SCRAM

NOTE

Starting in version 4.0, MongoDB removes support for the deprecated MongoDB Challenge-Response (MONGODB-CR) authentication mechanism.

If your deployment has user credentials stored in MONGODB-CR schema, you must upgrade to SCRAM before you upgrade to version 4.0. For information on upgrading to SCRAM, see Upgrade to SCRAM.

Salted Challenge Response Authentication Mechanism (SCRAM) is the default authentication mechanism for MongoDB. SCRAM is based on the IETF RFC 5802 standard that defines best practices for implementation of challenge-response mechanisms for authenticating users with passwords.

Using SCRAM, MongoDB verifies the supplied user credentials against the user’s name, password and authentication database. The authentication database is the database where the user was created, and together with the user’s name, serves to identify the user.

Features

MongoDB’s implementation of SCRAM provides:

  • A tunable work factor (i.e. the iteration count),

  • Per-user random salts, and

  • Authentication of the server to the client as well as the client to the server.
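The three properties listed above, traced through the RFC 5802 computation with SHA-256, as an added example (not MongoDB's code and not part of the original page). The user name appUser, the password, salt and iteration count are constructed values, and SASLprep normalization of the password is skipped.

```python
import base64, hashlib, hmac, os

def hmac256(key, msg):
    return hmac.new(key, msg, hashlib.sha256).digest()

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def make_credential(password, salt, iterations):
    """Per-user record the server stores: salt, work factor, two derived keys."""
    salted = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"salt": salt, "iterations": iterations,
            "stored_key": hashlib.sha256(hmac256(salted, b"Client Key")).digest(),
            "server_key": hmac256(salted, b"Server Key")}

def client_proof(password, salt, iterations, auth_message):
    """Client side: returns (ClientProof, the ServerSignature it expects back)."""
    salted = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    client_key = hmac256(salted, b"Client Key")
    stored_key = hashlib.sha256(client_key).digest()
    proof = xor(client_key, hmac256(stored_key, auth_message))
    return proof, hmac256(hmac256(salted, b"Server Key"), auth_message)

def server_verify(cred, auth_message, proof):
    """Server side: returns ServerSignature if the proof is valid, else None."""
    client_key = xor(proof, hmac256(cred["stored_key"], auth_message))
    recomputed = hashlib.sha256(client_key).digest()
    if not hmac.compare_digest(recomputed, cred["stored_key"]):
        return None
    return hmac256(cred["server_key"], auth_message)

def run_exchange(cred, password):
    """One constructed exchange; True only if both sides authenticate."""
    c_nonce = base64.b64encode(os.urandom(18)).decode()
    s_nonce = c_nonce + base64.b64encode(os.urandom(18)).decode()
    salt_b64 = base64.b64encode(cred["salt"]).decode()
    first_bare = f"n=appUser,r={c_nonce}"          # constructed user name
    server_first = f"r={s_nonce},s={salt_b64},i={cred['iterations']}"
    auth_message = f"{first_bare},{server_first},c=biws,r={s_nonce}".encode()
    proof, expected_sig = client_proof(
        password, cred["salt"], cred["iterations"], auth_message)
    server_sig = server_verify(cred, auth_message, proof)
    # The client accepts the server only if the signature matches its own.
    return server_sig is not None and hmac.compare_digest(server_sig, expected_sig)
```

The server record holds only the salt, the iteration count and two derived keys, and a server that lacks the correct ServerKey cannot produce the signature the client checks for.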

SCRAM Mechanisms

MongoDB supports the following SCRAM mechanisms:

| SCRAM Mechanism | Description |
| --- | --- |
| SCRAM-SHA-1 | Uses the SHA-1 hashing function. To modify the iteration count for SCRAM-SHA-1, see scramIterationCount. |
| SCRAM-SHA-256 | Uses the SHA-256 hashing function and requires featureCompatibilityVersion (fcv) set to 4.0. To modify the iteration count for SCRAM-SHA-256, see scramSHA256IterationCount. New in version 4.0. |

When creating or updating a SCRAM user, you can indicate the specific SCRAM mechanism as well as indicate whether the server or the client digests the password. When using SCRAM-SHA-256, MongoDB requires server-side password hashing, i.e. the server digests the password. For details, see db.createUser() and db.updateUser().

Driver Support

To use SCRAM, you must upgrade your driver if your current driver version does not support SCRAM.

The minimum driver versions that support SCRAM are:

Additional Information

Original English source: https://docs.mongodb.com/v4.2/core/security-scram/

Translator: 管祥青