompt()方法会提示您输入密码。You can also specify your password directly as a string. 您也可以直接将密码指定为字符串。We recommend to use the passwordPrompt() method to avoid the password being visible on your screen and potentially leaking the password to your shell history.我们建议使用passwordPrompt()方法,以避免密码在屏幕上可见,并可能将密码泄露到shell历史记录中。

Enter the password for the user when prompted.出现提示时,输入用户的密码。

4

Insert a document as myTestermyTester的身份插入文档

As the user myTester, you have privileges to perform read and write operations in the test database (as well as perform read operations in the reporting database). 作为用户myTester,您有权在test数据库中执行读和写操作(以及在reporting数据库中执行读取操作)。Once authenticated as myTester, insert a document into a collection in the test database. 通过myTester身份验证后,将文档插入test数据库中的集合中。For example, you can perform the following insert operation in the test database:例如,您可以在test数据库中执行以下插入操作:

db.foo.insertOne( { x: 1, y: 1 } )
Tip提示
See also: 参阅:

Additional Examples更多示例

Username/Password Authentication用户名/密码验证

The following operation creates a user in the reporting database with the specified name, password, and roles.以下操作在reporting数据库中创建一个具有指定名称、密码和角色的用户。

Tip提示

The passwordPrompt() method prompts you to enter the password. passwordPrompt()方法会提示您输入密码。You can also specify your password directly as a string. We recommend to use the passwordPrompt() method to avoid the password being visible on your screen and potentially leaking the password to your shell history.您也可以直接将密码指定为字符串。我们建议使用passwordPrompt()方法,以避免密码在屏幕上可见,并可能将密码泄露到shell历史记录中。

use reporting
db.createUser(
  {
    user: "reportsUser",
    pwd: passwordPrompt(),  // or cleartext password
    roles: [
       { role: "read", db: "reporting" },
       { role: "read", db: "products" },
       { role: "read", db: "sales" },
       { role: "readWrite", db: "accounts" }
    ]
  }
)

Kerberos AuthenticationKerberos身份验证

Users that authenticate to MongoDB using an external authentication mechanism, such as Kerberos, must be created in the $external database, which allows mongos or mongod to consult an external source for authentication.必须在$external数据库中创建使用外部身份验证机制(如Kerberos)对MongoDB进行身份验证的用户,该数据库允许mongosmongod咨询外部源进行身份验证。

To use Client Sessions and Causal Consistency Guarantees with $external authentication users (Kerberos, LDAP, or x.509 users), usernames cannot be greater than 10k bytes.要对$external身份验证用户(Kerberos、LDAP或x.509用户)使用客户端会话和因果一致性保证,用户名不能超过10k字节。

For Kerberos authentication, you must add the Kerberos principal as the username. 对于Kerberos身份验证,必须添加Kerberos主体作为用户名。You do not need to specify a password.您不需要指定密码。

The following operation adds the Kerberos principal reportingapp@EXAMPLE.NET with read-only access to the records database:下面的操作添加Kerberos主体reportingapp@EXAMPLE.NET以只读方式访问records数据库:

use $external
db.createUser(
    {
      user: "reportingapp@EXAMPLE.NET",
      roles: [
         { role: "read", db: "records" }
      ]
    }
)
Tip提示
See also: 参阅:

For more information about setting up Kerberos authentication for your MongoDB deployment, see the following tutorials:有关为MongoDB部署设置Kerberos身份验证的更多信息,请参阅以下教程:

LDAP Authentication身份验证

Users that authenticate to MongoDB using an external authentication mechanism, such as LDAP, must be created in the $external database, which allows mongos or mongod to consult an external source for authentication.必须在$external数据库中创建使用外部身份验证机制(如LDAP)对MongoDB进行身份验证的用户,该数据库允许mongosmongod咨询外部源进行身份验证。

To use Client Sessions and Causal Consistency Guarantees with $external authentication users (Kerberos, LDAP, or x.509 users), usernames cannot be greater than 10k bytes.要对$external身份验证用户(Kerberos、LDAP或x.509用户)使用客户端会话和因果一致性保证,用户名不能超过10k字节。

For LDAP authentication, you must specify a username. 对于LDAP身份验证,必须指定用户名。You do not need to specify the password, as that is handled by the LDAP service.您不需要指定密码,因为这是由LDAP服务处理的。

The following operation adds the reporting user with read-only access to the records database:以下操作添加了对records数据库具有只读访问权限的reporting用户:

use $external
db.createUser(
    {
      user: "reporting",
      roles: [
         { role: "read", db: "records" }
      ]
    }
)
Tip提示
See also: 参阅:

For more information about setting up LDAP authentication for your MongoDB deployment, see the following tutorials:有关为MongoDB部署设置LDAP身份验证的更多信息,请参阅以下教程:

x.509 Client Certificate Authentication客户端证书身份验证

Users that authenticate to MongoDB using an external authentication mechanism, such as x.509 Client Certificate Authentication, must be created in the $external database, which allows mongos or mongod to consult an external source for authentication.使用外部身份验证机制(如x.509客户端证书身份验证)对MongoDB进行身份验证的用户必须在$external数据库中创建,这允许mongosmongod咨询外部来源进行身份验证。

To use Client Sessions and Causal Consistency Guarantees with $external authentication users (Kerberos, LDAP, or x.509 users), usernames cannot be greater than 10k bytes.要对$external身份验证用户(Kerberos、LDAP或x.509用户)使用客户端会话和因果一致性保证,用户名不能大于10k字节。

For x.509 Client Certificate authentication, you must add the value of the subject from the client certificate as a MongoDB user. 对于x.509客户端证书身份验证,您必须以MongoDB用户的身份从客户端证书中添加subject的值。Each unique x.509 client certificate corresponds to a single MongoDB user. 每个唯一的x.509客户端证书对应于一个MongoDB用户。You do not need to specify a password.您不需要指定密码。

The following operation adds the client certificate subject CN=myName,OU=myOrgUnit,O=myOrg,L=myLocality,ST=myState,C=myCountry user with read-only access to the records database.以下操作添加了客户端证书使用者CN=myName,OU=myOrgUnit,O=myOrg,L=myLocality,ST=myState,C=myCountry用户,这些用户对records数据库具有只读访问权限。

use $external
db.createUser(
    {
      user: "CN=myName,OU=myOrgUnit,O=myOrg,L=myLocality,ST=myState,C=myCountry",
      roles: [
         { role: "read", db: "records" }
      ]
    }
)
Tip提示
See also: 参阅:

For more information about setting up x.509 Client Certificate authentication for your MongoDB deployment, see the following tutorials:有关为MongoDB部署设置x.509客户端证书身份验证的更多信息,请参阅以下教程:

Next Steps下一步

To manage users, assign roles, and create custom roles, see Manage Users and Roles.要管理用户、分配角色和创建自定义角色,请参阅管理用户和角色

←  UsersAuthenticate a User →