Change Your Password and Custom Data

Overview

Users with appropriate privileges can change their own passwords and custom data. Custom data stores optional user information.

Considerations

To generate a strong password for use in this procedure, you can use the openssl utility's rand command. For example, issue openssl rand with the following options to create a base64-encoded string of 48 pseudo-random bytes:

  openssl rand -base64 48

Prerequisites

To modify your own password and custom data, you must have privileges that grant changeOwnPassword and changeOwnCustomData actions respectively on the user's database.

Connect as a user with privileges to manage users and roles.

Connect to the mongod or mongos with privileges to manage users and roles, such as a user with the userAdminAnyDatabase role. The following procedure uses the myUserAdmin user created in Enable Access Control.

  mongo --port 27017 -u myUserAdmin -p --authenticationDatabase 'admin'

If you do not specify the password to the -p command-line option, the mongo shell prompts for the password.

Create a role with appropriate privileges.

In the admin database, create a new role with changeOwnPassword and changeOwnCustomData.

  use admin
  db.createRole(
     { role: "changeOwnPasswordCustomDataRole",
       privileges: [
          {
            resource: { db: "", collection: ""},
            actions: [ "changeOwnPassword", "changeOwnCustomData" ]
          }
       ],
       roles: []
     }
  )

Add a user with this role.

In the test database, create a new user with the created "changeOwnPasswordCustomDataRole" role. For example, the following operation creates a user with both the built-in role readWrite and the user-created "changeOwnPasswordCustomDataRole".

Tip

Starting in version 4.2 of the mongo shell, you can use the passwordPrompt() method in conjunction with various user authentication/management methods/commands to prompt for the password instead of specifying the password directly in the method/command call. However, you can still specify the password directly as you would with earlier versions of the mongo shell.

  use test
  db.createUser(
     {
       user: "user123",
       pwd: passwordPrompt(),  // or cleartext password
       roles: [ "readWrite", { role: "changeOwnPasswordCustomDataRole", db: "admin" } ]
     }
  )

To grant an existing user the new role, use db.grantRolesToUser().

Procedure

Connect with the appropriate privileges.

Connect to the mongod or mongos as a user with appropriate privileges.

For example, the following operation connects to MongoDB as user123 created in the Prerequisites section.

  mongo --port 27017 -u user123 --authenticationDatabase 'test' -p

If you do not specify the password to the -p command-line option, the mongo shell prompts for the password.

To check that you have the privileges specified in the Prerequisites section as well as to see user information, use the usersInfo command with the showPrivileges option.
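The check below is an added example, not part of the original documentation: it reads a usersInfo reply obtained with showPrivileges and reports whether the two actions this procedure needs are granted on the user's own database. The sample reply is constructed and trimmed, and coversDb and checkOwnCredentialActions are hypothetical helper names.

```javascript
// Constructed, trimmed sample of a usersInfo reply. In the mongo shell the real one comes from:
//   db.getSiblingDB("test").runCommand({ usersInfo: "user123", showPrivileges: true })
const sampleReply = {
  users: [{
    _id: "test.user123", user: "user123", db: "test",
    roles: [ { role: "readWrite", db: "test" },
             { role: "changeOwnPasswordCustomDataRole", db: "admin" } ],
    inheritedPrivileges: [
      { resource: { db: "test", collection: "" }, actions: ["find", "insert", "update", "remove"] },
      { resource: { db: "", collection: "" }, actions: ["changeOwnPassword", "changeOwnCustomData"] }
    ]
  }],
  ok: 1
};

const REQUIRED = ["changeOwnPassword", "changeOwnCustomData"];

// True when a privilege's resource covers the whole database dbName.
// db "" means every database; only database-level resources (collection "")
// are counted, matching the role created in the Prerequisites section.
function coversDb(resource, dbName) {
  if (resource.anyResource === true) return true;
  return resource.collection === "" &&
         (resource.db === "" || resource.db === dbName);
}

// Returns { granted, missing } for the two required actions, evaluated
// against the database the user is defined in.
function checkOwnCredentialActions(reply, userName, dbName) {
  const doc = (reply.users || []).find(u => u.user === userName && u.db === dbName);
  if (!doc) throw new Error("user " + dbName + "." + userName + " not in usersInfo reply");
  const seen = new Set();
  for (const priv of doc.inheritedPrivileges || []) {
    if (!coversDb(priv.resource || {}, dbName)) continue;
    for (const action of priv.actions || []) {
      if (REQUIRED.includes(action)) seen.add(action);
    }
  }
  return {
    granted: REQUIRED.filter(a => seen.has(a)),
    missing: REQUIRED.filter(a => !seen.has(a))
  };
}
```

An empty missing list means db.updateUser() can change both the password and the custom data; a non-empty list names the action to add to the role.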

Change your password and custom data.

Use the db.updateUser() method to update the password and custom data.

For example, the following operation changes the user's password to KNlZmiaNUp0B and custom data to { title: "Senior Manager" }:

Tip

Starting in version 4.2 of the mongo shell, you can use the passwordPrompt() method in conjunction with various user authentication/management methods/commands to prompt for the password instead of specifying the password directly in the method/command call. However, you can still specify the password directly as you would with earlier versions of the mongo shell.

  use test
  db.updateUser(
     "user123",
     {
       pwd: passwordPrompt(),  // or cleartext password
       customData: { title: "Senior Manager" }
     }
  )

Enter the password when prompted.