Docs Home / mongosh / Reference

Options选项

Use the following options to view and control various aspects of your MongoDB Shell.使用以下选项查看和控制MongoDB Shell的各个方面。

General Options常规选项

--build-info

Returns a JSON-formatted document with information about your mongosh build and driver dependencies.返回一个JSON格式的文档,其中包含有关mongosh构建和驱动程序依赖关系的信息。

Example: View Build Information示例:查看构建信息

You can check the build information and driver dependencies of your mongosh binary by running the following command from your terminal:您可以通过在终端运行以下命令来检查mongosh二进制文件的构建信息和驱动程序依赖关系:

mongosh --build-info

This command returns the following JSON-formatted document:此命令返回以下JSON格式的文档:

{
  version: '1.10.1',
  distributionKind: 'packaged',
  buildArch: 'x64',
  buildPlatform: 'linux',
  buildTarget: 'unknown',
  buildTime: '2023-06-21T09:49:37.225Z',
  gitVersion: '05ad91b4dd40382a13f27abe1ae8c3f9f52a38f7',
  nodeVersion: 'v16.20.1',
  opensslVersion: '3.1.1',
  sharedOpenssl: true,
  runtimeArch: 'x64',
  runtimePlatform: 'darwin',
  deps: {
     nodeDriverVersion: '5.6.0'
   }
}
--eval <javascript>

Evaluates a JavaScript expression. You can use a single --eval argument or multiple --eval arguments together.计算JavaScript表达式。您可以同时使用单个--eval参数或多个--eval参数。

After mongosh evaluates the --eval argument, it prints the results to your command line. If you use multiple --eval statements, mongosh only prints the results of the last --eval.mongosh计算完--eval参数后,会将结果打印到命令行。如果您使用多个--eval语句,mongosh只会打印最后一个--eval语句的结果。

You can use the --json flag with --eval to return mongosh results in Extended JSON format. 您可以将--json标志与--eval一起使用,以扩展json格式返回mongosh结果。mongosh supports both --json=canonical and --json=relaxed modes. mongosh既支持--json=canonical模式,也支持--json=relaxed模式。If you omit the mode, mongosh defaults to the canonical mode. 如果省略模式,mongosh默认为canonical(规范)模式。The --json flag is mutually exclusive with --shell.--json标志与--shell是互斥的。

Example: Format Output示例:格式化输出

To get output suitable for automated parsing, use EJSON.stringify().要获得适合自动解析的输出,请使用EJSON.stringify()

mongosh --quiet  --host rs0/centos1104 --port 27500 \
        --eval "EJSON.stringify(rs.status().members.map( \
          m => ({'id':m._id, 'name':m.name, 'stateStr':m.stateStr})));" \
| jq

After parsing with jq, the output resembles this:jq解析后,输出如下:

[
  {
     "id": 0,
     "name": "centos1104:27500",
     "stateStr": "PRIMARY"
  },
  {
     "id": 1,
     "name": "centos1104:27502",
     "stateStr": "SECONDARY"
  },
  {
     "id": 2,
     "name": "centos1104:27503",
     "stateStr": "SECONDARY"
  }
]

Note

EJSON has built in formatting options which may eliminate the need for a parser like jq. For example, the following code produces output that is formatted the same as above.EJSON内置了格式化选项,可以消除对jq等解析器的需求。例如,以下代码生成的输出格式与上述相同。

mongosh --quiet  --host rs0/centos1104 --port 27500 \
        --eval "EJSON.stringify( rs.status().members.map( \
          ({ _id, name, stateStr }) => ({ _id, name, stateStr })), null, 2);"

Example: Multiple --eval Arguments示例:多个--eval参数

To get a list of collections in the moviesDatabase, use multiple --eval statements:要获取moviesDatabase中的集合列表,请使用多个--eval语句:

mongosh --quiet \
        --eval 'use moviesDatabase' \
        --eval 'show collections' \
        mongodb://localhost/

Example: --json Option示例:--json选项

To return statistics about a collection in Extended JSON format using multiple --eval statements:要使用多个--eval语句以扩展JSON格式返回有关集合的统计信息,请执行以下操作:

mongosh --quiet --json=relaxed \
        --eval 'use <database-name>' \
        --eval 'db.<collection>.stats()' \
        mongodb://localhost/
--file, -f <javascript>

