|
1 |
| -.. uses authentication.rst |
| 1 | +.. _pymongo-enterprise-auth: |
2 | 2 |
|
3 |
| -Enterprise Authentication |
4 |
| -========================= |
| 3 | +Enterprise Authentication Mechanisms |
| 4 | +==================================== |
| 5 | + |
| 6 | +.. contents:: On this page |
| 7 | + :local: |
| 8 | + :backlinks: none |
| 9 | + :depth: 2 |
| 10 | + :class: singlecol |
| 11 | + |
| 12 | +.. facet:: |
| 13 | + :name: genre |
| 14 | + :values: reference |
| 15 | + |
| 16 | +.. meta:: |
| 17 | + :keywords: ldap, encryption, principal, tls |
| 18 | + |
| 19 | +In this guide, you can learn how to authenticate with MongoDB by using the authentication |
| 20 | +mechanisms available only in the MongoDB Enterprise Edition. |
5 | 21 |
|
6 | 22 | .. _gssapi:
|
7 | 23 |
|
8 | 24 | GSSAPI (Kerberos)
|
9 | 25 | -----------------
|
10 |
| -.. versionadded:: 2.5 |
11 | 26 |
|
12 |
| -GSSAPI (Kerberos) authentication is available in the Enterprise Edition of |
13 |
| -MongoDB. |
| 27 | +The Generic Security Services API (GSSAPI) provides an interface for Kerberos |
| 28 | +authentication. |
14 | 29 |
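Review bot: Dropping the ``.. versionadded:: 2.5`` directive here (and the ``3.3`` and ``2.6`` ones for SSPI and PLAIN further down) removes the only statement of the minimum driver version for each mechanism, and the new intro text does not carry that information anywhere. Either keep the ``versionadded`` directives under the new headings or state the minimum versions in the intro paragraph, so readers on older PyMongo releases still learn which mechanisms they can use.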
|
15 | 30 | Unix
|
16 | 31 | ~~~~
|
17 | 32 |
|
18 |
| -To authenticate using GSSAPI you must first install the python `kerberos`_ or |
19 |
| -`pykerberos`_ module using easy_install or pip. Make sure you run kinit before |
20 |
| -using the following authentication methods: |
| 33 | +To use GSSAPI to authenticate, you must first use pip or easy_install to install the Python |
| 34 | +`kerberos <http://pypi.python.org/pypi/kerberos>`__ or |
| 35 | +`pykerberos <https://pypi.python.org/pypi/pykerberos>`__ module. |
21 | 36 |
|
22 |
| -.. code-block:: python |
| 37 | +After installing the module, run the ``kinit`` command, as shown in the following example. |
| 38 | +``kinit`` obtains and caches an initial ticket-granting ticket. |
23 | 39 |
|
24 |
| - |
25 |
| - |
26 |
| - $ klist |
27 |
| - Credentials cache: FILE:/tmp/krb5cc_1000 |
28 |
| - |
| 40 | +.. _kerberos: |
29 | 41 |
|
30 |
| - Issued Expires Principal |
31 |
| - Feb 9 13:48:51 2013 Feb 9 23:48:51 2013 krbtgt/ [email protected] |
| 42 | +.. code-block:: none |
32 | 43 |
|
33 |
| -Now authenticate using the MongoDB URI. GSSAPI authenticates against the |
34 |
| -$external virtual database so you do not have to specify a database in the |
35 |
| -URI: |
| 44 | + |
| 45 | + |
| 46 | + $ klist |
| 47 | + Credentials cache: FILE:/tmp/krb5cc_1000 |
| 48 | + |
| 49 | + |
| 50 | + Issued Expires Principal |
| 51 | + Feb 9 13:48:51 2013 Feb 9 23:48:51 2013 krbtgt/ [email protected] |
| 52 | + |
| 53 | +After obtaining a ticket-granting ticket, call the ``MongoClient`` constructor, passing |
| 54 | +the MongoDB URI as an argument. The URI must contain the URL-encoded Kerberos principal |
| 55 | +and the ``authMechanism=GSSAPI`` as a parameter. |
36 | 56 |
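Review bot: The prose says "run the ``kinit`` command, as shown in the following example", but the block that follows shows ``$ klist`` and its cached-credentials output, not a ``kinit`` invocation. Either add the ``kinit`` line above the ``klist`` output or reword to "run ``kinit``, then verify the cached ticket with ``klist`` as shown". Separately, the bare ``.. _kerberos:`` label is now attached to that ``klist`` listing rather than to the section, so any existing ``:ref:`kerberos``` will land on a code block; the removed ``.. _kerberos: http://pypi.python.org/pypi/kerberos`` was a link target, not a section label, so if the label is meant to replace it, point it at the GSSAPI heading instead.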
|
37 | 57 | .. code-block:: python
|
38 | 58 |
|
|
42 | 62 | >>> client = MongoClient(uri)
|
43 | 63 | >>>
|
44 | 64 |
|
45 |
| -The default service name used by MongoDB and PyMongo is ``mongodb``. You can |
46 |
| -specify a custom service name with the ``authMechanismProperties`` option: |
| 65 | +.. note:: |
| 66 | + |
| 67 | + You don't need to include a database in the MongoDB URI. GSSAPI authenticates against |
| 68 | + the ``$external`` virtual database. |
| 69 | + |
| 70 | +By default, MongoDB uses ``mongodb`` as the authentication service name. To specify a |
| 71 | +different service name, add the ``authMechanismProperties`` parameter to your MongoDB |
| 72 | +URI, as shown in the following example: |
47 | 73 |
|
48 | 74 | .. code-block:: python
|
| 75 | + :emphasize-lines: 2 |
49 | 76 |
|
50 |
| - >>> from pymongo import MongoClient |
51 |
| - >>> uri = "mongodb://mongodbuser% [email protected]/?authMechanism=GSSAPI&authMechanismProperties=SERVICE_NAME:myservicename" |
52 |
| - >>> client = MongoClient(uri) |
| 77 | + >>> from pymongo import MongoClient |
| 78 | + >>> uri = "mongodb://mongodbuser% [email protected]/?authMechanism=GSSAPI&authMechanismProperties=SERVICE_NAME:myservicename" |
| 79 | + >>> client = MongoClient(uri) |
53 | 80 |
|
54 | 81 | Windows (SSPI)
|
55 | 82 | ~~~~~~~~~~~~~~
|
56 |
| -.. versionadded:: 3.3 |
57 | 83 |
|
58 |
| -First install the `winkerberos`_ module. Unlike authentication on Unix kinit is |
59 |
| -not used. If the user to authenticate is different from the user that owns the |
60 |
| -application process provide a password to authenticate: |
| 84 | +First, install the `winkerberos <https://pypi.python.org/pypi/winkerberos/>`__ module. |
| 85 | +You can then call the ``MongoClient()`` constructor, passing in your MongoDB URI. The |
| 86 | +URI must include the principal name and ``authMechanism=GSSAPI`` parameter. |
| 87 | +If the user to authenticate is different from the user that owns the |
| 88 | +application process, you must also provide the authenticating user's password. |
61 | 89 |
|
62 | 90 | .. code-block:: python
|
63 | 91 |
|
64 |
| - >>> uri = "mongodb://mongodbuser%40EXAMPLE.COM: [email protected]/?authMechanism=GSSAPI" |
| 92 | + >>> uri = "mongodb://mongodbuser%40EXAMPLE.COM: [email protected]/?authMechanism=GSSAPI" |
65 | 93 |
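Review bot: The rewrite drops the sentence "Unlike authentication on Unix kinit is not used", which is the one behavioural difference a Windows reader needs after being told to run ``kinit`` in the Unix section. Keep a short sentence to that effect before the password note, for example "Unlike on Unix, you do not run ``kinit``; SSPI uses the credentials of the account that owns the process unless you supply a password."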
|
66 |
| -Two extra ``authMechanismProperties`` are supported on Windows platforms: |
| 94 | +Two more ``authMechanismProperties`` are supported on Windows platforms: |
67 | 95 |
|
68 |
| -- CANONICALIZE_HOST_NAME - Uses the fully qualified domain name (FQDN) of the |
69 |
| - MongoDB host for the server principal (GSSAPI libraries on Unix do this by |
70 |
| - default): |
| 96 | +- **CANONICALIZE_HOST_NAME**: whether to use the fully qualified domain name (FQDN) of the |
| 97 | + MongoDB host for the server principal. (GSSAPI libraries on Unix do this by |
| 98 | + default). |
71 | 99 |
|
72 | 100 | .. code-block:: python
|
73 | 101 |
|
74 |
| - >>> uri = "mongodb://mongodbuser% [email protected]/?authMechanism=GSSAPI&authMechanismProperties=CANONICALIZE_HOST_NAME:true" |
| 102 | + >>> uri = "mongodb://mongodbuser% [email protected]/?authMechanism=GSSAPI&authMechanismProperties=CANONICALIZE_HOST_NAME:true" |
75 | 103 |
|
76 |
| -- SERVICE_REALM - This is used when the user's realm is different from the service's realm: |
| 104 | +- **SERVICE_REALM**: specifies the realm of the service. Use this option when the user's |
| 105 | + realm is different from the service's realm. |
77 | 106 |
|
78 | 107 | .. code-block:: python
|
79 | 108 |
|
80 |
| - >>> uri = "mongodb://mongodbuser% [email protected]/?authMechanism=GSSAPI&authMechanismProperties=SERVICE_REALM:otherrealm" |
81 |
| - |
82 |
| - |
83 |
| -.. _kerberos: http://pypi.python.org/pypi/kerberos |
84 |
| -.. _pykerberos: https://pypi.python.org/pypi/pykerberos |
85 |
| -.. _winkerberos: https://pypi.python.org/pypi/winkerberos/ |
| 109 | + >>> uri = "mongodb://mongodbuser% [email protected]/?authMechanism=GSSAPI&authMechanismProperties=SERVICE_REALM:otherrealm" |
86 | 110 |
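Review bot: Style: the CANONICALIZE_HOST_NAME bullet now reads "for the server principal. (GSSAPI libraries on Unix do this by default)." which ends with a stray period after the closing parenthesis; either move the period inside the parenthesis or join the parenthetical to the preceding sentence. Also confirm that no other page links to the removed ``_kerberos``, ``_pykerberos`` and ``_winkerberos`` targets now that they are inline links, since an unresolved target fails the Sphinx build.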
|
87 | 111 | .. _sasl_plain:
|
88 | 112 |
|
89 | 113 | SASL PLAIN (RFC 4616)
|
90 | 114 | ---------------------
|
91 |
| -.. versionadded:: 2.6 |
92 | 115 |
|
93 |
| -MongoDB Enterprise Edition version 2.6 and newer support the SASL PLAIN |
94 |
| -authentication mechanism, initially intended for delegating authentication |
95 |
| -to an LDAP server. Using the PLAIN mechanism is very similar to MONGODB-CR. |
96 |
| -These examples use the $external virtual database for LDAP support: |
| 116 | +To authenticate with the PLAIN Simple Authentication and Security Layer (SASL), include |
| 117 | +``authMechanism=PLAIN`` as a parameter in your MongoDB URI: |
97 | 118 |
|
98 | 119 | .. code-block:: python
|
99 | 120 |
|
100 | 121 | >>> from pymongo import MongoClient
|
101 | 122 | >>> uri = "mongodb://user: [email protected]/?authMechanism=PLAIN"
|
102 | 123 | >>> client = MongoClient(uri)
|
103 |
| - >>> |
104 | 124 |
|
105 |
| -SASL PLAIN is a clear-text authentication mechanism. We **strongly** recommend |
106 |
| -that you connect to MongoDB using TLS/SSL with certificate validation when |
107 |
| -using the SASL PLAIN mechanism: |
| 125 | +SASL PLAIN is a clear-text authentication mechanism. We strongly recommend |
| 126 | +that you use TLS/SSL with certificate validation when using the SASL PLAIN mechanism |
| 127 | +to connect to MongoDB. The following example shows how to enable TLS and certificate |
| 128 | +validation when you construct a ``MongoClient`` object: |
108 | 129 |
|
109 | 130 | .. code-block:: python
|
110 | 131 |
|
111 |
| - >>> from pymongo import MongoClient |
112 |
| - >>> uri = "mongodb://user: [email protected]/?authMechanism=PLAIN" |
113 |
| - >>> client = MongoClient(uri, |
114 |
| - ... tls=True, |
115 |
| - ... tlsCertificateKeyFile='/path/to/client.pem', |
116 |
| - ... tlsCAFile='/path/to/ca.pem') |
117 |
| - >>> |
| 132 | + >>> from pymongo import MongoClient |
| 133 | + >>> uri = "mongodb://user: [email protected]/?authMechanism=PLAIN" |
| 134 | + >>> client = MongoClient(uri, |
| 135 | + ... tls=True, |
| 136 | + ... tlsCertificateKeyFile='/path/to/client.pem', |
| 137 | + ... tlsCAFile='/path/to/ca.pem') |
| 138 | + |
| 139 | +.. note:: |
| 140 | + |
| 141 | + The code examples in this section use the ``$external`` virtual database for LDAP support. |
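Review bot: The rewritten intro loses the old statement that PLAIN exists mainly for delegating authentication to an LDAP server, and the ``$external``/LDAP note now appears only after both examples, while the example URIs show no database at all; move the note above the first example and restore the one-line purpose so the reader knows why the database is ``$external``. Also, since the section itself states PLAIN is a clear-text mechanism, showing a bare ``authMechanism=PLAIN`` connection first and the TLS variant second invites copy-pasting the insecure one; consider presenting only the TLS example, or labelling the first as incomplete without ``tls=True``.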