Overview
The Generic Security Services API (GSSAPI) authentication mechanism allows you to use your principal name to authenticate to a Kerberos service. You can use this mechanism only when authenticating to MongoDB Enterprise Advanced.
Specify Kerberos (GSSAPI) Authentication
Note
The Node.js driver supports Kerberos on UNIX using the MIT Kerberos library and on Windows using the SSPI API.
The GSSAPI authentication mechanism uses your user principal to authenticate to a Kerberos service.
You can specify this authentication mechanism by performing the following actions while specifying options on your connection string:
- Set the authMechanism parameter to GSSAPI.
- Set the SERVICE_NAME value in the authMechanismProperties parameter if using a value other than mongodb.
- Specify a SERVICE_REALM value in the authMechanismProperties parameter if a custom service realm is required.
- Specify a CANONICALIZE_HOST_NAME value in the authMechanismProperties parameter if canonicalization of the hostname is required. This property accepts the following values:
  - none: (Default) Does not perform hostname canonicalization
  - forward: Performs a forward DNS lookup to canonicalize the hostname
  - forwardAndReverse: Performs a forward DNS lookup and then a reverse lookup on that value to canonicalize the hostname
Important
The gssapiServiceName parameter is deprecated and may be removed in future versions of the driver. Use authMechanismProperties=SERVICE_NAME:<your service name> in the connection URI instead.
To learn more about the authentication options for a connection string, see the Authentication Options section of the Connection String Options reference in the Server Manual.
The following code example authenticates to Kerberos for UNIX using GSSAPI.
Important
Always URI encode the principal using the encodeURIComponent method to ensure it is correctly parsed.
const { MongoClient } = require("mongodb");

// Replace the placeholder values with the values for your environment in the following lines
const clusterUrl = "<cluster_url>";
const principal = encodeURIComponent("<Kerberos principal and realm>");
const serviceRealm = "<Kerberos service realm>";
const canonicalizationSetting = "<canonicalization setting>";
const authMechanismProperties = `SERVICE_REALM:${serviceRealm},CANONICALIZE_HOST_NAME:${canonicalizationSetting}`;
const authMechanism = "GSSAPI";

// Connection URI
const uri = `mongodb+srv://${principal}@${clusterUrl}/?authMechanism=${authMechanism}&authMechanismProperties=${authMechanismProperties}`;
const client = new MongoClient(uri);

// Function to connect to the server
async function run() {
  try {
    // Establish and verify connection
    await client.db("admin").command({ ping: 1 });
    console.log("Connected successfully to server");
  } finally {
    // Ensures that the client will close when you finish/error
    await client.close();
  }
}
run().catch(console.dir);
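The URI-encoding advice and the CANONICALIZE_HOST_NAME values above, as an added example that is not part of the original page or the driver's own code: it builds the GSSAPI URI from validated parts and shows how a generic WHATWG URL parser splits an encoded and an unencoded principal. The helpers buildGssapiUri and principalAndHost, the SAFE_VALUE character set, and all sample values are assumptions constructed for illustration.

```javascript
// Added example: buildGssapiUri and principalAndHost are hypothetical helpers,
// not part of the MongoDB Node.js driver API.
const CANONICALIZE_VALUES = ["none", "forward", "forwardAndReverse"];
// Assumption: property values are limited to a conservative character set so
// they cannot contain the ":" "," "&" or "#" delimiters of the URI.
const SAFE_VALUE = /^[A-Za-z0-9._-]+$/;

function buildGssapiUri({ principal, clusterUrl, serviceName, serviceRealm,
                          canonicalize = "none" }) {
  if (!CANONICALIZE_VALUES.includes(canonicalize)) {
    throw new RangeError(`CANONICALIZE_HOST_NAME must be one of ${CANONICALIZE_VALUES.join(", ")}`);
  }
  const props = [];
  // SERVICE_NAME is only needed when it differs from the default "mongodb".
  if (serviceName && serviceName !== "mongodb") props.push(["SERVICE_NAME", serviceName]);
  if (serviceRealm) props.push(["SERVICE_REALM", serviceRealm]);
  props.push(["CANONICALIZE_HOST_NAME", canonicalize]);
  for (const [key, value] of props) {
    if (!SAFE_VALUE.test(value)) throw new TypeError(`${key} contains unsupported characters`);
  }
  const propString = props.map(([key, value]) => `${key}:${value}`).join(",");
  // encodeURIComponent turns "@" and "/" in the principal into %40 and %2F.
  return `mongodb+srv://${encodeURIComponent(principal)}@${clusterUrl}/` +
    `?authMechanism=GSSAPI&authMechanismProperties=${propString}`;
}

// Shows how a generic WHATWG URL parser splits a URI into user and host.
function principalAndHost(uri) {
  const parsed = new URL(uri);
  return { principal: decodeURIComponent(parsed.username), host: parsed.hostname };
}

// Constructed sample values (not from the original page).
const sample = {
  principal: "alice/admin@EXAMPLE.COM",
  clusterUrl: "cluster0.example.com",
  serviceRealm: "EXAMPLE.COM",
  canonicalize: "forward",
};
const encodedUri = buildGssapiUri(sample);
const rawUri = `mongodb+srv://${sample.principal}@${sample.clusterUrl}/?authMechanism=GSSAPI`;

console.log(encodedUri);
console.log(principalAndHost(encodedUri)); // principal and host recovered intact
console.log(principalAndHost(rawUri));     // "/" ends the authority early: host is "alice"
```

A principal with an instance component (the "/" in the sample) is the case where skipping the encoding changes which host the URI names, so it is worth checking the parsed host before connecting.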
Note
The method refers to the GSSAPI authentication mechanism instead of Kerberos because the driver authenticates through GSSAPI RFC-4652, the SASL mechanism.
API Documentation
To learn more about any of the methods or types discussed on this page, see the following API documentation: