xuemingqiang/mongo
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
87393ce9bcfe06f8aa93b856474fb77bfb3a5267
mongo/debian/mongo.1
A. Jesse Jiryu Davis 1b130329e1 SERVER-63108 Rename Versioned API to Stable API
2022-02-07 19:37:24 +00:00

1862 lines
52 KiB
Groff
Raw Blame History

.TH mongo 1
.SH LEGACY MONGO SHELL
The \fBmongo\f1 shell has been deprecated in MongoDB v5.0. The
replacement is \fBmongosh\f1\f1\&.
.PP
Older \fBmongo\f1 shell documentation is included with the
corresponding documentation for that \fBMongoDB\f1 release.
.PP
\fIQuick Links to prior versions\f1
.RS
.IP \(bu 2
mongo shell v4.4 (https://docs.mongodb.com/v4.4/mongo/)
.IP \(bu 2
mongo shell v4.2 (https://docs.mongodb.com/v4.2/mongo/)
.IP \(bu 2
mongo shell v4.0 (https://docs.mongodb.com/v4.0/mongo/)
.RE
.PP
See \fBComparison of the mongo\f1 Shell and mongosh\f1\f1 for more information.
.SH DESCRIPTION
.PP
\fBmongo\f1\f1 is an interactive JavaScript shell interface to
MongoDB, which provides a powerful interface for system
administrators as well as a way for developers to test queries and
operations directly with the database. \fBmongo\f1\f1 also provides
a fully functional JavaScript environment for use with a MongoDB.
.PP
The \fBmongo\f1\f1 shell is included as part of the \fBMongoDB
server installation\f1\&. If you have already installed the
server, the \fBmongo\f1\f1 shell is installed to the same location
as the server binary.
.PP
Alternatively, if you would like to download the \fBmongo\f1\f1
shell separately from the MongoDB Server, you can install the shell as
a standalone package by following these steps:
.RS
.IP \(bu 2
Access the Download Center for your Edition of MongoDB:
.RS
.IP \(bu 4
MongoDB Community Download Center (https://www.mongodb.com/try/download/community?tck=docs_server)
.IP \(bu 4
MongoDB Enterprise Download Center (https://www.mongodb.com/try/download/enterprise?tck=docs_server)
.RE
.IP \(bu 2
Select your preferred Version and Platform
from the dropdowns.
.IP \(bu 2
Select the Package to download according to your
platform:
.RS
.IP \(bu 4
.RS
.IP \(bu 6
Platform
.IP \(bu 6
Download Package
.RE
.IP \(bu 4
.RS
.IP \(bu 6
Windows
.IP \(bu 6
Select the \fBzip\f1 package to download an archive which
includes the \fBmongo\f1\f1 shell.
.RE
.IP \(bu 4
.RS
.IP \(bu 6
macOS
.IP \(bu 6
Select the \fBtgz\f1 package to download an archive which
includes the \fBmongo\f1\f1 shell.
.RE
.IP \(bu 4
.RS
.IP \(bu 6
Linux
.IP \(bu 6
Select the \fBtgz\f1 package to download the
\fBmongo\f1\f1 shell.
.RE
.RE
.IP \(bu 2
Copy the \fBmongo\f1\f1 shell from the archive to a location on
your filesystem.
.RE
.PP
For additional installation guidance specific to your platform, or to
install the \fBmongo\f1\f1 shell as part of a MongoDB Server
installation, see the \fBinstallation guide for your platform\f1\&.
.RS
.IP \(bu 2
Starting in MongoDB 4.2 (and 4.0.13), the \fBmongo\f1\f1 shell displays a
warning message when connected to non\-genuine MongoDB instances as
these instances may behave differently from the official MongoDB
instances; e.g. missing or incomplete features, different feature
behaviors, etc.
.IP \(bu 2
Starting in version 4.0, \fBmongo\f1\f1 disables support for TLS 1.0
encryption on systems where TLS 1.1+ is available. For
more details, see \fBDisable TLS 1.0\f1\&.
.RE
.SH SYNTAX
.RS
.IP \(bu 2
You can run \fBmongo\f1\f1 shell without any command\-line
options use the default settings:
.IP
.EX
mongo
.EE
.IP \(bu 2
You can run \fBmongo\f1\f1 shell with a \fBconnection string\f1 that specifies the host and port and
other connection options. For example, the following includes the
\fBtls\f1\f1:
.IP
.EX
mongo "mongodb://mongodb0.example.com:27017/testdb?tls=true"
.EE
.IP
The \fBtls\f1\f1 option is available starting in MongoDB 4.2. In
earlier version, use the \fBssl\f1\f1 option.
.IP
To connect \fBmongo\f1\f1 shell to a replica set, you can
specify in the \fBconnection string\f1 the replica set members and name:
.IP
.EX
mongo "mongodb://mongodb0.example.com.local:27017,mongodb1.example.com.local:27017,mongodb2.example.com.local:27017/?replicaSet=replA"
.EE
.IP
For more information on the connection string options, see
\fBConnection String URI Format\f1\&.
.IP \(bu 2
You can run \fBmongo\f1\f1 shell with various command\-line
options. For example:
.IP
.EX
mongo \-\-host mongodb0.example.com:27017 [additional options]
mongo \-\-host mongodb0.example.com \-\-port 27017 [additional options]
.EE
.IP
For more information on the options available, see \fBOptions\f1\&.
.RE
.SH OPTIONS
.RS
.IP \(bu 2
MongoDB deprecates the SSL options and instead adds new
corresponding TLS options.
.RE
.SS CORE OPTIONS
.PP
\fBmongo \-\-shell\f1
.RS
.PP
Enables the shell interface. If you invoke the \fBmongo\f1\f1 command
and specify a JavaScript file as an argument, or use \fB\-\-eval\f1\f1 to
specify JavaScript on the command line, the \fB\-\-shell\f1\f1 option
provides the user with a shell prompt after the file finishes executing.
.RE
.PP
\fBmongo \-\-nodb\f1
.RS
.PP
Prevents the shell from connecting to any database instances. Later, to
connect to a database within the shell, see
\fBOpening New Connections\f1\&.
.RE
.PP
\fBmongo \-\-norc\f1
.RS
.PP
Prevents the shell from sourcing and evaluating ~/.mongorc.js on
start up.
.RE
.PP
\fBmongo \-\-quiet\f1
.RS
.PP
Silences output from the shell during the connection process.
.RE
.PP
\fBmongo \-\-port\f1
.RS
.PP
Specifies the port where the \fBmongod\f1\f1 or \fBmongos\f1\f1
instance is listening. If \fB\-\-port\f1\f1 is not specified,
\fBmongo\f1\f1 attempts to connect to port \fB27017\f1\&.
.RE
.PP
\fBmongo \-\-host\f1
.RS
.PP
Specifies the name of the host machine where the
\fBmongod\f1\f1 or \fBmongos\f1\f1 is running. If this is not specified,
\fBmongo\f1\f1 attempts to connect to a MongoDB process running on
the localhost.
.PP
\fBTo connect to a replica set,\f1
.RS
.PP
Specify the \fBreplica set name\f1\f1
and a seed list of set members. Use the following form:
.PP
.EX
<replSetName>/<hostname1><:port>,<hostname2><:port>,<...>
.EE
.RE
.PP
\fBFor TLS/SSL connections (\-\-ssl\f1),\f1
.RS
.PP
\fBmongosh\f1\f1 verifies that the hostname (specified
in \fB\-\-host\f1\f1 option or the connection string)
matches the \fBSAN\f1 (or, if \fBSAN\f1 is not present, the \fBCN\f1) in
the certificate presented by the \fBmongod\f1\f1 or
\fBmongos\f1\f1\&. If \fBSAN\f1 is present, \fBmongosh\f1\f1
does not match against the \fBCN\f1\&. If the hostname does not match
the \fBSAN\f1 (or \fBCN\f1), \fBmongosh\f1\f1 will fail to
connect.
.PP
Starting in MongoDB 4.2, when performing comparison of SAN, MongoDB
supports comparison of DNS names or IP addresses. In previous versions,
MongoDB only supports comparisons of DNS names.
.RE
.PP
\fBFor DNS seedlist connections (https://docs.mongodb.com/manual/reference/connection\-string/#dns\-seedlist\-connection\-format/),\f1
.RS
.PP
Specify the connection protocol as \fBmongodb+srv\f1, followed by
the DNS SRV hostname record and any options. The \fBauthSource\f1
and \fBreplicaSet\f1 options, if included in the connection string,
will override any corresponding DNS\-configured options set in the
TXT record. Use of the \fBmongodb+srv:\f1 connection string
implicitly enables TLS/SSL (normally set with \fBssl=true\f1) for
the client connection. The TLS/SSL option can be turned off by
setting \fBssl=false\f1 in the query string.
