Docs Menu
Docs Home
/
MongoDB Manual
/
Self-Managed Deployments
/
Security
/
Authentication

Users in Self-Managed Deployments

On this page

  • User Management
  • LDAP Managed Users
  • Authentication Database
  • Centralized User Data
  • Sharded Cluster Users
  • Shard Local Users

To authenticate a client in MongoDB, you must add a corresponding user to MongoDB.

User Management

You can add a user with the db.createUser() method using mongosh. The first user you create must have privileges to create other users. The userAdmin or userAdminAnyDatabase role both confer the privilege to create other users.

Tip

See also:

Create a User on Self-Managed Deployments

You can grant a user privileges by assigning roles to the user when you create the user. You can also grant or revoke roles, as well as update passwords, by updating existing users. For a full list of user management methods, see User Management.

Tip

See also:

Manage Users and Roles on Self-Managed Deployments

A user is uniquely identified by the user's name and associated authentication database. MongoDB associates a user with a unique userId upon creation in MongoDB.

LDAP Managed Users

LDAP managed users created on an LDAP server do not have an associated document in the system.users collection, and therefore don't have a userId field associated with them.

Authentication Database

When you add a user, you create the user in a specific database. The database you create the user in is the authentication database for the user.

However, a user's privileges are not limited to their authentication database. Therefore, a user can have privileges across different databases. For more information on roles, see Role-Based Access Control in Self-Managed Deployments.

A user's name and authentication database serve as a unique identifier for that user. MongoDB associates a user with a unique userId upon creation in MongoDB. However, LDAP managed users created on an LDAP server do not have an associated document in the system.users collection, and therefore don't have a userId field associated with them.

If two users have the same name but are created in different databases, they are two separate users. If you want to have a single user with permissions on multiple databases, create a single user with a role for each applicable database.

Centralized User Data

For users created in MongoDB, MongoDB stores all user information, including name, password, and the user's authentication database, in the system.users collection in the admin database.

Do not modify this collection directly. To manage users, use the designated user management commands.

Sharded Cluster Users

To create users for a sharded cluster, connect to a mongos instance and add the users. To authenticate as a user created on a mongos instance, you must authenticate through a mongos instance.

In sharded clusters, MongoDB stores user configuration data in the admin database of the config servers.

Shard Local Users

Some maintenance operations, such as cleanupOrphaned, compact, or rs.reconfig(), require direct connections to specific shards in a sharded cluster. To perform these operations, you must connect directly to the shard and authenticate as a shard local administrative user.

To create a shard local administrative user, connect directly to the primary of the shard and create the user. For instructions on how to create a shard local user administrator see the Deploy Self-Managed Sharded Cluster with Keyfile Authentication tutorial.

MongoDB stores shard local users in the admin database of the shard itself. These shard local users are independent from the users added to the sharded cluster through a mongos. Shard local users are local to the shard and are inaccessible by mongos.

Direct connections to a shard should only be used for shard-specific maintenance and configuration or for targeted analytics workloads. In general, clients should connect to the sharded cluster through the mongos.

Back

Localhost Exception

Next

Create