updateUser

~~On this page~~本页内容

~~Definition~~定义
~~Syntax~~语法
~~Command Fields~~命令字段
~~Behavior~~行为
~~Required Access~~所需访问权限
~~Example~~实例

Definition定义

updateUser

~~Updates the user's profile on the database on which you run the command.~~ 在运行命令的数据库上更新用户的配置文件。~~An update to a field completely replaces the previous field's values, including updates to the user's roles and authenticationRestrictions arrays.~~对字段的更新将完全替换上一个字段的值，包括对用户roles和authenticationRestrictions数组的更新。

Tip

~~In mongosh, this command can also be run through the db.changeUserPassword() helper method.~~在mongosh中，这个命令也可以通过db.changeUserPassword()助手方法运行。

~~Helper methods are convenient for mongosh users, but they may not return the same level of information as database commands.~~ 助手方法对mongosh用户来说很方便，但它们可能不会返回与数据库命令相同级别的信息。~~In cases where the convenience is not needed or the additional return fields are required, use the database command.~~如果不需要方便，或者需要额外的返回字段，请使用数据库命令。

Warning

~~When you update the roles array, you completely replace the previous array's values.~~ 更新roles数组时，将完全替换上一个数组的值。~~To add or remove roles without replacing all the user's existing roles, use the grantRolesToUser or revokeRolesFromUser commands.~~要添加或删除角色而不替换用户的所有现有角色，请使用grantRolesToUser或revokeRolesFromUser命令。

~~To update a user, you must specify the updateUser field and at least one other field, other than writeConcern.~~若要更新用户，必须指定updateUser字段和除writeConcern之外的至少一个其他字段。

Syntax语法

~~The command uses the following syntax:~~该命令使用以下语法：

 db.runCommand(
    {
      updateUser: "<username>",
      pwd: passwordPrompt(),      // Or  "<cleartext password>"
      customData: { <any information> },
      roles: [
        { role: "<role>", db: "<database>" } | "<role>",
        ...
      ],
      authenticationRestrictions: [
         {
           clientSource: ["<IP>" | "<CIDR range>", ...],
           serverAddress: ["<IP>", | "<CIDR range>", ...]
         },
         ...
      ],
      mechanisms: [ "<scram-mechanism>", ... ],
      digestPassword: <boolean>,
      writeConcern: { <write concern> },
      comment: <any>
    }
)

Command Fields命令字段

~~The command takes the following fields:~~该命令包含以下字段：

~~Field~~字段	~~Type~~类型	~~Description~~描述
`updateUser`	string	~~The name of the user to update.~~要更新的用户的名称。
`pwd`	string	~~Optional.~~可选的。~~The user's password. The value can be either:~~ 用户的密码。该值可以是： ~~the user's password in cleartext string, or~~明文字符串中的用户密码，或 `passwordPrompt()` ~~to prompt for the user's password.~~以提示输入用户的密码。 Tip Starting in version 4.2 of the `mongo` shell, you can use the `passwordPrompt()` method in conjunction with various user authentication/management methods/commands to prompt for the password instead of specifying the password directly in the method/command call. ~~However, you can still specify the password directly as you would with earlier versions of the `mongo` shell.~~但是，您仍然可以像使用早期版本的mongoshell一样直接指定密码。
`customData`	document	~~Optional.~~可选的。~~Any arbitrary information.~~任何任意信息。
`roles`	array	~~Optional.~~可选的。~~The roles granted to the user. An update to the `roles` array overrides the previous array's values.~~授予用户的角色。对`roles`数组的更新将覆盖上一个数组的值。
`writeConcern`	document	~~Optional.~~可选的。The level of write concern for the operation. See Write Concern Specification.
`authenticationRestrictions`	array	~~Optional.~~可选的。The authentication restrictions the server enforces upon the user. Specifies a list of IP addresses and CIDR ranges from which the user is allowed to connect to the server or from which the server can accept users.
`mechanisms`	array	~~Optional.~~可选的。The specific SCRAM mechanism or mechanisms for the user credentials. If `authenticationMechanisms` is specified, you can only specify a subset of the `authenticationMechanisms`. If updating the mechanisms field without the password, you can only specify a subset of the user's current mechanisms, and only the existing user credentials for the specified mechanism or mechanisms are retained.如果在没有密码的情况下更新机制字段，则只能指定用户当前机制的子集，并且只保留指定机制的现有用户凭据。 ~~If updating the password along with the mechanisms, new set of credentials are stored for the user.~~如果将密码与机制一起更新，则会为用户存储一组新的凭据。 ~~Valid values are:~~ 有效值为： `"SCRAM-SHA-1"` Uses the `SHA-1` hashing function. `"SCRAM-SHA-256"` ~~Uses the `SHA-256` hashing function.~~使用`SHA-256`哈希函数。 ~~Requires featureCompatibilityVersion set to `4.0`.~~需要将`featureCompatibilityVersion`设置为`4.0`。 ~~Requires digestPassword to be `true`.~~要求`digestPassword`为`true`。
`digestPassword`	boolean	~~Optional.~~可选的。~~Indicates whether the server or the client digests the password.~~指示服务器还是客户端对密码进行摘要处理。 ~~If `true` (default), the server receives undigested password from the client and digests the password.~~如果为`true`（默认值），服务器将从客户端接收未消化的密码并对密码进行消化。 ~~If `false`, the client digests the password and passes the digested password to the server.~~ 如果为`false`，客户端将对密码进行摘要处理，并将摘要处理后的密码传递给服务器。~~Not compatible with `SCRAM-SHA-256`~~ 与`SCRAM-SHA-256`不兼容
`comment`	any	~~Optional.~~可选的。 ~~A user-provided comment to attach to this command. Once set, this comment appears alongside records of this command in the following locations:~~ 要附加到此命令的用户提供的注释。设置后，此注释将与此命令的记录一起显示在以下位置： mongod log messages, in the `attr.command.cursor.comment` field. Database profiler output, in the `command.comment` field. `currentOp` output, in the `command.comment` field. A comment can be any valid BSON type (string, integer, object, array, etc). ~~New in version 4.4.~~ 4.4版新增。

Roles角色

In the roles field, you can specify both built-in roles and user-defined roles.

