How to List All Users in the Mongo Shell

Tahseen Tauseef Feb 02, 2024

In this MongoDB article, you will learn how to authenticate a user, list all users in the Mongo shell, and use the db.getUser() and db.getUsers() methods.

Authenticate a User

To authenticate as a user, you must provide a username, a password, and the authentication database associated with that user. It is not possible to switch between users in the same mongosh session.

Authenticating as a different user means that the session has the privileges of both authenticated users. To switch between users, exit and relaunch mongosh.

Using mongosh, you can authenticate either during connection or after connection.

Authenticate During Connection

Start mongosh with the -u, -p, and the --authenticationDatabase command-line options.

mongosh --port 27017 --authenticationDatabase "admin" \
    -u "myUserAdmin" -p

Enter your password when prompted.

Authenticate After Connection

Using mongosh, connect to the mongod or mongos instance.

mongosh --port 27017

In mongosh, switch to the authentication database (in this case, admin), and use the db.auth(<username>, <password>) method or the authenticate command to authenticate against the authentication database.

use admin
db.auth("myUserAdmin", passwordPrompt()) // or cleartext password

The passwordPrompt() method prompts the user to enter the password. The user can also specify their password directly as a string.

Using the passwordPrompt() method is recommended: it keeps the password from being visible on your screen and from leaking into your shell history. Enter the password when prompted instead.

List All Users in the Mongo Shell

To list all the users, you can use mongosh to query the system.users collection.

use admin
db.system.users.find()

Do not modify the system.users collection directly. To manage users, use the designated user management commands.

To list all the users of a sharded cluster that were created through a mongos, connect to a mongos and run the command above. MongoDB stores users created through a mongos in the admin database of the config servers.

To list all shard local users, connect directly to the respective shard and run the command above. MongoDB stores shard local users in the admin database of the shard itself.

These shard local users are independent of those added to the sharded cluster through a mongos. Shard local users are restricted to the shard and unavailable to mongos.

db.getUser() Method in MongoDB

This method has the following syntax.

db.getUser(username, args)

This method returns the user information for a specified user. Run this method on the user's database.

The user must exist on the database on which the method runs. The db.getUser() method takes the following parameters.

db.getUser( "<username>", {
   showCredentials: <Boolean>,
   showPrivileges: <Boolean>,
   showAuthenticationRestrictions: <Boolean>,
   filter: <document>
} )

| Parameter | Type | Description |
|-----------|------|-------------|
| username | string | The name of the user for which to retrieve information. |
| args | document | Optional. A document specifying additional arguments. |

The args document supports the following fields.

| Field | Type | Description |
|-------|------|-------------|
| showCredentials | Boolean | Optional. Set this field to true to display the user's password hash. By default, this field is false. |
| showPrivileges | Boolean | Optional. Set this field to true to see the user's full privileges, including the expanded information. By default, this field is false. If you view all users, you cannot specify this field. |
| showAuthenticationRestrictions | Boolean | Optional. Set this field to true to show the user's authentication restrictions. By default, this field is false. If you view all users, you cannot specify this field. |
| filter | document | Optional. A document that specifies $match stage conditions to return information for users that match the filter conditions. |

The db.getUser() method is a wrapper around the usersInfo command.

To view another user's information, you must have the viewUser action on the other user's database. Users can view their own information.

Example:

The following operation returns information about an example appClient user in the accounts database.

use accounts
db.getUser("appClient")

The output for the example above is given below.

{
   _id: 'accounts.appClient',
   userId: UUID("1c2fc1bf-c4dc-4a22-8b04-3971349ce0dc"),
   user: 'appClient',
   db: 'accounts',
   roles: [],
   mechanisms: [ 'SCRAM-SHA-1', 'SCRAM-SHA-256' ]
}

db.getUsers() Method in MongoDB

This method has the following syntax.

db.getUsers(<options>)

This method returns the information for all the users in the database. The db.getUsers() method is a wrapper around the usersInfo: 1 command.

The db.getUsers() method takes the following options.

db.getUsers( {
   showCredentials: <Boolean>,
   filter: <document>
} )

| Field | Type | Description |
|-------|------|-------------|
| showCredentials | Boolean | Optional. Set this field to true to display the user's password hash. By default, this field is false. |
| filter | document | Optional. A document that specifies $match stage conditions to return information for users that match the filter conditions. |

To view another user's information, you must have the viewUser action on the other user's database. Users can view their own information.

Example:

View all users for a given database that match the specified filter.

The db.getUsers() method can accept a filter document to return information for users that match the filter condition. The following operation returns all users for the current database who have SCRAM-SHA-256 credentials.

db.getUsers({ filter: { mechanisms: "SCRAM-SHA-256" } })

While viewing all users, you can specify the showCredentials option but not the showPrivileges or the showAuthenticationRestrictions option.
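The user documents returned by these methods can be reviewed programmatically. The following is an added example, not code from the original article: a small audit helper that takes user documents shaped like the db.getUser() output above and flags accounts that still allow SCRAM-SHA-1, have no roles, hold a broad built-in role, or carry credential hashes because showCredentials was set. The function name, the finding labels, and the assumption that db.getUsers() returns either an array or a { users: [...] } document are choices made for this example.

```javascript
// Added example: audit user documents shaped like the db.getUser() output above.
// Role names are MongoDB built-in roles; the finding labels are made up here.
const BROAD_ROLES = new Set([
  "root", "userAdminAnyDatabase", "dbAdminAnyDatabase",
  "readWriteAnyDatabase", "clusterAdmin", "dbOwner", "userAdmin",
]);

function auditUsers(result) {
  // Accept either a bare array or a { users: [...] } wrapper (assumed shapes).
  const users = Array.isArray(result) ? result : (result && result.users) || [];
  const findings = [];
  for (const u of users) {
    const id = u._id || `${u.db}.${u.user}`;
    const mechanisms = u.mechanisms || [];
    const roles = u.roles || [];
    if (mechanisms.includes("SCRAM-SHA-1")) {
      findings.push({ user: id, issue: "scram-sha-1-enabled" });
    }
    if (roles.length === 0) {
      findings.push({ user: id, issue: "no-roles" });
    }
    for (const r of roles) {
      // Roles may appear as { role, db } documents or as plain strings.
      const name = typeof r === "string" ? r : r.role;
      if (BROAD_ROLES.has(name)) {
        findings.push({ user: id, issue: `broad-role:${name}` });
      }
    }
    if (u.credentials) {
      // Present only when showCredentials: true was requested.
      findings.push({ user: id, issue: "credentials-in-output" });
    }
  }
  return findings;
}

// Constructed sample input; the first entry mirrors the appClient output above.
const sampleUsers = {
  users: [
    { _id: "accounts.appClient", user: "appClient", db: "accounts",
      roles: [], mechanisms: ["SCRAM-SHA-1", "SCRAM-SHA-256"] },
    { _id: "admin.myUserAdmin", user: "myUserAdmin", db: "admin",
      roles: [{ role: "userAdminAnyDatabase", db: "admin" }],
      mechanisms: ["SCRAM-SHA-256"] },
  ],
};

console.log(auditUsers(sampleUsers));
```

In mongosh, the same function can be given the result of db.getUsers() for the current database in place of the constructed sample.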

So with the help of this MongoDB article, you have learned how to authenticate a user, list all users in the Mongo shell, and use the db.getUser() and db.getUsers() methods.
