db.updateUser()

~~On this page~~本页内容

~~Definition~~定义
~~Behavior~~行为
~~Required Access~~所需访问权限
~~Example~~实例

Definition定义

db.updateUser( username, update, writeConcern )

~~Updates the user's profile on the database on which you run the method.~~ 在运行该方法的数据库上更新用户的配置文件。~~An update to a field completely replaces the previous field's values. This includes updates to the user's roles array.~~字段的更新将完全替换上一个字段的值。这包括对用户roles数组的更新。

Warning

~~When you update the roles array, you completely replace the previous array's values.~~ 更新roles数组时，将完全替换上一个数组的值。~~To add or remove roles without replacing all the user's existing roles, use the db.grantRolesToUser() or db.revokeRolesFromUser() methods.~~要添加或删除角色而不替换用户的所有现有角色，请使用db.grantRolesToUser()或db.revokeRolesFromUser()方法。

~~The db.updateUser() method uses the following syntax:~~db.updateUser()方法使用以下语法：

Tip

Starting in version 4.2 of the mongo shell, you can use the passwordPrompt() method in conjunction with various user authentication/management methods/commands to prompt for the password instead of specifying the password directly in the method/command call. 从mongoshell的4.2版本开始，您可以将passwordPrompt()方法与各种用户身份验证/管理方法/命令结合使用来提示输入密码，而不是直接在方法/命令调用中指定密码。~~However, you can still specify the password directly as you would with earlier versions of the mongo shell.~~但是，您仍然可以像使用早期版本的mongoshell一样直接指定密码。

db.updateUser(
   "<username>",
   {
     customData : { <any information> },
     roles : [
       { role: "<role>", db: "<database>" } | "<role>",
       ...
     ],
     pwd: passwordPrompt(),      // Or  "<cleartext password>"
     authenticationRestrictions: [
        {
          clientSource: ["<IP>" | "<CIDR range>", ...],
          serverAddress: ["<IP>", | "<CIDR range>", ...]
        },
        ...
     ],
     mechanisms: [ "<SCRAM-SHA-1|SCRAM-SHA-256>", ... ],
     passwordDigestor: "<server|client>"
   },
   writeConcern: { <write concern> }
)

~~The db.updateUser() method has the following arguments.~~db.updateUser()方法具有以下参数。

~~Parameter~~参数	~~Type~~类型	~~Description~~描述
`username`	string	~~The name of the user to update.~~要更新的用户的名称。
`update`	document	~~A document containing the replacement data for the user.~~ 包含用户替换数据的文档。~~This data completely replaces the corresponding data for the user.~~该数据完全替换了用户的相应数据。
`writeConcern`	document	~~Optional.~~可选的。~~The level of write concern for the operation.~~ 操作的写入关注级别。~~See Write Concern Specification.~~ 请参阅写入关注规范。

~~The update document specifies the fields to update and their new values. All fields in the update document are optional, but must include at least one field.~~update文档指定要更新的字段及其新值。update文档中的所有字段都是可选的，但必须至少包含一个字段。