.PP
Example:
.PP
.EX
mongodb+srv://server.example.com/?connectionTimeout=3000ms
.EE
.RE
.RE
.PP
\fBmongo \-\-eval\f1
.RS
.PP
Evaluates a JavaScript expression that is specified as an argument.
\fBmongo\f1\f1 does not load its own environment when evaluating code.
As a result many options of the shell environment are not available.
.RE
.PP
\fBmongo \-\-username\f1, \fBmongo \-u\f1
.RS
.PP
Specifies a username with which to authenticate to a MongoDB database
that uses authentication. Use in conjunction with the \fB\-\-password\f1\f1 and
\fB\-\-authenticationDatabase\f1\f1 options.
.PP
If connecting to a MongoDB Atlas (https://www.mongodb.com/cloud/atlas?tck=docs_server) cluster
using the \fBMONGODB\-AWS\f1 \fBauthentication mechanism\f1\f1, specify your AWS access key ID in this
field, or in the \fBconnection string\f1\&. Alternatively, this value may
also be supplied as the environment variable \fBAWS_ACCESS_KEY_ID\f1\&.
See \fBConnect to a MongoDB Atlas Cluster using AWS IAM Credentials\f1\&.
.RE
.PP
\fBmongo \-\-password\f1, \fBmongo \-p\f1
.RS
.PP
Specifies a password with which to authenticate to a MongoDB database
that uses authentication. Use in conjunction with the \fB\-\-username\f1\f1
and \fB\-\-authenticationDatabase\f1\f1 options. To force \fBmongo\f1\f1 to
prompt for a password, enter the \fB\-\-password\f1\f1 option as the
last option and leave out the argument.
.PP
If connecting to a MongoDB Atlas (https://www.mongodb.com/cloud/atlas?tck=docs_server) cluster
using the \fBMONGODB\-AWS\f1 \fBauthentication mechanism\f1\f1, specify your AWS secret access key in
this field, or in the \fBconnection string\f1\&. Alternatively, this value may
also be supplied as the environment variable
\fBAWS_SECRET_ACCESS_KEY\f1\&. See
\fBConnect to a MongoDB Atlas Cluster using AWS IAM Credentials\f1\&.
.RE
.PP
\fBmongo \-\-apiVersion\f1
.RS
.PP
Specifies the \fBapiVersion\f1\&. \fB"1"\f1 is
currently the only supported value.
.RE
.PP
\fBmongo \-\-apiStrict\f1
.RS
.PP
Specifies that the server will respond with \fBAPIStrictError\f1 if your application uses a command or behavior
outside of the \fBStable API\f1\&.
.PP
If you specify \fB\-\-apiStrict\f1\f1, you must also specify
\fB\-\-apiVersion\f1\f1\&.
.RE
.PP
\fBmongo \-\-apiDeprecationErrors\f1
.RS
.PP
Specifies that the server will respond with
\fBAPIDeprecationError\f1 if your application
uses a command or behavior that is deprecated in the specified
\fBapiVersion\f1\&.
.PP
If you specify \fB\-\-apiDeprecationErrors\f1\f1, you must also
specify \fB\-\-apiVersion\f1\f1\&.
.RE
.PP
\fBmongo \-\-awsIamSessionToken\f1
.RS
.PP
If connecting to a MongoDB Atlas (https://www.mongodb.com/cloud/atlas?tck=docs_server) cluster
using the \fBMONGODB\-AWS\f1 \fBauthentication mechanism\f1\f1 and using session tokens in addition to
your AWS access key ID and secret access key, specify your AWS
session token in this field, or in the \fBconnection string\f1\&. Alternatively, this value may
also be supplied as the environment variable
\fBAWS_SESSION_TOKEN\f1\&. See
\fBConnect to a MongoDB Atlas Cluster using AWS IAM Credentials\f1\&.
.PP
Only valid when using the \fBMONGODB\-AWS\f1
\fBauthentication mechanism\f1\f1\&.
.RE
.PP
\fBmongo \-\-help\f1, \fBmongo \-h\f1
.RS
.PP
Returns information on the options and use of \fBmongo\f1\f1\&.
.RE
.PP
\fBmongo \-\-version\f1
.RS
.PP
Returns the \fBmongo\f1\f1 release number.
.RE
.PP
\fBmongo \-\-verbose\f1
.RS
.PP
Increases the verbosity of the output of the shell during the connection
process.
.RE
.PP
\fBmongo \-\-networkMessageCompressors\f1
.RS
.PP
Enables network compression for communication between this
\fBmongo\f1\f1 shell and:
.RS
.IP \(bu 2
a \fBmongod\f1\f1 instance
.IP \(bu 2
a \fBmongos\f1\f1 instance.
.RE
.PP
You can specify the following compressors:
.RS
.IP \(bu 2
\fBsnappy\f1
.IP \(bu 2
\fBzlib\f1 (Available starting in MongoDB 3.6)
.IP \(bu 2
\fBzstd\f1 (Available starting in MongoDB 4.2)
.RE
.PP
Messages are compressed when both parties enable network
compression. Otherwise, messages between the parties are
uncompressed.
.PP
If you specify multiple compressors, then the order in which you list
the compressors matter as well as the communication initiator. For
example, if \fBmongosh\f1\f1 specifies the following network
compressors \fBzlib,snappy\f1 and the \fBmongod\f1\f1 specifies
\fBsnappy,zlib\f1, messages between \fBmongosh\f1\f1 and
\fBmongod\f1\f1 uses \fBzlib\f1\&.
.PP
If the parties do not share at least one common compressor, messages
between the parties are uncompressed. For example, if
\fBmongosh\f1\f1 specifies the network compressor
\fBzlib\f1 and \fBmongod\f1\f1 specifies \fBsnappy\f1, messages
between \fBmongosh\f1\f1 and \fBmongod\f1\f1 are not
compressed.
.RE
.PP
\fBmongo \-\-ipv6\f1
.RS
.PP
Enables IPv6 support. \fBmongo\f1\f1 disables IPv6 by default.
.PP
To connect to a MongoDB cluster via IPv6, you must specify
both \fB\-\-ipv6\f1\f1 \fIand\f1
\fB\-\-host <mongod/mongos IPv6 address>\f1\f1
when starting the \fBmongo\f1\f1 shell.
.PP
\fBmongod\f1\f1 and \fBmongos\f1\f1 disable IPv6 support
by default. Specifying \fB\-\-ipv6\f1\f1 when connecting to a
\fBmongod/mongos\f1 does not enable IPv6 support on the
\fBmongod/mongos\f1\&. For documentation on enabling IPv6 support
on the \fBmongod/mongos\f1, see \fBnet.ipv6\f1\f1\&.
.RE
.PP
\fBmongo <db\f1
.RS
.PP
Specifies the name of the database to connect to. For
example:
.PP
.EX
mongo admin
.EE
.PP
The above command will connect the \fBmongo\f1\f1 shell to the
\fBadmin database\f1 of the MongoDB deployment running on the local machine. You may specify a remote
database instance, with the resolvable hostname or IP address. Separate
the database name from the hostname using a \fB/\f1 character. See the
following examples:
.PP
.EX
mongo mongodb1.example.net/test
mongo mongodb1/admin
mongo 10.8.8.10/test
.EE
.PP
This syntax is the \fIonly\f1 way to connect to a specific database.
.PP
To specify alternate hosts and a database, you must use this syntax and cannot
use \fB\-\-host\f1\f1 or \fB\-\-port\f1\f1\&.
.RE
.PP
\fBmongo \-\-enableJavaScriptJIT\f1
.RS
.PP
Enable the JavaScript engine\(aqs JIT compiler.
.RE
.PP
\fBmongo \-\-disableJavaScriptJIT\f1
.RS
.PP
The JavaScript engine\(aqs JIT compiler is now disabled by default.
.PP
Disables the JavaScript engine\(aqs JIT compiler.
.RE
.PP
\fBmongo \-\-disableJavaScriptProtection\f1
.RS
.PP
Allows fields of type \fBjavascript\f1 and
\fBjavascriptWithScope (*Deprecated*)\f1 to be automatically
marshalled to JavaScript functions in the \fBmongo\f1\f1
shell.
.PP
With the \fB\-\-disableJavaScriptProtection\f1 flag set, it is possible
to immediately execute JavaScript functions contained in documents.
