With access control enabled, users are required to identify themselves. You have to grant a user one or more roles. A role grants a user privileges to perform certain actions on MongoDB resources.
Each application and user of a MongoDB system should map to a distinct user. This principle of access isolation facilitates access revocation and ongoing user maintenance. To ensure a system of least privilege, only grant the minimal set of privileges required to a user.
Prerequisites
To be able to create users, you need to:
For routine user creation, you must possess the following permissions:
To create a new user in a database, you must have the on that
To grant roles to a user, you must have the on the role's database.
The and built-in roles provide and actions on their respective resources.
Procedure
Note
The following procedure uses authentication. For additional information on other authentication mechanisms, see
1
Connect and authenticate
Using , connect to your primary or, in a sharded cluster, connect to your and authenticate as a user administrator or a user with the
2
Create additional users for your deployment
Note
The following step uses authentication. For additional information on other authentication mechanisms, see
After authenticating as the user administrator, use the method to create additional users. You can assign any built-in roles or user-defined roles to the users.
The following operation adds a user myTester to the test database:
use test
db.createUser(
  {
    user: "myTester",
    pwd: passwordPrompt(), // or cleartext password
    roles: [ { role: "readWrite", db: "test" },
             { role: "read", db: "reporting" } ]
  }
)
Tip
The passwordPrompt() method prompts you to enter the password. You can also specify your password directly as a string. We recommend using passwordPrompt() so that the password is not visible on your screen and does not leak into your shell history.
The database where you create the user (in this example,
After creating the additional users, exit
3
Connect to the instance and authenticate as myTester
Important
It is not possible to switch between users in the same session. Authenticating as a different user means the session has the privileges of both authenticated users. To switch between users exit and relaunch
After exiting as
4
Insert a document as myTester
As the user myTester, you have privileges to perform read and write operations in the test database (as well as perform read operations in the reporting database). Once authenticated as myTester, insert a document into a collection in the test database. For example, you can perform the following insert operation in the test database:
db.foo.insertOne( { x: 1, y: 1 } )
Tip
See also:
Manage Users and Roles
Additional Examples
Username/Password Authentication
The following operation creates a user in the reporting database:
use reporting
db.createUser(
  {
    user: "reportsUser",
    pwd: passwordPrompt(), // or cleartext password
    roles: [
      { role: "read", db: "reporting" },
      { role: "read", db: "products" },
      { role: "read", db: "sales" },
      { role: "readWrite", db: "accounts" }
    ]
  }
)
Kerberos Authentication
Users that authenticate to MongoDB using an external authentication mechanism, such as Kerberos, must be created in the $external database:
use $external
db.createUser(
  {
    user: "reporting",
    roles: [
      { role: "read", db: "records" }
    ]
  }
)
To use with
For Kerberos authentication, you must add the Kerberos principal as the username. You do not need to specify a password.
The following operation adds the Kerberos principal reportingapp@EXAMPLE.NET with read access to the records database:
use $external
db.createUser(
  {
    user: "reportingapp@EXAMPLE.NET",
    roles: [
      { role: "read", db: "records" }
    ]
  }
)
Tip
See also:
For more information about setting up x.509 Client Certificate authentication for your MongoDB deployment, see the following tutorials: