翻译或纠错本页面

• 安全 >
• 认证

认证

Authentication is the process of verifying the identity of a client. When access control, i.e. authorization, is enabled, MongoDB requires all clients to authenticate themselves in order to determine their access.

Although authentication and authorization are closely connected, authentication is distinct from authorization. Authentication verifies the identity of a user; authorization determines the verified user’s access to resources and operations.

Authentication Methods

参见:doc:/tutorial/generate-key-file 如何生成密钥文件并且开启使用密钥文件认证成员。例如使用密钥文件进行分片集认证。参见 /tutorial/enable-authentication-in-sharded-cluster。

For the mongo shell and the MongoDB tools, you can also authenticate a user by passing in the user authentication information from the command line.

在分片集中，应用程序可以直接使用:term:config servers <config server>`服务器``admin``数据库中的用户身份凭证向 :program:`mongos 实例认证。分片集中的分片也存有用户身份凭证，客户端在维护服务器时可以直接向分片认证。一般来讲，应用程序或者客户端应该通过:program:`mongos`连接到分片集。

在之前版本里，用户向一个集中的数据库认证的身份凭证是存在该数据库的 primary shard 里。

MongoDB supports multiple authentication mechanisms:

• SCRAM-SHA-1

• MongoDB Challenge and Response (MONGODB-CR)

  在 3.0 版更改: 你可以使用本地主机例外在系统中建立第一个用户。在被开启时，本地主机例外允许所有来自本地主机接口的所有连接都对该实例有完全的访问权限。本地主机例外只有在MongoDB实例中没有任何用户时才适用。

• x.509 Certificate Authentication.

In addition to supporting the aforementioned mechanisms, MongoDB Enterprise also supports the following mechanisms:

• LDAP proxy authentication, and
• Kerberos authentication.

Internal Authentication

In addition to verifying the identity of a client, MongoDB can require members of replica sets and sharded clusters to authenticate their membership to their respective replica set or sharded cluster. See Internal Authentication for more information.

Authentication on Sharded Clusters

In sharded clusters, clients generally authenticate directly to the mongos instances. However, some maintenance operations may require authenticating directly to a specific shard. For more information on authentication and sharded clusters, see Sharded Cluster Users.

• Users
  • Add Users
• Authentication Mechanisms
  • SCRAM-SHA-1
  • MONGODB-CR
  • x.509
    • Use x.509 Certificates to Authenticate Clients
• Enterprise Authentication Mechanisms
  • Kerberos Authentication
    • Configure MongoDB with Kerberos Authentication on Linux
    • Configure MongoDB with Kerberos Authentication on Windows
    • Troubleshoot Kerberos Authentication
    • Configure MongoDB with Kerberos Authentication and Active Directory Authorization
  • LDAP Proxy Authentication
    • Authenticate Using SASL and LDAP with ActiveDirectory
    • Authenticate Using SASL and LDAP with OpenLDAP
    • Authenticate and Authorize Users Using Active Directory via Native LDAP
  • LDAP Authorization
• Internal Authentication
  • Enforce Keyfile Access Control in a Replica Set
  • Enforce Keyfile Access Control in a Replica Set without Downtime
  • 使用Keyfile存取控制部署复制集
  • Enforce Keyfile Access Control in Sharded Cluster
  • Deploy Sharded Cluster with Keyfile Access Control
  • Use x.509 Certificate for Membership Authentication
  • Upgrade from Keyfile Authentication to x.509 Authentication

←   Security Checklist Users  →

© MongoDB, Inc 2008-2017. MongoDB, Mongo, and the leaf logo are registered trademarks of MongoDB, Inc.