createUser

~~On this page~~本页内容

~~Definition~~定义
~~Syntax~~语法
~~Behavior~~行为
~~Required Access~~所需访问权限
~~Example~~实例

Definition定义

createUser: ~~Creates a new user on the database where you run the command.~~ 在运行命令的数据库上创建新用户。~~The createUser command returns a duplicate user error if the user exists.~~如果用户存在，createUser命令将返回一个重复的用户错误。

Tip

~~In mongosh, this command can also be run through the db.createUser() helper method.~~在mongosh中，这个命令也可以通过db.createUser()助手方法运行。

~~Helper methods are convenient for mongosh users, but they may not return the same level of information as database commands.~~ 助手方法对mongosh用户来说很方便，但它们可能不会返回与数据库命令相同级别的信息。 ~~In cases where the convenience is not needed or the additional return fields are required, use the database command.~~如果不需要方便，或者需要额外的返回字段，请使用数据库命令。

Syntax语法

~~The command has the following syntax:~~该命令具有以下语法：

Tip

Starting in version 4.2 of the mongo shell, you can use the passwordPrompt() method in conjunction with various user authentication/management methods/commands to prompt for the password instead of specifying the password directly in the method/command call. 从mongoshell的4.2版本开始，您可以将passwordPrompt()方法与各种用户身份验证/管理方法/命令结合使用来提示输入密码，而不是直接在方法/命令调用中指定密码。~~However, you can still specify the password directly as you would with earlier versions of the mongo shell.~~但是，您仍然可以像使用早期版本的mongoshell一样直接指定密码。

db.runCommand(
   {
     createUser: "<name>",
     pwd: passwordPrompt(),      // Or  "<cleartext password>"
     customData: { <any information> },
     roles: [
       { role: "<role>", db: "<database>" } | "<role>",
       ...
     ],
     writeConcern: { <write concern> },
     authenticationRestrictions: [
        { clientSource: [ "<IP|CIDR range>", ... ], serverAddress: [ "<IP|CIDR range>", ... ] },
        ...
     ],
     mechanisms: [ "<scram-mechanism>", ... ],  //Available starting in MongoDB 4.0
     digestPassword: <boolean>,
     comment: <any>
   }
)

