mongokerberos
New in version 4.4: MongoDB Enterprise
Starting in version 4.4, MongoDB Enterprise provides mongokerberos for testing MongoDB's Kerberos and GSSAPI configuration options against a running Kerberos deployment. mongokerberos can be used in one of two modes: server and client.
Mode | Description |
---|---|
Server | In server mode, mongokerberos analyzes the Kerberos-related configuration on the server and returns a report that includes error messages for any settings that are problematic. For usage, see Server Mode. |
Client | In client mode, mongokerberos tests Kerberos authentication for a provided username and returns a report that includes the success or failure of each step in the Kerberos authentication procedure. For usage, see Client Mode. |
Error messages for both modes include information on specific errors encountered and potential advice for resolving the error.
mongokerberos supports the following deployment types, in both server and client modes:
Note
MongoDB Enterprise and mongokerberos only support the MIT implementation of Kerberos.
Generally, when configuring options related to Kerberos authentication, it is good practice to verify your configuration with mongokerberos.
mongokerberos is a testing and verification tool; it does not edit any files or configure any services. For configuring Kerberos on your platform, consult the MIT Kerberos documentation or your platform's documentation. For configuring MongoDB to authenticate using Kerberos, refer to the following tutorials:
This document provides a complete overview of all command line options for mongokerberos.
The mongokerberos tool is part of the MongoDB Database Tools Extra package, and can be installed with the MongoDB Server or as a standalone installation.
To install mongokerberos as part of a MongoDB Enterprise Server installation:
mongokerberos and the other included tools are available in the same location as the Server.
Note
For the Windows .msi installer wizard, the Complete installation option includes mongokerberos.
To install mongokerberos as a standalone installation:
OS | Package |
---|---|
Linux | tgz package |
Windows | zip package |
macOS | tgz package |
mongokerberos
to a location on your hard drive.
Tip
Linux and macOS users may wish to copy mongokerberos to a filesystem location that is defined in the $PATH environment variable, such as /usr/bin. Doing so allows referencing mongokerberos directly on the command line by name, without needing to specify its full path or first navigating to its parent directory. See the installation guide for your platform for more information.
mongokerberos can be run in two modes: server and client.
Run mongokerberos from the system command line, not the mongo shell.
Running mongokerberos in server mode performs a series of verification steps against your system's Kerberos configuration, including checking for proper DNS resolution, validation of the Kerberos system keytab file, and testing against the MongoDB service principal for your mongod or mongos instance.
Before you can use mongokerberos in server mode, you must first have configured Kerberos on your platform according to your platform's documentation, and created a Kerberos service principal for your mongod or mongos instance, as described in the following steps:
Once you have completed these steps, you can run mongokerberos in server mode using the --server flag as follows:
If Kerberos has been configured properly on the server, and the service principal created successfully, the output might resemble the following:
The final message indicates that the system’s Kerberos configuration is ready to be used with MongoDB. If any errors are encountered with the configuration, they will be presented as part of the above output.
Running mongokerberos in client mode tests authentication against your system's Kerberos environment, performing each step in the Kerberos authentication process, including checking for proper DNS resolution, verification of the Kerberos client keytab file, and testing whether a ticket can be successfully granted. Running mongokerberos in client mode simulates the client authentication procedure of the mongo shell.
Before you can use mongokerberos in client mode, you must first have configured Kerberos on your platform according to your platform's documentation. Optionally, you may also choose to run mongokerberos in server mode first to verify that your platform's Kerberos configuration is valid before using client mode.
Once you have completed these steps, you can run mongokerberos in client mode to test user authentication, using the --client flag as follows:
You must provide a valid username, which is used to request a Kerberos ticket as part of the authentication procedure. Your platform’s Kerberos infrastructure must be aware of this user.
If the provided credentials are valid, and the Kerberos options in the configuration files are valid, the output might resemble the following:
The final message indicates that client authentication completed successfully for the user provided. If any errors are encountered during the authentication steps, they will be presented as part of the above output.
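The two procedures above (server mode, then client mode) as a single pre-flight script. This is an added example and is not part of the MongoDB documentation or of the mongokerberos tool itself; it only builds the invocations from the options documented on this page. The config path, the hostname mongo1.example.com, the user alice@EXAMPLE.COM and the sample mongod.conf fragment are constructed placeholders, and treating a non-zero exit status from mongokerberos as a failed check is an assumption.

```shell
#!/bin/sh
# Added example, not part of the MongoDB documentation or the mongokerberos tool:
# a pre-flight script that builds the two mongokerberos invocations from the
# options documented on this page and checks the --config file for non-ASCII bytes.
# Assumptions (placeholders, not real infrastructure): the config path, the
# hostname mongo1.example.com, the user alice@EXAMPLE.COM, and that a non-zero
# exit status from mongokerberos means the check failed.
set -u

# Server mode: point --config at the mongod/mongos config file so mongokerberos
# reads saslHostName and saslServiceName from it rather than from the command line.
server_args() {
    printf '%s' "--server --config $1"
}

# Client mode: --username is mandatory; --host is optional, but without it the
# PTR-record check of the server hostname is skipped, so pass it in real tests.
# The third argument overrides the default service principal name "mongodb".
client_args() {
    printf '%s' "--client --username $1 --host $2 --gssapiServiceName ${3:-mongodb}"
}

# --config only accepts ASCII files (the page notes even UTF-8 is rejected).
# Strip every byte in 0x00-0x7F and see whether anything is left over.
config_is_ascii() {
    n=$(tr -d '\000-\177' < "$1" | wc -c | tr -d ' ')
    [ "$n" -eq 0 ]
}

# Run mongokerberos with the given arguments if it is installed, reporting the
# outcome; returns 1 on failure so callers can act on it.
run_check() {
    label=$1
    shift
    if ! command -v mongokerberos >/dev/null 2>&1; then
        echo "$label: mongokerberos not found on PATH, skipping"
        return 0
    fi
    if mongokerberos "$@"; then
        echo "$label: OK"
    else
        echo "$label: FAILED (exit status $?)"
        return 1
    fi
}

# Constructed sample config fragment; the setParameter block holds the values
# mongokerberos --server reads. The quoted delimiter keeps the file literal.
cfg=$(mktemp)
cat > "$cfg" <<'EOF'
security:
  authorization: enabled
setParameter:
  authenticationMechanisms: GSSAPI
  saslHostName: mongo1.example.com
  saslServiceName: mongodb
EOF

if config_is_ascii "$cfg"; then
    echo "config file is ASCII"
else
    echo "config file contains non-ASCII bytes; mongokerberos --config will not accept it"
fi

status=0
# Word splitting of the argument strings below is intended.
run_check "server mode" $(server_args "$cfg") || status=1
run_check "client mode" $(client_args alice@EXAMPLE.COM mongo1.example.com) || status=1
rm -f "$cfg"
echo "overall status: $status"
```

The ASCII check is worth keeping even after the first successful run: a later edit that pastes a hostname or comment containing a non-ASCII character into the config file would make the --config option stop working. If you prefer to override the file's values instead of editing it, add --setParameter saslHostName=... or --setParameter saslServiceName=... to the server-mode arguments; those take precedence over the configuration file.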
mongokerberos
--server
Runs mongokerberos in server mode to test that your platform's Kerberos configuration is valid for use with MongoDB.
See Server Mode for example usage and expected output.
--client
Runs mongokerberos in client mode to test client authentication against your system's Kerberos environment. Requires specifying a valid username with --username when running in client mode. mongokerberos will request a Kerberos ticket for this username as part of the validation procedure. Running mongokerberos in client mode simulates the client authentication procedure of the mongo shell.
See Client Mode for example usage and expected output.
--config <filename>, -f <filename>
Specifies a configuration file for runtime configuration options. The options are equivalent to the command-line configuration options. See Configuration File Options for more information.
mongokerberos will read the values for saslHostName and saslServiceName from this file if present. These values can alternatively be specified with the --setParameter option instead.
Ensure the configuration file uses ASCII encoding. mongokerberos does not support configuration files with non-ASCII encoding, including UTF-8.
Only valid in server mode.
--setParameter <options>
Sets a configurable parameter. You can specify multiple setParameter fields.
While you can use any supported parameters with setParameter, mongokerberos only checks the values of the following:
If using the --config option with a configuration file that also contains these values, the setParameter values override the values from the configuration file.
Valid in both server mode and client mode.
--host <hostname>
Specifies the hostname of the MongoDB server to connect to when testing authentication.
If --host is not specified, mongokerberos does not perform any DNS validation of the server hostname (that is, PTR record verification is skipped).
Only valid in client mode.
--username <username>, -u <username>
Username for mongokerberos to use when attempting Kerberos authentication. This value is required when running in client mode.
Only valid in client mode.
--gssapiServiceName <servicename>
Default: 'mongodb'
Service principal name to use when authenticating using GSSAPI/Kerberos.
Only valid in client mode.
--gssapiHostName <hostname>
Remote hostname to use for the purpose of GSSAPI/Kerberos authentication.
Only valid in client mode.