The following example demonstrates this behavior within the shell:
.PP
.EX
> db.test.insert({ _id: 1, jsFunc: function(){ print("hello") } } )
WriteResult({ "nInserted" : 1 })
> var doc = db.test.findOne({ _id: 1 })
> doc
{ "_id" : 1, "jsFunc" : function (){ print ("hello") } }
> typeof doc.jsFunc
function
> doc.jsFunc()
hello
.EE
.PP
The default behavior (when \fBmongo\f1\f1 starts \fIwithout\f1 the
\fB\-\-disableJavaScriptProtection\f1 flag) is to convert embedded
JavaScript functions to the non\-executable MongoDB shell type
\fBCode\f1\&. The following example demonstrates the default behavior
within the shell:
.PP
.EX
> db.test.insert({ _id: 1, jsFunc: function(){ print("hello") } } )
WriteResult({ "nInserted" : 1 })
> var doc = db.test.findOne({ _id: 1 })
> doc
{ "_id" : 1, "jsFunc" : { "code" : "function (){print(\"hello\")}" } }
> typeof doc.func
object
> doc.func instanceof Code
true
> doc.jsFunc()
2016\-11\-09T12:30:36.808\-08:00 E QUERY [thread1] TypeError: doc.jsFunc is
not a function :
@(shell):1:1
.EE
.RE
.PP
\fBmongo <file.js>\f1
.RS
.PP
Specifies a JavaScript file to run and then exit. Generally this should
be the last option specified.
.PP
To specify a JavaScript file to execute \fIand\f1 allow
\fBmongo\f1\f1 to prompt you for a password using
\fB\-\-password\f1\f1, pass the filename as the first parameter with
\fB\-\-username\f1\f1 and \fB\-\-password\f1\f1 as the last options, as
in the following:
.PP
.EX
mongo file.js \-\-username username \-\-password
.EE
.PP
Use the \fB\-\-shell\f1\f1 option to return to a shell after the file
finishes running.
.RE
.SS AUTHENTICATION OPTIONS
.PP
\fBmongo \-\-authenticationDatabase\f1
.RS
.PP
Specifies the authentication database where the specified \fB\-\-username\f1\f1 has been created.
See \fBAuthentication Database\f1\&.
.PP
If you do not specify a value for \fB\-\-authenticationDatabase\f1\f1, \fBmongo\f1\f1 uses the database
specified in the connection string.
.PP
If using the \fBGSSAPI\f1 (Kerberos),
\fBPLAIN\f1 (LDAP SASL), or \fBMONGODB\-AWS\f1
\fBauthentication mechanisms\f1\f1, you
must set \fB\-\-authenticationDatabase\f1\f1 to \fB$external\f1\&.
.RE
.PP
\fBmongo \-\-authenticationMechanism\f1
.RS
.PP
\fIDefault\f1: SCRAM\-SHA\-1
.PP
Specifies the authentication mechanism the \fBmongo\f1\f1 instance uses to
authenticate to the \fBmongod\f1\f1 or \fBmongos\f1\f1\&.
.PP
With MongoDB 4.4, the \fBmongo\f1\f1 shell adds support for the
new \fBMONGODB\-AWS\f1 authentication mechanism when connecting to a
MongoDB Atlas (https://www.mongodb.com/cloud/atlas?tck=docs_server) cluster.
.RS
.IP \(bu 2
.RS
.IP \(bu 4
Value
.IP \(bu 4
Description
.RE
.IP \(bu 2
.RS
.IP \(bu 4
\fBSCRAM\-SHA\-1\f1
.IP \(bu 4
RFC 5802 (https://tools.ietf.org/html/rfc5802) standard
Salted Challenge Response Authentication Mechanism using the SHA\-1
hash function.
.RE
.IP \(bu 2
.RS
.IP \(bu 4
\fBSCRAM\-SHA\-256\f1
.IP \(bu 4
RFC 7677 (https://tools.ietf.org/html/rfc7677) standard
Salted Challenge Response Authentication Mechanism using the SHA\-256
hash function.
.IP
Requires featureCompatibilityVersion set to \fB4.0\f1\&.
.RE
.IP \(bu 2
.RS
.IP \(bu 4
\fBMONGODB\-X509\f1
.IP \(bu 4
MongoDB TLS/SSL certificate authentication.
.RE
.IP \(bu 2
.RS
.IP \(bu 4
\fBMONGODB\-AWS\f1
.IP \(bu 4
External authentication using AWS IAM credentials for use in
connecting to a
MongoDB Atlas (https://www.mongodb.com/cloud/atlas?tck=docs_server)
cluster. See \fBConnect to a MongoDB Atlas Cluster using AWS IAM Credentials\f1\&.
.RE
.IP \(bu 2
.RS
.IP \(bu 4
\fBGSSAPI\f1 (Kerberos)
.IP \(bu 4
External authentication using Kerberos. This mechanism is
available only in MongoDB Enterprise (http://www.mongodb.com/products/mongodb\-enterprise\-advanced?tck=docs_server)\&.
.RE
.IP \(bu 2
.RS
.IP \(bu 4
\fBPLAIN\f1 (LDAP SASL)
.IP \(bu 4
External authentication using LDAP. You can also use \fBPLAIN\f1
for authenticating in\-database users. \fBPLAIN\f1 transmits
passwords in plain text. This mechanism is available only in
MongoDB Enterprise (http://www.mongodb.com/products/mongodb\-enterprise\-advanced?tck=docs_server)\&.
.RE
.RE
.RE
.PP
\fBmongo \-\-gssapiHostName\f1
.RS
.PP
Specify the hostname of a service using \fBGSSAPI/Kerberos\f1\&. \fIOnly\f1 required if the hostname of a machine does
not match the hostname resolved by DNS.
.PP
This option is available only in MongoDB Enterprise.
.RE
.PP
\fBmongo \-\-gssapiServiceName\f1
.RS
.PP
Specify the name of the service using \fBGSSAPI/Kerberos\f1\&. Only required if the service does not use the
default name of \fBmongodb\f1\&.
.PP
This option is available only in MongoDB Enterprise.
.RE
.SS TLS OPTIONS
.PP
Starting in version 4.0, \fBmongo\f1\f1 disables support for TLS 1.0
encryption on systems where TLS 1.1+ is available. For
more details, see \fBDisable TLS 1.0\f1\&.
.PP
\fBConfigure mongod\f1 and mongos\f1 for TLS/SSL\f1 for full
documentation of MongoDB\(aqs support.
.PP
\fBmongo \-\-tls\f1
.RS
.PP
Enables connection to a \fBmongod\f1\f1 or \fBmongos\f1\f1 that has
TLS/SSL support enabled.
.PP
Starting in version 3.2.6, if \fB\-\-tlsCAFile\f1 or \fBnet.tls.CAFile\f1
(or their aliases \fB\-\-sslCAFile\f1 or \fBssl.CAFile\f1) is not
specified, the system\-wide CA certificate store will be used when
connecting to an TLS/SSL\-enabled server. In previous versions of
MongoDB, \fBmongosh\f1\f1 exited with an error that it
could not validate the certificate.
.PP
To use x.509 authentication, \fB\-\-tlsCAFile\f1 or \fBnet.tls.CAFile\f1
must be specified unless you are using \fB\-\-tlsCertificateSelector\f1
or \fB\-\-net.tls.certificateSelector\f1\&.
.PP
For more information about TLS/SSL and MongoDB, see
\fBConfigure mongod\f1 and mongos\f1 for TLS/SSL\f1 and
\fBTLS/SSL Configuration for Clients\f1 .
.RE
.PP
\fBmongo \-\-tlsCertificateKeyFile\f1
.RS
.PP
Specifies the \&.pem file that contains both the TLS/SSL
certificate and key for the \fBmongo\f1\f1 shell. Specify the
file name of the \&.pem file using relative or absolute paths.
.PP
This option is required when using the \fB\-\-tls\f1\f1
option to connect to a \fBmongod\f1\f1 or \fBmongos\f1\f1
instance that requires \fBclient certificates\f1\&. That is, the
\fBmongo\f1\f1 shell present this certificate to the server.
.PP
\fBmongod\f1\f1 / \fBmongos\f1\f1 logs a warning on
connection if the presented x.509 certificate expires within \fB30\f1
days of the \fBmongod/mongos\f1 host system time. See
\fBx.509 Certificates Nearing Expiry Trigger Warnings\f1 for more
information.