~~The update document has the following fields:~~update文档包含以下字段：

~~Field~~字段	~~Type~~类型	~~Description~~描述
`customData`	document	~~Optional.~~可选的。~~Any arbitrary information.~~任何任意信息。
`roles`	array	~~Optional.~~可选的。~~The roles granted to the user.~~ 授予用户的角色。~~An update to the `roles` array overrides the previous array's values.~~对`roles`数组的更新将覆盖上一个数组的值。
`pwd`	string	~~Optional.~~可选的。~~The user's password. The value can be either:~~ 用户的密码。该值可以是： ~~the user's password in cleartext string, or~~明文字符串中的用户密码，或 `passwordPrompt()` ~~to prompt for the user's password.~~以提示输入用户的密码。 Tip Starting in version 4.2 of the `mongo` shell, you can use the `passwordPrompt()` method in conjunction with various user authentication/management methods/commands to prompt for the password instead of specifying the password directly in the method/command call. However, you can still specify the password directly as you would with earlier versions of the `mongo` shell. 从`mongo`shell的4.2版本开始，您可以将`passwordPrompt()`方法与各种用户身份验证/管理方法/命令结合使用来提示输入密码，而不是直接在方法/命令调用中指定密码。但是，您仍然可以像使用早期版本的`mongo`shell一样直接指定密码。
`authenticationRestrictions`	array	~~Optional.~~可选的。~~The authentication restrictions the server enforces upon the user.~~ 服务器对用户强制执行的身份验证限制。~~Specifies a list of IP addresses and CIDR ranges from which the user is allowed to connect to the server or from which the server can accept users.~~指定允许用户连接到服务器或服务器可以接受用户的IP地址和CIDR范围的列表。
`mechanisms`	array	~~Optional.~~可选的。~~The specific SCRAM mechanism or mechanisms for the user credentials.~~ 用户凭据的特定SCRAM机制。~~If `authenticationMechanisms` is specified, you can only specify a subset of the `authenticationMechanisms`.~~如果指定了`authenticationMechanisms`，则只能指定`authenticationMechanisms`的子集。 If updating the mechanisms field without the password, you can only specify a subset of the user's current mechanisms, and only the existing user credentials for the specified mechanism or mechanisms are retained.如果在没有密码的情况下更新机制字段，则只能指定用户当前机制的子集，并且只保留指定机制的现有用户凭据。 ~~If updating the password along with the mechanisms, new set of credentials are stored for the user.~~如果将密码与机制一起更新，则会为用户存储一组新的凭据。 ~~Valid values are:~~ 有效值为： `"SCRAM-SHA-1"` ~~Uses the `SHA-1` hashing function.~~使用`SHA-1`哈希函数。 `"SCRAM-SHA-256"` ~~Uses the `SHA-256` hashing function.~~使用`SHA-256`哈希函数。 ~~Requires featureCompatibilityVersion set to `4.0`.~~需要将`featureCompatibilityVersion`设置为`4.0`。 ~~Requires passwordDigestor to be `server`.~~要求密码Digestor为`server`。
`passwordDigestor`	string	~~Optional.~~可选的。~~Indicates whether the server or the client digests the password.~~指示服务器还是客户端对密码进行摘要处理。 ~~Available values are:~~ 可用值为： `"server"` (Default) ~~The server receives undigested password from the client and digests the password.~~服务器从客户端接收未消化的密码，并对密码进行消化。 `"client"` ~~(Not compatible with `SCRAM-SHA-256`)~~（与`SCRAM-SHA-256`不兼容） ~~The client digests the password and passes the digested password to the server.~~客户端对密码进行摘要处理，并将摘要处理后的密码传递给服务器。

Roles角色

~~In the roles field, you can specify both built-in roles and user-defined roles.~~在角色字段中，可以指定内置角色和用户定义的角色。

~~To specify a role that exists in the same database where db.updateUser() runs, you can either specify the role with the name of the role:~~要指定运行db.updateUser()的同一数据库中存在的角色，可以使用角色名称指定该角色：

"readWrite"

~~Or you can specify the role with a document, as in:~~或者，您可以使用文档指定角色，如中所示：

{ role: "<role>", db: "<database>" }

~~To specify a role that exists in a different database, specify the role with a document.~~若要指定其他数据库中存在的角色，请使用文档指定该角色。

Authentication Restrictions身份验证限制

~~The authenticationRestrictions document can contain only the following fields.~~ authenticationRestrictions文档只能包含以下字段。~~The server throws an error if the authenticationRestrictions document contains an unrecognized field:~~如果authenticationRestrictions文档包含无法识别的字段，则服务器将引发错误：

~~Field Name~~字段名称	~~Value~~值	~~Description~~描述
`clientSource`	~~Array of IP addresses and/or CIDR ranges~~IP地址和/或CIDR范围数组	~~If present, when authenticating a user, the server verifies that the client's IP address is either in the given list or belongs to a CIDR range in the list.~~ 如果存在，则在对用户进行身份验证时，服务器会验证客户端的IP地址是否在给定列表中或属于列表中的CIDR范围。~~If the client's IP address is not present, the server does not authenticate the user.~~如果客户端的IP地址不存在，则服务器不会对用户进行身份验证。
`serverAddress`	~~Array of IP addresses and/or CIDR ranges~~IP地址和/或CIDR范围数组	~~A list of IP addresses or CIDR ranges to which the client can connect.~~ 客户端可以连接的IP地址或CIDR范围的列表。~~If present, the server will verify that the client's connection was accepted via an IP address in the given list.~~ 如果存在，服务器将验证是否通过给定列表中的IP地址接受了客户端的连接。~~If the connection was accepted via an unrecognized IP address, the server does not authenticate the user.~~如果通过无法识别的IP地址接受连接，则服务器不会对用户进行身份验证。

Important

~~If a user inherits multiple roles with incompatible authentication restrictions, that user becomes unusable.~~如果用户继承了多个具有不兼容身份验证限制的角色，则该用户将变得不可用。

For example, if a user inherits one role in which the clientSource field is ["198.51.100.0"] and another role in which the clientSource field is ["203.0.113.0"] the server is unable to authenticate the user.例如，如果用户继承了一个角色，其中clientSource字段为["198.51.100.0"]，而另一个角色的clientSource字段则为["203.0.113.0"]，则服务器无法对用户进行身份验证。

~~For more information on authentication in MongoDB, see Authentication.~~有关MongoDB中身份验证的更多信息，请参阅身份验证。