Runs a script from the command line without entering the MongoDB Shell console.从命令行运行脚本,而无需进入MongoDB Shell控制台。

For additional details and an example, see Execute a Script From the Command Line.有关其他详细信息和示例,请参阅从命令行执行脚本

--help, -h

Returns information on the options and use of the MongoDB Shell.返回有关MongoDB Shell的选项和使用的信息。

--nodb

Prevents the shell from connecting to any database instances.阻止shell连接到任何数据库实例。

--no-quiet

Disables the default --quiet option mode for non-interactive shell sessions. When specified, mongosh displays all messages during startup.禁用非交互式shell会话的默认--quiet选项模式。指定后,mongosh将在启动期间显示所有消息。

--norc

Prevents the shell from sourcing and evaluating ~/.mongoshrc.js on startup.防止shell在启动时获取和评估~/.mongoshrc.js

--quiet

Skips all messages during startup (such as welcome messages and startup warnings) and goes directly to the prompt.在启动过程中跳过所有消息(如欢迎消息和启动警告),直接进入提示。

For non-interactive shell sessions, MongoDB enables --quiet by default. You can disable this behavior using --no-quiet.对于非交互式shell会话,MongoDB默认启用--quiet。您可以使用--no-quiet禁用此行为。

--skipStartupWarnings

Prevents mongosh from displaying server startup warnings when creating a session. To suppress all startup messages, use the --quiet option.防止mongosh在创建会话时显示服务器启动警告。要抑制所有启动消息,请使用--quiet选项。

--shell

Enables the shell interface. 启用shell界面。If you invoke the mongosh command and specify a JavaScript file as an argument, or use --eval to specify JavaScript on the command line, the --shell option provides the user with a shell prompt after the file finishes executing. 如果调用mongosh命令并指定一个JavaScript文件作为参数,或者在命令行上使用--eval指定JavaScript,则--shell选项会在文件执行完毕后为用户提供shell提示。The --shell flag is mutually exclusive with --json.--shell标志与--json是互斥的。

--verbose

Increases the verbosity of the shell output during the connection process and when running commands.在连接过程中和运行命令时增加shell输出的详细程度。

--version

Returns the MongoDB Shell release number.返回MongoDB Shell版本号。

Stable API Options稳定的API选项

--apiVersion <version number>

Specifies the apiVersion. "1" is currently the only supported value.指定apiVersion"1"是目前唯一支持的值。

--apiStrict

Specifies that the server will respond with APIStrictError if your application uses a command or behavior outside of the Stable API.指定如果应用程序使用Stable API之外的命令或行为,则服务器将使用APIStrictError进行响应。

If you specify --apiStrict, you must also specify --apiVersion.如果指定--apiStrict,则还必须指定--apiVersion

--apiDeprecationErrors

Specifies that the server will respond with APIDeprecationError if your application uses a command or behavior that is deprecated in the specified apiVersion.指定如果应用程序使用指定apiVersion中弃用的命令或行为,服务器将以APIDeprecationError响应。

If you specify --apiDeprecationErrors, you must also specify --apiVersion.如果指定--apiDeprecationErrors,则还必须指定--apiVersion

Connection Options连接选项

--host <hostname>

Specifies the name of the host machine where the mongod or mongos is running. If this is not specified, the MongoDB Shell attempts to connect to a MongoDB process running on the localhost.指定运行mongodmongos的主机的名称。如果未指定,MongoDB Shell将尝试连接到在本地主机上运行的MongoDB进程。

To connect to a replica set,为了连接到副本集,

Specify the replica set name and a seed list of set members. Use the following form:指定副本集名称和集成员的种子列表。使用以下表格:

<replSetName>/<hostname1><:port>,<hostname2><:port>,<...>
For TLS/SSL connections (--tls),对于TLS/SSL连接(--tls),
The MongoDB Shell verifies that the hostname (specified in the --host option or the connection string) matches the SAN (or, if SAN is not present, the CN) in the certificate presented by the mongod or mongos. MongoDB Shell验证主机名(在--host选项或连接字符串中指定)是否与mongodmongos提供的证书中的SAN(或者,如果SAN不存在,则为CN)匹配。If SAN is present, the MongoDB Shell does not match against the CN. If the hostname does not match the SAN (or CN), the MongoDB Shell shell fails to connect.如果存在SAN,则MongoDB Shell与CN不匹配。如果主机名与SAN(或CN)不匹配,MongoDB Shell Shell将无法连接。
For DNS seedlist connections,对于DNS种子列表连接

Specify the connection protocol as mongodb+srv, followed by the DNS SRV hostname record and any options. 将连接协议指定为mongodb+srv,然后指定DNS srv主机名记录和任何选项。The authSource and replicaSet options, if included in the connection string, overrides any corresponding DNS-configured options set in the TXT record. authSourcereplicaSet选项(如果包含在连接字符串中)会覆盖TXT记录中设置的任何相应的DNS配置选项。Use of the mongodb+srv: connection string implicitly enables TLS / SSL (normally set with tls=true) for the client connection. 使用mongodb+srv:连接字符串隐式地为客户端连接启用TLS/SSL(通常设置为TLS=true)。The TLS option can be turned off by setting tls=false in the query string.可以通过在查询字符串中设置tls=false来关闭TLS选项。

Example示例

mongodb+srv://server.example.com/?connectionTimeoutMS=3000
--port <port>

Specifies the port where the mongod or mongos instance is listening. 指定mongodmongos实例正在侦听的端口。If --port is not specified, the MongoDB Shell attempts to connect to port 27017.如果未指定--port,MongoDB Shell将尝试连接到端口27017

TLS OptionsTLS选项

--tls

Enables connection to a mongod or mongos that has TLS / SSL support enabled.启用与启用了TLS/SSL支持的mongodmongos的连接。

To learn more about TLS/SSL and MongoDB, see:要了解有关TLS/SSL和MongoDB的更多信息,请参阅:

--tlsCertificateKeyFile <filename>

Specifies the .pem file that contains both the TLS / SSL certificate and key for mongosh. Specify the file name of the .pem file using relative or absolute paths.指定包含mongosh的TLS/SSL证书和键的.pem文件。使用相对或绝对路径指定.pem文件的文件名。

This option is required when using the --tls option to connect to a mongod or mongos instance that requires client certificates. That is, the MongoDB Shell presents this certificate to the server.当使用--tls选项连接到需要客户端证书mongodmongos实例时,此选项是必需的。也就是说,MongoDB Shell将此证书呈现给服务器。

Note

Starting in version 4.4, mongod / mongos logs a warning on connection if the presented X.509 certificate expires within 30 days of the mongod/mongos host system time.从4.4版本开始,如果提供的X.509证书在mongod/mongos主机系统时间后30天内到期,mongod/mongos会在连接时记录警告。

To learn more about TLS/SSL and MongoDB, see:要了解有关TLS/SSL和MongoDB的更多信息,请参阅:

--tlsCertificateKeyFilePassword <value>

Specifies the password to de-crypt the certificate-key file (i.e. --tlsCertificateKeyFile).指定解密证书键文件的密码(即--tlsCertificateKeyFile)。

Use the --tlsCertificateKeyFilePassword option only if the certificate-key file is encrypted. In all cases, the MongoDB Shell redacts the password from all logging and reporting output.仅当证书键文件已加密时,才使用--tlsCertificateKeyFilePassword选项。在所有情况下,MongoDB Shell都会从所有日志和报告输出中编辑密码。

If the private key in the PEM file is encrypted and you do not specify the --tlsCertificateKeyFilePassword option; the MongoDB Shell prompts for a passphrase.如果PEM文件中的私钥是加密的,并且您没有指定--tlsCertificateKeyFilePassword选项;MongoDB Shell会提示输入密码。

See TLS/SSL Certificate Passphrase.请参阅TLS/SSL证书密码

To learn more about TLS/SSL and MongoDB, see:要了解有关TLS/SSL和MongoDB的更多信息,请参阅:

--tlsCAFile <filename>

Specifies the .pem file that contains the root certificate chain from the Certificate Authority. 指定包含来自证书颁发机构的根证书链的.pem文件。This file is used to validate the certificate presented by the mongod / mongos instance.此文件用于验证mongod/mongos实例提供的证书。