.PP
For more information about TLS/SSL and MongoDB, see
\fBConfigure mongod\f1 and mongos\f1 for TLS/SSL\f1 and
\fBTLS/SSL Configuration for Clients\f1 .
.RE
.PP
\fBmongo \-\-tlsCertificateKeyFilePassword\f1
.RS
.PP
Specifies the password to de\-crypt the certificate\-key file (i.e.
\fB\-\-tlsCertificateKeyFile\f1\f1).
.PP
Use the \fB\-\-tlsCertificateKeyFilePassword\f1\f1 option only if the
certificate\-key file is encrypted. In all cases, the \fBmongo\f1\f1 will
redact the password from all logging and reporting output.
.PP
If the private key in the PEM file is encrypted and you do not
specify the \fB\-\-tlsCertificateKeyFilePassword\f1\f1 option, the \fBmongo\f1\f1 will prompt for a
passphrase. See \fBTLS/SSL Certificate Passphrase\f1\&.
.PP
For more information about TLS/SSL and MongoDB, see
\fBConfigure mongod\f1 and mongos\f1 for TLS/SSL\f1 and
\fBTLS/SSL Configuration for Clients\f1 .
.RE
.PP
\fBmongo \-\-tlsCAFile\f1
.RS
.PP
Specifies the \&.pem file that contains the root certificate
chain from the Certificate Authority. This file is used to validate
the certificate presented by the
\fBmongod\f1\f1/\fBmongos\f1\f1 instance.
.PP
Specify the file name of the \&.pem file using relative or
absolute paths.
.PP
Starting in version 3.2.6, if \fB\-\-tlsCAFile\f1 or \fBnet.tls.CAFile\f1
(or their aliases \fB\-\-sslCAFile\f1 or \fBssl.CAFile\f1) is not
specified, the system\-wide CA certificate store will be used when
connecting to an TLS/SSL\-enabled server. In previous versions of
MongoDB, \fBmongosh\f1\f1 exited with an error that it
could not validate the certificate.
.PP
To use x.509 authentication, \fB\-\-tlsCAFile\f1 or \fBnet.tls.CAFile\f1
must be specified unless you are using \fB\-\-tlsCertificateSelector\f1
or \fB\-\-net.tls.certificateSelector\f1\&.
.PP
For more information about TLS/SSL and MongoDB, see
\fBConfigure mongod\f1 and mongos\f1 for TLS/SSL\f1 and
\fBTLS/SSL Configuration for Clients\f1 .
.RE
.PP
\fBmongo \-\-tlsCRLFile\f1
.RS
.PP
In MongoDB 4.0 and earlier, see \fB\-\-sslCRLFile\f1\f1\&.
.PP
Specifies the \&.pem file that contains the Certificate Revocation
List. Specify the file name of the \&.pem file using relative or
absolute paths.
.PP
For more information about TLS/SSL and MongoDB, see
\fBConfigure mongod\f1 and mongos\f1 for TLS/SSL\f1 and
\fBTLS/SSL Configuration for Clients\f1 .
.PP
Starting in version 4.4, to check for certificate revocation,
MongoDB \fBenables\f1\f1 the use of OCSP
(Online Certificate Status Protocol) by default as an alternative
to specifying a CRL file or using the system SSL certificate
store.
.RE
.PP
\fBmongo \-\-tlsAllowInvalidHostnames\f1
.RS
.PP
Disables the validation of the hostnames in the certificate presented
by the \fBmongod\f1\f1/\fBmongos\f1\f1 instance. Allows
\fBmongo\f1\f1 to connect to MongoDB instances even if the hostname in
the server certificates do not match the server\(aqs host.
.PP
For more information about TLS/SSL and MongoDB, see
\fBConfigure mongod\f1 and mongos\f1 for TLS/SSL\f1 and
\fBTLS/SSL Configuration for Clients\f1 .
.RE
.PP
\fBmongo \-\-tlsAllowInvalidCertificates\f1
.RS
.PP
Bypasses the validation checks for the certificates presented by the
\fBmongod\f1\f1/\fBmongos\f1\f1 instance and allows
connections to servers that present invalid certificates.
.PP
Starting in MongoDB 4.2, if you specify
\fB\-\-tlsAllowInvalidateCertificates\f1 or
\fBnet.tls.allowInvalidCertificates: true\f1 when using x.509
authentication, an invalid certificate is only sufficient to
establish a TLS connection but it is \fIinsufficient\f1 for
authentication.
.PP
Although available, avoid using the
\fB\-\-sslAllowInvalidCertificates\f1 option if possible. If the use of
\fB\-\-sslAllowInvalidCertificates\f1 is necessary, only use the option
on systems where intrusion is not possible.
.PP
If \fBmongosh\f1\f1 (and other
\fBMongoDB Tools\f1) runs with the
\fB\-\-sslAllowInvalidCertificates\f1 option,
\fBmongosh\f1\f1 (and other
\fBMongoDB Tools\f1) will not attempt to validate
the server certificates. This creates a vulnerability to expired
\fBmongod\f1\f1 and \fBmongos\f1\f1 certificates as
well as to foreign processes posing as valid
\fBmongod\f1\f1 or \fBmongos\f1\f1 instances. If you
only need to disable the validation of the hostname in the
TLS/SSL certificates, see \fB\-\-sslAllowInvalidHostnames\f1\&.
.PP
When using the \fBallowInvalidCertificates\f1\f1 setting,
MongoDB logs as a warning the use of the invalid certificate.
.PP
For more information about TLS/SSL and MongoDB, see
\fBConfigure mongod\f1 and mongos\f1 for TLS/SSL\f1 and
\fBTLS/SSL Configuration for Clients\f1 .
.RE
.PP
\fBmongo \-\-tlsFIPSMode\f1
.RS
.PP
Directs the \fBmongo\f1\f1 to use the FIPS mode of the TLS/SSL
library. Your system must have a FIPS compliant library to use
the \fB\-\-tlsFIPSMode\f1\f1 option.
.PP
FIPS\-compatible TLS/SSL is
available only in MongoDB Enterprise (http://www.mongodb.com/products/mongodb\-enterprise\-advanced?tck=docs_server)\&. See
\fBConfigure MongoDB for FIPS\f1 for more information.
.RE
.PP
\fBmongo \-\-tlsCertificateSelector\f1
.RS
.PP
Available on Windows and macOS as an alternative to \fB\-\-tlsCertificateKeyFile\f1\f1\&.
.PP
The \fB\-\-tlsCertificateKeyFile\f1\f1 and \fB\-\-tlsCertificateSelector\f1\f1 options are mutually exclusive. You can only
specify one.
.PP
Specifies a certificate property in order to select a matching
certificate from the operating system\(aqs certificate store.
.PP
\fB\-\-tlsCertificateSelector\f1\f1 accepts an argument of the format \fB<property>=<value>\f1
where the property can be one of the following:
.RS
.IP \(bu 2
.RS
.IP \(bu 4
Property
.IP \(bu 4
Value type
.IP \(bu 4
Description
.RE
.IP \(bu 2
.RS
.IP \(bu 4
\fBsubject\f1
.IP \(bu 4
ASCII string
.IP \(bu 4
Subject name or common name on certificate
.RE
.IP \(bu 2
.RS
.IP \(bu 4
\fBthumbprint\f1
.IP \(bu 4
hex string
.IP \(bu 4
A sequence of bytes, expressed as hexadecimal, used to
identify a public key by its SHA\-1 digest.
.IP
The \fBthumbprint\f1 is sometimes referred to as a
\fBfingerprint\f1\&.
.RE
.RE
.PP
When using the system SSL certificate store, OCSP (Online
Certificate Status Protocol) is used to validate the revocation
status of certificates.
.PP
\fBmongod\f1\f1 / \fBmongos\f1\f1 logs a warning on
connection if the presented x.509 certificate expires within \fB30\f1
days of the \fBmongod/mongos\f1 host system time. See
\fBx.509 Certificates Nearing Expiry Trigger Warnings\f1 for more
information.
.RE
.PP
\fBmongo \-\-tlsDisabledProtocols\f1
.RS
.PP
Disables the specified TLS protocols. The option recognizes the
following protocols: \fBTLS1_0\f1, \fBTLS1_1\f1, \fBTLS1_2\f1, and
starting in version 4.0.4 (and 3.6.9 and 3.4.24), \fBTLS1_3\f1\&.
.RS
.IP \(bu 2
On macOS, you cannot disable \fBTLS1_1\f1 and leave both \fBTLS1_0\f1 and
\fBTLS1_2\f1 enabled. You must also disable at least one of the other
two; for example, \fBTLS1_0,TLS1_1\f1\&.