~~The db.updateUser() method wraps the updateUser command.~~db.updateUser()方法包装updateUser命令。

Behavior行为

Replica set副本集

~~If run on a replica set, db.updateUser() is executed using "majority" write concern by default.~~如果在副本集上运行，db.updateUser()在默认情况下使用"majority"写入关注执行。

Encyption

Warning

~~By default, db.updateUser() sends all specified data to the MongoDB instance in cleartext, even if using passwordPrompt().~~ 默认情况下，db.updateUser()以明文形式将所有指定的数据发送到MongoDB实例，即使使用passwordPrompt()也是如此。~~Use TLS transport encryption to protect communications between clients and the server, including the password sent by db.updateUser().~~ 使用TLS传输加密来保护客户端和服务器之间的通信，包括db.updateUser()发送的密码。~~For instructions on enabling TLS transport encryption, see Configure mongod and mongos for TLS/SSL.~~有关启用TLS传输加密的说明，请参阅为TLS/SSL配置mongod和mongos。

~~MongoDB does not store the password in cleartext. The password is only vulnerable in transit between the client and the server, and only if TLS transport encryption is not enabled.~~MongoDB不以明文形式存储密码。只有在客户端和服务器之间的传输过程中，并且只有在未启用TLS传输加密的情况下，密码才易受攻击。

Required Access所需访问权限

~~You must have access that includes the revokeRole action on all databases in order to update a user's roles array.~~您必须对所有数据库具有包括revokeRole 操作的访问权限，才能更新用户的roles数组。

~~You must have the grantRole action on a role's database to add a role to a user.~~必须对角色的数据库执行grantRole 操作才能向用户添加角色。

~~To change another user's pwd or customData field, you must have the changePassword and changeCustomData actions respectively on that user's database.~~要更改另一个用户的pwd或customData字段，必须对该用户的数据库分别执行changePassword操作和changeCustomData操作。

~~To modify your own password and custom data, you must have privileges that grant changeOwnPassword and changeOwnCustomData actions respectively on the user's database.~~要修改您自己的密码和自定义数据，您必须具有在用户数据库上分别授予changeOwnPassword和changeOwnCustomData 操作的权限。

Example实例

~~Given a user appClient01 in the products database with the following user info:~~给定products数据库中具有以下用户信息的用户appClient01：

{
   _id : "products.appClient01",
   userId : UUID("c5d88855-3f1e-46cb-9c8b-269bef957986"),
   user : "appClient01",
   db : "products",
   customData : { empID : "12345", badge : "9156" },
   roles : [
       {
         role : "readWrite",
         db : "products"
       },
       {
         role : "read",
         db : "inventory"
       }
   ],
   mechanisms : [
      "SCRAM-SHA-1",
      "SCRAM-SHA-256"
   ],
   authenticationRestrictions : [ {
      clientSource: ["69.89.31.226"],
      serverAddress: ["172.16.254.1"]
   } ]
}

~~The following db.updateUser() method completely replaces the user's customData and roles data:~~以下db.updateUser()方法完全替换了用户的customData和roles数据：

use products
db.updateUser( "appClient01",
{
   customData : { employeeId : "0x3039" },
   roles : [
      { role : "read", db : "assets"  }
   ]
} )

~~The user appClient01 in the products database now has the following user information:~~products数据库中的用户appClient01现在具有以下用户信息：

{
   _id : "products.appClient01",
   userId : UUID("c5d88855-3f1e-46cb-9c8b-269bef957986"),
   user : "appClient01",
   db : "products",
   customData : { employeeId : "0x3039" },
   roles : [
       {
         role : "read",
         db : "assets"
       }
   ],
   mechanisms : [
      "SCRAM-SHA-1",
      "SCRAM-SHA-256"
   ],
   authenticationRestrictions : [ {
      clientSource: ["69.89.31.226"],
      serverAddress: ["172.16.254.1"]
   } ]
}

Update User to Use `SCRAM-SHA-256` Credentials Only更新用户以仅使用`SCRAM-SHA-256`凭据

Note

To use SCRAM-SHA-256, the featureCompatibilityVersion must be set to 4.0. For more information on featureCompatibilityVersion, see Get FeatureCompatibilityVersion and setFeatureCompatibilityVersion.若要使用SCRAM-SHA-256，featureCompatibilityVersion必须设置为4.0。有关featureCompaibilityVersion的详细信息，请参阅Get FeatureCompatibilityVersion和setFeatureCompatibilityVersion。

~~The following operation updates a user who currently have both SCRAM-SHA-256 and SCRAM-SHA-1 credentials to have only SCRAM-SHA-256 credentials.~~以下操作将当前同时具有SCRAM-SHA-256和SCRAM-SHA-1凭据的用户更新为仅具有SCRAM-SHA-256凭据。