With access control enabled, users are required to identify themselves. You have to grant a user one or more roles. A role grants a user privileges to perform certain actions on MongoDB resources.
Each application and user of a MongoDB system should map to a distinct user. This principle of access isolation facilitates access revocation and ongoing user maintenance. To ensure a system of least privilege, grant only the minimal set of privileges a user requires.
The user information on this page applies to self-managed deployments hosted in all of the following environments unless specified otherwise:
- MongoDB Enterprise: The subscription-based, self-managed version of MongoDB
- MongoDB Community: The source-available, free-to-use, and self-managed version of MongoDB
MongoDB Atlas Compatibility
The following limitations apply only to deployments hosted in MongoDB Atlas. If any of these limits present a problem for your organization, contact Atlas support.
You must use the Atlas CLI, Atlas Administration API, Atlas UI, or a supported integration to add, modify, or delete database users on MongoDB Atlas clusters. Otherwise, MongoDB Atlas rolls back any user modifications. To add users in MongoDB Atlas, see Add Database Users in the MongoDB Atlas documentation.
The available MongoDB Atlas built-in roles and specific privileges support a subset of MongoDB commands. See Unsupported Commands in M10+ Clusters for more information.
MongoDB Atlas supports a maximum of 100 database users per MongoDB Atlas project. If you require more than 100 database users on a project, contact Atlas support.
Prerequisites
To be able to create users, you need to:
For routine user creation, you must possess the following permissions:
- To create a new user in a database, you must have the createUser action on that database resource.
- To grant roles to a user, you must have the grantRole action on the role's database.
The userAdmin and userAdminAnyDatabase built-in roles provide createUser and grantRole actions on their respective resources.
Steps
Note
The following procedures use SCRAM authentication. For additional information on other authentication mechanisms, see Additional Examples.
To configure database users for your self-managed MongoDB Enterprise or MongoDB Community deployment, follow these steps:
Connect and authenticate
Using mongosh, connect to your primary mongod or, in a sharded cluster, connect to your mongos, and authenticate as a user administrator or as a user with the required privileges:
Authenticate during Connection
Start mongosh with the -u <username>, -p, and --authenticationDatabase <database> command line options:
mongosh --port 27017 --authenticationDatabase \
"admin" -u "myUserAdmin" -p
Enter your password when prompted.
Authenticate after Connection
Using mongosh, connect to your database deployment:
mongosh --port 27017
In mongosh, switch to the authentication database (in this case, admin), and use the db.auth(<username>, <pwd>) method to authenticate:
use admin
db.auth("myUserAdmin", passwordPrompt()) // or cleartext password
Tip
The passwordPrompt() method prompts you to enter the password. You can also specify your password directly as a string. We recommend using the passwordPrompt() method to avoid the password being visible on your screen and potentially leaking into your shell history.
Enter the password when prompted.
Create additional users for your deployment
Note
The following step uses SCRAM authentication. For additional information on other authentication mechanisms, see Additional Examples.
After authenticating as the user administrator, use the db.createUser() method to create additional users. You can assign any built-in roles or user-defined roles to the users.
The following operation adds a user myTester to the test database who has the readWrite role in the test database as well as the read role in the reporting database.
use test
db.createUser(
  {
    user: "myTester",
    pwd: passwordPrompt(), // or cleartext password
    roles: [ { role: "readWrite", db: "test" },
             { role: "read", db: "reporting" } ]
  }
)
Tip
The passwordPrompt() method prompts you to enter the password. You can also specify your password directly as a string. We recommend using the passwordPrompt() method to avoid the password being visible on your screen and potentially leaking into your shell history.
The database where you create the user (in this example, test) is that user's authentication database. Although the user authenticates to this database, the user can have roles in other databases. The user's authentication database does not limit the user's privileges.
After creating the additional users, exit mongosh.
Connect to the instance and authenticate as myTester
Important
It is not possible to switch between users in the same mongosh session. Authenticating as a different user means the session has the privileges of both authenticated users. To switch between users, exit and relaunch mongosh.
After exiting mongosh as myUserAdmin, reconnect as myTester:
Authenticate during Connection
Start mongosh with the -u <username>, -p, and --authenticationDatabase <database> command line options:
mongosh --port 27017 -u "myTester" \
--authenticationDatabase "test" -p
Enter the password for the user when prompted.
Authenticate after Connection
Using mongosh, connect to your database deployment:
mongosh --port 27017
In mongosh, switch to the authentication database (in this case, test, the database in which myTester was created), and use the db.auth(<username>, <pwd>) method to authenticate:
use test
db.auth("myTester", passwordPrompt()) // or cleartext password
Tip
The passwordPrompt() method prompts you to enter the password. You can also specify your password directly as a string. We recommend using the passwordPrompt() method to avoid the password being visible on your screen and potentially leaking into your shell history.
Enter the password for the user when prompted.
Insert a document as myTester
As the user myTester, you have privileges to perform read and write operations in the test database (as well as read operations in the reporting database). Once authenticated as myTester, insert a document into a collection in the test database. For example, you can perform the following insert operation in the test database:
db.foo.insertOne( { x: 1, y: 1 } )
Additional Examples
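The user created in the steps above, modelled in plain Node.js as an added example (this is not code from the MongoDB documentation and does not talk to a server). It builds the document that db.createUser() submits for myTester, validates the role shape, and evaluates a deliberately simplified action table for the read and readWrite built-in roles (an assumption for illustration, not MongoDB's full privilege model) to show why the insert into test succeeds while the same insert into reporting, where myTester only holds read, would be denied. The password is a constructed placeholder.

```javascript
// Added example, not from the MongoDB documentation: a small model of the
// myTester user and of what its role grants allow. The role-to-action table
// is a simplified subset (assumption); real built-in roles carry many more
// actions. Nothing here connects to a database.

// Simplified view of two built-in roles: which collection-level actions they grant.
const BUILTIN_ROLE_ACTIONS = {
  read: new Set(["find"]),
  readWrite: new Set(["find", "insert", "update", "remove"]),
};

// Build the document that db.createUser() sends, validating its shape first.
// authDb is the database the user is created in, i.e. its authentication database.
function buildCreateUserCommand({ authDb, user, pwd, roles }) {
  if (typeof authDb !== "string" || authDb === "") {
    throw new Error("authDb is required");
  }
  if (typeof user !== "string" || user === "") {
    throw new Error("user is required");
  }
  if (typeof pwd !== "string" || pwd === "") {
    throw new Error("pwd is required for a password-based (SCRAM) user");
  }
  if (!Array.isArray(roles) || roles.length === 0) {
    throw new Error("roles must be a non-empty array: grant at least one role");
  }
  for (const r of roles) {
    if (typeof r.role !== "string" || typeof r.db !== "string") {
      throw new Error("each role must be { role: <name>, db: <database> }");
    }
    if (!(r.role in BUILTIN_ROLE_ACTIONS)) {
      throw new Error(`role not in this simplified model: ${r.role}`);
    }
  }
  return { authDb, command: { createUser: user, pwd, roles } };
}

// Decide whether a user holding these role grants may perform an action on a
// database. A grant applies only to the database named in the grant; the
// authentication database plays no part in the decision, as the text notes.
function isAllowed(roles, action, db) {
  return roles.some(
    (r) => r.db === db && BUILTIN_ROLE_ACTIONS[r.role].has(action)
  );
}

// The myTester user from the procedure. The password is a constructed placeholder.
const myTester = buildCreateUserCommand({
  authDb: "test",
  user: "myTester",
  pwd: "PLACEHOLDER-PASSWORD",
  roles: [
    { role: "readWrite", db: "test" },
    { role: "read", db: "reporting" },
  ],
});

// Summarise what myTester can and cannot do, mirroring the "Insert a document
// as myTester" step: insert into test is allowed, insert into reporting
// (read-only grant) is denied, and a database with no grant at all is denied.
function myTesterCapabilities() {
  const roles = myTester.command.roles;
  return {
    insertIntoTest: isAllowed(roles, "insert", "test"),
    findInReporting: isAllowed(roles, "find", "reporting"),
    insertIntoReporting: isAllowed(roles, "insert", "reporting"),
    findInProducts: isAllowed(roles, "find", "products"),
  };
}

console.log(myTesterCapabilities());
```

Running the file prints the capability summary; the useful property to notice is that the authentication database (test) never appears in isAllowed, which is exactly the point the text makes about the authentication database not limiting privileges.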
Username/Password Authentication
The following operation creates a user in the reporting database with the specified name, password, and roles.
Tip
The passwordPrompt() method prompts you to enter the password. You can also specify your password directly as a string. We recommend using the passwordPrompt() method to avoid the password being visible on your screen and potentially leaking into your shell history.
use reporting
db.createUser(
  {
    user: "reportsUser",
    pwd: passwordPrompt(), // or cleartext password
    roles: [
      { role: "read", db: "reporting" },
      { role: "read", db: "products" },
      { role: "read", db: "sales" },
      { role: "readWrite", db: "accounts" }
    ]
  }
)
Kerberos Authentication
Users that authenticate to MongoDB using an external authentication mechanism, such as Kerberos, must be created in the $external database, which allows mongos or mongod to consult an external source for authentication.
To use Client Sessions and Causal Consistency Guarantees with $external authentication users (Kerberos, LDAP, or X.509 users), usernames cannot be greater than 10k bytes.
For Kerberos authentication, you must add the Kerberos principal as the username. You do not need to specify a password.
The following operation adds the Kerberos principal reportingapp@EXAMPLE.NET with read-only access to the records database:
use $external
db.createUser(
  {
    user: "reportingapp@EXAMPLE.NET",
    roles: [
      { role: "read", db: "records" }
    ]
  }
)
Tip
For more information about setting up Kerberos authentication for your MongoDB deployment, see the following tutorials:
LDAP Authentication
Note
Starting in MongoDB 8.0, LDAP authentication and authorization is deprecated. LDAP is available and will continue to operate without changes throughout the lifetime of MongoDB 8. LDAP will be removed in a future major release.
For details, see LDAP Deprecation.
Users that authenticate to MongoDB using an external authentication mechanism, such as LDAP, must be created in the $external database, which allows mongos or mongod to consult an external source for authentication.
To use Client Sessions and Causal Consistency Guarantees with $external authentication users (Kerberos, LDAP, or X.509 users), usernames cannot be greater than 10k bytes.
For LDAP authentication, you must specify a username. You do not need to specify the password, as that is handled by the LDAP service.
The following operation adds the reporting user with read-only access to the records database:
use $external
db.createUser(
  {
    user: "reporting",
    roles: [
      { role: "read", db: "records" }
    ]
  }
)
Tip
For more information about setting up LDAP authentication for your MongoDB deployment, see the following tutorials:
X.509 Client Certificate Authentication
Users that authenticate to MongoDB using an external authentication mechanism, such as X.509 Client Certificate Authentication, must be created in the $external database, which allows mongos or mongod to consult an external source for authentication.
To use Client Sessions and Causal Consistency Guarantees with $external authentication users (Kerberos, LDAP, or X.509 users), usernames cannot be greater than 10k bytes.
For X.509 Client Certificate authentication, you must add the value of the subject from the client certificate as a MongoDB user. Each unique X.509 client certificate corresponds to a single MongoDB user. You do not need to specify a password.
The following operation adds the client certificate subject CN=myName,OU=myOrgUnit,O=myOrg,L=myLocality,ST=myState,C=myCountry as a user with read-only access to the records database.
use $external
db.createUser(
  {
    user: "CN=myName,OU=myOrgUnit,O=myOrg,L=myLocality,ST=myState,C=myCountry",
    roles: [
      { role: "read", db: "records" }
    ]
  }
)
Tip
For more information about setting up X.509 Client Certificate authentication for your MongoDB deployment, see the following tutorials:
Next Steps
To manage users, assign roles, and create custom roles for your self-managed MongoDB Enterprise or MongoDB Community deployment, see Manage Users and Roles on Self-Managed Deployments.
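The three $external users from the Kerberos, LDAP, and X.509 sections above, built by one Node.js helper as an added example (not code from the MongoDB documentation, and it does not connect to a server). The helper enforces the two rules those sections state for externally authenticated users: no password is stored, because the external mechanism verifies identity, and the username must not exceed the 10k-byte limit if client sessions are to be used. The limit is measured in UTF-8 bytes, since a non-ASCII certificate subject or principal reaches it with fewer characters than an ASCII one; reading "10k bytes" as 10,000 bytes is an assumption made here.

```javascript
// Added example, not from the MongoDB documentation: builds the document that
// `use $external; db.createUser({...})` submits for a Kerberos, LDAP, or X.509
// user and rejects input that violates the rules given in the text above.
// "10k bytes" is taken to mean 10,000 bytes (assumption). No server involved.

const EXTERNAL_DB = "$external";
const MAX_EXTERNAL_USERNAME_BYTES = 10000;

// Byte length of the username encoded as UTF-8, which is what the limit counts
// (a non-ASCII subject or principal uses more bytes than characters).
function usernameByteLength(user) {
  return Buffer.byteLength(user, "utf8");
}

function buildExternalUserCommand({ user, roles, pwd }) {
  if (typeof user !== "string" || user === "") {
    throw new Error("user is required: Kerberos principal, LDAP username, or X.509 subject");
  }
  // Externally authenticated users carry no password in MongoDB at all.
  if (pwd !== undefined) {
    throw new Error("users in $external must not be given a password");
  }
  if (usernameByteLength(user) > MAX_EXTERNAL_USERNAME_BYTES) {
    throw new Error(
      `username is ${usernameByteLength(user)} bytes; over ${MAX_EXTERNAL_USERNAME_BYTES} ` +
        "client sessions and causal consistency are unavailable"
    );
  }
  if (!Array.isArray(roles) || roles.length === 0) {
    throw new Error("grant at least one role");
  }
  for (const r of roles) {
    if (typeof r.role !== "string" || typeof r.db !== "string") {
      throw new Error("each role must be { role: <name>, db: <database> }");
    }
  }
  // Same shape as the shell examples: createUser plus roles, and no pwd field.
  return { authDb: EXTERNAL_DB, command: { createUser: user, roles } };
}

// The three users from the sections above, each read-only on records.
const recordsReadOnly = [{ role: "read", db: "records" }];

function exampleExternalUsers() {
  return {
    kerberos: buildExternalUserCommand({
      user: "reportingapp@EXAMPLE.NET",
      roles: recordsReadOnly,
    }),
    ldap: buildExternalUserCommand({ user: "reporting", roles: recordsReadOnly }),
    x509: buildExternalUserCommand({
      user: "CN=myName,OU=myOrgUnit,O=myOrg,L=myLocality,ST=myState,C=myCountry",
      roles: recordsReadOnly,
    }),
  };
}

console.log(JSON.stringify(exampleExternalUsers(), null, 2));
```

The byte-length check is the part worth keeping around operationally: X.509 subjects generated from an internal CA template can grow well past what a human types, and discovering the limit only when client sessions fail is harder to diagnose than rejecting the subject when the user is provisioned.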