.IP \(bu 2
To list multiple protocols, specify as a comma separated list of
protocols. For example \fBTLS1_0,TLS1_1\f1\&.
.IP \(bu 2
The specified disabled protocols overrides any default disabled
protocols.
.RE
.PP
Starting in version 4.0, MongoDB disables the use of TLS 1.0 if TLS
1.1+ is available on the system. To enable the
disabled TLS 1.0, specify \fBnone\f1 to \fB\-\-tlsDisabledProtocols\f1\f1\&. See \fBDisable TLS 1.0\f1\&.
.RE
.SS SSL OPTIONS (DEPRECATED)
.PP
Starting in version 4.2, the SSL options are deprecated. Use the TLS
counterparts instead. The SSL protocol is deprecated and MongoDB
supports TLS 1.0 and later.
.PP
Starting in version 4.0, \fBmongo\f1\f1 disables support for TLS 1.0
encryption on systems where TLS 1.1+ is available. For
more details, see \fBDisable TLS 1.0\f1\&.
.PP
\fBmongo \-\-ssl\f1
.RS
.PP
Use \fB\-\-tls\f1\f1 instead.
.PP
Enables connection to a \fBmongod\f1\f1 or \fBmongos\f1\f1 that has
TLS/SSL support enabled.
.PP
Starting in version 3.2.6, if \fB\-\-tlsCAFile\f1 or \fBnet.tls.CAFile\f1
(or their aliases \fB\-\-sslCAFile\f1 or \fBssl.CAFile\f1) is not
specified, the system\-wide CA certificate store will be used when
connecting to an TLS/SSL\-enabled server. In previous versions of
MongoDB, \fBmongosh\f1\f1 exited with an error that it
could not validate the certificate.
.PP
To use x.509 authentication, \fB\-\-tlsCAFile\f1 or \fBnet.tls.CAFile\f1
must be specified unless you are using \fB\-\-tlsCertificateSelector\f1
or \fB\-\-net.tls.certificateSelector\f1\&.
.PP
For more information about TLS/SSL and MongoDB, see
\fBConfigure mongod\f1 and mongos\f1 for TLS/SSL\f1 and
\fBTLS/SSL Configuration for Clients\f1 .
.RE
.PP
\fBmongo \-\-sslPEMKeyFile\f1
.RS
.PP
Use \fB\-\-tlsCertificateKeyFile\f1\f1 instead.
.PP
Specifies the \&.pem file that contains both the TLS/SSL certificate
and key. Specify the file name of the \&.pem file using relative
or absolute paths.
.PP
This option is required when using the \fB\-\-ssl\f1 option to connect
to a \fBmongod\f1\f1 or \fBmongos\f1\f1 that has
\fBCAFile\f1\f1 enabled \fIwithout\f1
\fBallowConnectionsWithoutCertificates\f1\f1\&.
.PP
For more information about TLS/SSL and MongoDB, see
\fBConfigure mongod\f1 and mongos\f1 for TLS/SSL\f1 and
\fBTLS/SSL Configuration for Clients\f1 .
.RE
.PP
\fBmongo \-\-sslPEMKeyPassword\f1
.RS
.PP
Use \fB\-\-tlsCertificateKeyFilePassword\f1\f1 instead.
.PP
Specifies the password to de\-crypt the certificate\-key file (i.e.
\fB\-\-sslPEMKeyFile\f1). Use the \fB\-\-sslPEMKeyPassword\f1\f1 option only if the
certificate\-key file is encrypted. In all cases, the \fBmongo\f1\f1 will
redact the password from all logging and reporting output.
.PP
If the private key in the PEM file is encrypted and you do not
specify the \fB\-\-sslPEMKeyPassword\f1\f1 option, the \fBmongo\f1\f1 will prompt for a
passphrase. See \fBTLS/SSL Certificate Passphrase\f1\&.
.PP
For more information about TLS/SSL and MongoDB, see
\fBConfigure mongod\f1 and mongos\f1 for TLS/SSL\f1 and
\fBTLS/SSL Configuration for Clients\f1 .
.RE
.PP
\fBmongo \-\-sslCAFile\f1
.RS
.PP
Use \fB\-\-tlsCAFile\f1\f1 instead.
.PP
Specifies the \&.pem file that contains the root certificate chain
from the Certificate Authority. Specify the file name of the
\&.pem file using relative or absolute paths.
.PP
Starting in version 3.2.6, if \fB\-\-tlsCAFile\f1 or \fBnet.tls.CAFile\f1
(or their aliases \fB\-\-sslCAFile\f1 or \fBssl.CAFile\f1) is not
specified, the system\-wide CA certificate store will be used when
connecting to an TLS/SSL\-enabled server. In previous versions of
MongoDB, \fBmongosh\f1\f1 exited with an error that it
could not validate the certificate.
.PP
To use x.509 authentication, \fB\-\-tlsCAFile\f1 or \fBnet.tls.CAFile\f1
must be specified unless you are using \fB\-\-tlsCertificateSelector\f1
or \fB\-\-net.tls.certificateSelector\f1\&.
.PP
For more information about TLS/SSL and MongoDB, see
\fBConfigure mongod\f1 and mongos\f1 for TLS/SSL\f1 and
\fBTLS/SSL Configuration for Clients\f1 .
.RE
.PP
\fBmongo \-\-sslCertificateSelector\f1
.RS
.PP
Use \fB\-\-tlsCertificateSelector\f1\f1 instead.
.PP
Available on Windows and macOS as an alternative to \fB\-\-tlsCertificateKeyFile\f1\f1\&.
.PP
\fB\-\-tlsCertificateKeyFile\f1\f1 and \fB\-\-sslCertificateSelector\f1\f1 options are mutually exclusive. You can only
specify one.
.PP
Specifies a certificate property in order to select a matching
certificate from the operating system\(aqs certificate store.
.PP
\fB\-\-sslCertificateSelector\f1\f1 accepts an argument of the format \fB<property>=<value>\f1
where the property can be one of the following:
.RS
.IP \(bu 2
.RS
.IP \(bu 4
Property
.IP \(bu 4
Value type
.IP \(bu 4
Description
.RE
.IP \(bu 2
.RS
.IP \(bu 4
\fBsubject\f1
.IP \(bu 4
ASCII string
.IP \(bu 4
Subject name or common name on certificate
.RE
.IP \(bu 2
.RS
.IP \(bu 4
\fBthumbprint\f1
.IP \(bu 4
hex string
.IP \(bu 4
A sequence of bytes, expressed as hexadecimal, used to
identify a public key by its SHA\-1 digest.
.IP
The \fBthumbprint\f1 is sometimes referred to as a
\fBfingerprint\f1\&.
.RE
.RE
.PP
When using the system SSL certificate store, OCSP (Online
Certificate Status Protocol) is used to validate the revocation
status of certificates.
.RE
.PP
\fBmongo \-\-sslCRLFile\f1
.RS
.PP
Use \fB\-\-tlsCRLFile\f1\f1 instead.
.PP
Specifies the \&.pem file that contains the Certificate Revocation
List. Specify the file name of the \&.pem file using relative or
absolute paths.
.PP
Starting in version 4.4, to check for certificate revocation,
MongoDB \fBenables\f1\f1 the use of OCSP
(Online Certificate Status Protocol) by default as an alternative
to specifying a CRL file or using the system SSL certificate
store.
.PP
For more information about TLS/SSL and MongoDB, see
\fBConfigure mongod\f1 and mongos\f1 for TLS/SSL\f1 and
\fBTLS/SSL Configuration for Clients\f1 .
.RE
.PP
\fBmongo \-\-sslFIPSMode\f1
.RS
.PP
Use \fB\-\-tlsFIPSMode\f1\f1 instead.
.PP
Directs the \fBmongo\f1\f1 to use the FIPS mode of the TLS/SSL
library. Your system must have a FIPS compliant library to use
the \fB\-\-sslFIPSMode\f1\f1 option.
.PP
FIPS\-compatible TLS/SSL is
available only in MongoDB Enterprise (http://www.mongodb.com/products/mongodb\-enterprise\-advanced?tck=docs_server)\&. See
\fBConfigure MongoDB for FIPS\f1 for more information.
.RE
.PP
\fBmongo \-\-sslAllowInvalidCertificates\f1
.RS
.PP
Use \fB\-\-tlsAllowInvalidCertificates\f1\f1 instead.
.PP
Bypasses the validation checks for server certificates and allows
the use of invalid certificates to connect.