Command Fields命令字段

createUser ~~has the following fields:~~具有以下字段：

~~Field~~字段	~~Type~~类型	~~Description~~描述
`createUser`	string	~~The name of the new user.~~新用户的名称。
`pwd`	string	~~The user's password.~~ 用户的密码。~~The `pwd` field is not required if you run `createUser` on the `$external` database to create users who have credentials stored externally to MongoDB.~~如果在`$external`数据库上运行`createUser`来创建具有存储在MongoDB外部的凭据的用户，则不需要`pwd`字段。 ~~The value can be either:~~该值可以是： ~~the user's password in cleartext string, or~~明文字符串中的用户密码，或 `passwordPrompt()` ~~to prompt for the user's password.~~以提示输入用户的密码。 Tip Starting in version 4.2 of the `mongo` shell, you can use the `passwordPrompt()` method in conjunction with various user authentication/management methods/commands to prompt for the password instead of specifying the password directly in the method/command call. 从mongoshell的4.2版本开始，您可以将`passwordPrompt()`方法与各种用户身份验证/管理方法/命令结合使用来提示输入密码，而不是直接在方法/命令调用中指定密码。~~However, you can still specify the password directly as you would with earlier versions of the `mongo` shell.~~但是，您仍然可以像使用早期版本的`mongo`shell一样直接指定密码。
`customData`	document	~~Optional.~~可选的。~~Any arbitrary information.~~ 任何任意信息。~~This field can be used to store any data an admin wishes to associate with this particular user. For example, this could be the user's full name or employee id.~~该字段可用于存储管理员希望与该特定用户关联的任何数据。例如，这可能是用户的全名或员工id。
`roles`	array	~~The roles granted to the user.~~ 授予用户的角色。~~Can specify an empty array `[]` to create users without roles.~~可以指定一个空数组`[]`来创建没有角色的用户。
`digestPassword`	boolean	~~Optional.~~可选的。~~Indicates whether the server or the client digests the password.~~指示服务器还是客户端对密码进行摘要处理。 ~~If true, the server receives undigested password from the client and digests the password.~~如果为`true`，则服务器从客户端接收未消化的密码，并对密码进行消化。 ~~If false, the client digests the password and passes the digested password to the server.~~ 如果为`false`，客户端将对密码进行摘要处理，并将摘要处理后的密码传递给服务器。~~Not compatible with `SCRAM-SHA-256`~~ 与`SCRAM-SHA-256`不兼容 ~~Changed in version 4.0.~~4.0版更改。~~The default value is `true`.~~ 默认值为`true`。~~In earlier versions, the default value is `false`.~~ 在早期版本中，默认值为`false`。
`writeConcern`	document	~~Optional.~~可选的。~~The level of write concern for the operation.~~ 操作的写入关注级别。~~See Write Concern Specification.~~ 请参阅写入关注规范。
`authenticationRestrictions`	array	~~Optional.~~可选的。~~The authentication restrictions the server enforces on the created user.~~ 服务器对创建的用户强制执行的身份验证限制。~~Specifies a list of IP addresses and CIDR ranges from which the user is allowed to connect to the server or from which the server can accept users.~~指定允许用户连接到服务器或服务器可以接受用户的IP地址和CIDR范围的列表。
`mechanisms`	array	~~Optional.~~可选的。~~Specify the specific SCRAM mechanism or mechanisms for creating SCRAM user credentials.~~ 指定用于创建SCRAM用户凭据的特定SCRAM机制。~~If `authenticationMechanisms` is specified, you can only specify a subset of the `authenticationMechanisms`.~~如果指定了`authenticationMechanisms`，则只能指定`authenticationMechanisms`的子集。 Valid values are: `"SCRAM-SHA-1"` Uses the `SHA-1` hashing function. `"SCRAM-SHA-256"` Uses the `SHA-256` hashing function. Requires featureCompatibilityVersion set to `4.0`. Requires digestPassword to be `true`. The default for featureCompatibilityVersion is `4.0` is both `SCRAM-SHA-1` and `SCRAM-SHA-256`. The default for featureCompatibilityVersion is `3.6` is `SCRAM-SHA-1`. ~~New in version 4.0.~~ 4.0版新增。
`digestPassword`	boolean	~~Optional.~~可选的。~~Indicates whether the server or the client digests the password.~~指示服务器还是客户端对密码进行摘要处理。 ~~If true, the server receives undigested password from the client and digests the password.~~如果为`true`，则服务器从客户端接收未消化的密码，并对密码进行消化。 ~~If false, the client digests the password and passes the digested password to the server. Not compatible with `SCRAM-SHA-256`~~ 如果为`false`，客户端将对密码进行摘要处理，并将摘要处理后的密码传递给服务器。与`SCRAM-SHA-256`不兼容 ~~Changed in version 4.0.~~4.0版更改。~~The default value is `true`.~~ 默认值为`true`。~~In earlier versions, the default value is `false`.~~ 在早期版本中，默认值为`false`。
`comment`	any	~~Optional.~~可选的。 ~~A user-provided comment to attach to this command. Once set, this comment appears alongside records of this command in the following locations:~~ 要附加到此命令的用户提供的注释。设置后，此注释将与此命令的记录一起显示在以下位置： mongod log messages, in the `attr.command.cursor.comment` field. Database profiler output, in the `command.comment` field. `currentOp` output, in the `command.comment` field. ~~A comment can be any valid BSON type (string, integer, object, array, etc).~~ 注释可以是任何有效的BSON类型（字符串、整数、对象、数组等）。 ~~New in version 4.4.~~ 4.4版新增。

Roles角色

~~In the roles field, you can specify both built-in roles and user-defined roles.~~在roles字段中，可以指定内置角色和用户定义的角色。

~~To specify a role that exists in the same database where createUser runs, you can either specify the role with the name of the role:~~要指定在createUser运行的同一数据库中存在的角色，可以使用角色名称指定该角色：

"readWrite"

~~Or you can specify the role with a document, as in:~~或者，您可以使用文档指定角色，如中所示：

{ role: "<role>", db: "<database>" }

~~To specify a role that exists in a different database, specify the role with a document.~~若要指定其他数据库中存在的角色，请使用文档指定该角色。

Authentication Restrictions身份验证限制

~~The authenticationRestrictions document can contain only the following fields.~~ authenticationRestrictions文档只能包含以下字段。~~The server throws an error if the authenticationRestrictions document contains an unrecognized field:~~如果authenticationRestrictions文档包含无法识别的字段，则服务器将引发错误：

~~Field Name~~字段名称	~~Value~~值	~~Description~~描述
`clientSource`	Array of IP addresses and/or CIDR ranges	~~If present, when authenticating a user, the server verifies that the client's IP address is either in the given list or belongs to a CIDR range in the list.~~ 如果存在，则在对用户进行身份验证时，服务器会验证客户端的IP地址是否在给定列表中或属于列表中的CIDR范围。~~If the client's IP address is not present, the server does not authenticate the user.~~如果客户端的IP地址不存在，则服务器不会对用户进行身份验证。
`serverAddress`	Array of IP addresses and/or CIDR ranges	~~A list of IP addresses or CIDR ranges to which the client can connect.~~ 客户端可以连接的IP地址或CIDR范围的列表。~~If present, the server will verify that the client's connection was accepted via an IP address in the given list.~~ 如果存在，服务器将验证是否通过给定列表中的IP地址接受了客户端的连接。~~If the connection was accepted via an unrecognized IP address, the server does not authenticate the user.~~如果通过无法识别的IP地址接受连接，则服务器不会对用户进行身份验证。

