Users
To authenticate a client in MongoDB, you must add a corresponding user to MongoDB.
User Management
You can add a user with the db.createUser() method using mongosh. The first user you create must have privileges to create other users. The userAdmin and userAdminAnyDatabase roles both confer the privilege to create other users.
You can grant a user privileges by assigning roles to the user when you create the user. You can also grant or revoke roles, as well as update passwords, by updating existing users. For a full list of user management methods, see User Management.
A user is uniquely identified by the user's name and associated authentication database. MongoDB associates a user with a unique userId upon creation in MongoDB.
LDAP Managed Users
LDAP managed users created on an LDAP server do not have an associated document in the system.users collection, and therefore don't have a userId field associated with them.
Authentication Database
When you add a user, you create the user in a specific database. The database you create the user in is the authentication database for the user.
However, a user's privileges are not limited to their authentication database. Therefore, a user can have privileges across different databases. For more information on roles, see Role-Based Access Control.
A user's name and authentication database serve as a unique identifier for that user. MongoDB associates a user with a unique userId upon creation in MongoDB. However, LDAP managed users created on an LDAP server do not have an associated document in the system.users collection, and therefore don't have a userId field associated with them.
If two users have the same name but are created in different databases, they are two separate users. If you want to have a single user with permissions on multiple databases, create a single user with a role for each applicable database.
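The user management steps and the authentication database rules above, as an added mongosh script (example code, not from the MongoDB documentation). It assumes constructed database names app, orders, inventory and reporting, user names userAdmin and svc, and REPLACE_ME_* placeholders in place of real passwords. The helper functions are plain JavaScript and run anywhere; the provisioning sequence runs only when the file is loaded into mongosh, where the global db is defined.

```javascript
// Added example, not from the MongoDB documentation. Constructed names:
// databases app, orders, inventory, reporting; users userAdmin and svc;
// REPLACE_ME_* strings stand in for real passwords.

// A user is identified by name plus authentication database, never by name alone.
function userIdentity(name, authDb) {
  return `${name}@${authDb}`;
}

// Build the document db.createUser() accepts. The user is created in whichever
// database the method is invoked on; each role entry names its own database,
// so privileges are not limited to the authentication database.
function userSpec(name, password, roles) {
  return {
    user: name,
    pwd: password,
    roles: roles.map(([role, db]) => ({ role, db })),
  };
}

// One readWrite role entry per database the user must write to.
function readWriteOn(...dbs) {
  return dbs.map((d) => ['readWrite', d]);
}

// Provisioning sequence; `dbHandle` is mongosh's global `db`.
function provision(dbHandle) {
  const admin = dbHandle.getSiblingDB('admin');
  const app = dbHandle.getSiblingDB('app');
  const reporting = dbHandle.getSiblingDB('reporting');

  // 1. First user: needs the privilege to create other users.
  admin.createUser(userSpec('userAdmin', 'REPLACE_ME_1', [['userAdminAnyDatabase', 'admin']]));
  admin.auth('userAdmin', 'REPLACE_ME_1');

  // 2. Service user whose authentication database is 'app' but whose roles
  //    grant access to two other databases.
  app.createUser(userSpec('svc', 'REPLACE_ME_2', readWriteOn('orders', 'inventory')));

  // 3. Same name, different authentication database: a separate user with
  //    its own password and roles.
  reporting.createUser(userSpec('svc', 'REPLACE_ME_3', [['read', 'reporting']]));

  // 4. Change existing users only through the management methods, never by
  //    editing admin.system.users.
  app.grantRolesToUser('svc', [{ role: 'read', db: 'reporting' }]);
  app.revokeRolesFromUser('svc', [{ role: 'readWrite', db: 'inventory' }]);
  app.changeUserPassword('svc', 'REPLACE_ME_4');

  // getUser() returns the stored document, including the userId MongoDB assigned.
  return {
    [userIdentity('svc', 'app')]: app.getUser('svc'),
    [userIdentity('svc', 'reporting')]: reporting.getUser('svc'),
  };
}

// Only mongosh defines `db`; under plain Node.js the helpers are just defined.
if (typeof db !== 'undefined') {
  printjson(provision(db));
}
```

In mongosh, connect to the deployment and run load('users.js'). The first createUser() call succeeds only under the localhost exception or when the current session already holds a user-administration role; the two svc users end up as distinct entries in admin.system.users, each with its own userId.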
Centralized User Data
For users created in MongoDB, MongoDB stores all user information, including name, password, and the user's authentication database, in the system.users collection in the admin database.
Do not modify this collection directly. To manage users, use the designated user management commands.
Sharded Cluster Users
To create users for a sharded cluster, connect to a mongos instance and add the users. To authenticate as a user created on a mongos instance, you must authenticate through a mongos instance.
In sharded clusters, MongoDB stores user configuration data in the admin database of the config servers.
Shard Local Users
Some maintenance operations, such as cleanupOrphaned, compact, or rs.reconfig(), require direct connections to specific shards in a sharded cluster. To perform these operations, you must connect directly to the shard and authenticate as a shard local administrative user.
To create a shard local administrative user, connect directly to the primary of the shard and create the user. For instructions on how to create a shard local user administrator, see the Deploy Sharded Cluster with Keyfile Authentication tutorial.
MongoDB stores shard local users in the admin database of the shard itself. These shard local users are independent from the users added to the sharded cluster through a mongos. Shard local users are local to the shard and are inaccessible by mongos.
Direct connections to a shard should only be used for shard-specific maintenance and configuration or for targeted analytics workloads. In general, clients should connect to the sharded cluster through the mongos.