diff --git a/snooty.toml b/snooty.toml index ae8757e1..18142a98 100644 --- a/snooty.toml +++ b/snooty.toml @@ -4,7 +4,8 @@ toc_landing_pages = [ "/get-started", "/connect", "/write", - "/indexes" + "/indexes", + "/security/authentication" ] intersphinx = ["https://www.mongodb.com/docs/manual/objects.inv"] diff --git a/source/includes/authentication/aws-iam.rb b/source/includes/authentication/aws-iam.rb new file mode 100644 index 00000000..b79752c3 --- /dev/null +++ b/source/includes/authentication/aws-iam.rb @@ -0,0 +1,43 @@ +require 'bundler/inline' +gemfile do + source 'https://rubygems.org' + gem 'mongo' +end + +# start-aws +client = Mongo::Client.new([''], + auth_mech: :aws, + user: '', + password: '') +# end-aws + +# start-aws-connection-string +client = Mongo::Client.new( + 'mongodb://:@host/?authMechanism=MONGODB-AWS') +# end-aws-connection-string + +# start-aws-temp +client = Mongo::Client.new([''], + auth_mech: :aws, + user: '', + password: '', + auth_mech_properties: { + aws_session_token: '<>', + }) +# end-aws-temp + +# start-aws-temp-connection-string +client = Mongo::Client.new( + 'mongodb://:@host/?authMechanism=MONGODB-AWS&authMechanismProperties=AWS_SESSION_TOKEN:<>') +# end-aws-temp-connection-string + +# start-aws-automatic-retrieval +client = Mongo::Client.new([''], + auth_mech: :aws) +) +# end-aws-automatic-retrieval + +# start-aws-automatic-retrieval-connection-string +client = Mongo::Client.new( + 'mongodb://host/?authMechanism=MONGODB-AWS') +# end-aws-automatic-retrieval-connection-string \ No newline at end of file diff --git a/source/index.txt b/source/index.txt index 07a4fd70..c786ae4c 100644 --- a/source/index.txt +++ b/source/index.txt @@ -18,6 +18,7 @@ Read Data Operations on Replica Sets Indexes + Security Data Formats View the Source API Documentation <{+api-root+}> diff --git a/source/security.txt b/source/security.txt new file mode 100644 index 00000000..427d52cd --- /dev/null +++ b/source/security.txt @@ -0,0 +1,23 @@ +.. _ruby-security: + +======== +Security +======== + +.. contents:: On this page + :local: + :backlinks: none + :depth: 2 + :class: singlecol + +.. facet:: + :name: genre + :values: reference + +.. meta:: + :keywords: community, security + +.. toctree:: + :titlesonly: + + Authentication \ No newline at end of file diff --git a/source/security/auth-mechanisms/aws-iam.txt b/source/security/auth-mechanisms/aws-iam.txt new file mode 100644 index 00000000..48fc4597 --- /dev/null +++ b/source/security/auth-mechanisms/aws-iam.txt @@ -0,0 +1,236 @@ +.. _ruby-authentication-aws: + +================================== +AWS Identity and Access Management +================================== + +.. contents:: On this page + :local: + :backlinks: none + :depth: 3 + :class: singlecol + +.. facet:: + :name: genre + :values: reference + +.. meta:: + :keywords: amazon web services, code example + +Overview +-------- + +.. note:: + + AWS authentication is available only in the MongoDB Enterprise Edition for MongoDB 4.4 + and later. + +The AWS authentication mechanism uses AWS `Identity and Access Management (IAM) +`_ +and AWS `Security Token Service (STS) +`_ +to prove the client's identity to a MongoDB deployment. The following steps describe the +AWS authentication process: + +1. The client uses AWS IAM credentials to create a signature that is sent to + the MongoDB deployment. +2. The deployment uses the client's signature to send a request to AWS STS. +3. If the request succeeds, STS returns the Amazon Resource Name (ARN) of + the IAM user or role that corresponds to the client's credentials. +4. The deployment uses the returned ARN to look up the user. The + client is authenticated as this user. + +.. note:: + + The client and server use different usernames. The client uses the AWS access key ID, + but the server uses the ARN of the IAM user or role corresponding to the access key ID. + +AWS credentials include the following components: + +- Access key ID +- Secret access key +- Optional session token + +Authentication with `AWS IAM credentials +`__ +uses the access key ID and the secret access key. Authentication with +`temporary AWS IAM credentials +`__ +uses all three components. + +.. note:: + + The