Change Your Password and Custom Data
Overview
Users with appropriate privileges can change their own passwords and custom data. Custom data
stores optional user information.
Considerations
To generate a strong password for use in this procedure, you can use the openssl utility's rand command. For example, issue openssl rand with the following options to create a base64-encoded string of 48 pseudo-random bytes:
openssl rand -base64 48
Prerequisites
To modify your own password and custom data, you must have privileges that grant changeOwnPassword and changeOwnCustomData actions respectively on the user's database.
Connect as a user with privileges to manage users and roles.
Connect to the mongod or mongos with privileges to manage users and roles, such as a user with the userAdminAnyDatabase role. The following procedure uses the myUserAdmin user created in Enable Access Control.
mongosh --port 27017 -u myUserAdmin -p --authenticationDatabase 'admin'
If you do not specify the password to the -p command-line option, mongosh prompts for the password.
Create a role with appropriate privileges.
In the admin database, create a new role with changeOwnPassword and changeOwnCustomData.
use admin
db.createRole(
   {
     role: "changeOwnPasswordCustomDataRole",
     privileges: [
        {
          resource: { db: "", collection: "" },
          actions: [ "changeOwnPassword", "changeOwnCustomData" ]
        }
     ],
     roles: []
   }
)
Add a user with this role.
In the test database, create a new user with the created "changeOwnPasswordCustomDataRole" role. For example, the following operation creates a user with both the built-in role readWrite and the user-created "changeOwnPasswordCustomDataRole".
Tip
Starting in version 4.2 of the mongo shell, you can use the passwordPrompt() method in conjunction with various user authentication/management methods/commands to prompt for the password instead of specifying the password directly in the method/command call. However, you can still specify the password directly as you would with earlier versions of the mongo shell.
use test
db.createUser(
   {
     user: "user123",
     pwd: passwordPrompt(),  // or cleartext password
     roles: [ "readWrite", { role: "changeOwnPasswordCustomDataRole", db: "admin" } ]
   }
)
To grant an existing user the new role, use db.grantRolesToUser().
Procedure
Connect with the appropriate privileges.
Connect to the mongod or mongos as a user with appropriate privileges.
For example, the following operation connects to MongoDB as user123 created in the Prerequisites section.
mongosh --port 27017 -u user123 --authenticationDatabase 'test' -p
If you do not specify the password to the -p command-line option, mongosh prompts for the password.
To check that you have the privileges specified in the Prerequisites section as well as to see user information, use the usersInfo command with the showPrivileges option.
Change your password and custom data.
Use the db.updateUser() method to update the password and custom data.
For example, the following operation changes the user's password to KNlZmiaNUp0B and custom data to { title: "Senior Manager" }:
Tip
Starting in version 4.2 of the mongo shell, you can use the passwordPrompt() method in conjunction with various user authentication/management methods/commands to prompt for the password instead of specifying the password directly in the method/command call. However, you can still specify the password directly as you would with earlier versions of the mongo shell.
use test
db.updateUser(
   "user123",
   {
     pwd: passwordPrompt(),  // or cleartext password
     customData: { title: "Senior Manager" }
   }
)
Enter the password when prompted.
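The usersInfo check mentioned in the first step of the procedure can be scripted. The following is an added example, not part of the original page or MongoDB's own code: it inspects a constructed usersInfo result and reports which of the two required actions the user lacks on its own database. The function names and the sample document are assumptions, and only database-level resources are considered.

```javascript
// Constructed sample: one entry of the "users" array returned in mongosh by
//   db.getSiblingDB("test").runCommand({ usersInfo: "user123", showPrivileges: true })
// The readWrite action list is abbreviated for the example.
const sampleUser = {
  user: "user123",
  db: "test",
  roles: [
    { role: "readWrite", db: "test" },
    { role: "changeOwnPasswordCustomDataRole", db: "admin" }
  ],
  inheritedPrivileges: [
    { resource: { db: "test", collection: "" }, actions: ["find", "insert", "update", "remove"] },
    { resource: { db: "", collection: "" }, actions: ["changeOwnPassword", "changeOwnCustomData"] }
  ]
};

// The two actions this page requires for self-service credential changes.
const REQUIRED = ["changeOwnPassword", "changeOwnCustomData"];

// Assumption: a resource covers the user's database when its collection is ""
// and its db is either "" (any database) or the user's own database.
// Cluster-level or collection-specific resources are not counted.
function coversUserDb(resource, userDb) {
  if (!resource || typeof resource.db !== "string") return false;
  return resource.collection === "" && (resource.db === "" || resource.db === userDb);
}

// Returns the required actions the user does NOT hold on its own database.
function missingSelfServiceActions(userDoc) {
  const granted = new Set();
  for (const priv of userDoc.inheritedPrivileges || []) {
    if (!coversUserDb(priv.resource, userDoc.db)) continue;
    for (const action of priv.actions || []) granted.add(action);
  }
  return REQUIRED.filter((action) => !granted.has(action));
}

console.log("missing actions:", missingSelfServiceActions(sampleUser));
```

An empty result means the user can run the db.updateUser() call shown above against its own account; any listed action points to a role that still needs to be granted.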