Specify the file name of the .pem file using relative or absolute paths.使用相对或绝对路径指定.pem文件的文件名。

To learn more about TLS/SSL and MongoDB, see:要了解有关TLS/SSL和MongoDB的更多信息,请参阅:

--tlsCRLFile <filename>

Specifies the .pem file that contains the Certificate Revocation List. Specify the file name of the .pem file using relative or absolute paths.指定包含证书吊销列表的.pem文件。使用相对或绝对路径指定.pem文件的文件名。

To learn more about TLS/SSL and MongoDB, see:要了解有关TLS/SSL和MongoDB的更多信息,请参阅:

--tlsAllowInvalidHostnames

Disables the validation of the hostnames in the certificate presented by the mongod / mongos instance. 禁用mongod/mongos实例提供的证书中主机名的验证。Allows the MongoDB Shell to connect to MongoDB instances even if the hostname in the server certificates do not match the server's host.允许MongoDB Shell连接到MongoDB实例,即使服务器证书中的主机名与服务器的主机不匹配。

To learn more about TLS/SSL and MongoDB, see:要了解有关TLS/SSL和MongoDB的更多信息,请参阅:

--tlsAllowInvalidCertificates

New in version 4.2.在版本4.2中新增。

Bypasses the validation checks for the certificates presented by the mongod / mongos instance and allows connections to servers that present invalid certificates.绕过mongod/mongos实例提供的证书的验证检查,并允许连接到提供无效证书的服务器。

Note

Starting in MongoDB 4.0, if you specify --tlsAllowInvalidCertificates when using x.509 authentication, an invalid certificate is only sufficient to establish a TLS / SSL connection but is insufficient for authentication.从MongoDB 4.0开始,如果在使用x.509身份验证时指定--tlsAllowInvalidCertificates,则无效证书仅足以建立TLS/SSL连接,但不足以进行身份验证。

Warning

Although available, avoid using the --tlsAllowInvalidCertificates option if possible. If the use of --tlsAllowInvalidCertificates is necessary, only use the option on systems where intrusion is not possible.虽然可用,但如果可能的话,请避免使用--tlsAllowInvalidCertificates选项。如果需要使用--tlsAllowInvalidCertificates,请仅在不可能发生入侵的系统上使用该选项。

If the MongoDB Shell shell (and other MongoDB Tools) runs with the --tlsAllowInvalidCertificates option, the shell (and other MongoDB Tools) do not attempt to validate the server certificates. 如果MongoDB Shell Shell(和其他MongoDB工具)使用--tlsAllowInvalidCertificates选项运行,则Shell(和其它MongoDB工具)不会尝试验证服务器证书。This creates a vulnerability to expired mongod and mongos certificates as well as to foreign processes posing as valid mongod or mongos instances. 这为过期的mongodmongos证书以及冒充有效mongodmongos实例的外部进程创建了一个漏洞。If you only need to disable the validation of the hostname in the TLS / SSL certificates, see --tlsAllowInvalidHostnames.如果只需要禁用TLS/SSL证书中的主机名验证,请参阅--tlsAllowInvalidHostnames

To learn more about TLS/SSL and MongoDB, see:要了解有关TLS/SSL和MongoDB的更多信息,请参阅:

--tlsCertificateSelector <parameter>=<value>

Available on Windows and macOS as an alternative to --tlsCertificateKeyFile.可在Windows和macOS上作为--tlsCertificateKeyFile的替代方案。

Important

Windows and Importing Private KeysWindows和导入私钥

When you import your private key, you must mark it as exportable. The Windows Certificate Import Wizard doesn't check this option by default.导入私钥时,必须将其标记为可导出。默认情况下,Windows“证书导入向导”不选中此选项。

Microsoft Certificate Import Wizard where the key marked as exportable

The --tlsCertificateKeyFile and --tlsCertificateSelector options are mutually exclusive. You can only specify one.--tlsCertificateKeyFile--tlsCertificateSelector选项是互斥的。您只能指定一个。

Specifies a certificate property in order to select a matching certificate from the operating system's certificate store.指定证书属性,以便从操作系统的证书存储中选择匹配的证书。

--tlsCertificateSelector accepts an argument of the format <property>=<value> where the property can be one of the following:接受格式为<property>=<value>的参数,其中属性可以是以下之一:

Property属性Value type值类型Description描述
subjectASCII stringASCII字符串Subject name or common name on certificate证书上的主题名称或通用名称
thumbprinthex string

A sequence of bytes, expressed as hexadecimal, used to identify a public key by its SHA-1 digest.以十六进制表示的字节序列,用于通过SHA-1摘要标识公钥。

The thumbprint is sometimes referred to as a fingerprint.thumbprint有时被称为fingerprint

When using the system SSL certificate store, OCSP (Online Certificate Status Protocol) is used to validate the revocation status of certificates.使用系统SSL证书存储时,OCSP(在线证书状态协议)用于验证证书的吊销状态。

Note

Starting in version 4.4, mongod / mongos logs a warning on connection if the presented X.509 certificate expires within 30 days of the mongod/mongos host system time.从4.4版本开始,如果提供的X.509证书在mongod/mongos主机系统时间后30天内到期,mongod/mongos会在连接时记录警告。

--tlsDisabledProtocols <string>

Disables the specified TLS protocols. The option recognizes the following protocols:禁用指定的TLS协议。该选项可识别以下协议:

  • TLS1_0
  • TLS1_1
  • TLS1_2
  • (Starting in version 4.0.4, 3.6.9, 3.4.24)(从4.0.4、3.6.9、3.4.24版本开始) TLS1_3
  • On macOS, you cannot disable TLS1_1 and leave both TLS1_0 and TLS1_2 enabled. You must also disable at least one of the other two; for example, TLS1_0,TLS1_1.在macOS上,您无法禁用TLS1_1并同时启用TLS1_0TLS1_2。您还必须禁用其他两个选项中的至少一个;例如,TLS1_0TLS1_1
  • To list multiple protocols, specify as a comma separated list of protocols. For example TLS1_0,TLS1_1.要列出多个协议,请指定为逗号分隔的协议列表。例如TLS1_0,TLS1_1
  • The specified disabled protocols overrides any default disabled protocols.指定的禁用协议会覆盖任何默认禁用协议。

Starting in version 4.0, MongoDB disables the use of TLS 1.0 if TLS 1.1+ is available on the system. 从4.0版本开始,如果系统上有TLS 1.1+可用,MongoDB将禁用TLS 1.0。To enable the disabled TLS 1.0, specify none to --tlsDisabledProtocols.要启用已禁用的TLS 1.0,请在--tlsDisabledProtocols中指定none

--tlsUseSystemCA

Allows mongosh to load TLS certificates already available to the operating system's certificate authority without explicitly specifying the certificates to the shell. You cannot turn off this behavior. 允许mongosh加载操作系统证书颁发机构已经可用的TLS证书,而无需向shell明确指定证书。您无法关闭此行为。--tlsUseSystemCA can still be set for backward compatibility, but it has no effect.仍然可以设置为向后兼容性,但它没有效果。

Note

This flag applies to both MongoDB connections and OIDC identity provider connections.此标志适用于MongoDB连接和OIDC身份提供程序连接。

Authentication Options身份验证选项

--authenticationDatabase <dbname>

Specifies the authentication database where the specified --username has been created. See Authentication Database.指定创建指定--username的身份验证数据库。请参阅身份验证数据库

If you do not specify a value for --authenticationDatabase, the MongoDB Shell uses the database specified in the connection string.如果不为--authenticationDatabase指定值,MongoDB Shell将使用连接字符串中指定的数据库。

--authenticationMechanism <name>

Specifies the authentication mechanism the MongoDB Shell uses to authenticate to the mongod or mongos. 指定MongoDB Shell用于向mongodmongos进行身份验证的身份验证机制。If you don't specify an authenticationMechanism but provide user credentials, the MongoDB Shell and drivers attempt to use SCRAM-SHA-256. If this fails, they fall back to SCRAM-SHA-1.如果你不指定authenticationMechanism(身份验证机制),但提供用户凭据,MongoDB Shell和驱动程序会尝试使用SCRAM-SHA-256。如果失败,它们将退回到SCRAM-SHA-1。

ValueDescription描述
SCRAM-SHA-1RFC 5802 standard Salted Challenge Response Authentication Mechanism using the SHA-1 hash function.使用SHA-1哈希函数的标准Salted Challenge Response认证机制。
SCRAM-SHA-256

RFC 7677 standard Salted Challenge Response Authentication Mechanism using the SHA-256 hash function.使用SHA-256哈希函数的标准Salted Challenge Response认证机制。

Requires featureCompatibilityVersion set to 4.0.