driver never sends the secret access key or the session token over + the network. + +Temporary credentials are used with: + +- STS `Assume Role `__ + requests. +- `EC2 instance roles `__. +- `ECS task roles `__. +- `AWS Lambda environment `__. +- `IAM roles for service accounts `__. + +Code Placeholders +~~~~~~~~~~~~~~~~~ + +The code examples on this page use the following placeholders: + +- ````: The network address of your MongoDB deployment +- ````: The AWS access key ID +- ````: The AWS secret access key +- ````: The AWS session token + +Using AWS IAM Authentication in Your Application +------------------------------------------------ + +The following sections describe how to use the AWS IAM authentication mechanism in your +application. + +Providing Credentials Explicitly +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +You can provide regular (non-temporary) IAM credentials as client options or by using a URI. +Select the :guilabel:`Connection String` or :guilabel:`Client Options` tab to +see the corresponding syntax: + +.. tabs:: + + .. tab:: Connection String + :tabid: default-connection-string + + .. literalinclude:: /includes/authentication/aws-iam.rb + :start-after: start-aws-connection-string + :end-before: end-aws-connection-string + :language: ruby + :copyable: + :dedent: + + .. tab:: Client Options + :tabid: default-mongo-credential + + .. literalinclude:: /includes/authentication/aws-iam.rb + :start-after: start-aws + :end-before: end-aws + :language: ruby + :copyable: + :dedent: + +.. note:: + + If you provide credentials in a URI, you must percent-encode them. + +Providing Temporary Credentials +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +To provide temporary credentials, specify the session token in the +client options or by using a URI. Select the :guilabel:`Connection String` +or :guilabel:`Client Options` tab to see the corresponding syntax: + +.. tabs:: + + .. tab:: Connection String + :tabid: default-connection-string + + .. literalinclude:: /includes/authentication/aws-iam.rb + :start-after: start-aws-temp-connection-string + :end-before: end-aws-temp-connection-string + :language: ruby + :copyable: + :dedent: + + .. tab:: Client Options + :tabid: default-mongo-credential + + .. literalinclude:: /includes/authentication/aws-iam.rb + :start-after: start-aws-temp + :end-before: end-aws-temp + :language: ruby + :copyable: + :dedent: + +Automatically Retrieving Credentials +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +The client can retrieve credentials from the environment or from EC2 or ECS +metadata endpoints. To retrieve credentials automatically, specify the +AWS authentication mechanism but do not specify a username or a password. Select the +:guilabel:`Connection String` or :guilabel:`Client Options` tab to see the corresponding syntax: + +.. tabs:: + + .. tab:: Connection String + :tabid: default-connection-string + + .. literalinclude:: /includes/authentication/aws-iam.rb + :start-after: start-aws-automatic-retrieval-connection-string + :end-before: end-aws-automatic-retrieval-connection-string + :language: ruby + :copyable: + :dedent: + + .. tab:: Client Options + :tabid: default-mongo-credential + + .. literalinclude:: /includes/authentication/aws-iam.rb + :start-after: start-aws-automatic-retrieval + :end-before: end-aws-automatic-retrieval + :language: ruby + :copyable: + :dedent: + +The driver tries to obtain credentials from the following sources, in +the specified order: + +- ``AWS_ACCESS_KEY_ID``, ``AWS_SECRET_ACCESS_KEY`` and ``AWS_SESSION_TOKEN`` + environment variables. These environment variables are recognized by + a variety of AWS-related libraries and tools, such as the official + AWS Ruby SDK and the AWS CLI. They are also defined when running in an + AWS Lambda environment. +- AWS STS `AssumeRoleWithWebIdentity action + `__. + This mechanism returns credentials associated with the service account token, and + requires the following environment variables to be set: + + - ``AWS_WEB_IDENTITY_TOKEN_FILE``: Path to a file containing the service + account token. + - ``AWS_ROLE_ARN``: The Amazon Resource Name (ARN) of the role that the + caller is