Updated on 2023-03-15 GMT+08:00

Creating a Database Account Using Commands

When you create a DDS instance, the system automatically creates the default account rwuser. You can use rwuser to create other database accounts based on service requirements. You can then use rwuser or the accounts you created to operate on objects in the database, such as databases, tables, and indexes.

Precautions

  • When creating a database account for a specified instance, you are advised to enable SSL to improve data security.
  • If the existing DDS instances are of version 3.2, you cannot create database accounts for them. You can only change the password of the administrator account rwuser.
  • When creating a database account, configure passwordDigestor:"server". For details, see the official document.

Prerequisites

A DDS instance has been connected. For details, see "Connecting to an Instance over a Public Network" and "Connecting to an Instance over a Private Network" in Document Database Service Getting Started.

Account Description

  • When a DDS instance is created, users root, monitor, and backup are automatically created. These accounts belong to the Huawei Cloud DB instance management platform and cannot be operated or used. Attempting to delete, rename, change the passwords, or change privileges for these accounts will result in errors.
  • You can change the password of the database administrator rwuser and any accounts you create.
  • The default user rwuser and users created by rwuser have limited permissions on system databases admin and config. They have all required permissions on the databases and tables created under them.
  • Generally, a MongoDB user is created in a specified authentication database. When connecting to a database, use --authenticationDatabase to specify the corresponding authentication database.
  • In a DDS instance, the default authentication database of user rwuser is admin.

Setting Password Strength for Database Accounts

  • The administrator password must meet the following password policy:
    • Contains 8 to 32 characters.
    • Must be a combination of uppercase letters, lowercase letters, digits, and special characters: ~!@#%^*-_=+?
  • The database user created on the client must meet the following password policy:
    • Contains 8 to 32 characters.
    • Must be a combination of uppercase letters, lowercase letters, digits, and special characters: ~@#%-_!*+=^?

When you create a DB instance or set a password, DDS automatically checks your password strength. If the password does not meet the complexity requirements, change the password as prompted.

Creating an Account

  1. Run the following command to select the admin database:

    use admin

  2. Run the following command to create a database account (user1 as an example):

    db.createUser({user: "user1", pwd: "****", passwordDigestor:"server", roles:[{role: "root", db: "admin"}]})

    • server: indicates that the password is encrypted on the server.
    • ****: indicates the example new password. The password must be 8 to 32 characters in length and contain uppercase letters, lowercase letters, digits, and special characters, such as ~@#%-_!*+=^?
    • roles restricts the rights of the account. If an empty array is specified, the account does not have any permission.

  3. Check the result:

    The account is successfully created if the following information is displayed:

    Successfully added user: {
            "user" : "user1",
            "passwordDigestor" : "server",
            "roles" : [
                    {
                            "role" : "root",
                            "db" : "admin"
                    }
            ]
    }

Changing a Password

  1. Run the following command to select the admin database:

    use admin

  2. Run the following command to change the password of an account (user1 as an example):

    db.updateUser("user1", {passwordDigestor:"server",pwd:"newPasswd12#"})

    • server: indicates that the password is encrypted on the server.
    • newPasswd12#: indicates the example new password. The password must be 8 to 32 characters in length and contain uppercase letters, lowercase letters, digits, and special characters, such as ~@#%-_!*+=^?
    • If the password contains any of the special characters @/%?# and is used in the MongoDB URL, escape those characters in the URL by replacing each one with its hexadecimal URL code (% followed by the character's ASCII code in hexadecimal).

  3. Check the setting result. The password is successfully changed if the following information is displayed:

    • Cluster
      mongos>
    • Replica set
      replica:PRIMARY>
    • Single node
      replica:PRIMARY>
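
The following added example (not part of the DDS documentation) checks a password against the policy described on this page, builds a MongoDB URL with the password escaped as described in step 2, and masks the password before the URL is logged. The function names, host, and port are constructed for illustration, and the check assumes that all four character classes are required.

```javascript
// Added example; host, port and function names are constructed, not from the DDS docs.
const ALLOWED_SPECIALS = "~@#%-_!*+=^?"; // specials listed on this page for client-created users

// Return the list of policy violations (an empty list means the password passes).
// Assumption: all four character classes are required.
function checkPasswordPolicy(pwd) {
  const problems = [];
  if (pwd.length < 8 || pwd.length > 32) problems.push("length must be 8 to 32");
  if (!/[A-Z]/.test(pwd)) problems.push("missing uppercase letter");
  if (!/[a-z]/.test(pwd)) problems.push("missing lowercase letter");
  if (!/[0-9]/.test(pwd)) problems.push("missing digit");
  if (![...pwd].some((c) => ALLOWED_SPECIALS.includes(c))) {
    problems.push("missing special character");
  }
  return problems;
}

// Build a connection URL with the user name and password percent-encoded, so that
// @ / % ? # in the password cannot be parsed as URL delimiters.
function buildMongoUri({ user, pwd, host, port, authDb }) {
  const problems = checkPasswordPolicy(pwd);
  if (problems.length > 0) {
    throw new Error("password does not meet policy: " + problems.join("; "));
  }
  const userinfo = `${encodeURIComponent(user)}:${encodeURIComponent(pwd)}`;
  // authSource is the URL counterpart of --authenticationDatabase.
  return `mongodb://${userinfo}@${host}:${port}/?authSource=${encodeURIComponent(authDb)}`;
}

// Mask the password before a URL is written to logs or error messages.
function redactUri(uri) {
  return uri.replace(/^(mongodb(?:\+srv)?:\/\/[^:@\/]+):[^@]*@/, "$1:***@");
}

const exampleUri = buildMongoUri({
  user: "user1",
  pwd: "newPasswd12#", // example password from this page
  host: "db.example.internal", // constructed host
  port: 27017, // constructed port
  authDb: "admin",
});
console.log(redactUri(exampleUri));
```

The DDS server-side check remains authoritative; the local check only catches obvious policy failures before a URL is assembled.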

Connecting to an Instance Using the Created Account

After a database account is created, it can be used to connect to the database. The operation details are as follows: