Users用户¶

~~On this page~~本页内容

~~User Management Interface~~用户管理界面
~~Authentication Database~~身份验证数据库
~~Authenticate a User~~验证用户身份
~~Centralized User Data~~集中式用户数据
~~Sharded Cluster Users~~分片群集用户
~~Localhost Exception~~本地主机异常

~~To authenticate a client in MongoDB, you must add a corresponding user to MongoDB.~~要在MongoDB中验证客户端，必须向MongoDB添加相应的用户。

User Management Interface用户管理界面¶

~~To add a user, MongoDB provides the db.createUser() method.~~为了添加用户，MongoDB提供db.createUser()方法。~~When adding a user, you can assign roles to the user in order to grant privileges.~~添加用户时，可以为该用户分配角色以授予权限。

Note

~~The first user created in the database should be a user administrator who has the privileges to manage other users.~~在数据库中创建的第一个用户应该是具有管理其他用户权限的用户管理员。~~See Enable Access Control.~~请参见启用访问控制。

~~You can also update existing users, such as to change password and grant or revoke roles.~~您还可以更新现有用户，例如更改密码和授予或撤消角色。~~For a full list of user management methods, see User Management.~~有关用户管理方法的完整列表，请参阅用户管理。

~~A user is uniquely identified by the user’s name and associated authentication database.~~用户由用户名和关联的身份验证数据库唯一标识。~~Starting in MongoDB 4.0.9, a users managed by MongoDB are assigned a unique userId.~~从MongoDB 4.0.9开始，一个由MongoDB管理的用户被分配一个唯一的userId。[1]

~~See also~~另请参阅

~~Add Users~~添加用户

Authentication Database身份验证数据库¶

~~When adding a user, you create the user in a specific database.~~添加用户时，将在特定数据库中创建该用户。~~This database is the authentication database for the user.~~此数据库是用户的身份验证数据库。

~~A user can have privileges across different databases; that is, a user’s privileges are not limited to their authentication database.~~用户可以拥有跨不同数据库的权限；也就是说，用户的权限不限于其身份验证数据库。~~By assigning to the user roles in other databases, a user created in one database can have permissions to act on other databases.~~通过分配给其他数据库中的用户角色，在一个数据库中创建的用户可以拥有对其他数据库执行操作的权限。~~For more information on roles, see Role-Based Access Control.~~有关角色的详细信息，请参阅基于角色的访问控制。

~~The user’s name and authentication database serve as a unique identifier for that user.~~用户名和身份验证数据库用作该用户的唯一标识符。[1] ~~That is, if two users have the same name but are created in different databases, they are two separate users.~~也就是说，如果两个用户具有相同的名称，但在不同的数据库中创建，则它们是两个独立的用户。If you intend to have a single user with permissions on multiple databases, create a single user with roles in the applicable databases instead of creating the user multiple times in different databases.如果要让一个用户对多个数据库具有权限，请在适用的数据库中创建一个具有角色的用户，而不是在不同的数据库中多次创建该用户。

[1]

(1, 2)

~~Starting in version 4.0.9, MongoDB associates a user with a unique userId upon creation in MongoDB.~~从版本4.0.9开始，MongoDB在MongoDB中创建用户时将用户与唯一的userId相关联。

~~LDAP managed users created on the LDAP server do not have an associated document in the system.users collection, and hence, do not have a userId field associated with them.~~在LDAP服务器上创建的LDAP托管用户在system.users集合中没有关联的文档，因此，没有与LDAP托管用户相关联的userId字段。

Authenticate a User验证用户身份¶

~~To authenticate as a user, you must provide a username, password, and the authentication database associated with that user.~~要作为用户进行身份验证，必须提供用户名、密码以及与该用户关联的身份验证数据库。

~~To authenticate using the mongo shell, either:~~要使用mongo shell进行身份验证，请执行以下任一操作：

~~Use the mongo command-line authentication options (--username, --password, and --authenticationDatabase) when connecting to the mongod or mongos instance, or~~连接到mongod或mongos实例时，请使用mongo命令行身份验证选项（--username、--password和--authenticationDatabase），或者
~~Connect first to the mongod or mongos instance, and then run the authenticate command or the db.auth() method against the authentication database.~~首先连接到mongod或mongos实例，然后针对身份验证数据库运行authenticate命令或db.auth()方法。

~~Important~~重要

~~Authenticating multiple times as different users does not drop the credentials of previously-authenticated users.~~多次作为不同的用户进行身份验证不会删除以前经过身份验证的用户的凭据。~~This may lead to a connection having more permissions than intended by the user, and causes operations within a logical session to raise an error.~~这可能导致连接的权限超过用户的预期权限，并导致逻辑会话中的操作引发错误。

