
Users in Self-Managed Deployments

On this page

  • User Management
  • LDAP Managed Users
  • Authentication Database
  • Centralized User Data
  • Sharded Cluster Users
  • Shard Local Users

To authenticate a client in MongoDB, you must add a corresponding user to MongoDB.

You can add a user with the db.createUser() method using mongosh. The first user you create must have privileges to create other users; both the userAdmin and userAdminAnyDatabase roles confer that privilege. Treat these roles as superuser-equivalent: a user who can grant roles can grant any privilege, including to themselves, so create as few such users as possible and protect their credentials accordingly.

Tip

See also:

You can grant a user privileges by assigning roles to the user when you create the user. You can also grant or revoke roles, as well as update passwords, by updating existing users. For a full list of user management methods, see User Management.

A user is uniquely identified by the user's name and associated authentication database. MongoDB associates a user with a unique userId upon creation in MongoDB.

LDAP managed users created on an LDAP server do not have an associated document in the system.users collection, and therefore don't have a userId field associated with them.

When you add a user, you create the user in a specific database. The database you create the user in is the authentication database for the user.

However, a user's privileges are not limited to their authentication database. Therefore, a user can have privileges across different databases. For more information on roles, see Role-Based Access Control in Self-Managed Deployments.

If two users have the same name but are created in different databases, they are two separate users. If you want to have a single user with permissions on multiple databases, create a single user with a role for each applicable database.

For users created in MongoDB, MongoDB stores all user information, including name, password, and the user's authentication database, in the system.users collection in the admin database.

Do not modify this collection directly. To manage users, use the designated user management commands.

To create users for a sharded cluster, connect to a mongos instance and add the users. To authenticate as a user created on a mongos instance, you must authenticate through a mongos instance.

In sharded clusters, MongoDB stores user configuration data in the admin database of the config servers.

Some maintenance operations, such as cleanupOrphaned, compact, or rs.reconfig(), require direct connections to specific shards in a sharded cluster. To perform these operations, you must connect directly to the shard and authenticate as a shard local administrative user.

To create a shard local administrative user, connect directly to the primary of the shard and create the user. For instructions on how to create a shard local user administrator see the Deploy Self-Managed Sharded Cluster with Keyfile Authentication tutorial.

MongoDB stores shard local users in the admin database of the shard itself. These shard local users are independent from the users added to the sharded cluster through a mongos. Shard local users are local to the shard and are inaccessible by mongos.

Direct connections to a shard should only be used for shard-specific maintenance and configuration or for targeted analytics workloads. In general, clients should connect to the sharded cluster through the mongos.
