Add Users

Overview

MongoDB employs role-based access control (RBAC) to determine access for users. A user is granted one or more roles that determine the user's access or privileges to MongoDB resources and the actions that user can perform. A user should hold only the minimal set of privileges required for its task, so that the system as a whole follows the principle of least privilege.

Each application and user of a MongoDB system should map to a distinct user. This access isolation facilitates access revocation and ongoing user maintenance.

Prerequisites

If you have enabled access control for your deployment, you can use the localhost exception to create the first user in the system. This first user must have privileges to create other users. As of MongoDB 3.0, with the localhost exception, you can only create users on the admin database. Once you create the first user, you must authenticate as that user to add subsequent users. Enable Access Control provides more detail about adding users when enabling access control for a deployment.

For routine user creation, you must possess the following permissions:

The userAdmin and userAdminAnyDatabase built-in roles provide createUser and grantRole actions on their respective resources.

Examples

To create a user in a MongoDB deployment, you connect to the deployment, and then use the db.createUser() method or createUser command to add the user.

Username/Password Authentication

The following operation creates a user in the reporting database with the specified name, password, and roles.

Tip

Starting in version 4.2 of the mongo shell, you can use the passwordPrompt() method in conjunction with various user authentication/management methods/commands to prompt for the password instead of specifying the password directly in the method/command call. However, you can still specify the password directly as you would with earlier versions of the mongo shell.

use reporting
db.createUser(
  {
    user: "reportsUser",
    pwd: passwordPrompt(),  // or cleartext password
    roles: [
       { role: "read", db: "reporting" },
       { role: "read", db: "products" },
       { role: "read", db: "sales" },
       { role: "readWrite", db: "accounts" }
    ]
  }
)

Enable Access Control provides more details about enforcing authentication for your MongoDB deployment.

Kerberos Authentication

Users that will authenticate to MongoDB using an external authentication mechanism, such as Kerberos, must be created in the $external database, which allows mongos or mongod to consult an external source for authentication.

Changed in version 3.6.3: To use sessions with $external authentication users (i.e. Kerberos, LDAP, x.509 users), the usernames cannot be greater than 10k bytes.

For Kerberos authentication, you must add the Kerberos principal as the username. You do not need to specify a password.

The following operation adds the Kerberos principal reportingapp@EXAMPLE.NET with read-only access to the records database.

use $external
db.createUser(
    {
      user: "reportingapp@EXAMPLE.NET",
      roles: [
         { role: "read", db: "records" }
      ]
    }
)

Configure MongoDB with Kerberos Authentication on Linux and Configure MongoDB with Kerberos Authentication on Windows provide more details about setting up Kerberos authentication for your MongoDB deployment.

LDAP Authentication

Users that will authenticate to MongoDB using an external authentication mechanism, such as LDAP, must be created in the $external database, which allows mongos or mongod to consult an external source for authentication.

Changed in version 3.6.3: To use sessions with $external authentication users (i.e. Kerberos, LDAP, x.509 users), the usernames cannot be greater than 10k bytes.

For LDAP authentication, you must specify a username. You do not need to specify the password, as that is handled by the LDAP service.

The following operation adds the reporting user with read-only access to the records database.

use $external
db.createUser(
    {
      user: "reporting",
      roles: [
         { role: "read", db: "records" }
      ]
    }
)

Authenticate Using SASL and LDAP with ActiveDirectory and Authenticate Using SASL and LDAP with OpenLDAP provide more detail about authenticating using LDAP.

x.509 Client Certificate Authentication

Users that will authenticate to MongoDB using an external authentication mechanism, such as x.509 Client Certificate Authentication, must be created in the $external database, which allows mongos or mongod to consult an external source for authentication.

Changed in version 3.6.3: To use sessions with $external authentication users (i.e. Kerberos, LDAP, x.509 users), the usernames cannot be greater than 10k bytes.

For x.509 Client Certificate authentication, you must add the value of the subject from the client certificate as a MongoDB user. Each unique x.509 client certificate corresponds to a single MongoDB user. You do not need to specify a password.

The following operation adds a user for the client certificate subject CN=myName,OU=myOrgUnit,O=myOrg,L=myLocality,ST=myState,C=myCountry with read-only access to the records database.

use $external
db.createUser(
    {
      user: "CN=myName,OU=myOrgUnit,O=myOrg,L=myLocality,ST=myState,C=myCountry",
      roles: [
         { role: "read", db: "records" }
      ]
    }
)

Use x.509 Certificates to Authenticate Clients provides details about setting up x.509 Client Certificate authentication for your MongoDB deployment.
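As an added example that is not part of the MongoDB documentation, the following Node.js code turns the rules stated across the four sections above into pre-flight checks on a createUser spec before it is sent to the shell: a database user needs a pwd while $external (Kerberos, LDAP, x.509) users must not carry one, $external usernames stay under the 10k-byte session limit, and every role grant names one role on one database exactly once. The 10 * 1024 reading of "10k bytes" and the parseSubject helper for x.509 subjects are assumptions.

```javascript
// Added example, not from the MongoDB docs: pre-flight checks for a
// db.createUser() spec that encode the rules this page states. Runs offline.
// Page: $external usernames cannot exceed "10k bytes" with sessions; 10*1024 assumed.
const MAX_EXTERNAL_USERNAME_BYTES = 10 * 1024;

// Check {user, pwd?, roles} for the target database. Returns a list of
// problems; an empty list means the spec passes.
function validateUserSpec(dbName, spec) {
  const problems = [];
  const external = dbName === "$external";
  if (typeof spec.user !== "string" || spec.user.length === 0) {
    problems.push("user must be a non-empty string");
  }
  if (external) {
    // Kerberos, LDAP and x.509 users: the password never lives in MongoDB.
    if ("pwd" in spec) problems.push("$external users must not carry a pwd");
    const bytes = Buffer.byteLength(spec.user || "", "utf8");
    if (bytes > MAX_EXTERNAL_USERNAME_BYTES) {
      problems.push(`$external username is ${bytes} bytes, over the limit`);
    }
  } else if (!("pwd" in spec)) {
    problems.push("password users need a pwd (or passwordPrompt())");
  }
  // Least privilege: every grant names one role on one database, once.
  if (!Array.isArray(spec.roles) || spec.roles.length === 0) {
    problems.push("roles must be a non-empty array");
  } else {
    const seen = new Set();
    for (const r of spec.roles) {
      if (!r || typeof r.role !== "string" || typeof r.db !== "string") {
        problems.push(`malformed role entry: ${JSON.stringify(r)}`);
        continue;
      }
      const key = `${r.role}@${r.db}`;
      if (seen.has(key)) problems.push(`duplicate role ${key}`);
      seen.add(key);
    }
  }
  return problems;
}

// Assumed helper: split an x.509 subject like the page's example into
// [attr, value] pairs so the DN can be inspected before it becomes an
// $external username. Assumes no escaped commas inside values.
function parseSubject(subject) {
  return subject.split(",").map((rdn) => {
    const i = rdn.indexOf("=");
    if (i <= 0) throw new Error(`bad RDN: ${rdn}`);
    return [rdn.slice(0, i).trim(), rdn.slice(i + 1).trim()];
  });
}
```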