
Add a User to a Database

Changed in version 2.6.

Overview

Each application and each human user of a MongoDB system should map to a distinct MongoDB user. This access isolation makes revoking access and maintaining users over time straightforward. At the same time, each user should hold only the minimal set of privileges its task requires, so that the system as a whole follows the principle of least privilege.

To create a user, you must define the user’s credentials and assign that user roles. Credentials verify the user’s identity to a database, and roles determine the user’s access to database resources and operations.

For an overview of credentials and roles in MongoDB see Security Introduction.

Considerations

For users that authenticate using external mechanisms [1], you do not need to provide credentials (a password) when creating the user; the external system verifies the user's identity.

For every user, select roles that grant exactly the required privileges and nothing more. If no existing role fits, create a role with just those privileges rather than assigning a broader built-in role.

You can create a user without assigning roles, choosing instead to assign the roles later. To do so, create the user with an empty roles array.

When adding a user to multiple databases, use a unique username-and-password combination for each database; see Password Hashing Insecurity for more information. The stored MONGODB-CR credential is derived only from the username and password, so the same combination in two databases produces the same stored hash, and a hash recovered from one database is valid against the other.

[1] Kerberos (see Configure MongoDB with Kerberos Authentication on Linux), SASL with LDAP (see Authenticate Using SASL and LDAP with OpenLDAP and Authenticate Using SASL and LDAP with ActiveDirectory), and x.509 certificates are the external authentication mechanisms.

Prerequisites

To create a user on a system that uses authentication, you must authenticate as a user administrator. If you have not yet created a user administrator, do so as described in Create a User Administrator.

You must have the createUser action on a database to create a new user on that database.

You must have the grantRole action on a role’s database to grant the role to another user.

The userAdmin role provides both actions on its own database, and userAdminAnyDatabase provides them on every database. You also have both actions when connected through the localhost exception, which applies only until the first user has been created on the deployment.

Procedures

1. Connect to MongoDB with the appropriate privileges.

Connect to the mongod or mongos with the privileges required in the Prerequisites section.

The following example operation connects to MongoDB as an authenticated user named manager, whose user document lives in the admin database:

mongo --port 27017 -u manager -p 12345678 --authenticationDatabase admin

Omit the value after -p to have the mongo shell prompt for the password instead: a password given on the command line is recorded in the shell history and is visible to other local users in the process list.

2. Verify your privileges.

Use the usersInfo command with the showPrivileges option.

The following example operation checks privileges for a user connected as manager:

db.runCommand(
  {
    usersInfo:"manager",
    showPrivileges:true
  }
)

The users array in the result contains a document for manager whose inheritedPrivileges field lists the resources and actions the user's roles grant. Confirm that it includes createUser on the database where the new user will be created and grantRole on each database whose roles you intend to assign.

3. Create the new user.

Create the user in the database to which the user will belong. Pass a well-formed user document to the db.createUser() method.

The following operation creates a user in the reporting database with the specified name, password, and roles.

use reporting
db.createUser(
    {
      user: "reportsUser",
      pwd: "12345678",
      roles: [
         { role: "read", db: "reporting" },
         { role: "read", db: "products" },
         { role: "read", db: "sales" }
      ]
    }
)

The reportsUser document is stored in the reporting database, so reporting is that user's authentication database: the user must authenticate against reporting (for example with --authenticationDatabase reporting), even though its roles also grant read access on products and sales.
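The following is an added example and is not code from the MongoDB manual. It automates the check that step 2 asks you to do by eye: given a usersInfo result with showPrivileges, it decides whether the connected user holds createUser on the target database and grantRole on each database whose roles will be assigned (the Prerequisites above), and it then builds the document passed to db.createUser() in step 3. The usersInfo reply is constructed inline, and the privilege shape it assumes (a resource of { db: "", collection: "" } meaning every database, and privileges listed as { resource, actions } documents) follows the usersInfo output of a 2.6-era mongod; it runs offline under Node.js and talks to no server.

```javascript
// Added example (not from the MongoDB manual): offline prerequisite check
// for db.createUser(), run against a constructed usersInfo reply, then
// construction of the createUser document itself.

// Constructed reply, shaped like what
// db.runCommand({ usersInfo: "manager", showPrivileges: true }) returns
// for a manager who holds userAdmin on the reporting database only.
// (Assumed shape: { db: "", collection: "" } denotes every database.)
const usersInfoReply = {
  users: [
    {
      _id: "admin.manager",
      user: "manager",
      db: "admin",
      roles: [{ role: "userAdmin", db: "reporting" }],
      inheritedPrivileges: [
        {
          resource: { db: "reporting", collection: "" },
          actions: ["changeCustomData", "changePassword", "createRole",
                    "createUser", "dropRole", "dropUser", "grantRole",
                    "revokeRole", "viewRole", "viewUser"],
        },
      ],
    },
  ],
  ok: 1,
};

// True if one privilege document grants `action` on database `dbName`.
function grantsAction(privilege, dbName, action) {
  const r = privilege.resource;
  const dbMatches =
    r.anyResource === true ||                 // every resource
    (r.db === "" && r.collection === "") ||   // every database
    r.db === dbName;                          // this database
  return dbMatches && privilege.actions.includes(action);
}

// The prerequisites the page states: createUser on the target database and
// grantRole on each role's own database. Returns the missing ones, [] if none.
function missingPrerequisites(userDoc, targetDb, roles) {
  const privs = (userDoc.inheritedPrivileges || []).concat(userDoc.privileges || []);
  const has = (dbName, action) => privs.some((p) => grantsAction(p, dbName, action));
  const missing = [];
  if (!has(targetDb, "createUser")) missing.push(`createUser on ${targetDb}`);
  for (const { role, db } of roles) {
    if (!has(db, "grantRole")) missing.push(`grantRole on ${db} (for role ${role})`);
  }
  return missing;
}

// Build the argument for db.createUser(). Roles are { role, db } documents
// as on the page; an empty roles array is allowed (roles assigned later).
// Users in the $external database authenticate externally and take no pwd;
// every other user must have one.
function buildUserDocument(targetDb, user, pwd, roles) {
  if (typeof user !== "string" || user.length === 0) throw new Error("user name required");
  if (!Array.isArray(roles)) throw new Error("roles must be an array (may be empty)");
  const doc = { user, roles: roles.map(({ role, db }) => ({ role, db })) };
  if (targetDb === "$external") {
    if (pwd !== undefined) throw new Error("externally authenticated users take no pwd");
  } else {
    if (typeof pwd !== "string" || pwd.length === 0) throw new Error("pwd required for non-external users");
    doc.pwd = pwd;
  }
  return doc;
}

const wantedRoles = [
  { role: "read", db: "reporting" },
  { role: "read", db: "products" },
  { role: "read", db: "sales" },
];

const manager = usersInfoReply.users[0];
const gaps = missingPrerequisites(manager, "reporting", wantedRoles);
// manager can create the user in reporting but holds grantRole only there,
// so granting read on products and on sales would be refused by the server.
console.log(gaps.length === 0 ? "prerequisites met" : `missing: ${gaps.join(", ")}`);

const createUserDoc = buildUserDocument("reporting", "reportsUser", "12345678", wantedRoles);
console.log(JSON.stringify(createUserDoc));
```

Running the check before issuing db.createUser() turns the server's eventual "not authorized" error into a precise list of the actions the connecting account lacks, which is what you need when deciding whether to grant the administrator a broader role or to ask a user administrator on the other databases to perform the step.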