.PP
Starting in MongoDB 4.2, if you specify
\fB\-\-tlsAllowInvalidateCertificates\f1 or
\fBnet.tls.allowInvalidCertificates: true\f1 when using x.509
authentication, an invalid certificate is only sufficient to
establish a TLS connection but it is \fIinsufficient\f1 for
authentication.
.PP
Although available, avoid using the
\fB\-\-sslAllowInvalidCertificates\f1 option if possible. If the use of
\fB\-\-sslAllowInvalidCertificates\f1 is necessary, only use the option
on systems where intrusion is not possible.
.PP
If \fBmongosh\f1\f1 (and other
\fBMongoDB Tools\f1) runs with the
\fB\-\-sslAllowInvalidCertificates\f1 option,
\fBmongosh\f1\f1 (and other
\fBMongoDB Tools\f1) will not attempt to validate
the server certificates. This creates a vulnerability to expired
\fBmongod\f1\f1 and \fBmongos\f1\f1 certificates as
well as to foreign processes posing as valid
\fBmongod\f1\f1 or \fBmongos\f1\f1 instances. If you
only need to disable the validation of the hostname in the
TLS/SSL certificates, see \fB\-\-sslAllowInvalidHostnames\f1\&.
.PP
When using the \fBallowInvalidCertificates\f1\f1 setting,
MongoDB logs as a warning the use of the invalid certificate.
.PP
For more information about TLS/SSL and MongoDB, see
\fBConfigure mongod\f1 and mongos\f1 for TLS/SSL\f1 and
\fBTLS/SSL Configuration for Clients\f1 .
.RE
.PP
\fBmongo \-\-sslAllowInvalidHostnames\f1
.RS
.PP
Use \fB\-\-tlsAllowInvalidHostnames\f1\f1 instead.
.PP
Disables the validation of the hostnames in TLS/SSL certificates. Allows
\fBmongo\f1\f1 to connect to MongoDB instances even if the hostname in their
certificates do not match the specified hostname.
.PP
For more information about TLS/SSL and MongoDB, see
\fBConfigure mongod\f1 and mongos\f1 for TLS/SSL\f1 and
\fBTLS/SSL Configuration for Clients\f1 .
.RE
.PP
\fBmongo \-\-sslDisabledProtocols\f1
.RS
.PP
Use \fB\-\-tlsDisabledProtocols\f1\f1 instead.
.PP
Disables the specified TLS protocols. The option recognizes the
following protocols: \fBTLS1_0\f1, \fBTLS1_1\f1, \fBTLS1_2\f1, and
starting in version 4.0.4 (and 3.6.9), \fBTLS1_3\f1\&.
.RS
.IP \(bu 2
On macOS, you cannot disable \fBTLS1_1\f1 and leave both \fBTLS1_0\f1 and
\fBTLS1_2\f1 enabled. You must also disable at least one of the other
two; for example, \fBTLS1_0,TLS1_1\f1\&.
.IP \(bu 2
To list multiple protocols, specify as a comma separated list of
protocols. For example \fBTLS1_0,TLS1_1\f1\&.
.IP \(bu 2
The specified disabled protocols overrides any default disabled
protocols.
.RE
.PP
Starting in version 4.0, MongoDB disables the use of TLS 1.0 if TLS
1.1+ is available on the system. To enable the
disabled TLS 1.0, specify \fBnone\f1 to \fB\-\-sslDisabledProtocols\f1\f1\&. See \fBDisable TLS 1.0\f1\&.
.RE
.SS SESSIONS
.PP
\fBmongo \-\-retryWrites\f1
.RS
.PP
Enables retryable writes as the default for sessions in the
\fBmongo\f1\f1 shell.
.PP
For more information on sessions, see \fBClient Sessions and Causal Consistency Guarantees\f1\&.
.RE
.SS CLIENT-SIDE FIELD LEVEL ENCRYPTION OPTIONS
.PP
\fBmongo \-\-awsAccessKeyId\f1
.RS
.PP
An AWS Access Key (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_access\-keys.html)
associated to an IAM user with \fBList\f1 and \fBRead\f1 permissions for the
AWS Key Management Service (KMS). The \fBmongo\f1\f1 shell uses the specified
\fB\-\-awsAccessKeyId\f1\f1 to access the KMS.
.PP
\fB\-\-awsAccessKeyId\f1\f1 is required for enabling \fBClient\-Side Field Level Encryption\f1
for the \fBmongo\f1\f1 shell session. \fB\-\-awsAccessKeyId\f1\f1 requires \fIall\f1 of the following
command line options:
.RS
.IP \(bu 2
\fB\-\-awsSecretAccessKey\f1\f1
.IP \(bu 2
\fB\-\-keyVaultNamespace\f1\f1
.RE
.PP
If \fB\-\-awsAccessKeyId\f1\f1 is omitted, use the \fBMongo()\f1\f1 constructor within the shell
session to enable client\-side field level encryption.
.PP
To mitigate the risk of leaking access keys into logs, consider specifying
an environmental variable to \fB\-\-awsAccessKeyId\f1\f1\&.
.RE
.PP
\fBmongo \-\-awsSecretAccessKey\f1
.RS
.PP
An AWS Secret Key (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_access\-keys.html)
associated to the specified \fB\-\-awsAccessKeyId\f1\f1\&.
.PP
\fB\-\-awsSecretAccessKey\f1\f1 is required for enabling \fBClient\-Side Field Level Encryption\f1
for the \fBmongo\f1\f1 shell session. \fB\-\-awsSecretAccessKey\f1\f1 requires \fIall\f1 of the following
command line options:
.RS
.IP \(bu 2
\fB\-\-awsAccessKeyId\f1\f1
.IP \(bu 2
\fB\-\-keyVaultNamespace\f1\f1
.RE
.PP
If \fB\-\-awsSecretAccessKey\f1\f1 and its supporting options are omitted, use \fBMongo()\f1\f1
within the shell session to enable client\-side field level encryption.
.PP
To mitigate the risk of leaking access keys into logs, consider specifying
an environmental variable to \fB\-\-awsSecretAccessKey\f1\f1\&.
.RE
.PP
\fBmongo \-\-awsSessionToken\f1
.RS
.PP
An AWS Session Token (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_access\-keys.html)
associated to the specified \fB\-\-awsAccessKeyId\f1\f1\&.
.PP
\fB\-\-awsSessionToken\f1\f1 is required for enabling \fBClient\-Side Field Level Encryption\f1
for the \fBmongo\f1\f1 shell session. \fB\-\-awsSessionToken\f1\f1 requires \fIall\f1 of the following
command line options:
.RS
.IP \(bu 2
\fB\-\-awsAccessKeyId\f1\f1
.IP \(bu 2
\fB\-\-awsSecretAccessKey\f1\f1
.IP \(bu 2
\fB\-\-keyVaultNamespace\f1\f1
.RE
.PP
If \fB\-\-awsSessionToken\f1\f1 and its supporting options are omitted, use \fBMongo()\f1\f1
within the shell session to enable client\-side field level encryption.
.PP
To mitigate the risk of leaking access keys into logs, consider specifying
an environmental variable to \fB\-\-awsSessionToken\f1\f1\&.
.RE
.PP
\fBmongo \-\-keyVaultNamespace\f1
.RS
.PP
The full namespace (\fB<database>.<collection>\f1) of the collection used as a
key vault for \fBClient\-Side Field Level Encryption\f1\&. \fB\-\-keyVaultNamespace\f1\f1 is
required for enabling client\-side field level encryption. for the \fBmongo\f1\f1
shell session. \fBmongo\f1\f1 creates the specified namespace if it does not
exist.
.PP
\fB\-\-keyVaultNamespace\f1\f1 requires \fIall\f1 of the following command line options:
.RS
.IP \(bu 2
\fB\-\-awsAccessKeyId\f1\f1
.IP \(bu 2
\fB\-\-awsSecretAccessKey\f1\f1
.RE
.PP
If \fB\-\-keyVaultNamespace\f1\f1 and its supporting options are omitted, use the \fBMongo()\f1\f1
constructor within the shell session to enable client\-side field level
encryption.
.RE
.SH FILES
.PP
\fB~/.dbshell\f1
.RS
.PP
\fBmongo\f1\f1 maintains a history of commands in the \&.dbshell
file.
.PP
\fBmongo\f1\f1 does not record interaction related to
authentication in the history file, including
\fBauthenticate\f1\f1 and \fBdb.createUser()\f1\f1\&.