MONGODB-X509MongoDB TLS / SSL certificate authentication.证书认证。
GSSAPI (Kerberos)External authentication using Kerberos. This mechanism is available only in MongoDB Enterprise.使用Kerberos的外部身份验证。此机制仅在MongoDB Enterprise中可用。
PLAIN (LDAP SASL)External authentication using LDAP. You can also use PLAIN for authenticating in-database users. 使用LDAP进行外部身份验证。您还可以使用PLAIN对数据库中的用户进行身份验证。PLAIN transmits passwords in plain text. This mechanism is available in MongoDB Enterprise and MongoDB Atlas.PLAIN以纯文本形式传输密码。此机制在MongoDB企业版MongoDB Atlas中可用。
MONGODB-OIDC (OpenID Connect)External authentication using OpenID Connect. This mechanism is available in MongoDB Enterprise and MongoDB Atlas.使用OpenID Connect进行外部身份验证。此机制在MongoDB企业版MongoDB Atlas中可用。
MONGODB-AWS (AWS IAM)External authentication using Amazon Web Services Identity and Access Management (AWS IAM) credentials. This mechanism is available in MongoDB Enterprise and MongoDB Atlas.使用Amazon Web Services身份和访问管理(AWS IAM)凭据进行外部身份验证。此机制在MongoDB企业版MongoDB Atlas中可用。
--gssapiServiceName

Specify the name of the service using GSSAPI/Kerberos. Only required if the service does not use the default name of mongodb.使用GSSAPI/Kerberos指定服务的名称。仅当服务不使用默认名称mongodb时才需要。

This option is available only in MongoDB Enterprise.此选项仅在MongoDB Enterprise中可用。

--sspiHostnameCanonicalization <string>

Specifies whether or not to use Hostname Canonicalization.指定是否使用主机名规范化。

--sspiHostnameCanonicalization has the same effect as setting the CANONICALIZE_HOST_NAME:true|false key-pair in the authMechanismProperties portion of the connection string.与在连接字符串authMechanismProperties部分设置CANONICALIZE_HOST_NAME:true|false键对具有相同的效果。

If --sspiHostnameCanonicalization is set to:如果--sspiHostnameCanonicalization设置为:

  • forwardAndReverse, performs a forward DNS lookup and then a reverse lookup. New in mongosh 1.3.0.,执行正向DNS查找,然后执行反向查找。mongosh1.3.0版新增。
  • forward, the effect is the same as setting authMechanismProperties=CANONICALIZE_HOST_NAME:true.,效果与设置authMechanismProperties=CANONICALIZE_HOST_NAME:true相同。
  • none, the effect is the same as setting authMechanismProperties=CANONICALIZE_HOST_NAME:false.,效果与设置authMechanismProperties=CANONICALIZE_HOST_NAME:false相同。
--oidcFlows

Specifies OpenID Connect flows in a comma-separated list. The OpenID Connect flows specify how mongosh interacts with the identity provider for the authentication process. 以逗号分隔的列表指定OpenID连接流。OpenID连接流指定mongosh如何与身份提供者交互以进行身份验证过程。mongosh supports the following OpenID Connect flows:支持以下OpenID连接流:

OpenID Connect Flow连接流量Description描述
auth-codeDefault. mongosh opens a browser and redirects you to the identity provider log-in screen.违约。mongosh打开浏览器,将您重定向到身份提供者登录屏幕。
device-authmongosh provides you with a URL and code to finish authentication. This is considered a less secure OpenID Connect flow but can be used when mongosh is run in an environment in which it cannot open a browser.mongosh为您提供了一个URL和代码来完成身份验证。这被认为是一个不太安全的OpenID连接流,但可以在mongosh无法打开浏览器的环境中运行时使用。

To set device-auth as a fallback option to auth-code, see the following example:要将device-auth(设备身份验证)设置为auth-code(身份验证代码)的回退选项,请参阅以下示例:

mongosh 'mongodb://localhost/' --authenticationMechanism MONGODB-OIDC --oidcFlows=auth-code,device-auth
--oidcDumpTokens

Specifies whether mongosh prints tokens with extra debugging information. Use this option for debugging purposes only.指定mongosh是否打印带有额外调试信息的令牌。此选项仅用于调试目的。

The --oidcDumpTokens option accepts the following values:--oidcDumpTokens选项接受以下值:

ValueDescription描述
redactedDefault when you only set --oidcDumpTokens. Prints token debugging information with sensitive data redacted.仅设置--oidcDumpTokens时的默认值。打印带有已编辑敏感数据的令牌调试信息。
include-secretsPrints token debugging information including credentials that can potentially authenticate to database servers.打印令牌调试信息,包括可能向数据库服务器进行身份验证的凭据。

Important

The include-secrets value exposes credentials that attackers can use for authentication. Only use this option when unauthorized people cannot view the output of mongosh and the credentials are necessary for diagnostic purposes.include-secrets值暴露了攻击者可用于身份验证的凭据。仅当未经授权的人员无法查看mongosh的输出,并且出于诊断目的需要凭据时,才使用此选项。

--oidcIdTokenAsAccessToken

Specifies whether mongosh uses the ID token received from the identity provider instead of the access token. Use this option with identity providers that you can't configure to provide JWT access tokens.指定mongosh是否使用从身份提供程序收到的ID令牌而不是访问令牌。对于无法配置为提供JWT访问令牌的身份提供程序,请使用此选项。

--oidcNoNonce

By default, mongosh sends a nonce parameter during the OIDC Authorization Code Flow.默认情况下,mongoshOIDC授权代码流期间发送nonce参数。

If you set the --oidcNoNonce option, mongosh does not send a nonce parameter. Use this option if your identity provider does not support nonce values as part of authorization.如果设置了--oidcNoNonce选项,mongosh不会发送nonce参数。如果身份提供者不支持随机数值作为授权的一部分,请使用此选项。

--oidcRedirectUri

Specifies a URI where the identity provider redirects you after authentication. The URI must match the configuration of the identity provider. The default is http://localhost:27097/redirect.指定身份验证后身份提供程序重定向URI。URI必须与身份提供程序的配置匹配。默认值为http://localhost:27097/redirect

--oidcTrustedEndpoint

Indicates that the current connection is to a trusted endpoint that is not Atlas or localhost. This ensures that access tokens are sent to the server. 表示当前连接到的受信任端点不是Atlas或localhost。这确保了访问令牌被发送到服务器。Only use this option when connecting to servers that you trust.仅在连接到您信任的服务器时使用此选项。

--browser

Specifies the browser mongosh redirects you to when MONGODB-OIDC is enabled.指定启用MONGODB-OIDC时浏览器mongosh将您重定向到的位置。

This option is run with the system shell.此选项与系统shell一起运行。

Set --no-browser to disable opening browsers entirely.设置--no-browser以完全禁用打开浏览器。

--password <password>, -p <password>

Specifies a password with which to authenticate to a MongoDB database that uses authentication. Use in conjunction with the --username and --authenticationDatabase options.指定用于向使用身份验证的MongoDB数据库进行身份验证的密码。与--username--authenticationDatabase选项结合使用。

To force the MongoDB Shell to prompt for a password, enter the --password option as the last option and leave out the argument.要强制MongoDB Shell提示输入密码,请输入--password选项作为最后一个选项,并省略参数。

--username <username>, -u <username>

Specifies a username with which to authenticate to a MongoDB database that uses authentication. Use in conjunction with the --password and --authenticationDatabase options.指定用于向使用身份验证的MongoDB数据库进行身份验证的用户名。与--password--authenticationDatabase选项结合使用。

Session Options会话选项

--retryWrites

Enables Retryable Writes.启用可重试写入

By default, retryable writes are:默认情况下,可重试的写入操作包括:

  • enabled in mongoshmongosh中启用
  • disabled in the legacy mongo shell在遗留的mongoshell中禁用

To disable retryable writes, use --retryWrites=false.要禁用可重试写入,请使用--retryWrites=false

