Internal/Membership Authentication内部/成员身份验证

~~On this page~~本页内容

Keyfiles
x.509
~~Next Steps~~下一步

~~You can require that members of replica sets and sharded clusters authenticate to each other.~~ 您可以要求副本集和分片集群的成员相互进行身份验证。~~For the internal authentication of the members, MongoDB can use either keyfiles or x.509 certificates.~~对于成员的内部身份验证，MongoDB可以使用键文件或x.509证书。

The selected method is used for all internal communication. For example, when a client authenticates to a mongos using one of the supported authentication mechanisms, the mongos then uses the configured internal authentication method to connect to the required mongod processes.所选方法用于所有内部通信。例如，当客户端使用支持的身份验证机制之一对mongos进行身份验证时，mongos将使用配置的内部身份验证方法连接到所需的mongod进程。

Note

~~Enabling internal authentication also enables client authorization.~~启用内部身份验证还可以启用客户端授权。

Keyfiles键文件

~~Keyfiles use SCRAM challenge and response authentication mechanism where the keyfiles contain the shared password for the members.~~键文件使用SCRAM质询和响应身份验证机制，其中键文件包含成员的共享密码。

Key Requirements关键要求

~~A key's length must be between 6 and 1024 characters and may only contain characters in the base64 set.~~ 键的长度必须在6到1024个字符之间，并且只能包含base64集中的字符。~~MongoDB strips whitespace characters (e.g. x0d, x09, and x20) for cross-platform convenience.~~ MongoDB去掉空白字符（例如x0d、x09和x20）以便于跨平台使用。~~As a result, the following operations produce identical keys:~~因此，以下操作将生成相同的键：

echo -e "mysecretkey" > key1
echo -e "my secret key" > key1
echo -e "my secret key\n" > key2
echo -e "my    secret    key" > key3
echo -e "my\r\nsecret\r\nkey\r\n" > key4

Keyfile Format键文件格式

~~Starting in MongoDB 4.2, keyfiles for internal membership authentication use YAML format to allow for multiple keys in a keyfile. The YAML format accepts either:~~从MongoDB 4.2开始，用于内部成员身份验证的键文件使用YAML格式，允许在一个键文件中有多个键。YAML格式接受以下任一项：

~~A single key string (same as in earlier versions)~~单个键字符串（与早期版本相同）
~~A sequence of key strings~~一串键串

~~The YAML format is compatible with the existing single-key keyfiles that use the text file format.~~YAML格式与使用文本文件格式的现有单键键文件兼容。

~~For example,~~例如

~~Single key~~单键 ~~Multiple Key Sequence~~多个键序列

~~If the keyfile contains a single key, you can specify the key string with or without quotes:~~如果键文件包含单个键，则可以指定带引号或不带引号的键字符串：

my old secret key1

~~You can specify multiple key strings [1] as a sequence of key strings (optionally enclosed in quotes):~~您可以将多个键字符串[1]指定为一系列键字符串（可选地用引号括起来）：

- my old secret key1
- my new secret key2

~~The ability to specify multiple keys in a file allows for the rolling upgrade of the keys without downtime.~~ 在一个文件中指定多个键的功能允许在不停机的情况下滚动升级键。~~See Rotate Keys for Replica Sets and Rotate Keys for Sharded Clusters.~~请参见副本集的旋转键和分片群集的旋转键。

~~All mongod and mongos instances of a deployment must share at least one common key.~~部署的所有mongod和mongos实例必须至少共享一个公共键。

~~On UNIX systems, the keyfile must not have group or world permissions. On Windows systems, keyfile permissions are not checked.~~在UNIX系统上，键文件不得具有组权限或全局权限。在Windows系统上，不会检查键文件权限。

~~You must store the keyfile on each server hosting the member of the replica set or sharded clusters.~~必须将键文件存储在承载复制集或分片集群成员的每个服务器上。