.RE
.PP
\fB~/.mongorc.js\f1
.RS
.PP
\fBmongo\f1\f1 will read the \fB\&.mongorc.js\f1 file from the home
directory of the user invoking \fBmongo\f1\f1\&. In the file, users
can define variables, customize the \fBmongo\f1\f1 shell prompt,
or update information that they would like updated every time they
launch a shell. If you use the shell to evaluate a JavaScript file
or expression either on the command line with \fBmongo \-\-eval\f1\f1 or
by specifying \fBa .js file to mongo\f1,
\fBmongo\f1\f1 will read the \fB\&.mongorc.js\f1 file \fIafter\f1 the
JavaScript has finished processing.
.PP
Specify the \fB\-\-norc\f1\f1 option to disable
reading \fB\&.mongorc.js\f1\&.
.RE
.PP
\fB/etc/mongorc.js\f1
.RS
.PP
Global \fBmongorc.js\f1 file which the \fBmongo\f1\f1 shell
evaluates upon start\-up. If a user also has a \&.mongorc.js
file located in the \fBHOME\f1\f1 directory, the \fBmongo\f1\f1
shell evaluates the global /etc/mongorc.js file \fIbefore\f1
evaluating the user\(aqs \&.mongorc.js file.
.PP
/etc/mongorc.js must have read permission for the user
running the shell. The \fB\-\-norc\f1\f1 option for \fBmongo\f1\f1
suppresses only the user\(aqs \&.mongorc.js file.
.PP
On Windows, the global mongorc.js </etc/mongorc.js> exists
in the %ProgramData%\MongoDB directory.
.RE
.PP
\fB/tmp/mongo_edit{<time_t>}.js\f1
.RS
.PP
Created by \fBmongo\f1\f1 when editing a file. If the file exists,
\fBmongo\f1\f1 will append an integer from \fB1\f1 to \fB10\f1 to the
time value to attempt to create a unique file.
.RE
.PP
\fB%TEMP%mongo_edit{<time_t>}.js\f1
.RS
.PP
Created by \fBmongo.exe\f1\f1 on Windows when editing a file. If
the file exists, \fBmongo\f1\f1 will append an integer from \fB1\f1
to \fB10\f1 to the time value to attempt to create a unique file.
.RE
.SH ENVIRONMENT
.PP
\fBEDITOR\f1
.RS
.PP
Specifies the path to an editor to use with the \fBedit\f1 shell
command. A JavaScript variable \fBEDITOR\f1 will override the value of
\fBEDITOR\f1\f1\&.
.RE
.PP
\fBHOME\f1
.RS
.PP
Specifies the path to the home directory where \fBmongo\f1\f1 will
read the \&.mongorc.js file and write the \&.dbshell
file.
.RE
.PP
\fBHOMEDRIVE\f1
.RS
.PP
On Windows systems, \fBHOMEDRIVE\f1\f1 specifies the path the
directory where \fBmongo\f1\f1 will read the \&.mongorc.js
file and write the \&.dbshell file.
.RE
.PP
\fBHOMEPATH\f1
.RS
.PP
Specifies the Windows path to the home directory where
\fBmongo\f1\f1 will read the \&.mongorc.js file and write
the \&.dbshell file.
.RE
.SH KEYBOARD SHORTCUTS
.PP
The \fBmongo\f1\f1 shell supports the following keyboard shortcuts:
.RS
.IP \(bu 2
.RS
.IP \(bu 4
Keybinding
.IP \(bu 4
Function
.RE
.IP \(bu 2
.RS
.IP \(bu 4
Up arrow
.IP \(bu 4
Retrieve previous command from history
.RE
.IP \(bu 2
.RS
.IP \(bu 4
Down\-arrow
.IP \(bu 4
Retrieve next command from history
.RE
.IP \(bu 2
.RS
.IP \(bu 4
Home
.IP \(bu 4
Go to beginning of the line
.RE
.IP \(bu 2
.RS
.IP \(bu 4
End
.IP \(bu 4
Go to end of the line
.RE
.IP \(bu 2
.RS
.IP \(bu 4
Tab
.IP \(bu 4
Autocomplete method/command
.RE
.IP \(bu 2
.RS
.IP \(bu 4
Left\-arrow
.IP \(bu 4
Go backward one character
.RE
.IP \(bu 2
.RS
.IP \(bu 4
Right\-arrow
.IP \(bu 4
Go forward one character
.RE
.IP \(bu 2
.RS
.IP \(bu 4
Ctrl\-left\-arrow
.IP \(bu 4
Go backward one word
.RE
.IP \(bu 2
.RS
.IP \(bu 4
Ctrl\-right\-arrow
.IP \(bu 4
Go forward one word
.RE
.IP \(bu 2
.RS
.IP \(bu 4
Meta\-left\-arrow
.IP \(bu 4
Go backward one word
.RE
.IP \(bu 2
.RS
.IP \(bu 4
Meta\-right\-arrow
.IP \(bu 4
Go forward one word
.RE
.IP \(bu 2
.RS
.IP \(bu 4
Ctrl\-A
.IP \(bu 4
Go to the beginning of the line
.RE
.IP \(bu 2
.RS
.IP \(bu 4
Ctrl\-B
.IP \(bu 4
Go backward one character
.RE
.IP \(bu 2
.RS
.IP \(bu 4
Ctrl\-C
.IP \(bu 4
Exit the \fBmongo\f1\f1 shell
.RE
.IP \(bu 2
.RS
.IP \(bu 4
Ctrl\-D
.IP \(bu 4
Delete a char (or exit the \fBmongo\f1\f1 shell)
.RE
.IP \(bu 2
.RS
.IP \(bu 4
Ctrl\-E
.IP \(bu 4
Go to the end of the line
.RE
.IP \(bu 2
.RS
.IP \(bu 4
Ctrl\-F
.IP \(bu 4
Go forward one character
.RE
.IP \(bu 2
.RS
.IP \(bu 4
Ctrl\-G
.IP \(bu 4
Abort
.RE
.IP \(bu 2
.RS
.IP \(bu 4
Ctrl\-J
.IP \(bu 4
Accept/evaluate the line
.RE
.IP \(bu 2
.RS
.IP \(bu 4
Ctrl\-K
.IP \(bu 4
Kill/erase the line
.RE
.IP \(bu 2
.RS
.IP \(bu 4
Ctrl\-L or type \fBcls\f1
.IP \(bu 4
Clear the screen
.RE
.IP \(bu 2
.RS
.IP \(bu 4
Ctrl\-M
.IP \(bu 4
Accept/evaluate the line
.RE
.IP \(bu 2
.RS
.IP \(bu 4
Ctrl\-N
.IP \(bu 4
Retrieve next command from history
.RE
.IP \(bu 2
.RS
.IP \(bu 4
Ctrl\-P
.IP \(bu 4
Retrieve previous command from history
.RE
.IP \(bu 2
.RS
.IP \(bu 4
Ctrl\-R
.IP \(bu 4
Reverse\-search command history
.RE
.IP \(bu 2
.RS
.IP \(bu 4
Ctrl\-S
.IP \(bu 4
Forward\-search command history
.RE
.IP \(bu 2
.RS
.IP \(bu 4
Ctrl\-T
.IP \(bu 4
Transpose characters
.RE
.IP \(bu 2
.RS
.IP \(bu 4
Ctrl\-U
.IP \(bu 4
Perform Unix line\-discard
.RE
.IP \(bu 2
.RS
.IP \(bu 4
Ctrl\-W
.IP \(bu 4
Perform Unix word\-rubout
.RE
.IP \(bu 2
.RS
.IP \(bu 4
Ctrl\-Y
.IP \(bu 4
Yank
.RE
.IP \(bu 2
.RS
.IP \(bu 4
Ctrl\-Z
.IP \(bu 4
Suspend (job control works in linux)
.RE
.IP \(bu 2
.RS
.IP \(bu 4
Ctrl\-H
.IP \(bu 4
Backward\-delete a character
.RE
.IP \(bu 2
.RS
.IP \(bu 4
Ctrl\-I
.IP \(bu 4
Complete, same as Tab
.RE
.IP \(bu 2
.RS
.IP \(bu 4
Meta\-B
.IP \(bu 4
Go backward one word
.RE
.IP \(bu 2
.RS
.IP \(bu 4
Meta\-C
.IP \(bu 4
Capitalize word
.RE
.IP \(bu 2
.RS
.IP \(bu 4
Meta\-D
.IP \(bu 4
Kill word
.RE
.IP \(bu 2
.RS
.IP \(bu 4
Meta\-F
.IP \(bu 4
Go forward one word
.RE
.IP \(bu 2
.RS
.IP \(bu 4
Meta\-L
.IP \(bu 4
Change word to lowercase
.RE
.IP \(bu 2
.RS
.IP \(bu 4
Meta\-U
.IP \(bu 4
Change word to uppercase
.RE
.IP \(bu 2
.RS
.IP \(bu 4
Meta\-Y
.IP \(bu 4
Yank\-pop
.RE
.IP \(bu 2
.RS
.IP \(bu 4
Meta\-Backspace
.IP \(bu 4
Backward\-kill word
.RE
.IP \(bu 2
.RS
.IP \(bu 4
Meta\-<
.IP \(bu 4
Retrieve the first command in command history
.RE
.IP \(bu 2
.RS
.IP \(bu 4
Meta\->
.IP \(bu 4
Retrieve the last command in command history
.RE
.RE
.SH USE
.PP
Typically users invoke the shell with the \fBmongo\f1\f1 command at
the system prompt. Consider the following examples for other
scenarios.