Important

~~If a user inherits multiple roles with incompatible authentication restrictions, that user becomes unusable.~~如果用户继承了多个具有不兼容身份验证限制的角色，则该用户将变得不可用。

For example, if a user inherits one role in which the clientSource field is ["198.51.100.0"] and another role in which the clientSource field is ["203.0.113.0"] the server is unable to authenticate the user.例如，如果用户继承了一个角色，其中clientSource字段为["198.51.100.0"]，而另一个角色的clientSource字段则为["203.0.113.0"]，则服务器无法对用户进行身份验证。

~~For more information on authentication in MongoDB, see Authentication.~~有关MongoDB中身份验证的更多信息，请参阅身份验证。

Behavior行为

User ID用户ID

~~Starting in version 4.0.9, MongoDB automatically assigns a unique userId to the user upon creation.~~从4.0.9版本开始，MongoDB会在创建时自动为用户分配一个唯一的userId。

Encryption加密

Warning

~~By default, createUser sends all specified data to the MongoDB instance in cleartext, even if using passwordPrompt().~~ 默认情况下，createUser以明文形式将所有指定的数据发送到MongoDB实例，即使使用passwordPrompt()也是如此。~~Use TLS transport encryption to protect communications between clients and the server, including the password sent by createUser.~~ 使用TLS传输加密来保护客户端和服务器之间的通信，包括createUser发送的密码。~~For instructions on enabling TLS transport encryption, see Configure mongod and mongos for TLS/SSL.~~有关启用TLS传输加密的说明，请参阅为TLS/SSL配置mongod和mongos。

~~MongoDB does not store the password in cleartext. The password is only vulnerable in transit between the client and the server, and only if TLS transport encryption is not enabled.~~MongoDB不以明文形式存储密码。只有在客户端和服务器之间的传输过程中，并且只有在未启用TLS传输加密的情况下，密码才易受攻击。

External Credentials外部凭据

~~Users created on the $external database should have credentials stored externally to MongoDB, as, for example, with MongoDB Enterprise installations that use Kerberos.~~在$external数据库上创建的用户应该具有存储在MongoDB外部的凭据，例如，使用Kerberos的MongoDB Enterprise安装。

~~To use Client Sessions and Causal Consistency Guarantees with $external authentication users (Kerberos, LDAP, or x.509 users), usernames cannot be greater than 10k bytes.~~要对$external身份验证用户（Kerberos、LDAP或x.509用户）使用客户端会话和因果一致性保证，用户名不能大于10k字节。

`local` Database

~~You cannot create users on the local database.~~无法在本地数据库上创建用户。

Username Limits用户名限制

~~Usernames must consist of at least one character and cannot be larger than 7MB.~~用户名必须至少包含一个字符，并且不能大于7MB。

Required Access所需访问权限

~~To create a new user in a database, you must have the createUser action on that database resource.~~要在数据库中创建新用户，必须对该数据库资源执行createUser操作。
~~To grant roles to a user, you must have the grantRole action on the role's database.~~要向用户授予角色，必须对角色的数据库执行grantRole操作。

~~The userAdmin and userAdminAnyDatabase built-in roles provide createUser and grantRole actions on their respective resources.~~userAdmin和userAdminAnyDatabase内置角色在各自的资源上提供createUser和grantRole操作。

Example实例

The following createUser command creates a user accountAdmin01 on the products database. The command gives accountAdmin01 the clusterAdmin and readAnyDatabase roles on the admin database and the readWrite role on the products database:下面的createUser命令在products数据库上创建一个用户accountAdmin01。该命令赋予accountAdmin01在admin数据库上的clusterAdmin和readAnyDatabase角色，以及products数据库上的readWrite角色：

Tip

Starting in version 4.2 of the mongo shell, you can use the passwordPrompt() method in conjunction with various user authentication/management methods/commands to prompt for the password instead of specifying the password directly in the method/command call. However, you can still specify the password directly as you would with earlier versions of the mongo shell.从mongoshell的4.2版本开始，您可以将passwordPrompt()方法与各种用户身份验证/管理方法/命令结合使用来提示输入密码，而不是直接在方法/命令调用中指定密码。但是，您仍然可以像使用早期版本的mongoshell一样直接指定密码。

 db.getSiblingDB("products").runCommand( {
       createUser: "accountAdmin01",
       pwd: passwordPrompt(),
       customData: { employeeId: 12345 },
       roles: [
                { role: "clusterAdmin", db: "admin" },
                { role: "readAnyDatabase", db: "admin" },
                "readWrite"
              ],
       writeConcern: { w: "majority" , wtimeout: 5000 }
} )

← User Management Commands dropAllUsersFromDatabase →