The following procedure sets up SCRAM for client authentication on a standalone mongod instance.

To use SCRAM authentication for replica sets or sharded clusters, see Deploy Replica Set With Keyfile Authentication.
Start a standalone mongod instance without access control.

Open a terminal and run the following command as the mongod user:

mongod --port 27017 --dbpath /var/lib/mongodb

The mongod instance in this tutorial uses port 27017 and the /var/lib/mongodb data directory.

The tutorial assumes that the /var/lib/mongodb directory exists and is the default dbPath. You may specify a different data directory or port as needed.

When mongod starts, it creates some system files in the /var/lib/mongodb directory. To ensure the system files have the correct ownership, follow this tutorial as the mongod user. If you start mongod as the root user, you will have to update file ownership later.
Open a new terminal and connect to the database deployment with mongosh:

mongosh --port 27017

If you are connecting to a different deployment, specify additional command line options, such as --host, as needed to connect.
You can create the user administrator either before or after enabling access control. If you enable access control before creating any user, MongoDB provides a localhost exception which allows you to create a user administrator in the admin database. Once created, you must authenticate as the user administrator to create additional users.

Using mongosh, switch to the admin database and add the myUserAdmin user with the userAdminAnyDatabase and readWriteAnyDatabase roles:

use admin
db.createUser(
  {
    user: "myUserAdmin",
    pwd: passwordPrompt(), // or cleartext password
    roles: [
      { role: "userAdminAnyDatabase", db: "admin" },
      { role: "readWriteAnyDatabase", db: "admin" }
    ]
  }
)

The passwordPrompt() method prompts you to enter the password. You can also specify your password directly as a string. We recommend using the passwordPrompt() method to avoid the password being visible on your screen and potentially leaking the password to your shell history.

The userAdminAnyDatabase role allows this user to:

You can assign your user additional built-in roles or user-defined roles as needed.

The database where you create the user, in this example admin, is the user's authentication database. Although the user needs to authenticate to this database, the user can have roles in other databases. The user's authentication database doesn't limit the user's privileges.
Shut down the mongod instance. Using mongosh, issue the following command:

db.adminCommand( { shutdown: 1 } )

Exit mongosh.
Start the mongod with access control enabled.

If you start the mongod from the command line, add the --auth command line option:

mongod --auth --port 27017 --dbpath /var/lib/mongodb

If you start the mongod using a configuration file, add the security.authorization configuration file setting:

security:
  authorization: enabled

Clients that connect to this instance must now authenticate themselves and can only perform actions as determined by their assigned roles.
You can create users either before or after enabling access control. If you enable access control before creating any user, MongoDB provides a localhost exception which allows you to create a user administrator in the admin database. Once created, you must authenticate as the user administrator to create additional users.

Using mongosh, you can authenticate in either of the following ways.

Start mongosh with the -u <username>, -p, and the --authenticationDatabase <database> command line options:

mongosh --port 27017 --authenticationDatabase \
  "admin" -u "myUserAdmin" -p

Enter your password when prompted.

Alternatively, using mongosh, connect to your database deployment:

mongosh --port 27017

In mongosh, switch to the authentication database (in this case, admin), and use the db.auth(<username>, <pwd>) method to authenticate:

use admin
db.auth("myUserAdmin", passwordPrompt()) // or cleartext password

The passwordPrompt() method prompts you to enter the password. You can also specify your password directly as a string. We recommend using the passwordPrompt() method to avoid the password being visible on your screen and potentially leaking the password to your shell history.

Enter the password when prompted.
To use SCRAM authentication for replica sets or sharded clusters, see Deploy Replica Set With Keyfile Authentication.