.SS CONNECT TO A MONGOD INSTANCE WITH ACCESS CONTROL
.PP
To connect to a database on a remote host using authentication and a
non\-standard port, use the following form:
.PP
.EX
mongo \-\-username <user> \-\-password \-\-host <host> \-\-port 28015
.EE
.PP
Alternatively, consider the following short form:
.PP
.EX
mongo \-u <user> \-p \-\-host <host> \-\-port 28015
.EE
.PP
Replace \fB<user>\f1 and \fB<host>\f1 with the appropriate values for your
situation and substitute or omit the \fB\-\-port\f1\f1 as
needed.
.PP
If you do not specify the password to the \fB\-\-password\f1\f1 or \fB\-p\f1\f1 command\-line option, the
\fBmongo\f1\f1 shell prompts for the password.
.SS CONNECT TO A REPLICA SET USING THE DNS SEEDLIST CONNECTION FORMAT
.PP
To connect to a replica set described using the
\fBDNS Seed List Connection Format\f1, use the \fB\-\-host\f1\f1 option
to specify the connection string to the \fBmongo\f1\f1 shell. In
the following example, the DNS configuration resembles:
.PP
.EX
Record TTL Class Priority Weight Port Target
_mongodb._tcp.server.example.com. 86400 IN SRV 0 5 27317 mongodb1.example.com.
_mongodb._tcp.server.example.com. 86400 IN SRV 0 5 27017 mongodb2.example.com.
.EE
.PP
The TXT record for the DNS entry includes the \fBreplicaSet\f1 and \fBauthSource\f1 options:
.PP
.EX
Record TTL Class Text
server.example.com. 86400 IN TXT "replicaSet=rs0&authSource=admin"
.EE
.PP
The following command then connects the \fBmongo\f1\f1 shell to
the replica set:
.PP
.EX
mongo \-\-host "mongodb+srv://server.example.com/?username=allison"
.EE
.PP
The \fBmongo\f1\f1 shell will automatically prompt you to provide
the password for the user specified in the \fBusername\f1 option.
.SS CONNECT TO A MONGODB ATLAS CLUSTER USING AWS IAM CREDENTIALS
.PP
To connect to a MongoDB Atlas (https://www.mongodb.com/cloud/atlas?tck=docs_server) cluster which
has been configured to support authentication via AWS IAM credentials (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_access\-keys.html),
provide a \fBconnection string\f1 to
the \fBmongo\f1\f1 shell similar to the following:
.PP
.EX
mongo \(aqmongodb+srv://<aws access key id>:<aws secret access key>@cluster0.example.com/testdb?authSource=$external&authMechanism=MONGODB\-AWS\(aq
.EE
.PP
Connecting to Atlas using AWS IAM credentials in this manner uses the
\fBMONGODB\-AWS\f1 \fBauthentication mechanism\f1\f1
and the \fB$external\f1 \fBauthSource\f1\f1, as shown in this example.
.PP
If using an AWS session token (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use\-resources.html)
as well, provide it with the \fBAWS_SESSION_TOKEN\f1
\fBauthMechanismProperties\f1\f1 value in your
\fBconnection string\f1, as follows:
.PP
.EX
mongo \(aqmongodb+srv://<aws access key id>:<aws secret access key>@cluster0.example.com/testdb?authSource=$external&authMechanism=MONGODB\-AWS&authMechanismProperties=AWS_SESSION_TOKEN:<aws session token>\(aq
.EE
.PP
If the AWS access key ID, secret access key, or session token include
the following characters:
.PP
.EX
: / ? # [ ] @
.EE
.PP
those characters must be converted using percent encoding (https://tools.ietf.org/html/rfc3986#section\-2.1)\&.
.PP
Alternatively, the AWS access key ID, and secret access key, and
optionally session token can each be provided outside of the connection
string using the \fB\-\-username\f1\f1, \fB\-\-password\f1\f1, and
\fB\-\-awsIamSessionToken\f1\f1 options instead, like so:
.PP
.EX
mongo \(aqmongodb+srv://cluster0.example.com/testdb?authSource=$external&authMechanism=MONGODB\-AWS\(aq \-\-username <aws access key id> \-\-password <aws secret access key> \-\-awsIamSessionToken <aws session token>
.EE
.PP
When provided as command line parameters, these three options do not
require percent encoding.
.PP
You may also set these credentials on your platform using standard
AWS IAM environment variables (https://docs.aws.amazon.com/cli/latest/userguide/cli\-configure\-envvars.html#envvars\-list)\&.
The \fBmongo\f1\f1 shell checks for the following environment
variables when you use the \fBMONGODB\-AWS\f1
\fBauthentication mechanism\f1\f1:
.RS
.IP \(bu 2
\fBAWS_ACCESS_KEY_ID\f1
.IP \(bu 2
\fBAWS_SECRET_ACCESS_KEY\f1
.IP \(bu 2
\fBAWS_SESSION_TOKEN\f1
.RE
.PP
If set, these credentials do not need to be specified in the connection
string or via the explicit options to the \fBmongo\f1\f1 shell
(i.e. \fB\-\-username\f1\f1 and \fB\-\-password\f1\f1).
.PP
The following example sets these environment variables in the \fBbash\f1
shell:
.PP
.EX
export AWS_ACCESS_KEY_ID=\(aq<aws access key id>\(aq
export AWS_SECRET_ACCESS_KEY=\(aq<aws secret access key>\(aq
export AWS_SESSION_TOKEN=\(aq<aws session token>\(aq
.EE
.PP
Syntax for setting environment variables in other shells will be
different. Consult the documentation for your platform for more
information.
.PP
You can verify that these environment variables have been set with the
following command:
.PP
.EX
env | grep AWS
.EE
.PP
Once set, the following example connects to a MongoDB Atlas cluster
using these environment variables:
.PP
.EX
mongo \(aqmongodb+srv://cluster0.example.com/testdb?authSource=$external&authMechanism=MONGODB\-AWS\(aq
.EE
.SS EXECUTE JAVASCRIPT AGAINST THE MONGO SHELL
.PP
To execute a JavaScript file without evaluating the ~/.mongorc.js
file before starting a shell session, use the following form:
.PP
.EX
mongo \-\-shell \-\-norc alternate\-environment.js
.EE
.PP
To execute a JavaScript file with authentication, with password prompted
rather than provided on the command\-line, use the following form:
.PP
.EX
mongo script\-file.js \-u <user> \-p
.EE
.PP
\fBisInteractive()\f1\f1
.SS USE --EVAL TO EXECUTE JAVASCRIPT CODE
.PP
You may use the \fB\-\-eval\f1\f1 option to execute
JavaScript directly from the command line.
.PP
For example, the following operation evaluates a JavaScript string
which queries a collection and prints the results as JSON.
.PP
On Linux and macOS, you will need to use single quotes (e.g. \fB\(aq\f1)
to enclose the JavaScript, using the following form:
.PP
.EX
mongo \-\-eval \(aqdb.collection.find().forEach(printjson)\(aq
.EE
.PP
On Windows, you will need to use double quotes (e.g. \fB"\f1)
to enclose the JavaScript, using the following form:
.PP
.EX
mongo \-\-eval "db.collection.find().forEach(printjson)"
.EE
.RS
.IP \(bu 2
\fBmongo\f1 Shell Quick Reference\f1
.IP \(bu 2
\fBmongosh\f1 Methods\f1
.IP \(bu 2
\fBLegacy mongo\f1 Shell\f1
.IP \(bu 2
\fBisInteractive()\f1\f1
.RE
Reference in New Issue View Git Blame Copy Permalink