Internal/Membership Authentication

You can require that members of replica sets and sharded clusters authenticate to each other. For the internal authentication of the members, MongoDB can use either keyfiles or x.509 certificates.

The selected method is used for all internal communication. For example, when a client authenticates to a mongos using one of the supported authentication mechanisms, the mongos then uses the configured internal authentication method to connect to the required mongod processes.

Note

Enabling internal authentication also enables client authorization.

Keyfiles

Keyfiles use the SCRAM challenge-and-response authentication mechanism, where the keyfile contains the shared password for the members.

Key Requirements

A key's length must be between 6 and 1024 characters and may only contain characters in the base64 set. MongoDB strips whitespace characters (e.g. \x0d, \x09, and \x20) for cross-platform convenience. As a result, the following operations produce identical keys:

echo -e "mysecretkey" > key1
echo -e "my secret key" > key1
echo -e "my secret key\n" > key2
echo -e "my    secret    key" > key3
echo -e "my\r\nsecret\r\nkey\r\n" > key4

Keyfile Format

Starting in MongoDB 4.2, keyfiles for internal membership authentication use YAML format to allow for multiple keys in a keyfile. The YAML format accepts content of:

  • a single key string (same as in earlier versions),
  • multiple key strings (each string must be enclosed in quotes), or
  • a sequence of key strings.

The YAML format is compatible with the existing single-key keyfiles that use the text file format.

For example, if the keyfile contains a single key, you can specify the key string with or without quotes:

my old secret key1

You can specify multiple key strings [1] where each key string is enclosed in quotes:

'myoldsecretkey1'
'mynewsecretkey2'

You can specify multiple key strings [1] as a sequence of key strings (optionally enclosed in quotes):

- my old secret key1
- my new secret key2

The ability to specify multiple keys in a file allows for the rolling upgrade of the keys without downtime. See Rotate Keys for Replica Sets and Rotate Keys for Sharded Clusters.

All mongod and mongos instances of a deployment must share at least one common key.

On UNIX systems, the keyfile must not have group or world permissions. On Windows systems, keyfile permissions are not checked.

You must store the keyfile on each server hosting a member of the replica set or sharded cluster.

[1] For MongoDB's encrypted storage engine, the keyfile used for local key management can only contain a single key.
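The following Python is an added example, not MongoDB's own keyfile code. It reads a keyfile in the three layouts listed under Keyfile Format (a single key, one quoted key per line, or a "- " sequence), applies the whitespace stripping and the 6-to-1024-character base64 rule from Key Requirements, enforces the UNIX "no group or world permissions" rule, and checks the "at least one common key" condition that a rolling key rotation depends on. It is a deliberately minimal reader for the documented layouts rather than a YAML parser; it assumes that whitespace stripping applies to every key in a multi-key file (the page states the rule for single keys) and that the "=" padding character counts as part of the base64 set.

```python
import os
import re
import stat

# Base64 alphabet accepted in a key; '=' padding is assumed to be allowed.
BASE64_KEY = re.compile(r"^[A-Za-z0-9+/=]+$")


def normalize_key(raw):
    """Drop every whitespace character (CR, TAB, SPACE, LF, ...), so that
    'my secret key', a key spread over several lines and 'mysecretkey' are one key."""
    return "".join(ch for ch in raw if not ch.isspace())


def validate_key(key):
    """Return None if key is 6 to 1024 characters of the base64 set,
    otherwise a short description of the problem."""
    if not 6 <= len(key) <= 1024:
        return "key length %d is outside 6..1024" % len(key)
    if not BASE64_KEY.match(key):
        return "key contains characters outside the base64 set"
    return None


def _unquote(s):
    """Strip one matching pair of surrounding quotes, if present."""
    if len(s) >= 2 and s[0] == s[-1] and s[0] in ("'", '"'):
        return s[1:-1]
    return s


def parse_keyfile(text):
    """Extract key strings from the three documented layouts: one (optionally
    quoted) key, one quoted key per line, or a '- ' sequence of keys.
    Minimal reader for those layouts only, not MongoDB's YAML parser."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    if not lines:
        return []
    if all(ln.startswith("- ") for ln in lines):        # sequence form
        raw_keys = [_unquote(ln[2:].strip()) for ln in lines]
    elif all(ln[0] in "'\"" for ln in lines):           # quoted-strings form
        raw_keys = [_unquote(ln) for ln in lines]
    else:                                               # single key, possibly spread over lines
        raw_keys = [text]
    # Whitespace stripping is applied to every key (assumed to match the single-key rule).
    return [normalize_key(k) for k in raw_keys]


def permissions_ok(mode):
    """UNIX rule: no group or world permission bits may be set on the keyfile."""
    return (mode & (stat.S_IRWXG | stat.S_IRWXO)) == 0


def load_keyfile(path):
    """Read a keyfile from disk, enforcing the permission, layout and key rules."""
    if os.name == "posix" and not permissions_ok(os.stat(path).st_mode):
        raise ValueError("%s: group or world permissions are set" % path)
    with open(path, encoding="utf-8") as fh:
        keys = parse_keyfile(fh.read())
    if not keys:
        raise ValueError("%s: no key found" % path)
    for key in keys:
        problem = validate_key(key)
        if problem:
            raise ValueError("%s: %s" % (path, problem))
    return keys


def shares_common_key(keys_a, keys_b):
    """Two members can authenticate to each other only if they share a key;
    during a rolling rotation a file holds both the old and the new key."""
    return bool(set(keys_a) & set(keys_b))


if __name__ == "__main__":
    # Constructed sample: the whitespace variants from Key Requirements all yield one key.
    variants = ["mysecretkey", "my secret key\n", "my    secret    key", "my\r\nsecret\r\nkey\r\n"]
    print([parse_keyfile(v) for v in variants])
    old_member = parse_keyfile("myoldsecretkey1")
    rotating_member = parse_keyfile("- my old secret key1\n- my new secret key2")
    print("old member still accepted during rotation:",
          shares_common_key(old_member, rotating_member))
```

The permission check works on a raw mode value so it can be exercised without touching the file system; `load_keyfile` wires it to `os.stat` for real files.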

MongoDB Configuration for Keyfile

To specify the keyfile, use the security.keyFile setting or the --keyFile command line option.

For an example of keyfile internal authentication, see Update Replica Set to Keyfile Authentication.

x.509

Members of a replica set or sharded cluster can use x.509 certificates for internal authentication instead of using keyfiles. MongoDB supports x.509 certificate authentication for use with a secure TLS/SSL connection.

Note

Starting in version 4.0, MongoDB disables support for TLS 1.0 encryption on systems where TLS 1.1+ is available. For more details, see Disable TLS 1.0.

Member Certificate Requirements

The member certificate (net.tls.clusterFile, if specified, and net.tls.certificateKeyFile), used to verify membership to the sharded cluster or a replica set, must have the following properties:

  • A single Certificate Authority (CA) must issue all the x.509 certificates for the members of a sharded cluster or a replica set.
  • The Distinguished Name (DN), found in the member certificate’s subject, must specify a non-empty value for at least one of the following attributes: Organization (O), the Organizational Unit (OU) or the Domain Component (DC).
  • The Organization attributes (O’s), the Organizational Unit attributes (OU’s), and the Domain Components (DC’s) must match those from both the net.tls.clusterFile and net.tls.certificateKeyFile certificates for the other cluster members (or the tlsX509ClusterAuthDNOverride value, if set).

    To match, the certificates must agree on every specification of these attributes, including their absence: if one certificate omits an attribute, the other must omit it too. The order of the attributes does not matter.

    In the following example, the two DN’s contain matching specifications for O, OU as well as the non-specification of the DC attribute.

    CN=host1,OU=Dept1,O=MongoDB,ST=NY,C=US
    C=US, ST=CA, O=MongoDB, OU=Dept1, CN=host2

    However, the following two DN’s contain a mismatch for the OU attribute since one contains two OU specifications and the other, only one specification.

    CN=host1,OU=Dept1,OU=Sales,O=MongoDB
    CN=host2,OU=Dept1,O=MongoDB
  • Either the Common Name (CN) or one of the Subject Alternative Name (SAN) entries must match the hostname of the server as used by the other members of the cluster. Starting in MongoDB 4.2, when comparing SAN entries, MongoDB supports both DNS names and IP addresses. In previous versions, MongoDB only supported comparison of DNS names.

    For example, the certificates for a cluster could have the following subjects:

    subject= CN=<myhostname1>,OU=Dept1,O=MongoDB,ST=NY,C=US
    subject= CN=<myhostname2>,OU=Dept1,O=MongoDB,ST=NY,C=US
    subject= CN=<myhostname3>,OU=Dept1,O=MongoDB,ST=NY,C=US
  • If the certificate includes the Extended Key Usage (extendedKeyUsage) setting, the value must include clientAuth (“TLS Web Client Authentication”).

    extendedKeyUsage = clientAuth

    You can also use a certificate that does not include the Extended Key Usage (EKU).

  • The x.509 certificate must not be expired.

    Changed in version 4.4: mongod / mongos logs a warning on connection if the presented x.509 certificate expires within 30 days of the mongod/mongos host system time. See x.509 Certificates Nearing Expiry Trigger Warnings for more information.
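As an added example (not MongoDB's own verification code), the following Python evaluates the member-certificate requirements listed above against a certificate's subject, SAN entries, extendedKeyUsage values and expiry, and reproduces the two DN comparisons shown for the O/OU/DC rule. The DN parser is simplified (RFC 4514 escaping of commas inside values is not handled), the hostname comparison is an exact case-insensitive match with no wildcard support, and the `utc` helper and the reference times are constructed for the example.

```python
from collections import Counter
from datetime import datetime, timedelta, timezone

CLUSTER_ATTRS = ("O", "OU", "DC")


def utc(year, month, day):
    """Constructed helper: an aware UTC datetime for the examples below."""
    return datetime(year, month, day, tzinfo=timezone.utc)


def parse_dn(dn):
    """Split 'CN=host1,OU=Dept1,O=MongoDB' into (attribute, value) pairs.
    Simplified: RFC 4514 escaping (commas inside values) is not handled."""
    pairs = []
    for part in dn.split(","):
        part = part.strip()
        if not part:
            continue
        attr, sep, value = part.partition("=")
        if not sep:
            raise ValueError("malformed DN component: %r" % part)
        pairs.append((attr.strip().upper(), value.strip()))
    return pairs


def cluster_attributes(dn):
    """Multiset of the O, OU and DC values. A Counter ignores attribute order but
    still tells one OU apart from two, which the mismatch example above relies on."""
    return Counter((a, v) for a, v in parse_dn(dn) if a in CLUSTER_ATTRS)


def dns_match(dn_a, dn_b):
    """True when both DNs carry the same O/OU/DC values, which also means they
    agree on any of these attributes that neither specifies."""
    return cluster_attributes(dn_a) == cluster_attributes(dn_b)


def hostname_matches(hostname, cn, sans=()):
    """CN or any SAN entry (DNS name or IP address) must equal the hostname the
    other members use. Exact, case-insensitive comparison; no wildcard support."""
    return any(c is not None and c.lower() == hostname.lower() for c in [cn, *sans])


def check_member_certificate(subject, hostname, sans=(), eku=None,
                             not_after=None, peer_subject=None, now=None):
    """Evaluate the member-certificate requirements listed above for one certificate.
    eku is the list of extendedKeyUsage values, or None when the extension is absent.
    Returns (problems, warnings); an empty problems list means the certificate passes."""
    now = now or datetime.now(timezone.utc)
    problems, warnings = [], []
    attrs = parse_dn(subject)
    if not any(v for a, v in attrs if a in CLUSTER_ATTRS):
        problems.append("subject has no non-empty O, OU or DC attribute")
    if peer_subject is not None and not dns_match(subject, peer_subject):
        problems.append("O/OU/DC attributes differ from the other member's certificate")
    cn = next((v for a, v in attrs if a == "CN"), None)
    if not hostname_matches(hostname, cn, sans):
        problems.append("neither CN nor a SAN entry matches hostname %r" % hostname)
    if eku is not None and "clientAuth" not in eku:
        problems.append("extendedKeyUsage is present but does not include clientAuth")
    if not_after is not None:
        if not_after <= now:
            problems.append("certificate expired at %s" % not_after.isoformat())
        elif not_after - now <= timedelta(days=30):
            warnings.append("certificate expires within 30 days, at %s" % not_after.isoformat())
    return problems, warnings


if __name__ == "__main__":
    reference = utc(2024, 1, 1)   # constructed reference time
    print(check_member_certificate("CN=host1,OU=Dept1,O=MongoDB,ST=NY,C=US", "host1",
                                   eku=["clientAuth"], not_after=utc(2024, 1, 21),
                                   peer_subject="C=US, ST=CA, O=MongoDB, OU=Dept1, CN=host2",
                                   now=reference))
```

Passing `eku=None` models a certificate without the Extended Key Usage extension, which the requirements allow; passing a list without clientAuth is reported as a problem. Expiry is split into a hard failure and the 30-day warning described for version 4.4.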

MongoDB Configuration

In addition to any TLS/SSL configuration appropriate for your deployment, each member of your replica set (i.e. the mongod instances) or sharded cluster (i.e. the mongod and mongos instances) must be configured to use x.509 for internal authentication, normally by specifying the membership certificate with net.tls.clusterFile.

If no cluster file is specified, members can instead use the certificate key file specified in net.tls.certificateKeyFile or --tlsCertificateKeyFile (both new in MongoDB 4.2) for membership authentication. This certificate key file is what mongod (and mongos) instances use to prove their identity to clients, but it can also serve for membership authentication. To use it for both client authentication and membership authentication, the certificate must either:

  • Omit extendedKeyUsage, or
  • Specify extendedKeyUsage values

Note

Although still available, net.ssl.clusterFile (and the corresponding --sslClusterFile) and net.ssl.PEMKeyFile (and the corresponding --sslPEMKeyFile) are deprecated as of MongoDB 4.2.

For deployments using MongoDB version 4.0 and earlier, use net.ssl.clusterFile (or the corresponding --sslClusterFile) and net.ssl.PEMKeyFile (or the corresponding --sslPEMKeyFile).

Next Steps

For an example of x.509 internal authentication, see Use x.509 Certificate for Membership Authentication.

To upgrade from keyfile internal authentication to x.509 internal authentication, see Upgrade from Keyfile Authentication to x.509 Authentication.