Kerberos Authentication


Overview

MongoDB Enterprise provides support for Kerberos authentication of MongoDB clients to mongod and mongos instances. Kerberos is an industry standard authentication protocol for large client/server systems. Kerberos allows MongoDB and applications to take advantage of existing authentication infrastructure and processes. MongoDB Enterprise only supports the MIT implementation of Kerberos.

Kerberos Components and MongoDB

Principals

In a Kerberos-based system, every participant in the authenticated communication is known as a "principal", and every principal must have a unique name.

Principals belong to administrative units called realms. For each realm, the Kerberos Key Distribution Center (KDC) maintains a database of the realm's principals and the principals' associated "secret keys".

For client-server authentication, the client requests from the KDC a "ticket" for access to a specific asset. The KDC uses the client's secret and the server's secret to construct the ticket, which allows the client and server to mutually authenticate each other while keeping the secrets hidden.

For the configuration of MongoDB for Kerberos support, two kinds of principal names are of interest: user principals and service principals.

User Principal

To authenticate using Kerberos, you must add the Kerberos user principals to MongoDB in the $external database. User principal names have the form:

<username>@<KERBEROS REALM>

For every user you want to authenticate using Kerberos, you must create a corresponding user in MongoDB in the $external database.

To use Client Sessions and Causal Consistency Guarantees with $external authentication users (Kerberos, LDAP, or x.509 users), usernames cannot be greater than 10k bytes.

For examples of adding a user to MongoDB as well as authenticating as that user, see Configure MongoDB with Kerberos Authentication on Linux and Configure MongoDB with Kerberos Authentication on Windows.

Tip

See also Manage Users and Roles for general information regarding creating and managing users in MongoDB.

Service Principal

Every MongoDB mongod and mongos instance (or mongod.exe or mongos.exe on Windows) must have an associated service principal. Service principal names have the form:

<service>/<fully qualified domain name>@<KERBEROS REALM>

For MongoDB, the <service> defaults to mongodb. For example, if m1.example.com is a MongoDB server, and example.com maintains the EXAMPLE.COM Kerberos realm, then m1 should have the service principal name mongodb/m1.example.com@EXAMPLE.COM.

To specify a different value for <service>, set the serviceName parameter (saslServiceName) during the start up of mongod or mongos (or mongod.exe or mongos.exe). mongosh or other clients may also specify a different service principal name using serviceName (drivers expose this as the SERVICE_NAME authentication mechanism property).

Each mongod or mongos instance must be reachable over the network at the fully qualified domain name (FQDN) that appears in its service principal name.

By default, Kerberos attempts to identify hosts using the /etc/krb5.conf file before using DNS to resolve hosts.

On Windows, if running MongoDB as a service, see Assign Service Principal Name to MongoDB Windows Service.
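An added example (not from the MongoDB documentation or code base) that checks the two principal name forms described above and builds the connection string a GSSAPI client sends. The hosts, realm and user principal are constructed for the demo; the default service name mongodb and the 10k-byte username limit are taken from this page. No driver is imported, so it runs offline.

```python
import re
from urllib.parse import quote_plus, unquote_plus, urlsplit

# Added example (not MongoDB's code): validates user and service principal
# names and builds the connection string a GSSAPI client sends. Names below
# are constructed for the demo.

DEFAULT_SERVICE = "mongodb"              # <service> part unless saslServiceName changes it
MAX_EXTERNAL_USERNAME_BYTES = 10_000     # limit for $external users that use client sessions

# Realms are case-sensitive and upper-case by convention. The host part of an
# SPN must be fully qualified; MIT krb5 lower-cases it when canonicalizing.
REALM_RE = re.compile(r"^[A-Z0-9][A-Z0-9.-]*$")
FQDN_RE = re.compile(r"^(?=.{1,253}$)([a-z0-9]([a-z0-9-]*[a-z0-9])?\.)+[a-z0-9]([a-z0-9-]*[a-z0-9])?$")


def _split_realm(name: str) -> tuple[str, str]:
    if name.count("@") != 1:
        raise ValueError(f"principal must contain exactly one '@': {name!r}")
    left, realm = name.split("@")
    if not REALM_RE.match(realm):
        raise ValueError(f"realm should look like EXAMPLE.COM, got {realm!r}")
    return left, realm


def parse_user_principal(name: str) -> dict:
    """'<username>@<REALM>': the exact string stored as the user name in $external."""
    username, realm = _split_realm(name)
    if not username:
        raise ValueError("empty username")
    if len(name.encode("utf-8")) > MAX_EXTERNAL_USERNAME_BYTES:
        raise ValueError("user principal exceeds the 10k-byte limit for $external users")
    return {"username": username, "realm": realm}


def parse_service_principal(name: str) -> dict:
    """'<service>/<fqdn>@<REALM>' as held by each mongod/mongos."""
    left, realm = _split_realm(name)
    service, sep, host = left.partition("/")
    if not sep or not service:
        raise ValueError("service principal needs the form <service>/<fqdn>@<REALM>")
    if not FQDN_RE.match(host):
        raise ValueError(f"host part must be a lowercase fully qualified domain name, got {host!r}")
    return {"service": service, "host": host, "realm": realm}


def service_principal_for(fqdn: str, realm: str, service: str = DEFAULT_SERVICE) -> str:
    """Name a server must own, e.g. mongodb/m1.example.com@EXAMPLE.COM for m1.example.com."""
    spn = f"{service}/{fqdn.lower().rstrip('.')}@{realm.upper()}"
    parse_service_principal(spn)              # raises if the host is a bare short name
    return spn


def gssapi_uri(user_principal: str, hosts: list[str], service: str = DEFAULT_SERVICE) -> str:
    """Connection string for a GSSAPI login. The '@' (and any '/') inside the
    principal must be percent-encoded; otherwise the URI parser treats
    everything after the first '@' as the host list."""
    parse_user_principal(user_principal)
    query = "authMechanism=GSSAPI&authSource=$external"
    if service != DEFAULT_SERVICE:            # only needed when the server uses saslServiceName
        query += f"&authMechanismProperties=SERVICE_NAME:{service}"
    return f"mongodb://{quote_plus(user_principal)}@{','.join(hosts)}/?{query}"


def principal_from_uri(uri: str) -> str:
    """What a driver decodes from the userinfo part; shows the encoding round-trips."""
    return unquote_plus(urlsplit(uri).username)
```

The FQDN check is what catches the most common mistake: registering mongodb/m1@EXAMPLE.COM for a host whose clients resolve it as m1.example.com, so that the KDC never finds the principal the client asks for.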

Linux Keytab Files

Linux systems can store Kerberos authentication keys for a service principal in keytab files. Each Kerberized mongod and mongos instance running on Linux must have access to a keytab file containing keys for its service principal.

To keep keytab files secure, use file permissions that restrict access to only the user that runs the mongod or mongos process. A keytab holds the service's long-term key: anyone who can read it can decrypt service tickets and impersonate the MongoDB service to clients.
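An added example (not MongoDB's or MIT's code) that writes a keytab in the MIT 0x0502 file layout for the service principal used on this page, lists what it contains (the information klist -k prints) and checks that the file mode restricts access to the process owner. The key bytes are random test data, not a real key; a production keytab is produced by kadmin or ktutil, or by ktpass when exported from Active Directory.

```python
import os
import stat
import struct
import tempfile
from dataclasses import dataclass

# Added example (not MongoDB's or MIT's code): encode/list a keytab in the
# MIT 0x0502 layout and check the permissions a mongod keytab should have.
# Key material below is random test data, not a real key.

KEYTAB_VERSION = 0x0502
KRB5_NT_SRV_HST = 3                # name type for service/host principals
AES256_CTS_HMAC_SHA1_96 = 18       # enctype number


@dataclass
class KeytabEntry:
    principal: str
    kvno: int
    enctype: int
    timestamp: int


def _octets(b: bytes) -> bytes:
    """counted_octet_string: 16-bit big-endian length followed by the bytes."""
    return struct.pack(">H", len(b)) + b


def _read_octets(data: bytes, pos: int) -> tuple[bytes, int]:
    (n,) = struct.unpack(">H", data[pos:pos + 2])
    return data[pos + 2:pos + 2 + n], pos + 2 + n


def encode_keytab(entries: list[tuple[str, int, int, int, bytes]]) -> bytes:
    """entries: (principal, kvno, enctype, timestamp, key)."""
    out = struct.pack(">H", KEYTAB_VERSION)
    for principal, kvno, enctype, timestamp, key in entries:
        name, realm = principal.rsplit("@", 1)
        comps = name.split("/")
        body = struct.pack(">H", len(comps)) + _octets(realm.encode())
        for comp in comps:
            body += _octets(comp.encode())
        body += struct.pack(">IIB", KRB5_NT_SRV_HST, timestamp, kvno & 0xFF)
        body += struct.pack(">H", enctype) + _octets(key)
        body += struct.pack(">I", kvno)             # 32-bit kvno; readers prefer it when present
        out += struct.pack(">i", len(body)) + body  # entry size excludes the size field itself
    return out


def read_keytab(data: bytes) -> list[KeytabEntry]:
    """Parse entries; a negative size marks a slot deleted by ktutil and is skipped."""
    if struct.unpack(">H", data[:2])[0] != KEYTAB_VERSION:
        raise ValueError("unsupported keytab version")
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack(">i", data[pos:pos + 4])
        pos += 4
        if size <= 0:
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack(">H", data[pos:pos + 2])
        realm, pos = _read_octets(data, pos + 2)
        comps = []
        for _ in range(ncomp):
            comp, pos = _read_octets(data, pos)
            comps.append(comp.decode())
        _name_type, timestamp, vno8 = struct.unpack(">IIB", data[pos:pos + 9])
        (enctype,) = struct.unpack(">H", data[pos + 9:pos + 11])
        _key, pos = _read_octets(data, pos + 11)    # key bytes are not needed for a listing
        kvno = vno8
        if end - pos >= 4:
            (kvno,) = struct.unpack(">I", data[pos:pos + 4])
        pos = end
        entries.append(KeytabEntry("/".join(comps) + "@" + realm.decode(), kvno, enctype, timestamp))
    return entries


def keytab_permission_problems(path: str, mongod_uid: int) -> list[str]:
    """Empty list means only the mongod user can read the keytab."""
    st = os.stat(path)
    problems = []
    if st.st_uid != mongod_uid:
        problems.append(f"owner uid {st.st_uid} is not the mongod uid {mongod_uid}")
    if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        problems.append(f"mode {stat.filemode(st.st_mode)} grants group/other access; want -rw-------")
    return problems


def keytab_has_principal(path: str, spn: str) -> bool:
    with open(path, "rb") as f:
        return any(e.principal == spn for e in read_keytab(f.read()))


def demo() -> tuple[list[str], list[str], bool]:
    """Write a constructed keytab, check it while world-readable, then after chmod 0600."""
    spn = "mongodb/m1.example.com@EXAMPLE.COM"
    data = encode_keytab([(spn, 2, AES256_CTS_HMAC_SHA1_96, 1700000000, os.urandom(32))])
    fd, path = tempfile.mkstemp(suffix=".keytab")
    try:
        os.write(fd, data)
        os.close(fd)
        os.chmod(path, 0o644)                   # the mistake: any local user can read the key
        before = keytab_permission_problems(path, os.getuid())
        os.chmod(path, 0o600)                   # the fix
        after = keytab_permission_problems(path, os.getuid())
        return before, after, keytab_has_principal(path, spn)
    finally:
        os.unlink(path)
```

Point mongod at the file with the KRB5_KTNAME environment variable and run keytab_permission_problems with the uid of that service account; the same file is what kinit -kt reads when you test the service principal by hand.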

Tickets

On Linux, MongoDB clients can use Kerberos's kinit program to initialize a credential cache for authenticating the user principal to servers.

Windows Active Directory

Unlike on Linux systems, mongod and mongos instances running on Windows do not require access to keytab files. Instead, the mongod and mongos instances read their server credentials from a credential store specific to the operating system.

However, from the Windows Active Directory, you can export a keytab file for use on Linux systems. See Ktpass for more information.

Authenticate With Kerberos

To configure MongoDB for Kerberos support and authenticate, see Configure MongoDB with Kerberos Authentication on Linux and Configure MongoDB with Kerberos Authentication on Windows.

Operational Considerations

DNS

Each host that runs a mongod or mongos instance must have both A and PTR DNS records to provide forward and reverse lookup.

Without A and PTR DNS records, the host cannot resolve the components of the Kerberos domain or the Key Distribution Center (KDC).

System Time Synchronization

To successfully authenticate, the system time for each mongod and mongos instance must be within 5 minutes of the system time of the other hosts in the Kerberos infrastructure.
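An added example (not MongoDB's code) that checks the two operational requirements above on a mongod or mongos host: that the forward (A) and reverse (PTR) records for the host in the service principal agree, and that the clock is within the 5-minute window. The DNS functions default to the system resolver; the FAKE_A and FAKE_PTR tables are constructed zone data so the demo runs offline, and the stale PTR for 192.0.2.11 is deliberate.

```python
import socket
import time
from typing import Callable, Optional

# Added example (not MongoDB's code): preflight for DNS agreement and clock
# skew. The FAKE_* tables are constructed zone data for an offline demo.

MAX_SKEW_SECONDS = 300     # the 5-minute window the KDC tolerates

FAKE_A = {"m1.example.com": "192.0.2.10", "m2.example.com": "192.0.2.11",
          "m4.example.com": "192.0.2.12"}
FAKE_PTR = {"192.0.2.10": "m1.example.com",
            "192.0.2.11": "db-old.example.com"}   # stale PTR left over from a rename


def fake_forward(name: str) -> str:
    if name not in FAKE_A:
        raise socket.gaierror(f"{name}: no A record")
    return FAKE_A[name]


def fake_reverse(ip: str) -> str:
    if ip not in FAKE_PTR:
        raise socket.herror(f"{ip}: no PTR record")
    return FAKE_PTR[ip]


def system_reverse(ip: str) -> str:
    return socket.gethostbyaddr(ip)[0]


def check_dns(fqdn: str,
              forward: Callable[[str], str] = socket.gethostbyname,
              reverse: Callable[[str], str] = system_reverse) -> list[str]:
    """Empty list means the A and PTR records agree for the host named in the SPN."""
    try:
        ip = forward(fqdn)
    except OSError as exc:                       # gaierror and herror are OSError subclasses
        return [f"no A record for {fqdn}: {exc}"]
    try:
        name = reverse(ip)
    except OSError as exc:
        return [f"no PTR record for {ip}: {exc}"]
    if name.rstrip(".").lower() != fqdn.rstrip(".").lower():
        return [f"PTR for {ip} is {name}, not {fqdn}: a client that canonicalizes through "
                f"reverse DNS (rdns) asks the KDC for mongodb/{name} instead of mongodb/{fqdn}"]
    return []


def check_skew(kdc_time: float, local_time: Optional[float] = None) -> list[str]:
    """Empty list means this host's clock is within MAX_SKEW_SECONDS of the KDC."""
    local = time.time() if local_time is None else local_time
    skew = abs(local - kdc_time)
    if skew > MAX_SKEW_SECONDS:
        return [f"clock skew {skew:.0f}s exceeds {MAX_SKEW_SECONDS}s; "
                "the KDC rejects requests with KRB_AP_ERR_SKEW"]
    return []


def preflight(fqdn: str, kdc_time: float,
              forward: Callable[[str], str] = socket.gethostbyname,
              reverse: Callable[[str], str] = system_reverse,
              local_time: Optional[float] = None) -> list[str]:
    """All findings for one host; an empty list means it is ready for Kerberos."""
    return check_dns(fqdn, forward, reverse) + check_skew(kdc_time, local_time)
```

Run preflight with the defaults on the real host, passing the time reported by the NTP source the KDC uses; the DNS finding is the one that produces the otherwise puzzling "Server not found in Kerberos database" error, because the client requested a ticket for the name the PTR record returned.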

Kerberized MongoDB Environments

Driver Support

The following MongoDB drivers support Kerberos authentication:

Use with Additional MongoDB Authentication Mechanisms

Although MongoDB supports the use of Kerberos authentication with other authentication mechanisms, only add the other mechanisms as necessary. See the Incorporate Additional Authentication Mechanisms section in Configure MongoDB with Kerberos Authentication on Linux and Configure MongoDB with Kerberos Authentication on Windows for details.

Testing and Verification

Introduced alongside MongoDB 4.4, the mongokerberos program provides a convenient method to verify your platform's Kerberos configuration for use with MongoDB, and to test that Kerberos authentication from a MongoDB client works as expected. See the mongokerberos documentation for more information.

mongokerberos is available in MongoDB Enterprise only.
