Creating a Database Account Using Commands

Precautions

• When creating a database account for a specified instance, you are advised to enable SSL to improve data security.
• If the existing DDS instances are of version 3.2, you cannot create database accounts for them. You can only change the password of the administrator account rwuser.
• When creating a database account, configure passwordDigestor:"server". For details, see the official document.

Prerequisites

A DDS instance has been connected. For details, see "Connecting to an Instance over a Public Network" and "Connecting to an Instance over a Private Network" in Document Database Service Getting Started.

Account Description

• When a DDS instance is created, users root, monitor, and backup are automatically created. These accounts belong to the Huawei Cloud DB instance management platform and cannot be operated or used. Attempting to delete, rename, change the passwords, or change privileges for these accounts will result in errors.
• You can change the password of the database administrator rwuser and any accounts you create.
• The default user rwuser and users created by rwuser have limited permissions on system databases admin and config. They have all required permissions on the databases and tables created under them.
• Generally, a MongoDB user is created in a specified authentication database. When connecting to a database, use --authenticationDatabase to specify the corresponding authentication database.
• In a DDS instance, the default authentication database of user rwuser is admin.
• If you enter incorrect passwords for five consecutive times, the account will be locked for 10s.

Setting Password Strength for Database Accounts

• The administrator password must meet the following password policy:
  • Contains 8 to 32 characters.
  • Must be a combination of uppercase letters, lowercase letters, digits, and special characters: ~!@#%^*-_=+?()$
• The database user created on the client must meet the following password policy:
  • Contains 8 to 32 characters.
  • Must be a combination of uppercase letters, lowercase letters, digits, and special characters: ~@#%-_!*+=^?

When you create a DB instance or set a password, DDS automatically checks your password strength. If the password does not meet the complexity requirements, change the password as prompted.

Creating an Account

1. Run the following command to select the admin database:

   use admin

2. Run the following command to create a database account (user1 as an example):

   db.createUser({user: "user1", pwd: "****", passwordDigestor:"server", roles:[{role: "root", db: "admin"}]})

   • server indicates the password encrypted on the server. It has a fixed value and does not need to be changed.
   • ****: indicates the example new password. The password must be 8 to 32 characters in length and contain uppercase letters, lowercase letters, digits, and special characters, such as ~@#%-_!*+=^?
   • roles restricts the rights of the account. If an empty array is specified, the account does not have any permission.

3. Check the result:

   The account is successfully created if the following information is displayed:

   Successfully added user: {
           "user" : "user1",
           "passwordDigestor" : "server",
           "roles" : [
                   {
                           "role" : "root",
                           "db" : "admin"
                   }
           ]
   }

Changing a Password

1. Run the following command to select the admin database:

   use admin

2. Uses user user1 as an example. Run the following command to change its password:

   db.updateUser("user1", {passwordDigestor:"server",pwd:"newPasswd12#"})

   • server indicates the password encrypted on the server. It has a fixed value and does not need to be changed.
   • newPasswd12#: indicates the example new password. The password must be 8 to 32 characters in length and contain uppercase letters, lowercase letters, digits, and special characters, such as ~@#%-_!*+=^?
   • If the password contains any of the special characters @/%?# and is used in the MongoDB URL, escape the special characters in the URL and replace them with hexadecimal URL codes (ASCII codes).

3. Check the setting result. The password is successfully changed if the following information is displayed:
   • Cluster

     mongos>

   • Replica set

     replica:PRIMARY>

   • Single node

     replica:PRIMARY>

Connecting to an Instance Using the Created Account

After a database account is created, it can be used to connect to the database. The operation details are as follows:

• Connecting to a Cluster Instance Using Mongo Shell (Private Network)
• Connecting to a Cluster Instance Using Mongo Shell (Public Network)
• Connecting to a Replica Set Instance Using Mongo Shell (Private Network)
• Connecting to a Replica Set Instance Using Mongo Shell (Public Network)
• Connecting to a Single Node Instance Using Mongo Shell (Private Network)
• Connecting to a Single Node Instance Using Mongo Shell (Public Network)