assuming. + - ``AWS_ROLE_SESSION_NAME`` (optional): Identifier for the assumed role + session. If this variable is empty, the driver generates a random identifier. + +- The AWS `ECS task metadata + `__ endpoint. + This endpoint returns credentials associated with the ECS task role assigned to + the container. +- The AWS `EC2 instance metadata + `__ endpoint. + This endpoint returns credentials associated with the EC2 instance role assigned to + the instance. + +.. important:: + + A credentials source must provide a complete + set of credentials. For example, if your application uses the ``AWS_ACCESS_KEY_ID`` + and ``AWS_SECRET_ACCESS_KEY`` environment variables, the driver raises an error if only + one of these variables has a value. + +.. note:: + + If an application runs in an ECS container on an EC2 instance and + the container is allowed access to the instance metadata, + the driver attempts to retrieve AWS credentials from the EC2 instance metadata endpoint. + If the driver retrieves credentials in this way, your application can authenticate as the IAM + role assigned to the EC2 instance. + + To learn how to prevent containers from accessing EC2 instance metadata, + see the `AWS documentation `__. + +API Documentation +----------------- + +To learn more about any of the methods or types discussed on this +page, see the following API documentation: + +- `Mongo::Client <{+api-root+}/Mongo/Client.html>`__ diff --git a/source/security/auth-mechanisms/kerberos.txt b/source/security/auth-mechanisms/kerberos.txt new file mode 100644 index 00000000..1c1ace92 --- /dev/null +++ b/source/security/auth-mechanisms/kerberos.txt @@ -0,0 +1,136 @@ +.. _ruby-authentication-kerberos: + +================= +Kerberos (GSSAPI) +================= + +.. contents:: On this page + :local: + :backlinks: none + :depth: 2 + :class: singlecol + +.. facet:: + :name: genre + :values: reference + +.. meta:: + :keywords: code example + +Overview +-------- + +The Generic Security Services API (GSSAPI) authentication mechanism allows you to +use your principal name to authenticate to a Kerberos service. +You can use this mechanism only when authenticating to MongoDB Enterprise Advanced. + +Code Placeholders +~~~~~~~~~~~~~~~~~ + +The code examples on this page use the following placeholders: + +- ````: LDAP username. +- ````: Network address of your MongoDB deployment. +- ````: Port number of your MongoDB deployment. If you omit this parameter, + the driver uses the default port number (``27017``). Specifying a port number is optional + when connecting to a MongoDB Atlas cluster. +- ````: MongoDB database that contains the user's LDAP credentials. + If you omit this parameter, the driver uses the default database (``admin``). + +To use the code examples on this page, replace these placeholders with your own values. + +Using GSSAPI Authentication in Your Application +----------------------------------------------- + +To configure {+mdb-server+} to use Kerberos, see the +:manual:`{+mdb-server+} Kerberos documentation +`. + +To use the Kerberos authentication mechanism with the {+driver-short+}, +you must install and load the `mongo_kerberos `__ +library. To do so, add the following lines to your ``Gemfile``: + +.. code-block:: ruby + + gem 'mongo', '~> 2' + gem 'mongo_kerberos', '~> 2' + +Then, add the following lines to your application code: + +.. code-block:: ruby + + require 'mongo' + require 'mongo_kerberos' + +.. note:: + + When using Kerberos authentication, you must specify the fully qualified domain name + (FQDN) of the host. + +The following sections describe how to use Kerberos authentication with Ruby MRI and +JRuby. + +Using Kerberos Authentication with Ruby MRI +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +If you're using Kerberos authentication with **Ruby MRI**, you must perform the following +steps: + +- Establish a Kerberos session on the driver. The driver uses this session to prove the user's identity to + the server. + +- You must ensure that the host system is + configured for Kerberos authentication. To learn more about configuring the host system + to use Kerberos, see the `Kerberos documentation `__ + or your operating system documentation for details. + +Use