Authentication
Authentication is the process of verifying the identity of a client. When access control, i.e. authorization, is enabled, MongoDB requires all clients to authenticate themselves in order to determine their access.
Although authentication and authorization are closely connected, authentication is distinct from authorization. Authentication verifies the identity of a user; authorization determines the verified user's access to resources and operations.
Authentication Methods
To authenticate as a user, you must provide a username, password, and the authentication database associated with that user.
To authenticate using the mongo shell, either:
- Use the mongo command-line authentication options (--username, --password, and --authenticationDatabase) when connecting to the mongod or mongos instance, or
- Connect first to the mongod or mongos instance, and then run the authenticate command or the db.auth() method against the authentication database.
Important
Authenticating multiple times as different users does not drop the credentials of previously-authenticated users. This may lead to a connection having more permissions than intended by the user, and causes operations within a logical session to raise an error.
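The check below is an added example, not code from the MongoDB documentation: it reads the connectionStatus command to see which users a connection is authenticated as, and logs each of them out before authenticating, so the connection ends up holding a single identity. The helper names and the fakeDb stand-in (constructed so the code runs outside a shell) are assumptions.

```javascript
// Added example for the mongo shell, where `db` is a database handle.
// authenticatedUsers, authAs and fakeDb are hypothetical helper names.

// List the identities this connection currently holds, as "user@db".
function authenticatedUsers(db) {
  const status = db.runCommand({ connectionStatus: 1 });
  return status.authInfo.authenticatedUsers.map(u => u.user + "@" + u.db);
}

// Authenticate as exactly one user: drop every credential the connection
// already holds, then authenticate against the authentication database.
function authAs(db, authDbName, username, password) {
  const status = db.runCommand({ connectionStatus: 1 });
  for (const u of status.authInfo.authenticatedUsers) {
    db.getSiblingDB(u.db).logout(); // logout applies per authentication database
  }
  if (!db.getSiblingDB(authDbName).auth(username, password)) {
    throw new Error("authentication failed for " + username + "@" + authDbName);
  }
  return authenticatedUsers(db);
}

// Constructed stand-in for the shell's `db` so the logic runs offline.
// Assumption: auth() adds a credential and never removes earlier ones,
// which is the behaviour the note above describes.
function fakeDb(users, name = "test", session = []) {
  return {
    getSiblingDB: n => fakeDb(users, n, session),
    runCommand: () => ({ ok: 1, authInfo: { authenticatedUsers: session.slice() } }),
    auth: (user, pwd) => {
      if (users[user + "@" + name] !== pwd) return 0;
      session.push({ user: user, db: name });
      return 1;
    },
    logout: () => {
      for (let i = session.length - 1; i >= 0; i--) {
        if (session[i].db === name) session.splice(i, 1);
      }
      return { ok: 1 };
    },
  };
}
```

In a live shell, pass the shell's own db object to authAs in place of the fakeDb stand-in.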
For examples of authenticating using a MongoDB driver, see the driver documentation.
Authentication Mechanisms
MongoDB supports a number of authentication mechanisms that clients can use to verify their identity. These mechanisms allow MongoDB to integrate into your existing authentication system.
MongoDB supports multiple authentication mechanisms:
- SCRAM (Default)
- x.509 Certificate Authentication.
In addition to supporting the aforementioned mechanisms, MongoDB Enterprise also supports the following mechanisms:
Internal Authentication
In addition to verifying the identity of a client, MongoDB can require members of replica sets and sharded clusters to authenticate their membership to their respective replica set or sharded cluster. See Internal/Membership Authentication for more information.
Authentication on Sharded Clusters
In sharded clusters, clients generally authenticate directly to the mongos instances. However, some maintenance operations may require authenticating directly to a specific shard. For more information on authentication and sharded clusters, see Sharded Cluster Users.