[1]	~~For MongoDB's encrypted storage engine, the keyfile used for local key management can only contain a single key .~~对于MongoDB的加密存储引擎，用于本地键管理的键文件只能包含一个键。

MongoDB Configuration for Keyfile键文件的MongoDB配置

~~To specify the keyfile, use the security.keyFile setting or --keyFile command line option.~~要指定键文件，请使用security.keyFile设置或--keyfile命令行选项。

~~For an example of keyfile internal authentication, see Update Replica Set to Keyfile Authentication.~~有关键文件内部身份验证的示例，请参阅将副本集更新为键文件身份验证。

x.509

Members of a replica set or sharded cluster can use x.509 certificates for internal authentication instead of using keyfiles. MongoDB supports x.509 certificate authentication for use with a secure TLS/SSL connection.副本集或分片集群的成员可以使用x.509证书进行内部身份验证，而不是使用键文件。MongoDB支持x.509证书身份验证，用于安全的TLS/SSL连接。

Note

~~MongoDB disables support for TLS 1.0 encryption on systems where TLS 1.1+ is available. For more details, see Disable TLS 1.0.~~MongoDB在TLS 1.1+可用的系统上禁用对TLS 1.0加密的支持。有关更多详细信息，请参阅禁用TLS 1.0。

Member Certificate Requirements会员证书要求

~~Use member certificates to verify membership to a sharded cluster or a replica set.~~ 使用成员证书来验证分片集群或副本集的成员身份。~~Member certificates are stored in net.tls.clusterFile and net.tls.certificateKeyFile. Member certificate requirements:~~成员证书存储在net.tls.clusterFile和net.tls.certificateKeyFile中。会员证书要求：

~~A single Certificate Authority (CA) must issue all x.509 certificates for the members of a sharded cluster or a replica set.~~单个证书颁发机构（CA）必须为分片集群或副本集的成员颁发所有x.509证书。
~~The x.509 certificate must not be expired.~~x.509证书不得过期。

Note

~~Changed in version 4.4.~~4.4版更改。~~mongod / mongos logs a warning on connection if the presented x.509 certificate expires within 30 days of the mongod/mongos host system time.~~ 如果提供的x.509证书在mongod/mongos主机系统时间后30天内过期，mongod/mongos会在连接时记录警告。~~See x.509 Certificates Nearing Expiry Trigger Warnings for more information.~~有关详细信息，请参阅x.509证书接近到期触发警告。
~~The Distinguished Name (DN), found in the member certificate's subject, must specify a non-empty value for at least one of the following attributes:~~在成员证书的subject中找到的可分辨名称（DN）必须为以下至少一个属性指定非空值：
- the Organization (O)
- the Organizational Unit (OU)
- the Domain Component (DC)
~~Each cluster member certificate must have identical Os, OUs, and DCs in their net.tls.clusterFile and net.tls.certificateKeyFile certificates.~~ 每个群集成员证书的net.tls.clusterFile和net.tls.certificateKeyFile证书中必须具有相同的O、OU和DC。~~This also applies to the tlsX509ClusterAuthDNOverride value, if set. Attribute order doesn't matter.~~这也适用于tlsX509ClusterAuthDNOverride值（如果已设置）。属性顺序无关紧要。

~~Here's an example. The two DNs below have matching specifications for O and OU, and DC is not specified.~~下面是一个例子。下面的两个DN具有匹配的O和OU规范，并且未指定DC。
```
CN=host1,OU=Dept1,O=MongoDB,ST=NY,C=US
C=US, ST=CA, O=MongoDB, OU=Dept1, CN=host2
```
~~The following example is incorrect, because the DNs don't match.~~ 以下示例不正确，因为DN不匹配。~~One DN has two OU specifications and the other has only one OU specification.~~一个DN有两个OU规范，另一个只有一个OU规范。
```
CN=host1,OU=Dept1,OU=Sales,O=MongoDB
CN=host2,OU=Dept1,O=MongoDB
```
~~You can also specify a custom set of DN attributes and values in the configuration file using the net.tls.clusterAuthX509.attributes setting.~~ 还可以使用net.tls.clusterAuthX509.attributes设置在配置文件中指定一组自定义DN属性和值。~~This is useful when you wish to configure X.509 authentication with member certificates that do not have DC, O, or OU attributes in their subject DNs.~~当您希望使用在其主题DN中没有DC、O或OU属性的成员证书配置X.509身份验证时，这很有用。

~~For more information, see Rotate X.509 Cluster Certificates.~~有关详细信息，请参阅旋转X.509群集证书。
~~Either the Common Name (CN) or one of the Subject Alternative Name (SAN) entries must match the server hostname for other cluster members.~~ 公用名称（CN）或其中一个使用者备用名称（SAN）条目必须与其他群集成员的服务器主机名匹配。~~Starting in MongoDB 4.2, when comparing SANs, MongoDB can compare either DNS names or IP addresses.~~ 从MongoDB 4.2开始，在比较SAN时，MongoDB可以比较DNS名称或IP地址。~~In previous versions, MongoDB only compares DNS names.~~在以前的版本中，MongoDB只比较DNS名称。

~~For example, the certificates for a cluster could have the following subjects:~~例如，群集的证书可能具有以下subject：
```
subject= CN=<myhostname1>,OU=Dept1,O=MongoDB,ST=NY,C=US
subject= CN=<myhostname2>,OU=Dept1,O=MongoDB,ST=NY,C=US
subject= CN=<myhostname3>,OU=Dept1,O=MongoDB,ST=NY,C=US
```
~~If the certificate includes the Extended Key Usage (extendedKeyUsage) setting, the value must include clientAuth ("TLS Web Client Authentication").~~如果证书包括扩展键用法（extendedKeyUsage）设置，则该值必须包括clientAuth（“TLS Web客户端身份验证”）。
```
extendedKeyUsage = clientAuth
```

MongoDB ConfigurationMongoDB配置

~~You can use TLS for internal authentication between each member of your replica set (each mongod instance) or sharded cluster (each mongod and mongos instance).~~您可以使用TLS在副本集的每个成员（每个mongod实例）或分片集群（每个mongood和mongos实例）之间进行内部身份验证。

~~To use TLS for internal authentication, use the following settings:~~要使用TLS进行内部身份验证，请使用以下设置：

security.clusterAuthMode or 或--clusterAuthMode ~~set to~~ 设置为x509
net.tls.clusterFile or --tlsClusterFile (available starting in MongoDB 4.2)

~~mongod and mongos instances use their certificate key files to prove their identity to clients, but certificate key files can also be used for membership authentication.~~ mongod和mongos实例使用它们的证书键文件向客户端证明它们的身份，但是证书键文件也可以用于成员身份验证。If you do not specify a cluster file, members use their certificate key files for membership authentication. Specify the certificate key file with net.tls.certificateKeyFile or --tlsCertificateKeyFile (available starting in MongoDB 4.2).如果未指定群集文件，则成员将使用其证书键文件进行成员身份验证。使用net.tls.certificateKeyFile或--tlsCertificateKeyFile指定证书键文件（从MongoDB 4.2开始提供）。

~~To use the certificate key file for both client authentication and membership authentication, the certificate must either:~~要将证书键文件用于客户端身份验证和成员身份验证，证书必须：

Omit extendedKeyUsage or
Specify extendedKeyUsage = serverAuth, clientAuth

Next Steps下一步

~~For an example of x.509 internal authentication, see Use x.509 Certificate for Membership Authentication.~~有关x.509内部身份验证的示例，请参阅使用x.509证书进行成员身份验证。

~~To upgrade from keyfile internal authentication to x.509 internal authentication, see Upgrade from Keyfile Authentication to x.509 Authentication.~~要从键文件内部身份验证升级为x.509内部身份验证，请参阅从键文件身份验证升级到x.509身份验证。

← Configure MongoDB with OpenID Connect Deploy Replica Set With Keyfile Authentication →