~~For examples of authenticating using a MongoDB driver, see the driver documentation.~~有关使用MongoDB驱动程序进行身份验证的示例，请参阅驱动程序文档。

Centralized User Data集中式用户数据¶

~~For users created in MongoDB, MongoDB stores all user information, including name, password, and the user's authentication database, in the system.users collection in the admin database.~~对于MongoDB中创建的用户，MongoDB存储了系统中所有的用户信息，包括name、password和用户的认证数据库，存储在admin数据库中的system.users集合中。

~~Do not access this collection directly but instead use the user management commands.~~不要直接访问此集合，而是使用用户管理命令。

Sharded Cluster Users分片群集用户¶

~~To create users for a sharded cluster, connect to the mongos instance and add the users.~~要为分片集群创建用户，请连接到mongos实例并添加用户。~~Clients then authenticate these users through the mongos instances.~~然后，客户机通过mongos实例对这些用户进行身份验证。~~In sharded clusters, MongoDB stores user configuration data in the admin database of the config servers.~~在分片集群中，MongoDB将用户配置数据存储在配置服务器的admin数据库中。

Shard Local Users分片本地用户¶

~~However, some maintenance operations, such as cleanupOrphaned, compact, rs.reconfig(), require direct connections to specific shards in a sharded cluster.~~但是，一些维护操作，如cleanupOrphaned、compact，rs.reconfig()，需要直接连接到分片群集中的特定分片。~~To perform these operations, you must connect directly to the shard and authenticate as a shard local administrative user.~~要执行这些操作，必须直接连接到shard并作为shard local管理用户进行身份验证。

~~To create a shard local administrative user, connect directly to the shard and create the user.~~要创建shard本地管理用户，请直接连接到shard并创建用户。~~MongoDB stores shard local users in the admin database of the shard itself.~~MongoDB将shard本地用户存储在shard本身的admin数据库中。

~~These shard local users are completely independent from the users added to the sharded cluster via mongos.~~这些shard local用户完全独立于通过mongos添加到分片集群的用户。Shard local users are local to the shard and are inaccessible by mongos.Shard local用户是Shard的本地用户，mongos无法访问。

~~Direct connections to a shard should only be for shard-specific maintenance and configuration.~~与shard的直接连接只能用于特定于shard的维护和配置。~~In general, clients should connect to the sharded cluster through the mongos.~~一般来说，客户端应该通过mongos连接到sharded集群。

Localhost Exception本地主机异常¶

~~The localhost exception allows you to enable access control and then create the first user in the system.~~localhost异常允许您启用访问控制，然后在系统中创建第一个用户。~~With the localhost exception, after you enable access control, connect to the localhost interface and create the first user in the admin database.~~对于localhost异常，启用访问控制后，连接到localhost接口并在admin数据库中创建第一个用户。~~The first user must have privileges to create other users, such as a user with the userAdmin or userAdminAnyDatabase role.~~第一个用户必须具有创建其他用户的权限，例如具有userAdmin或userAdminAnyDatabase角色的用户。~~Connections using the localhost exception only have access to create the first user on the admin database.~~使用localhost异常的连接只能在admin数据库上创建第一个用户。

~~~~Changed in version 3.4.~~在版本3.4中更改。MongoDB 3.4 extended the localhost exception to permit execution of the db.createRole() method.~~在版本3.4中更改：MongoDB 3.4扩展了localhost异常以允许执行db.createRole()方法。~~This method allows users authorizing via LDAP to create a role inside of MongoDB that maps to a role defined in LDAP.~~此方法允许通过LDAP授权的用户在MongoDB中创建一个角色，该角色映射到LDAP中定义的角色。~~See LDAP Authorization for more information.~~有关详细信息，请参阅LDAP授权。

~~The localhost exception applies only when there are no users created in the MongoDB instance.~~localhost异常仅在MongoDB实例中没有创建用户时适用。

~~In the case of a sharded cluster, the localhost exception applies to each shard individually as well as to the cluster as a whole.~~在分片集群的情况下，localhost异常应用于每个分片以及整个集群。~~Once you create a sharded cluster and add a user administrator through the mongos instance, you must still prevent unauthorized access to the individual shards.~~创建分片集群并通过mongos实例添加用户管理员后，仍然必须防止未经授权访问各个分片。~~Follow one of the following steps for each shard in your cluster:~~对于集群中的每个碎片，请执行以下步骤之一：

~~Create an administrative user, or~~创建管理用户，或
~~Disable the localhost exception at startup.~~在启动时禁用localhost异常。~~To disable the localhost exception, set the enableLocalhostAuthBypass parameter to 0.~~要禁用localhost异常，请将enableLocalhostAuthBypass参数设置为0。