You can use Data Management (DMS) to manage database accounts of ApsaraDB for MongoDB. This topic describes how to use DMS to create and query database accounts.
Prerequisites
- An ApsaraDB for MongoDB instance is created. The methods that you can use to create an instance vary based on the instance architecture. For more information, see the following topics:
- The instance is connected by using DMS. Connection methods vary based on the instance architecture. For more information, see the following topics:
Precautions
Database accounts must be unique within a database.
Create database accounts
- Database accounts created by using DMS are not listed on the Accounts page in the ApsaraDB for MongoDB console.
- A database account belongs to the database in which the account is created.
db.createUser({user: "user_name", pwd: "password", roles:[{role: "role_name", db: "role_database_name"}]})
Parameter | Description | Example |
---|---|---|
user_name |
The name of the database account.
If the name contains specific special characters, they must be percent-encoded. These
special characters include |
test |
password |
The password of the database account. | 123456Aa |
role_name |
The role assigned to the database account.
For more information, see the "Roles of database accounts" section of this topic. |
readAnyDatabase |
role_database_name |
The database in which the role is created.
For example, |
admin |
Example:
db.createUser({user: "test", pwd: "123456Aa", roles:[{role: "readAnyDatabase", db: "admin"}]})
If a value of 1.0
is returned for ok
, the account is created. Otherwise, the account cannot be created.
{
'ok': 1.0,
'operationTime': Timestamp(1655286737,1),
'$clusterTime': {
'clusterTime': Timestamp(1655286737,1),
'signature': {
'hash': BinData(0,"6+urVhsBbHyxgny3S7****"),
'keyId': NumberLong(710604588397****)
}
}
}
Query database accounts
To query all database accounts that belong to an instance, use the following method:
db.getCollection("system.users").find()
{
'_id': "admin.root",
'userId': BinData(3,"b079b4c8-0e34-4e0d-90f9-7574141****"),
'user': "root",
'db': "admin",
'credentials': {
'SCRAM-SHA-1': {
'iterationCount': 10000,
'salt': "eCUjsUnIqvfLYbY****",
'storedKey': "W0t/jpngji+Mffy****",
'serverKey': "sryLTQRiOm9s+EVO1j****"
},
'SCRAM-SHA-256': {
'iterationCount': 15000,
'salt': "scONYL9TYtM0RNKAhzurFxus2sdr****",
'storedKey': "0Byz0qQdafMmaEWhiA304zb9MFOT****",
'serverKey': "1tLLzdk1qmry3zAuVZZZVFZNw0****"
}
},
'roles': [
{
'role': "root",
'db': "admin"
}
]
},
{
'_id': "admin.test",
'userId': BinData(3,"769ea9a1-6224-470e-8162-19a62f****"),
'user': "test",
'db': "admin",
'credentials': {
'SCRAM-SHA-1': {
'iterationCount': 10000,
'salt': "8fyXsIUgs6aQmafh****",
'storedKey': "fJQFoKsl7llXdiU/4v****",
'serverKey': "Tf1zygJ1jti/3/P3UM****"
},
'SCRAM-SHA-256': {
'iterationCount': 15000,
'salt': "wcWRhs9VXEsmNWtd7ZDQinT****",
'storedKey': "A5GiHrQE9/tf70hakRY3U3joho3Grt****",
'serverKey': "ryRAcj6zomYiHJqhA9ObvuYALc3ZZ****"
}
},
'roles': [
{
'role': "readAnyDatabase",
'db': "admin"
}
]
}
To query all database accounts that belong to a specific database, use one of the following methods:
- Method 1: Query accounts on the Account Management page of the DMS console.
- Log on to the DMS console, choose Database instance > Instances Connected in the left-side navigation pane. Then, find the instance to which the database belongs and right-click its ID.
- Select Account Management from the shortcut menu.
- On the Account Management page, select the database for which you want to query accounts from the drop-down
list.
On this page, you can view the User name, Database, Database Permission information and click Edit or Delete to edit or delete the account.
- Method 2: Run a query command in the admin database.
