MongoDB Enterprise supports authentication using a Kerberos service. Kerberos is an industry standard authentication protocol for large client/server systems. Kerberos allows MongoDB and applications to take advantage of existing authentication infrastructure and processes. MongoDB Enterprise only supports the MIT implementation of Kerberos.
Setting up and configuring a Kerberos deployment is beyond the scope of this document. This tutorial assumes you have configured a Kerberos service principal for each mongod.exe and mongos.exe instance.
For replica sets and sharded clusters, ensure that your configuration uses fully qualified domain names (FQDN) rather than IP addresses or unqualified hostnames. You must use the FQDN for GSSAPI to correctly resolve the Kerberos realms and allow you to connect.
Start mongod.exe without Kerberos.
For the initial addition of Kerberos users, start mongod.exe without Kerberos support.
If a Kerberos user is already in MongoDB and has the privileges required to create a user, you can start mongod.exe with Kerberos support.
Include additional settings as appropriate to your deployment.
Starting in MongoDB 3.6, mongod and mongos bind to localhost by default. If the members of your deployment are run on different hosts or if you wish remote clients to connect to your deployment, you must specify --bind_ip or net.bindIp. For more information, see Localhost Binding Compatibility Changes.
Connect to mongod.
Connect mongosh to the mongod.exe instance. If mongod.exe has --auth enabled, ensure you connect with the privileges required to create a user.
Add a Kerberos principal, <username>@<KERBEROS REALM>, to MongoDB in the $external database. Specify the Kerberos realm in ALL UPPERCASE. The $external database allows mongod.exe to consult an external source (e.g. Kerberos) to authenticate. To specify the user's privileges, assign roles to the user.
To use Client Sessions and Causal Consistency Guarantees with $external authentication users (Kerberos, LDAP, or x.509 users), usernames cannot be greater than 10k bytes.
The following example adds the Kerberos principal reportingapp@EXAMPLE.NET with read-only access to the records database:
use $external
db.createUser( { user: "reportingapp@EXAMPLE.NET", roles: [ { role: "read", db: "records" } ] } )
Add additional principals as needed. For every user you want to authenticate using Kerberos, you must create a corresponding user in MongoDB. For more information about creating and managing users, see User Management Commands.
Start mongod.exe with Kerberos support.
You must start mongod.exe as the service principal account.
To start mongod.exe with Kerberos support, set the mongod.exe parameter authenticationMechanisms to GSSAPI:
mongod.exe --setParameter authenticationMechanisms=GSSAPI <additional mongod.exe options>
Include additional options as required for your configuration. For instance, if you wish remote clients to connect to your deployment or your deployment members are run on different hosts, specify the --bind_ip option. For more information, see Localhost Binding Compatibility Changes.
For example, the following starts a standalone mongod.exe instance with Kerberos support:
mongod.exe --auth --setParameter authenticationMechanisms=GSSAPI --bind_ip localhost,<hostname(s)|ip address(es)>
Connect mongo.exe shell to mongod.exe and authenticate.
Connect the mongo.exe shell client as the Kerberos principal application@EXAMPLE.NET.
You can connect and authenticate from the command line.
Using cmd.exe:
mongo.exe --host hostname.example.net --authenticationMechanism=GSSAPI --authenticationDatabase=$external --username reportingapp@EXAMPLE.NET
Using Windows PowerShell (the $external database name must be single-quoted so the shell does not expand it as a variable):
mongo.exe --host hostname.example.net --authenticationMechanism=GSSAPI --authenticationDatabase='$external' --username reportingapp@EXAMPLE.NET
If you are connecting to a system whose hostname matches the Kerberos name, ensure that you specify the fully qualified domain name (FQDN) for the --host option, rather than an IP address or unqualified hostname.
If you are connecting to a system whose hostname does not match the Kerberos name, first connect mongo.exe to the mongod.exe, and then from the mongo.exe shell, use the db.auth() method to authenticate in the $external database.
use $external
db.auth( { mechanism: "GSSAPI", user: "reportingapp@EXAMPLE.NET" } )
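As an added example (not code from the MongoDB documentation), the following mongosh script carries out the principal-creation step above for a list of principals: it checks the constraints the page states (realm in ALL UPPERCASE, $external usernames no larger than 10k bytes for client sessions) before each createUser call, skips principals that already exist, and reports what it did. The principal list is constructed sample data, and reading "10k bytes" as 10 * 1024 is an assumption.

```javascript
// Added example, not from the MongoDB docs: seed $external with Kerberos principals.
// Run in mongosh against the mongod.exe started without Kerberos, e.g.
//   addKerberosPrincipals(db.getSiblingDB("$external"), SAMPLE_PRINCIPALS)

// <primary>@<REALM>; MongoDB requires the Kerberos realm in ALL UPPERCASE.
const PRINCIPAL_RE = /^[^@\s]+@[A-Z0-9][A-Z0-9.\-]*$/;
// Client sessions / causal consistency need $external usernames <= 10k bytes
// (assumed here to mean 10 * 1024).
const MAX_USERNAME_BYTES = 10 * 1024;

function validatePrincipal(principal) {
  if (!PRINCIPAL_RE.test(principal)) {
    return { ok: false, reason: "not <user>@<REALM> with an uppercase realm" };
  }
  const bytes = new TextEncoder().encode(principal).length;
  if (bytes > MAX_USERNAME_BYTES) {
    return { ok: false, reason: `username is ${bytes} bytes, limit is ${MAX_USERNAME_BYTES}` };
  }
  return { ok: true };
}

// createUser document for an externally authenticated user: no password,
// privileges come only from the assigned roles.
function kerberosUserDoc(principal, roles) {
  return { user: principal, roles };
}

// Creates each principal in $external (externalDb = db.getSiblingDB("$external")),
// rejecting malformed ones and skipping ones that already exist. Returns a
// per-principal result so the caller can audit what was actually created.
function addKerberosPrincipals(externalDb, entries) {
  const results = [];
  for (const { principal, roles } of entries) {
    const check = validatePrincipal(principal);
    if (!check.ok) {
      results.push({ principal, status: "rejected", reason: check.reason });
    } else if (externalDb.getUser(principal)) {
      results.push({ principal, status: "exists" });
    } else {
      externalDb.createUser(kerberosUserDoc(principal, roles));
      results.push({ principal, status: "created" });
    }
  }
  return results;
}

// Constructed sample data: a valid read-only principal and one with a
// lowercase realm, which validatePrincipal rejects.
const SAMPLE_PRINCIPALS = [
  { principal: "reportingapp@EXAMPLE.NET", roles: [{ role: "read", db: "records" }] },
  { principal: "auditor@example.net", roles: [{ role: "read", db: "records" }] },
];
```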
Configure mongos.exe for Kerberos
To start mongos.exe with Kerberos support, set the mongos.exe parameter authenticationMechanisms to GSSAPI. You must start mongos.exe as the service principal account:
mongos.exe --setParameter authenticationMechanisms=GSSAPI <additional mongos options>
Include additional options as required for your configuration. For instance, if you wish remote clients to connect to your deployment or your deployment members are run on different hosts, specify the --bind_ip option. For more information, see Localhost Binding Compatibility Changes.
For example, the following starts a mongos instance with Kerberos support (config servers run as a replica set, so --configdb takes the form <configReplSetName>/<host list> with no spaces in the host list):
mongos.exe --setParameter authenticationMechanisms=GSSAPI --configdb <configReplSetName>/shard0.example.net,shard1.example.net,shard2.example.net --keyFile C:\<path>\mongos.keyfile --bind_ip localhost,<hostname(s)|ip address(es)>
Modify or include any additional mongos.exe options as required for your configuration. For example, instead of using --keyFile for internal authentication of sharded cluster members, you can use x.509 member authentication instead.
Use setspn.exe to assign the service principal name (SPN) to the account running the mongod.exe and the mongos.exe service:
setspn.exe -S <service>/<fully qualified domain name> <service account name>
If mongod.exe runs as a service named mongodb on testserver.mongodb.com with the service account name mongodtest, assign the SPN as follows:
setspn.exe -S mongodb/testserver.mongodb.com mongodtest
Kerberos authentication (GSSAPI (Kerberos)) can work alongside:
MongoDB's SCRAM authentication mechanisms: SCRAM-SHA-1 and SCRAM-SHA-256
MongoDB's authentication mechanism for LDAP: PLAIN
MongoDB's authentication mechanism for x.509: MONGODB-X509
Specify the mechanisms as follows:
--setParameter authenticationMechanisms=GSSAPI,SCRAM-SHA-256
Only add the other mechanisms if they are in use. This parameter setting does not affect MongoDB's internal authentication of cluster members.
After completing the configuration steps, you can validate your configuration with the mongokerberos tool.
Introduced alongside MongoDB 4.4, mongokerberos provides a convenient method to verify your platform's Kerberos configuration for use with MongoDB, and to test that Kerberos authentication from a MongoDB client works as expected. See the mongokerberos documentation for more information.
mongokerberos is available in MongoDB Enterprise only.