To specify a role that exists in the same database where updateUser runs, you can either specify the role with the name of the role:

"readWrite"

~~Or you can specify the role with a document, as in:~~或者，您可以使用文档指定角色，如中所示：

{ role: "<role>", db: "<database>" }

~~To specify a role that exists in a different database, specify the role with a document.~~若要指定其他数据库中存在的角色，请使用文档指定该角色。

Authentication Restrictions身份验证限制

~~The authenticationRestrictions document can contain only the following fields. The server throws an error if the authenticationRestrictions document contains an unrecognized field:~~authenticationRestrictions文档只能包含以下字段。如果authenticationRestrictions文档包含无法识别的字段，则服务器将引发错误：

~~Field Name~~字段名称	~~Value~~值	~~Description~~描述
`clientSource`	Array of IP addresses and/or CIDR ranges	If present, when authenticating a user, the server verifies that the client's IP address is either in the given list or belongs to a CIDR range in the list. If the client's IP address is not present, the server does not authenticate the user.如果存在，则在对用户进行身份验证时，服务器会验证客户端的IP地址是否在给定列表中或属于列表中的CIDR范围。如果客户端的IP地址不存在，则服务器不会对用户进行身份验证。
`serverAddress`	Array of IP addresses and/or CIDR ranges	~~A list of IP addresses or CIDR ranges to which the client can connect.~~ 客户端可以连接的IP地址或CIDR范围的列表。If present, the server will verify that the client's connection was accepted via an IP address in the given list. If the connection was accepted via an unrecognized IP address, the server does not authenticate the user.如果存在，服务器将验证是否通过给定列表中的IP地址接受了客户端的连接。如果通过无法识别的IP地址接受连接，则服务器不会对用户进行身份验证。

Important

~~If a user inherits multiple roles with incompatible authentication restrictions, that user becomes unusable.~~如果用户继承了多个具有不兼容身份验证限制的角色，则该用户将变得不可用。

For example, if a user inherits one role in which the clientSource field is ["198.51.100.0"] and another role in which the clientSource field is ["203.0.113.0"] the server is unable to authenticate the user.例如，如果用户继承了一个角色，其中clientSource字段为["198.51.100.0"]，而另一个角色的clientSource字段则为["203.0.113.0"]，则服务器无法对用户进行身份验证。

~~For more information on authentication in MongoDB, see Authentication.~~有关MongoDB中身份验证的更多信息，请参阅身份验证。

Behavior行为

Warning

By default, updateUser sends all specified data to the MongoDB instance in cleartext, even if using passwordPrompt(). Use TLS transport encryption to protect communications between clients and the server, including the password sent by updateUser. For instructions on enabling TLS transport encryption, see Configure mongod and mongos for TLS/SSL.

~~MongoDB does not store the password in cleartext. The password is only vulnerable in transit between the client and the server, and only if TLS transport encryption is not enabled.~~MongoDB不以明文形式存储密码。只有在客户端和服务器之间的传输过程中，并且只有在未启用TLS传输加密的情况下，密码才易受攻击。

Required Access所需访问权限

You must have access that includes the revokeRole action on all databases in order to update a user's roles array.

You must have the grantRole action on a role's database to add a role to a user.

To change another user's pwd or customData field, you must have the changePassword and changeCustomData actions respectively on that user's database.

To modify your own password and custom data, you must have privileges that grant changeOwnPassword and changeOwnCustomData actions respectively on the user's database.

Example实例

Given a user appClient01 in the products database with the following user info:

{
   "_id" : "products.appClient01",
   "userId" : UUID("c5d88855-3f1e-46cb-9c8b-269bef957986"),
   "user" : "appClient01",
   "db" : "products",
   "customData" : { "empID" : "12345", "badge" : "9156" },
   "roles" : [
       { "role" : "readWrite",
         "db" : "products"
       },
       { "role" : "read",
         "db" : "inventory"
       }
   ],
   "mechanisms" : [
      "SCRAM-SHA-1",
      "SCRAM-SHA-256"
   ]
}

The following updateUser command completely replaces the user's customData and roles data:

use products
db.runCommand( {
   updateUser : "appClient01",
   customData : { employeeId : "0x3039" },
   roles : [ { role : "read", db : "assets" } ]
} )

The user appClient01 in the products database now has the following user information:

{
   "_id" : "products.appClient01",
   "userId" : UUID("c5d88855-3f1e-46cb-9c8b-269bef957986"),
   "user" : "appClient01",
   "db" : "products",
   "customData" : { "employeeId" : "0x3039" },
   "roles" : [
       { "role" : "read",
         "db" : "assets"
       }
   ],
   "mechanisms" : [
      "SCRAM-SHA-1",
      "SCRAM-SHA-256"
   ]

}

← revokeRolesFromUser usersInfo →