- Syntax:
db.getCollection("system.users").find({db: "database_name"})
database_name
indicates the name of the database for which you want to query an account. - Example:
db.getCollection("system.users").find({db: "admin"})
The following result is returned:{ '_id': "admin.root", 'userId': BinData(3,"b079b4c8-0e34-4e0d-90f9-7574141****"), 'user': "root", 'db': "admin", 'credentials': { 'SCRAM-SHA-1': { 'iterationCount': 10000, 'salt': "eCUjsUnIqvfLYbY****", 'storedKey': "W0t/jpngji+Mffy****", 'serverKey': "sryLTQRiOm9s+EVO1j****" }, 'SCRAM-SHA-256': { 'iterationCount': 15000, 'salt': "scONYL9TYtM0RNKAhzurFxus2sdr****", 'storedKey': "0Byz0qQdafMmaEWhiA304zb9MFOT****", 'serverKey': "1tLLzdk1qmry3zAuVZZZVFZNw0****" } }, 'roles': [ { 'role': "root", 'db': "admin" } ] }, { '_id': "admin.test", 'userId': BinData(3,"769ea9a1-6224-470e-8162-19a62f****"), 'user': "test", 'db': "admin", 'credentials': { 'SCRAM-SHA-1': { 'iterationCount': 10000, 'salt': "8fyXsIUgs6aQmafh****", 'storedKey': "fJQFoKsl7llXdiU/4v****", 'serverKey': "Tf1zygJ1jti/3/P3UM****" }, 'SCRAM-SHA-256': { 'iterationCount': 15000, 'salt': "wcWRhs9VXEsmNWtd7ZDQinT****", 'storedKey': "A5GiHrQE9/tf70hakRY3U3joho3Grt****", 'serverKey': "ryRAcj6zomYiHJqhA9ObvuYALc3ZZ****" } }, 'roles': [ { 'role': "readAnyDatabase", 'db': "admin" } ] }
- Syntax:
- Method 3: Run a query command in the database from which you want to query an account.
You can select the database from the database drop-down list on the SQL Console page in the DMS console and run the following command:
show users
Note This command can be used without any changes.The following result is returned:{ 'users': [ { '_id': "admin.root", 'userId': BinData(3,"b079b4c8-0e34-4e0d-90f9-7574141****"), 'user': "root", 'db': "admin", 'roles': [ { 'role': "root", 'db': "admin" } ], 'mechanisms': [ "SCRAM-SHA-1", "SCRAM-SHA-256" ] }, { '_id': "admin.test", 'userId': BinData(3,"769ea9a1-6224-470e-8162-19a62f****"), 'user': "test", 'db': "admin", 'roles': [ { 'role': "readAnyDatabase", 'db': "admin" } ], 'mechanisms': [ "SCRAM-SHA-1", "SCRAM-SHA-256" ] } ], 'ok': 1.0, 'operationTime': Timestamp(1655967385,1), '$clusterTime': { 'clusterTime': Timestamp(1655967385,1), 'signature': { 'hash': BinData(0,"f2gL0FuIITTKp+6Ex+25TFt****"), 'keyId': NumberLong(710604588397****) } } }
To query a single database account that belongs to a specific database, use the following method:
db.getCollection("system.users").find({user: "user_name", db: "database_name"})
user_name
: the name of the database account.database_name
: the name of the database to which the database account belongs.
db.getCollection("system.users").find({user: "test", db: "admin"})
{
'_id': "admin.test",
'userId': BinData(3,"769ea9a1-6224-470e-8162-19a62f****"),
'user': "test",
'db': "admin",
'credentials': {
'SCRAM-SHA-1': {
'iterationCount': 10000,
'salt': "8fyXsIUgs6aQmafh****",
'storedKey': "fJQFoKsl7llXdiU/4v****",
'serverKey': "Tf1zygJ1jti/3/P3UM****"
},
'SCRAM-SHA-256': {
'iterationCount': 15000,
'salt': "wcWRhs9VXEsmNWtd7ZDQinT****",
'storedKey': "A5GiHrQE9/tf70hakRY3U3joho3Grt****",
'serverKey': "ryRAcj6zomYiHJqhA9ObvuYALc3ZZ****"
}
},
'roles': [
{
'role': "readAnyDatabase",
'db': "admin"
}
]
}
Roles of database accounts
Database | Role | Description |
---|---|---|
All databases | readOnly | Grants read-only permissions on the database. |
readWrite | Grants read and write permissions on the database. | |
userAdmin | Allows the user to create accounts and roles in the database. | |
dbAdmin | Allows the user to manage collections in the database. | |
dbOwner | Contains permissions granted by readWrite, userAdmin, and dbAdmin. | |
enableSharding | Allows the user to enable or disable cross-shard distribution of databases in a sharded cluster instance. | |
admin database | readAnyDatabase | Grants read-only permissions on all databases. |
readWriteAnyDatabase | Grants read and write permissions on all databases. | |
userAdminAnyDatabase | Allows the user to create accounts and roles in all databases. | |
dbAdminAnyDatabase | Allows the user to manage collections in all databases. | |
clusterMonitor | Allows the user to run commands that query database performance information. | |
hostManager | Allows the user to run the setParameter, killop, resync, and killCursors commands. For more information, see hostManager. | |
clusterManager | Allows the user to manage nodes. | |
clusterAdmin | Contains permissions granted by clusterMonitor, hostManager, and clusterManager. | |
root | Contains permissions granted by all roles that are available to the admin database, such as readAnyDatabase, readWriteAnyDatabase, userAdminAnyDatabase, and dbAdminAnyDatabase. |