For more information on sessions, see Client Sessions and Causal Consistency Guarantees.有关会话的更多信息,请参阅客户端会话和因果一致性保证

Field Level Encryption Options字段级加密选项

--cryptSharedLibPath <string>

New in version 8.2.在版本8.2中新增。

The path to the Automatic Encryption Shared Library. The library must be version 8.2.0 or higher. Required to use automatic encryption for the mongosh shell session.自动加密共享库的路径。库必须是8.2.0或更高版本。需要对mongosh shell会话使用自动加密。

--awsAccessKeyId <string>

An AWS Access Key associated with an IAM user who has List and Read permissions for the AWS Key Management Service (KMS). 与具有AWS键管理服务(KMS)ListRead权限的IAM用户关联的AWS访问键mongosh uses the specified --awsAccessKeyId to access the KMS.mongosh使用指定的--awsAccessKeyId访问KMS。

--awsAccessKeyId is required to enable Client-Side Field Level Encryption for the mongosh shell session. --awsAccessKeyId requires both of the following command line options:--awsAccessKeyId是为mongosh shell会话启用客户端字段级加密所必需的。--awsAccessKeyId需要以下两个命令行选项:

If --awsAccessKeyId is omitted, use the Mongo() constructor within the shell session to enable client-side field level encryption.如果省略--awsAccessKeyId,请在shell会话中使用Mongo()构造函数来启用客户端字段级加密。

To mitigate the risk of leaking access keys into logs, consider specifying an environmental variable to --awsAccessKeyId.为了降低将访问键泄漏到日志中的风险,请考虑将环境变量指定为--awsAccessKeyId

--awsSecretAccessKey <string>

An AWS Secret Key associated to the specified --awsAccessKeyId.AWS Secret Key关联到指定的--awsAccessKeyId

--awsSecretAccessKey is required to enable Client-Side Field Level Encryption for the mongosh session. --awsSecretAccessKey requires both of the following command line options:--awsSecretAccessKey是为mongosh会话启用客户端字段级加密所必需的。--awsSecretAccessKey需要以下两个命令行选项:

If --awsSecretAccessKey and its supporting options are omitted, use Mongo() within the shell session to enable client-side field level encryption.如果省略了--awsSecretAccessKey及其支持选项,请在shell会话中使用Mongo()启用客户端字段级加密。

To mitigate the risk of leaking access keys into logs, consider specifying an environmental variable to --awsSecretAccessKey.为了降低访问键泄露到日志中的风险,可以考虑为--awsSecretAccessKey指定一个环境变量。

--awsSessionToken <string>

An AWS Session Token associated to the specified --awsAccessKeyId.与指定的--awsAccessKeyId关联的AWS会话令牌

--awsSessionToken is required to enable Client-Side Field Level Encryption for the mongosh shell session. --awsSessionToken是为mongosh shell会话启用客户端字段级加密所必需的。--awsSessionToken requires all of the following command line options:需要以下所有命令行选项:

If --awsSessionToken and its supporting options are omitted, use Mongo() within the shell session to enable client-side field level encryption.如果省略了--awsSessionToken及其支持选项,请在shell会话中使用Mongo()启用客户端字段级加密。

To mitigate the risk of leaking access keys into logs, consider specifying an environmental variable to --awsSessionToken.为了降低访问键泄露到日志中的风险,可以考虑为--awsSessionToken指定一个环境变量。

--keyVaultNamespace <string>

The full namespace (<database>.<collection>) of the collection used as a key vault for Client-Side Field Level Encryption. 用作客户端字段级加密键库的集合的完整命名空间(<database>.<collection>)。--keyVaultNamespace is required for enabling client-side field level encryption for the mongosh shell session. --keyVaultNamespace是为mongosh shell会话启用客户端字段级加密所必需的。mongosh creates the specified namespace if it does not exist.如果指定的命名空间不存在,mongosh会创建它。

--keyVaultNamespace requires both of the following command line options:--keyVaultNamespace需要以下两个命令行选项:

If --keyVaultNamespace and its supporting options are omitted, use the Mongo() constructor within the shell session to enable client-side field level encryption.如果省略了--keyVaultNamespace及其支持选项,请在shell会话中使用Mongo()构造函数来启用客户端字段级加密。