Now, let's say we want to create that same test user on the bar database. We can run the following command
(as a user with userAdmin permissions on that database, of course) to create our test user that will use the foo
database's definition for its password:
> use bar
> db.system.users.insert({ user: "test", roles: ["read"], userSource: "foo" })
Notice that this user is granted only the read-only permission “read.” This is because the access granted to the test
user on bar is still based on this bar user's credentials. We are simply sourcing the rest of the details we need (namely
the password) from the foo database. By using delegated credentials, you can create a single place from which to
update the username and password for all of your users.
Changing a User's Credentials
It's easy to change a user's access rights or password. You do this by executing the addUser() function again, which
causes MongoDB to update the existing user record. Technically, you can use any normal data-manipulation
command to change a user's record; however, only the addUser() function can create the password field.
Regardless, you can see how addUser() works by listing its contents:
$ mongo
> use admin
> db.addUser
function () {
    if (arguments.length == 0) {
        throw Error("No arguments provided to addUser");
    }
    if (typeof arguments[0] == "object") {
        this._addUser.apply(this, arguments);
    } else {
        this._addUserV22.apply(this, arguments);
    }
}
addUser() is just a function defined in JavaScript. Knowing how the password is constructed is useful if you want
to create a web form that allows you to add users to the database or you want to import users into the system en masse
from another credential source.
Most mongo console functions can be listed in this fashion, enabling you to inspect the details of how they work.
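As an added example (not code from the book or from MongoDB), the following Node.js sketch builds user documents for a bulk import, covering both a user with its own password and a delegated user like the one created on bar above. It assumes the legacy shell behaviour of storing pwd as the hex MD5 of "<user>:mongo:<password>", and that pwd and userSource are mutually exclusive; the function names and the sample roles on foo are hypothetical.

```javascript
// Added example: building 2.4-style system.users documents outside the
// mongo shell, e.g. for a web form or a bulk import. Names are hypothetical.
const crypto = require("crypto");

// Assumption: the legacy pwd field is the hex MD5 of "<user>:mongo:<password>".
function hashPassword(user, password) {
  return crypto.createHash("md5")
    .update(`${user}:mongo:${password}`, "utf8")
    .digest("hex");
}

// Build one user document. A user either carries its own pwd or delegates
// its credentials to another database through userSource, never both.
function buildUserDoc({ user, password, userSource, roles }) {
  if (typeof user !== "string" || user.length === 0) {
    throw new Error("user must be a non-empty string");
  }
  if (!Array.isArray(roles)) {
    throw new Error(`user "${user}": roles must be an array`);
  }
  const hasPwd = typeof password === "string" && password.length > 0;
  const hasSource = typeof userSource === "string" && userSource.length > 0;
  if (hasPwd === hasSource) {
    throw new Error(`user "${user}": give exactly one of password or userSource`);
  }
  const doc = { user, roles: [...roles] };
  if (hasPwd) {
    doc.pwd = hashPassword(user, password);
  } else {
    doc.userSource = userSource;
  }
  return doc;
}

// Constructed sample input: "test" defined on foo and delegated on bar.
function sampleImport() {
  return {
    foo: buildUserDoc({ user: "test", password: "pass", roles: ["readWrite"] }),
    bar: buildUserDoc({ user: "test", userSource: "foo", roles: ["read"] }),
  };
}

console.log(JSON.stringify(sampleImport(), null, 2));
```

Because the digest is a fast hash with no random salt, a file holding these documents should be protected like the passwords themselves.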
Adding a Read-Only User
The addUser() function includes an additional parameter that allows you to create a user who has only read-only
permissions. The MongoDB client will throw an exception if a process authenticated as the newly created user
attempts to do anything that would result in a change to the contents of the database. The following example gives
a user access to the database for status monitoring or reporting purposes:
$ mongo
> use admin
switched to db admin
> db.addUser({ user: "admin", pwd: "pass", roles: [ "read" ] })
1
 