system.users Collection
The system.users collection in the admin database stores user authentication and authorization information. To manage data in this collection, MongoDB provides user management commands.
system.users Schema
The documents in the system.users collection have the following schema:
```javascript
{
  _id: <system defined id>,
  userId : <system assigned UUID>, // Starting in MongoDB 4.0.9
  user: "<name>",
  db: "<database>",
  credentials: { <authentication credentials> },
  roles: [
    { role: "<role name>", db: "<database>" },
    ...
  ],
  customData: <custom information>,
  authenticationRestrictions : [ <documents> ] // Starting in MongoDB 4.0
}
```
Each system.users document has the following fields:

admin.system.users.userId
- A system-assigned UUID for the user. The userId field is available only for users created in MongoDB 4.0.9 and later.

New in version 4.0.9.

admin.system.users.user
- The user name. A user exists in the context of a single logical database (see admin.system.users.db) but can have access to other databases through roles specified in the roles array.
admin.system.users.db
- The authentication database associated with the user. The user's privileges are not necessarily limited to this database. The user can have privileges in additional databases through the roles array.
admin.system.users.credentials
- User's authentication information. For users with externally stored authentication credentials, such as users that use Kerberos or x.509 certificates for authentication, the system.users document for that user does not contain the credentials field. For SCRAM user credentials, the information includes the mechanism, iteration count, and authentication parameters.
admin.system.users.roles
- An array of roles granted to the user. The array contains both built-in roles and user-defined roles.

A role document has the following syntax:

```javascript
{ role: "<role name>", db: "<database>" }
```

A role document has the following fields:

admin.system.users.roles[n].role
- The name of a role. A role can be a built-in role provided by MongoDB or a custom user-defined role.

admin.system.users.roles[n].db
- The name of the database where the role is defined.

When specifying a role using the role management or user management commands, you can specify the role name alone (e.g. "readWrite") if the role exists on the database on which the command is run.
admin.system.users.authenticationRestrictions
- An array of authentication restrictions the server enforces for the user. The array contains a list of IP addresses and CIDR ranges from which the user is allowed to connect to the server or from which the server can accept users.

New in version 4.0.
Example
Consider the following document in the system.users collection:
```javascript
{
  "_id" : "home.Kari",
  "userId" : UUID("ec1eced7-055a-4ca8-8737-60dd02c52793"), // Available starting in MongoDB 4.0.9
  "user" : "Kari",
  "db" : "home",
  "credentials" : {
    "SCRAM-SHA-1" : {
      "iterationCount" : 10000,
      "salt" : "S/xM2yXFosynbCu4GzFDgQ==",
      "storedKey" : "Ist4cgpEd1vTbnRnQLdobgmOsBA=",
      "serverKey" : "e/0DyzS6GPboAA2YNBkGYm87+cg="
    },
    "SCRAM-SHA-256" : {
      "iterationCount" : 15000,
      "salt" : "p1G+fZadAeYAbECN8F/6TMzXGYWBaZ3DtWM0ig==",
      "storedKey" : "LEgLOqZQmkGhd0owm/+6V7VdJUYJcXBhPUvi9z+GBfk=",
      "serverKey" : "JKfnkVv9iXwxyc8JaapKVwLPy6SfnmB8gMb1Pr15T+s="
    }
  },
  "authenticationRestrictions" : [ // Available starting in MongoDB 4.0
    { "clientSource" : [ "69.89.31.226" ], "serverAddress" : [ "172.16.254.1" ] }
  ],
  "customData" : {
    "zipCode" : "64157"
  },
  "roles" : [
    {
      "role" : "read",
      "db" : "home"
    },
    {
      "role" : "readWrite",
      "db" : "test"
    }
  ]
}
```
The document shows that the user Kari's authentication database is the home database. Kari has the read role in the home database and the readWrite role in the test database.
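As an added example (not part of MongoDB's documentation or code), the following Python audits system.users documents for the weak settings this schema exposes: SCRAM-SHA-1-only credentials, iteration counts below those in the example above, missing or all-address authenticationRestrictions, and highly privileged roles. The privileged-role set and the iteration thresholds are choices made for this example, and the input documents are constructed inline (Kari is the document above trimmed to the audited fields) so it runs offline, where a real audit would read them with db.getSiblingDB("admin").system.users.find().

```python
# Added audit of system.users documents (not MongoDB's code). Input normally comes
# from db.getSiblingDB("admin").system.users.find(); here it is embedded inline.
import ipaddress

HIGH_PRIVILEGE_ROLES = {"root", "userAdminAnyDatabase", "userAdmin", "dbOwner"}
# Thresholds taken from the iteration counts in the example document above.
MIN_ITERATIONS = {"SCRAM-SHA-1": 10000, "SCRAM-SHA-256": 15000}

def allows_any_address(addr):  # true for 0.0.0.0/0 or ::/0, which match every client
    try:
        return ipaddress.ip_network(addr, strict=False).prefixlen == 0
    except ValueError:
        return False  # not an IP address or CIDR range

def audit_user(doc):
    """Return a list of findings (strings) for one system.users document."""
    who, findings = f"{doc['user']}@{doc['db']}", []
    creds = doc.get("credentials")  # absent for Kerberos and x.509 users
    if creds is not None:
        if "SCRAM-SHA-256" not in creds:
            findings.append(f"{who}: only SCRAM-SHA-1 credentials stored")
        for mech, params in creds.items():
            if params.get("iterationCount", 0) < MIN_ITERATIONS.get(mech, 0):
                findings.append(f"{who}: {mech} iterationCount below default")
    restrictions = doc.get("authenticationRestrictions") or []
    if not restrictions:
        findings.append(f"{who}: no authenticationRestrictions")
    for addr in (a for r in restrictions for a in r.get("clientSource", [])):
        if allows_any_address(addr):
            findings.append(f"{who}: clientSource {addr} allows any address")
    for r in doc.get("roles", []):
        if r["role"] in HIGH_PRIVILEGE_ROLES:
            findings.append(f"{who}: privileged role {r['role']}@{r['db']}")
    return findings

# Constructed sample input: Kari is the page's example trimmed; the others are invented.
SAMPLE_USERS = [
    {"_id": "home.Kari", "user": "Kari", "db": "home",
     "credentials": {"SCRAM-SHA-1": {"iterationCount": 10000}, "SCRAM-SHA-256": {"iterationCount": 15000}},
     "authenticationRestrictions": [{"clientSource": ["69.89.31.226"], "serverAddress": ["172.16.254.1"]}],
     "roles": [{"role": "read", "db": "home"}, {"role": "readWrite", "db": "test"}]},
    {"_id": "admin.ops", "user": "ops", "db": "admin",
     "credentials": {"SCRAM-SHA-1": {"iterationCount": 5000}},
     "roles": [{"role": "root", "db": "admin"}]},
    {"_id": "$external.svc", "user": "CN=svc", "db": "$external",  # x.509 user, no credentials
     "authenticationRestrictions": [{"clientSource": ["0.0.0.0/0"]}],
     "roles": [{"role": "readWrite", "db": "app"}]},
]
```

Run `audit_user` over each document: Kari yields no findings, while the constructed ops and svc users surface the SHA-1-only credentials, low iteration count, missing restrictions, root role, and the all-address clientSource.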