MongoDB Enterprise supports authentication using a Kerberos service. Kerberos is an industry standard authentication protocol for large client/server systems. MongoDB Enterprise only supports the MIT implementation of Kerberos.
To verify that you are using MongoDB Enterprise, pass the --version command line option to mongod or mongos:

```
mongod --version
```

In the output from this command, look for the string modules: subscription or modules: enterprise to confirm you are using the MongoDB Enterprise binaries. Community binaries do not include the GSSAPI mechanism, so with them every step below fails at the point where authenticationMechanisms=GSSAPI is set.
For replica sets and sharded clusters, ensure that your configuration uses fully qualified domain names (FQDN) rather than IP addresses or unqualified hostnames. GSSAPI derives the service principal it requests a ticket for (mongodb/<FQDN>@<REALM>) from the hostname the client connects to, so you must use the FQDN for GSSAPI to correctly resolve the Kerberos realm and allow you to connect; with an IP address or a short name the requested service principal does not exist in the KDC and authentication fails.
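As an added check (this script is not part of the MongoDB documentation or the MongoDB tooling), the POSIX shell functions below apply the FQDN rule to the host lists you pass to --bind_ip, --configdb, replica set configuration and mongosh --host: is_fqdn rejects IPv4 and IPv6 literals and unqualified names such as m1 or localhost, and check_hosts walks a comma-separated list, stripping a <replSetName>/ prefix and a :port suffix and allowing the bare localhost entry that the examples on this page bind alongside the FQDN. The hostnames in the usage lines are taken from this page's own examples.

```shell
#!/bin/sh
# Added example, not part of the MongoDB documentation: checks that the host
# names handed to --bind_ip, --configdb, replica set configs and mongosh --host
# are fully qualified, since GSSAPI builds the service principal
# mongodb/<host>@<REALM> from the name the client connects to.

# is_fqdn NAME -> 0 when NAME is a usable fully qualified host name:
# at least two labels, letters/digits/hyphens only, no label starting or
# ending with a hyphen, and not an IPv4 or IPv6 literal.
is_fqdn() {
    name=$1
    case "$name" in
        ''|*:*)           return 1 ;;   # empty, or IPv6 literal / stray port
        .*|*.|*..*)       return 1 ;;   # empty label at start, end or middle
        *.*)              ;;            # qualified: has at least two labels
        *)                return 1 ;;   # unqualified, e.g. m1 or localhost
    esac
    case "$name" in
        *[!0-9.]*)        ;;            # contains something besides digits and dots
        *)                return 1 ;;   # only digits and dots: IPv4 literal
    esac
    case "$name" in
        *[!A-Za-z0-9.-]*) return 1 ;;   # character DNS does not allow
    esac
    case "$name" in
        -*|*-|*.-*|*-.*)  return 1 ;;   # hyphen at a label boundary
    esac
    return 0
}

# check_hosts LIST -> 0 when every entry of the comma-separated LIST passes
# is_fqdn. A leading "<replSetName>/" (as in --configdb) and a trailing ":port"
# are stripped first; the literal localhost entry is allowed because the page's
# examples bind it alongside the FQDN. Rejected entries are reported on stderr.
check_hosts() {
    rc=0
    for entry in $(printf '%s' "$1" | tr ',' ' '); do
        host=${entry#*/}        # drop replica set name prefix
        host=${host%:*}         # drop :port suffix
        [ "$host" = localhost ] && continue
        if ! is_fqdn "$host"; then
            echo "not a fully qualified domain name: $entry" >&2
            rc=1
        fi
    done
    return $rc
}

# Usage with the host names that appear in this page's examples:
check_hosts 'localhost,m1.example.com' && echo "bind list ok"
check_hosts 'shard0.example.net,shard1.example.net,shard2.example.net' && echo "configdb list ok"
```

Run it against every bindIp, --host and --configdb value before switching authenticationMechanisms to GSSAPI; a single IP literal in a replica set configuration is enough to make GSSAPI logins to that member fail with an unknown service principal.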
Setting up and configuring a Kerberos deployment is beyond the scope of this document. Please refer to the MIT Kerberos documentation or your operating system documentation for information on how to configure a Kerberos deployment.
In order to use MongoDB with Kerberos, a Kerberos service principal for each mongod and mongos instance in your MongoDB deployment must be added to the Kerberos database. The principal uses the service name mongodb and the FQDN of the host (mongod and mongos look up mongodb/<FQDN> unless you change the service name with the saslServiceName parameter). You can add the service principal by running a command similar to the following on your KDC:

```
kadmin.local addprinc mongodb/m1.example.com@EXAMPLE.COM
```
On each system running mongod or mongos, a keytab file must be created for the respective service principal. You can create the keytab file by running a command similar to the following on the system running mongod or mongos:

```
kadmin.local ktadd mongodb/m1.example.com@EXAMPLE.COM
```

Two caveats apply. kadmin.local needs direct access to the KDC database, so on a host that is not the KDC use kadmin with the same arguments (or extract the keytab on the KDC and copy it to the MongoDB host over a secure channel). Without -k, ktadd appends to the system default keytab (normally /etc/krb5.keytab); pass -k <path> to write a dedicated keytab for the MongoDB process, which is the file KRB5_KTNAME will point at below. ktadd also generates a new random key for the principal each time it runs, so an older keytab for the same principal stops working.
The following procedure outlines the steps to add a Kerberos user principal to MongoDB, configure a standalone mongod instance for Kerberos support, and connect using mongosh and authenticate the user principal.
1. Start mongod without Kerberos.

For the initial addition of Kerberos users, start mongod without Kerberos support.

If a Kerberos user is already in MongoDB and has the privileges required to create a user, you can start mongod with Kerberos support.

Include additional settings as appropriate to your deployment.
Starting in MongoDB 3.6, mongod and mongos bind to localhost by default. If the members of your deployment are run on different hosts or if you wish remote clients to connect to your deployment, you must specify --bind_ip or net.bindIp. For more information, see Localhost Binding Compatibility Changes.
2. Add a Kerberos principal to MongoDB.

Add a Kerberos principal, <username>@<KERBEROS REALM> or <username>/<instance>@<KERBEROS REALM>, to MongoDB in the $external database. Specify the Kerberos realm in all uppercase. The $external database allows mongod to consult an external source (e.g. Kerberos) to authenticate. To specify the user's privileges, assign roles to the user.
To use Client Sessions and Causal Consistency Guarantees with $external authentication users (Kerberos, LDAP, or x.509 users), usernames cannot be greater than 10k bytes.
The following example adds the Kerberos principal application/reporting@EXAMPLE.NET with read-only access to the records database:

```
use $external
db.createUser(
   {
     user: "application/reporting@EXAMPLE.NET",
     roles: [ { role: "read", db: "records" } ]
   }
)
```
Add additional principals as needed. For every user you want to authenticate using Kerberos, you must create a corresponding user in MongoDB. For more information about creating and managing users, see User Management Commands.
3. Start mongod with Kerberos support.

To start mongod with Kerberos support, set the environment variable KRB5_KTNAME to the path of the keytab file and the mongod parameter authenticationMechanisms to GSSAPI in the following form:

```
env KRB5_KTNAME=<path to keytab file> \
mongod \
--setParameter authenticationMechanisms=GSSAPI \
<additional mongod options>
```
Include additional options as required for your configuration. For instance, if you wish remote clients to connect to your deployment or your deployment members are run on different hosts, specify the --bind_ip. For more information, see Localhost Binding Compatibility Changes.
For example, the following starts a standalone mongod instance with Kerberos support:

```
env KRB5_KTNAME=/opt/mongodb/mongod.keytab \
/opt/mongodb/bin/mongod --auth \
--setParameter authenticationMechanisms=GSSAPI \
--dbpath /opt/mongodb/data --bind_ip localhost,<hostname(s)|ip address(es)>
```

Note that --auth (or security.authorization: enabled in a configuration file) is what actually enforces authentication; authenticationMechanisms only selects which mechanisms the server offers, so omitting --auth leaves the instance open to unauthenticated clients.
The path to your mongod as well as your keytab file may differ. The keytab file must be only accessible to the owner of the mongod process (owned by the account that runs mongod, with no group or other permission bits, e.g. mode 0600): the keytab holds the service's long-term key, and anyone who can read it can impersonate the mongodb/<FQDN> service to clients.
With the official .deb or .rpm packages, you can set the KRB5_KTNAME in an environment settings file. See KRB5_KTNAME for details.
4. Connect mongosh to mongod and authenticate.

Connect the mongosh client as the Kerberos principal application/reporting@EXAMPLE.NET. Before connecting, you must have used Kerberos's kinit program to get credentials for application/reporting@EXAMPLE.NET.
You can connect and authenticate from the command line:

```
mongosh --host hostname.example.net --authenticationMechanism=GSSAPI --authenticationDatabase='$external' --username application/reporting@EXAMPLE.NET
```

The single quotes around '$external' keep the shell from expanding it as a variable.
If you are connecting to a system whose hostname matches the Kerberos name, ensure that you specify the fully qualified domain name (FQDN) for the --host option, rather than an IP address or unqualified hostname.
If you are connecting to a system whose hostname does not match the Kerberos name, first connect mongosh to the mongod, and then from mongosh, use the db.auth() method to authenticate in the $external database:

```
use $external
db.auth( { mechanism: "GSSAPI", user: "application/reporting@EXAMPLE.NET" } )
```
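Before starting mongod with GSSAPI, it is worth checking the two inputs that most often break steps 2 and 3 above: the principal string stored in $external and the keytab file that KRB5_KTNAME points at. The POSIX shell functions below are an added example, not part of the MongoDB documentation or the MongoDB tooling. validate_principal enforces the <user>@<REALM> / <user>/<instance>@<REALM> form with an all-uppercase realm, and check_keytab confirms the keytab is a regular file owned by the expected uid with no group or other permission bits. The keytab path /opt/mongodb/mongod.keytab and the service account name mongod in the usage comment are assumptions borrowed from this page's example paths.

```shell
#!/bin/sh
# Added example, not part of the MongoDB documentation or tooling: a pre-flight
# check for the two inputs that most often break GSSAPI setup on this page,
# the principal string stored in $external (step 2) and the keytab file that
# KRB5_KTNAME points at (step 3).

# validate_principal PRINCIPAL -> 0 when PRINCIPAL has the form
# <user>@<REALM> or <user>/<instance>@<REALM> with an all-uppercase realm,
# which is the spelling the page requires for users in $external.
validate_principal() {
    p=$1
    case "$p" in
        ''|@*|*@|*@*@*) return 1 ;;   # empty, empty user/realm, or several '@'
        *@*)            ;;
        *)              return 1 ;;   # no realm at all
    esac
    user=${p%@*}
    realm=${p##*@}
    case "$user" in
        /*|*/|*/*/*)    return 1 ;;   # empty user or instance, or several '/'
    esac
    upper=$(printf '%s' "$realm" | tr 'a-z' 'A-Z')
    [ "$realm" = "$upper" ]
}

# file_mode_uid FILE -> prints "<octal mode> <owner uid>" (GNU stat, BSD fallback)
file_mode_uid() {
    stat -c '%a %u' "$1" 2>/dev/null || stat -f '%Lp %u' "$1"
}

# check_keytab FILE EXPECTED_UID -> 0 when FILE is a regular file owned by
# EXPECTED_UID with no group or other permission bits, i.e. readable only by
# the account that runs mongod or mongos. Anyone else who can read it holds the
# service key and can impersonate mongodb/<FQDN>@<REALM>.
check_keytab() {
    keytab=$1
    want_uid=$2
    if [ ! -f "$keytab" ]; then
        echo "keytab: $keytab is missing or not a regular file" >&2
        return 1
    fi
    set -- $(file_mode_uid "$keytab")
    mode=$1
    uid=$2
    if [ "$uid" != "$want_uid" ]; then
        echo "keytab: owned by uid $uid, expected uid $want_uid" >&2
        return 1
    fi
    case "$mode" in
        *00) ;;                       # e.g. 600 or 400: owner-only
        *)   echo "keytab: mode $mode grants group/other access; use chmod 600" >&2
             return 1 ;;
    esac
    return 0
}

# Usage (the mongod service account and the keytab path are assumptions taken
# from this page's example paths; adjust them to your deployment):
#   validate_principal 'application/reporting@EXAMPLE.NET' && \
#   check_keytab "${KRB5_KTNAME:-/opt/mongodb/mongod.keytab}" "$(id -u mongod)"
```

Run the usage line on the mongod or mongos host as the account that will start the process; a non-zero exit with the printed reason tells you which of the two inputs to fix before step 3.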
If you installed MongoDB Enterprise using one of the official .deb or .rpm packages, and you use the included init/upstart scripts to control the mongod instance, you can set the KRB5_KTNAME variable in the default environment settings file instead of setting the variable each time.

For .rpm packages, the default environment settings file is /etc/sysconfig/mongod.

For .deb packages, the file is /etc/default/mongodb.

Set the KRB5_KTNAME value in a line that resembles the following:

```
KRB5_KTNAME="<path to keytab>"
```
Configure mongos for Kerberos

To start mongos with Kerberos support, set the environment variable KRB5_KTNAME to the path of its keytab file and the mongos parameter authenticationMechanisms to GSSAPI in the following form:

```
env KRB5_KTNAME=<path to keytab file> \
mongos \
--setParameter authenticationMechanisms=GSSAPI \
<additional mongos options>
```
Include additional options as required for your configuration. For instance, if you wish remote clients to connect to your deployment or your deployment members are run on different hosts, specify the --bind_ip. For more information, see Localhost Binding Compatibility Changes.
For example, the following starts a mongos instance with Kerberos support:

```
env KRB5_KTNAME=/opt/mongodb/mongos.keytab \
mongos \
--setParameter authenticationMechanisms=GSSAPI \
--configdb shard0.example.net,shard1.example.net,shard2.example.net \
--keyFile /opt/mongodb/mongos.keyfile \
--bind_ip localhost,<hostname(s)|ip address(es)>
```
The path to your mongos as well as your keytab file may differ. The keytab file must be only accessible to the owner of the mongos process.

Modify or include any additional mongos options as required for your configuration. The --configdb list names your config servers; since MongoDB 3.4 the config servers run as a replica set, so in practice the value takes the form <configReplSetName>/<host1>:<port>,<host2>:<port>,<host3>:<port>. For example, instead of using --keyFile for internal authentication of sharded cluster members, you can use x.509 member authentication instead.
To configure mongod or mongos for Kerberos support using a configuration file, specify the authenticationMechanisms setting in the configuration file.

If using the YAML configuration file format:

```
setParameter:
  authenticationMechanisms: GSSAPI
```

Include additional options as required for your configuration. For instance, if you wish remote clients to connect to your deployment or your deployment members are run on different hosts, specify the net.bindIp setting. For more information, see Localhost Binding Compatibility Changes.

For example, if /opt/mongodb/mongod.conf contains the following configuration settings for a standalone mongod:

```
security:
  authorization: enabled
setParameter:
  authenticationMechanisms: GSSAPI
storage:
  dbPath: /opt/mongodb/data
net:
  bindIp: localhost,<hostname(s)|ip address(es)>
```

To start mongod with Kerberos support, use the following form:

```
env KRB5_KTNAME=/opt/mongodb/mongod.keytab \
/opt/mongodb/bin/mongod --config /opt/mongodb/mongod.conf
```

KRB5_KTNAME is read by the Kerberos library from the environment, not from the MongoDB configuration file, so it must still be supplied on the command line or through the package's environment settings file even when every other setting lives in mongod.conf.
The path to your mongod, keytab file, and configuration file may differ. The keytab file must be only accessible to the owner of the mongod process.
If you encounter problems when starting mongod or mongos with Kerberos authentication, see Troubleshoot Kerberos Authentication.
Kerberos authentication (GSSAPI (Kerberos)) can work alongside:

- MongoDB's SCRAM authentication mechanism
- MongoDB's authentication mechanism for LDAP
- MongoDB's authentication mechanism for x.509

Specify the mechanisms as a comma-separated list, for example:

```
--setParameter authenticationMechanisms=GSSAPI,SCRAM-SHA-256
```

Only add the other mechanisms if in use; every mechanism you list is offered to all clients, so an unused one only widens the authentication surface. This parameter setting does not affect MongoDB's internal authentication of cluster members.
After completing the configuration steps, you can validate your configuration with the mongokerberos tool.

Introduced alongside MongoDB 4.4, mongokerberos provides a convenient method to verify your platform's Kerberos configuration for use with MongoDB, and to test that Kerberos authentication from a MongoDB client works as expected. Run it with --server on the mongod or mongos host to check the service principal and keytab, and with --client --username <principal> on a client host to check that the client's credentials can obtain a service ticket. See the mongokerberos documentation for more information.

mongokerberos is available in MongoDB Enterprise only.