Authentication
Authentication is the process of verifying the identity of a client. When access control, i.e. authorization, is enabled, MongoDB requires all clients to authenticate themselves in order to determine their access.
Although authentication and authorization are closely connected, authentication is distinct from authorization. Authentication verifies the identity of a user; authorization determines the verified user’s access to resources and operations.
Authentication Methods
To authenticate as a user, you must provide a username, password, and the authentication database associated with that user.
To authenticate using the mongo shell, either:
- Use the mongo command-line authentication options (--username, --password, and --authenticationDatabase) when connecting to the mongod or mongos instance, or
- Connect first to the mongod or mongos instance, and then run the authenticate command or the db.auth() method against the authentication database.
Important
Authenticating multiple times as different users does not drop the credentials of previously-authenticated users. This may lead to a connection having more permissions than intended by the user, and causes operations within a logical session to raise an error.
For examples of authenticating using a MongoDB driver, see the driver documentation.
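One way to check a connection for the accumulated credentials described in the Important note above (an added example, not taken from the MongoDB documentation): the function audits the reply of the connectionStatus command, which lists every user and role authenticated on the current connection. The shape of the `intended` argument, the user names, and the sample reply are constructed for illustration.

```javascript
// Audit a connectionStatus reply for credentials beyond the intended user.
// In the mongo shell the reply comes from: db.runCommand({ connectionStatus: 1 })

// Build a "name@db" key so users and roles can be compared across databases.
function key(entry, nameField) {
  return entry[nameField] + "@" + entry.db;
}

// intended: { user, db, roles: [{ role, db }] } describes what the operator
// expects this connection to hold (hypothetical shape chosen for this example).
function auditConnection(status, intended) {
  const info = (status && status.authInfo) || {};
  const users = info.authenticatedUsers || [];
  const roles = info.authenticatedUserRoles || [];

  const intendedUser = key(intended, "user");
  const allowedRoles = new Set(intended.roles.map((r) => key(r, "role")));

  const userKeys = users.map((u) => key(u, "user"));
  const extraUsers = userKeys.filter((u) => u !== intendedUser);
  const extraRoles = roles
    .map((r) => key(r, "role"))
    .filter((r) => !allowedRoles.has(r));

  return {
    authenticated: users.length > 0,
    intendedUserPresent: userKeys.includes(intendedUser),
    extraUsers,   // identities left over from earlier authenticate calls
    extraRoles,   // permissions the connection holds beyond the intended set
    ok: userKeys.length === 1 && extraUsers.length === 0 && extraRoles.length === 0,
  };
}

// Constructed sample: a second authentication was run on the same connection.
const SAMPLE_STATUS = {
  authInfo: {
    authenticatedUsers: [
      { user: "reporting", db: "sales" },
      { user: "siteAdmin", db: "admin" },
    ],
    authenticatedUserRoles: [
      { role: "read", db: "sales" },
      { role: "userAdminAnyDatabase", db: "admin" },
    ],
  },
  ok: 1,
};
const INTENDED = { user: "reporting", db: "sales", roles: [{ role: "read", db: "sales" }] };

console.log(auditConnection(SAMPLE_STATUS, INTENDED));
```

A result with `ok: false` and a non-empty `extraUsers` list indicates the connection should be closed and reopened with a single set of credentials.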
Authentication Mechanisms
MongoDB supports a number of authentication mechanisms that clients can use to verify their identity. These mechanisms allow MongoDB to integrate into your existing authentication system.
MongoDB supports multiple authentication mechanisms:
- SCRAM (Default)
- MongoDB Challenge and Response (MONGODB-CR) (Deprecated as of MongoDB 3.6)
- x.509 Certificate Authentication
In addition to supporting the aforementioned mechanisms, MongoDB Enterprise also supports the following mechanisms:
Internal Authentication
In addition to verifying the identity of a client, MongoDB can require members of replica sets and sharded clusters to authenticate their membership to their respective replica set or sharded cluster. See Internal Authentication for more information.
Authentication on Sharded Clusters
In sharded clusters, clients generally authenticate directly to the mongos instances. However, some maintenance operations may require authenticating directly to a specific shard. For more information on authentication and sharded clusters, see Sharded Cluster Users.