Authentication

Authentication is the process of verifying the identity of a client. When access control (authorization) is enabled, MongoDB requires all clients to authenticate themselves in order to determine their access.

Although authentication and authorization are closely connected, authentication is distinct from authorization:

  • Authentication verifies the identity of a user.
  • Authorization determines the verified user's access to resources and operations.

Getting Started

To get started using access control, follow these tutorials:

Authentication Mechanisms

SCRAM Authentication

Salted Challenge Response Authentication Mechanism (SCRAM) is the default authentication mechanism for MongoDB.

For more information on SCRAM and MongoDB, see:

x.509 Certificate Authentication

MongoDB supports x.509 certificate authentication for client authentication and internal authentication of the members of replica sets and sharded clusters. x.509 certificate authentication requires a secure TLS/SSL connection.

To use MongoDB with x.509, you must use valid certificates generated and signed by a certificate authority. The client x.509 certificates must meet the client certificate requirements.

For more information on x.509 and MongoDB, see:

Kerberos Authentication

MongoDB Enterprise supports Kerberos Authentication. Kerberos is an industry standard authentication protocol for large client/server systems that provides authentication using short-lived tokens that are called tickets.

To use MongoDB with Kerberos, you must have a properly configured Kerberos deployment, configured Kerberos service principals for MongoDB, and a Kerberos user principal added to MongoDB.

For more information on Kerberos and MongoDB, see:

LDAP Proxy Authentication

MongoDB Enterprise and MongoDB Atlas support LDAP proxy authentication through a Lightweight Directory Access Protocol (LDAP) service.

For more information on Kerberos and MongoDB, see:

These mechanisms allow MongoDB to integrate into your existing authentication system.
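
The following Python check is an added example, not part of the MongoDB manual. It audits client connection strings against the requirements described above: x.509 needs a TLS connection, and externally managed credentials (x.509, Kerberos, LDAP) authenticate against the `$external` database. `authMechanism`, `authSource`, `tls` and `ssl` are standard connection string options; the function name, finding codes and sample URIs are constructed for illustration, and the TLS check for LDAP (`PLAIN`) goes beyond what this page states.

```python
from urllib.parse import urlsplit, parse_qs

# Mechanisms that authenticate against the $external database because the
# credentials are managed outside MongoDB (certificates, Kerberos, LDAP).
EXTERNAL = {"MONGODB-X509", "GSSAPI", "PLAIN"}
# x.509 presents the client certificate during the TLS handshake; PLAIN
# (LDAP proxy) sends the password itself, so both need a TLS connection.
NEEDS_TLS = {"MONGODB-X509", "PLAIN"}


def audit_uri(uri):
    """Return finding codes for one MongoDB connection string."""
    parts = urlsplit(uri)
    # Connection string option names are case-insensitive.
    opts = {k.lower(): v[-1] for k, v in parse_qs(parts.query).items()}
    mech = opts.get("authmechanism", "").upper()
    # mongodb+srv:// enables TLS unless the URI turns it off explicitly.
    default_tls = "true" if parts.scheme == "mongodb+srv" else "false"
    tls = opts.get("tls", opts.get("ssl", default_tls)).lower() == "true"
    findings = []
    if not mech and "@" not in parts.netloc:
        findings.append("no-credentials")  # client never authenticates
    if mech in NEEDS_TLS and not tls:
        findings.append("tls-required")
    if mech in EXTERNAL and opts.get("authsource", "$external") != "$external":
        findings.append("authsource-not-external")
    return findings


# Constructed sample URIs (hosts, users and passwords are made up).
SAMPLES = [
    "mongodb://app:s3cret@db1.example.net:27017/inventory",
    "mongodb://db1.example.net:27017/inventory",
    "mongodb://CN%3Dapp%2COU%3Dclients@db1.example.net/?authMechanism=MONGODB-X509",
    "mongodb://CN%3Dapp@db1.example.net/?authMechanism=MONGODB-X509&tls=true&authSource=admin",
    "mongodb://alice:pw@db1.example.net/?authMechanism=PLAIN&authSource=%24external",
    "mongodb+srv://alice%40EXAMPLE.NET@cluster.example.net/?authMechanism=GSSAPI",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(audit_uri(sample) or ["ok"], sample.split("@")[-1])
```
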

OpenID Connect Authentication

MongoDB Enterprise supports OpenID Connect authentication. OpenID Connect is an authentication layer built on top of OAuth2. You can use OpenID Connect to configure single sign-on between your MongoDB database and a third-party identity provider.

For more information on OpenID Connect and MongoDB, see:

Internal / Membership Authentication

In addition to verifying the identity of a client, MongoDB can require members of replica sets and sharded clusters to authenticate their membership to their respective replica set or sharded cluster. See Internal/Membership Authentication for more information.