the `kinit utility `__ +to establish a Kerberos session. + +Using Kerberos Authentication with JRuby +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +If you're using Kerberos authentication with **JRuby**, you can externally establish the Kerberos +session to the driver by using the process described above for MRI. You can also provide the +path to a keytab file by storing the configuration in the ``java.security.auth.login.config`` system property. +You must also configure the Java Runtime Environment to use Kerberos. To learn more, see the +:driver:`MongoDB Java Driver Kerberos documentation ` +for more information. + +Kerberos Authentication Example +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +Select the :guilabel:`Connection String` or :guilabel:`Client Options` tab to +see the corresponding syntax for connecting to MongoDB with Kerberos authentication: + +.. tabs:: + + .. tab:: Connection String + :tabid: connection-string + + .. code-block:: ruby + + client = Mongo::Client.new("mongodb://@[:]/?authMechanism=GSSAPI") + + + .. tab:: Client Options + :tabid: mongo-credential + + .. code-block:: ruby + + client = Mongo::Client.new(['[:]'], + auth_mech: :gssapi, + user: '') + +.. note:: + + If you use a connection string to connect to MongoDB, ensure that you percent-encode any + special characters that appear in the username. + +API Documentation +----------------- + +To learn more about any of the methods or types discussed on this +page, see the following API documentation: + +- `Mongo::Client <{+api-root+}/Mongo/Client.html>`__ diff --git a/source/security/auth-mechanisms/ldap.txt b/source/security/auth-mechanisms/ldap.txt new file mode 100644 index 00000000..5c5573ab --- /dev/null +++ b/source/security/auth-mechanisms/ldap.txt @@ -0,0 +1,83 @@ +.. _ruby-authentication-ldap: + +==== +LDAP +==== + +.. contents:: On this page + :local: + :backlinks: none + :depth: 2 + :class: singlecol + +.. facet:: + :name: genre + :values: reference + +.. meta:: + :keywords: code example + +Overview +-------- + +The PLAIN authentication mechanism allows you to use your Lightweight Directory Access +Protocol (LDAP) username and password to authenticate to MongoDB. +You can use this mechanism only when authenticating to MongoDB Enterprise Advanced. + +.. tip:: PLAIN Authentication + + LDAP authentication uses the PLAIN Simple Authentication and Security Layer + (SASL) defined in `RFC-4616 `__. + +Code Placeholders +~~~~~~~~~~~~~~~~~ + +The code examples on this page use the following placeholders: + +- ````: Your LDAP username. +- ````: Your LDAP password. +- ````: The network address of your MongoDB deployment. +- ````: The port number of your MongoDB deployment. If you omit this parameter, + the driver uses the default port number (``27017``). You don't need to specify a port + when connecting to a MongoDB Atlas cluster. +- ````: The MongoDB database that contains the user's LDAP credentials. + If you omit this parameter, the driver uses the default database (``admin``). + +To use the code examples on this page, replace these placeholders with your own values. + +Using PLAIN Authentication in Your Application +---------------------------------------------- + +You can specify the ``PLAIN`` authentication mechanism and supply your LDAP credentials +either as a client option or as part of the connection string. +Select the :guilabel:`Connection String` or :guilabel:`Client Options` tab to +see the corresponding syntax: + +.. tabs:: + + .. tab:: Connection String + :tabid: connection-string + + .. code-block:: ruby + + client = Mongo::Client.new('mongodb://:@[:]/?authSource=&authMechanism=PLAIN') + + .. tab:: Client Options + :tabid: mongo-credential + + .. code-block:: ruby + + client = Mongo::Client.new([ '' ], + auth_mech: :plain, + ssl: true, + ssl_verify: true, + ssl_cert: '/path/to/client.pem', + ssl_ca_cert: '/path/to/ca.pem' ) + +API Documentation +----------------- + +To learn more about any of the methods or types discussed on this +page, see the following API documentation: + +- `Mongo::Client <{+api-root+}/Mongo/Client.html>`__ diff --git a/source/security/auth-mechanisms/scram.txt b/source/security/auth-mechanisms/scram.txt