Authentication on Self-Managed Deployments

Note

Starting in MongoDB 8.0, LDAP authentication and authorization is deprecated. LDAP is available and will continue to operate without changes throughout the lifetime of MongoDB 8. LDAP will be removed in a future major release.

For details, see LDAP Deprecation.

Authentication is the process of verifying the identity of a client. When access control (authorization) is enabled, MongoDB requires all clients to authenticate themselves in order to determine their access.

Although authentication and authorization are closely connected, authentication is distinct from authorization:

You can configure authentication through the UI for deployments hosted in MongoDB Atlas.

Getting Started

To get started using access control, follow these tutorials:

Authentication Mechanisms

Mechanism tabs: SCRAM, X.509, Kerberos, LDAP, OIDC, AWS-IAM

Editions listed for each mechanism: MongoDB Community, MongoDB Enterprise, MongoDB Atlas (M10 and above), MongoDB Atlas (Shared Tier), MongoDB Atlas (Flex)

SCRAM Authentication

Salted Challenge Response Authentication Mechanism (SCRAM) is the default authentication mechanism for MongoDB.

For more information on SCRAM and MongoDB, see:
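Because SCRAM is the default, it helps to see what the server actually stores and what a client has to prove. The following is an added Python example (not MongoDB's own code) that walks one SCRAM-SHA-256 exchange as specified in RFC 5802/7677, using a constructed salt and fixed nonces; it assumes an ASCII password, so MongoDB's SASLprep normalization step is omitted.

```python
import base64
import hashlib
import hmac

CLIENT_KEY_LABEL = b"Client Key"
SERVER_KEY_LABEL = b"Server Key"


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def make_credentials(password: str, salt: bytes, iterations: int = 15000) -> dict:
    """Server-side record for one user: salt, iteration count, StoredKey, ServerKey.
    The password itself is never stored. (Assumption: ASCII password, so the
    SASLprep step MongoDB applies for SCRAM-SHA-256 is skipped here.)"""
    salted = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    client_key = hmac.new(salted, CLIENT_KEY_LABEL, hashlib.sha256).digest()
    return {
        "salt": salt,
        "iterations": iterations,
        "stored_key": hashlib.sha256(client_key).digest(),
        "server_key": hmac.new(salted, SERVER_KEY_LABEL, hashlib.sha256).digest(),
    }


def scram_exchange(username: str, client_password: str, creds: dict,
                   client_nonce: str = "rOprNGfwEbeRWgbNEkqO",
                   server_nonce: str = "%hvYDpWUa2RaTCAfuxFIlj)hNlF$k0") -> tuple:
    """One SCRAM-SHA-256 run; returns (server accepted client, client accepted server)."""
    # client-first-message-bare and server-first-message (the 'n,,' GS2 header the
    # client sends is not part of the bare message)
    c_first_bare = f"n={username},r={client_nonce}"
    salt_b64 = base64.b64encode(creds["salt"]).decode()
    s_first = f"r={client_nonce}{server_nonce},s={salt_b64},i={creds['iterations']}"
    # client re-derives its keys from the password plus the server-supplied salt/iterations
    salted = hashlib.pbkdf2_hmac("sha256", client_password.encode(), creds["salt"], creds["iterations"])
    client_key = hmac.new(salted, CLIENT_KEY_LABEL, hashlib.sha256).digest()
    stored_key = hashlib.sha256(client_key).digest()
    c_final_bare = f"c=biws,r={client_nonce}{server_nonce}"  # c=biws is base64('n,,')
    auth_message = f"{c_first_bare},{s_first},{c_final_bare}".encode()
    client_proof = _xor(client_key, hmac.new(stored_key, auth_message, hashlib.sha256).digest())
    # server side: unmask ClientKey from the proof with its own StoredKey, hash it, compare
    server_sig_of_client = hmac.new(creds["stored_key"], auth_message, hashlib.sha256).digest()
    recovered_client_key = _xor(client_proof, server_sig_of_client)
    client_ok = hmac.compare_digest(hashlib.sha256(recovered_client_key).digest(), creds["stored_key"])
    # mutual authentication: server signs with ServerKey, client checks with its own derived ServerKey
    server_signature = hmac.new(creds["server_key"], auth_message, hashlib.sha256).digest()
    client_server_key = hmac.new(salted, SERVER_KEY_LABEL, hashlib.sha256).digest()
    server_ok = hmac.compare_digest(hmac.new(client_server_key, auth_message, hashlib.sha256).digest(), server_signature)
    return client_ok, server_ok
```

A stolen credential record yields only StoredKey and ServerKey, which is why the proof is keyed on a hash of ClientKey and a wrong password fails both directions of the exchange.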

X.509 Certificate Authentication

MongoDB supports X.509 certificate authentication for client authentication and for internal authentication of the members of replica sets and sharded clusters. X.509 certificate authentication requires a secure TLS/SSL connection.

To use MongoDB with X.509, you must use valid certificates generated and signed by a certificate authority. The client X.509 certificates must meet the client certificate requirements.

For more information on X.509 and MongoDB, see:

Kerberos Authentication

MongoDB Enterprise supports Kerberos Authentication. Kerberos is an industry standard authentication protocol for large client/server systems that provides authentication using short-lived tokens called tickets.

To use MongoDB with Kerberos, you must have a properly configured Kerberos deployment, configured Kerberos service principals for MongoDB, and a Kerberos user principal added to MongoDB.

For more information on Kerberos and MongoDB, see:

LDAP Proxy Authentication

MongoDB Enterprise and MongoDB Atlas support LDAP proxy authentication through a Lightweight Directory Access Protocol (LDAP) service.

For more information on LDAP and MongoDB, see:

These mechanisms allow MongoDB to integrate into your existing authentication system.

OpenID Connect Authentication

MongoDB Enterprise supports OpenID Connect authentication. OpenID Connect is an authentication layer built on top of OAuth2. You can use OpenID Connect to configure single sign-on between your MongoDB database and a third-party identity provider.

For more information on OpenID Connect and MongoDB, see:

Internal / Membership Authentication

In addition to verifying the identity of a client, MongoDB can require members of replica sets and sharded clusters to authenticate their membership to their respective replica set or sharded cluster. See Self-Managed Internal/Membership Authentication for more information.