new file mode 100644 index 00000000..a58a120a --- /dev/null +++ b/source/security/auth-mechanisms/scram.txt @@ -0,0 +1,98 @@ +.. _ruby-authentication-scram: + +===== +SCRAM +===== + +.. contents:: On this page + :local: + :backlinks: none + :depth: 2 + :class: singlecol + +.. facet:: + :name: genre + :values: reference + +.. meta:: + :keywords: salt, default, code example + +Overview +-------- + +**Salted Challenge Response Authentication Mechanism (SCRAM)** is a family of +authentication mechanisms that use a challenge-response mechanism to authenticate +the user. SCRAM-SHA-256, which uses the SHA-256 algorithm to hash your password, is the +default authentication mechanism in {+mdb-server+} version 4.0 +and later. SCRAM-SHA-1, which uses the SHA-1 algorithm instead, is the default +authentication mechanism in {+mdb-server+} versions earlier than 4.0. + +You can use SCRAM to authenticate to MongoDB Atlas, MongoDB +Enterprise Advanced, and MongoDB Community Edition. + +.. tip:: SCRAM Mechanisms + + To learn more about the SCRAM family of authentication mechanisms, see + `RFC 5802 `__ and + :wikipedia:`Salted Challenge Response Authentication Mechanism ` + on Wikipedia. + + For more information about the MongoDB implementation of SCRAM, see + :manual:`SCRAM ` in the {+mdb-server+} manual. + +Code Placeholders +~~~~~~~~~~~~~~~~~ + +The code examples on this page use the following placeholders: + +- ``+srv``: Include this option in your connection string prefix only if you are connecting + to a MongoDB Atlas cluster. To learn more about the ``+srv`` option, see + :manual:`Connection String Formats ` + in the {+mdb-server+} manual. +- ````: The MongoDB username of the user to authenticate. +- ````: The MongoDB password of the user to authenticate. +- ````: The network address of your MongoDB deployment. +- ````: The port number of your MongoDB deployment. If you omit this parameter, + the driver uses the default port number (``27017``). You don't need a port number + when connecting to a MongoDB Atlas cluster. +- ````: The MongoDB database that contains the user's authentication + data. If you omit this parameter, the driver uses the default value, ``admin``. + +To use the code examples on this page, replace these placeholders with your own values. + +Using SCRAM Authentication in Your Application +---------------------------------------------- + +To use SCRAM to authenticate your MongoDB user, specify your +MongoDB credentials, but don't specify an authentication mechanism. +You can specify your MongoDB +credentials either in your connection string or by passing your username and password to the +``user`` and ``password`` options when creating a client. +Select the :guilabel:`Connection String` or :guilabel:`Client Options` tab to +see the corresponding syntax: + +.. tabs:: + + .. tab:: Connection String + :tabid: default-connection-string + + .. code-block:: ruby + + client = Mongo::Client.new('mongodb[+srv]://:@[:]/?authSource=') + + .. tab:: Client Options + :tabid: default-mongo-credential + + .. code-block:: ruby + + client = Mongo::Client.new('', + user: '', + password: '') + +API Documentation +----------------- + +To learn more about any of the methods or types discussed on this +page, see the following API documentation: + +- `Mongo::Client <{+api-root+}/Mongo/Client.html>`__ diff --git a/source/security/auth-mechanisms/x509.txt b/source/security/auth-mechanisms/x509.txt new file mode 100644 index 00000000..a438f9ad --- /dev/null +++ b/source/security/auth-mechanisms/x509.txt @@ -0,0 +1,101 @@ +.. _ruby-authentication-x509: + +===== +X.509 +===== + +.. contents:: On this page + :local: + :backlinks: none + :depth: 2 + :class: singlecol + +.. facet:: + :name: genre + :values: reference + +.. meta:: + :keywords: certificate, code example + +Overview +-------- + +In the **X.509** authentication mechanism, the server and client use the +:wikipedia:`TLS ` protocol to exchange X.509 public-key +certificates. You can use this mechanism to authenticate to MongoDB Atlas, MongoDB +Enterprise Advanced, and MongoDB Community Edition. + +.. tip:: X.509 Mechanism + + To learn how to use TLS/SSL with the {+driver-short+}, + see :ref:`TLS/SSL `. + + For more information about X.509 certificates, see + :ref:`X.509 ` in the {+mdb-server+} manual. + +Code Placeholders +~~~~~~~~~~~~~~~~~ + +The code examples on this page use the following placeholders: + +- ``+srv``: Include this option in your connection string prefix only if you are connecting + to a MongoDB Atlas cluster. To learn more about the ``+srv`` option, see + :manual:`Connection String Formats ` + in the {+mdb-server+} manual. +- ````: The network address of your MongoDB deployment. +- ````: The port number of the MongoDB deployment. If you omit this parameter, + the driver uses the default port number (``27017``). You don't need a port number + when connecting to a MongoDB Atlas cluster. +- ````: The username of the user associated with the X.509 + certificate. The username must match the distinguished subject name of the certificate. + If you omit this parameter, the MongoDB deployment infers the username + from the X.509 certificate. +- ````: The password for the X.509 certificate. + +To use the code examples on this page, replace these placeholders with your own values. + +Using X.509 Authentication in Your Application +---------------------------------------------- + +X.509 authentication requires the use of TLS encryption with +certificate validation. To authenticate the client, you will need a valid TLS certificate +and private encryption key. These can be stored in separate files, or together in one ``.pem`` file. + +.. note:: + + Even if the certificate and private key are stored in the same file, you must specify the + path to that file in both the ``ssl_cert`` and ``ssl_key`` options. + +Select the :guilabel:`Connection String` or :guilabel:`Client Options` tab to +see the corresponding syntax: + +.. tabs:: + + .. tab:: Connection String + :tabid: default-connection-string + + .. code-block:: ruby + + client = Mongo::Client.new("mongodb[+srv]://[:]/?authSource=$external&authMechanism=MONGODB-X509") + + + .. tab:: Client Options + :tabid: default-mongo-credential + + .. code-block:: ruby + + client = Mongo::Client.new('', + auth_mech: :mongodb_x509, + ssl: true, + ssl_cert: '/path/to/client.pem', + ssl_key: '/path/to/client.pem', + ssl_ca_cert: '/path/to/ca.pem') + + +API Documentation +----------------- + +To learn more about any of the MongoDB methods and types used on this +page, see the following API documentation: + +- `Mongo::Client <{+api-root+}/Mongo/Client.html>`__ diff --git a/source/security/authentication.txt b/source/security/authentication.txt new file mode 100644 index 00000000..d5290fc3 --- /dev/null +++ b/source/security/authentication.txt @@ -0,0 +1,76 @@ +.. _ruby-authentication-mechanisms: + +========================= +Authentication Mechanisms +========================= + +.. contents:: On this page + :local: + :backlinks: none + :depth: 2 + :class: singlecol + +.. facet:: + :name: genre + :values: reference + +.. meta:: + :keywords: community, security + +.. toctree:: + :caption: Authentication + + SCRAM + X.509 + AWS IAM + LDAP (PLAIN) + Kerberos (GSSAPI) + +Overview +-------- + +In this guide, you can learn how to authenticate to MongoDB by using the +**authentication mechanisms** available in {+mdb-server+}. +Authentication mechanisms are processes by which the driver and server confirm +the identity of a client to ensure security before connecting. + +.. tip:: Connecting to MongoDB + + To learn how to establish a connection to your MongoDB deployment, see the + :ref:`ruby-get-started-connect-to-mongodb` guide. + +MongoDB Edition Compatibility +----------------------------- + +The following table lists the authentication mechanisms supported by MongoDB and +the {+mdb-server+} editions that each mechanism is compatible with. Click the name of +a mechanism to learn more about how to use it with your application. + +.. list-table:: + :header-rows: 1 + :stub-columns: 1 + + * - Authentication Mechanism + - Atlas + - Enterprise Advanced + - Community + * - :ref:`` + - Yes + - Yes + - Yes + * - :ref:`` + - Yes + - Yes + - Yes + * - :ref:`` + - Yes + - No + - No + * - :ref:`` + - Yes + - Yes + - No + * - :ref:`Kerberos (GSSAPI) ` + - No + - Yes + - No \ No newline at end of file