From 970a753c33cb942f48c4c25cfe44188b13e3278f Mon Sep 17 00:00:00 2001 From: Michael Paik Date: Fri, 6 Feb 2015 14:54:35 -0500 Subject: [PATCH] DOCS-4056, DOCS-4319, DOCS-2940 - SCRAM fixes --- source/core/authentication.txt | 66 +++++++-- .../apiargs-method-db.auth-param.yaml | 13 +- source/includes/options-conf.yaml | 31 +++-- source/includes/options-shared.yaml | 29 ++-- ...steps-3.0-upgrade-mongodb-cr-to-scram.yaml | 53 ++++++++ .../reference/command/authSchemaUpgrade.txt | 14 +- source/reference/connection-string.txt | 15 +- source/reference/parameters.txt | 28 ++-- source/reference/system-users-collection.txt | 19 ++- source/release-notes/3.0-compatibility.txt | 7 + source/release-notes/3.0-scram.txt | 128 ++++++++++++++++++ source/release-notes/3.0-upgrade.txt | 8 +- source/release-notes/3.0.txt | 3 +- ...b-windows-with-kerberos-authentication.txt | 15 +- ...o-mongodb-with-kerberos-authentication.txt | 15 +- 15 files changed, 376 insertions(+), 68 deletions(-) create mode 100644 source/includes/steps-3.0-upgrade-mongodb-cr-to-scram.yaml create mode 100644 source/release-notes/3.0-scram.txt diff --git a/source/core/authentication.txt b/source/core/authentication.txt index 9963485da12..e3d51be2fa8 100644 --- a/source/core/authentication.txt +++ b/source/core/authentication.txt @@ -61,9 +61,11 @@ database. Authentication Mechanisms ------------------------- +.. versionchanged:: 3.0 + MongoDB supports multiple authentication mechanisms. MongoDB's default authentication method is a :ref:`challenge and response mechanism -(MONGODB-CR) `. MongoDB also supports +(SCRAM-SHA-1) `. MongoDB also supports :ref:`x509 certificate authentication `, :ref:`LDAP proxy authentication `, and :ref:`Kerberos authentication `. 
@@ -73,20 +75,66 @@ This section introduces the mechanisms available in MongoDB. To specify the authentication mechanism to use, see :parameter:`authenticationMechanisms`. +.. _authentication-scram-sha-1: + +``SCRAM-SHA-1`` Authentication +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +.. versionadded:: 3.0 + +``SCRAM-SHA-1`` is an IETF standard, +`RFC 5802 `_, that defines best practice +methods for implementation of challenge-response mechanisms for authenticating +users with passwords. + +``SCRAM-SHA-1`` verifies supplied user credentials against the user's +:data:`name `, :data:`password +` and :data:`database +`. The user's database is the database where +the user was created, and the user's database and the user's name +together serves to identify the user. + +MongoDB's implementation of ``SCRAM-SHA-1`` represents an improvement +in security over the previously-used ``MONGODB-CR``, providing: + +- A tunable work factor (``iterationCount``), +- Per-user random salts rather than server-wide salts, +- A cryptographically stronger hash function (``SHA-1`` rather than ``MD5``), + and +- Authentication of the server to the client as well as the client to the + server. + +.. versionchanged:: 3.0 + + ``SCRAM-SHA-1`` is the default mechanism for MongoDB versions + beginning with the 3.0 series. Legacy ``MONGODB-CR`` credentials + from databases created with older server versions will still work + under 3.0 but must be upgraded with :dbcommand:`authSchemaUpgrade` + in order to take advantage of many of the improvements. The server + will continue to use the legacy credentials until it undergoes this + upgrade. Clients and drivers compatible with 3.0 will use the + ``SCRAM`` communication protocol even while using the legacy + credentials. + .. _authentication-mongodb-cr: ``MONGODB-CR`` Authentication ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ``MONGODB-CR`` is a challenge-response mechanism that authenticates -users through passwords. ``MONGODB-CR`` is the default mechanism. 
+users through passwords. + +.. versionchanged:: 3.0 + Versions of MongoDB prior to 3.0 use ``MONGODB-CR`` as the default + mechanism. As of version 3.0, MongoDB uses ``SCRAM-SHA-1`` by + default. -When you use ``MONGODB-CR`` authentication, ``MONGODB-CR`` verifies the -user against the user's :data:`name `, -:data:`password ` and :data:`database -`. The user's database is the database where the -user was created, and the user's database and the user's name together -serves to identify the user. +``MONGODB-CR`` verifies supplied user credentials against the user's +:data:`name `, :data:`password +` and :data:`database +`. The user's database is the database where +the user was created, and the user's database and the user's name +together serve to identify the user. Using :setting:`key files `, you can also use ``MONGODB-CR`` authentication for the :ref:`internal member @@ -266,7 +314,7 @@ exception allows connections from the localhost interface to create the first user on the ``admin`` database. The exception applies only when there are no users created in the MongoDB instance. -.. versionchanged:: 3.0.0 +.. versionchanged:: 2.8.0 The localhost exception changed so that these connections *only* have access to create the first user on the ``admin`` database. In previous versions, connections that gained access diff --git a/source/includes/apiargs-method-db.auth-param.yaml b/source/includes/apiargs-method-db.auth-param.yaml index c655cd3e4c0..662c8bbbe24 100644 --- a/source/includes/apiargs-method-db.auth-param.yaml +++ b/source/includes/apiargs-method-db.auth-param.yaml 
@@ -20,7 +20,18 @@ type: string --- arg_name: param description: |- - Specifies the authentication mechanism used. Defaults to ``MONGODB-CR``. ``PLAIN`` is used for :doc:`SASL/LDAP authentication `, available only in MongoDB Enterprise. + Specifies the authentication mechanism used. + + .. versionchanged:: 3.0 + + Defaults to ``SCRAM-SHA-1`` on new 3.0 installations and on 2.6 + databases that have been upgraded to 3.0 and have undergone + :dbcommand:`authSchemaUpgrade`. Defaults to ``MONGODB-CR`` + otherwise. + + ``PLAIN`` is used for :doc:`SASL/LDAP authentication + `, available only in MongoDB + Enterprise. interface: method name: mechanism operation: db.auth diff --git a/source/includes/options-conf.yaml b/source/includes/options-conf.yaml index 11a88977f51..8078daea6d8 100644 --- a/source/includes/options-conf.yaml +++ b/source/includes/options-conf.yaml @@ -732,13 +732,19 @@ post: | program: conf name: security.authenticationMechanisms # the equivalent command-line option is set via setParameter. -type: strings +# disabled pending server-12892, see /reference/configuration-options.txt +type: string +default: SCRAM-SHA-1 directive: setting description: | .. versionchanged:: 2.6 Added support for the ``PLAIN`` and ``MONGODB-X509`` authentication mechanisms. + .. versionchanged:: 3.0 + Added support for the ``SCRAM-SHA-1`` authentication mechanism. Changed + default mechanism to ``SCRAM-SHA-1``. + Specifies the list of authentication mechanisms the server accepts. Set this to one or more of the following values. If you specify multiple values, use a comma-separated list and no spaces. For descriptions 
@@ -752,15 +758,27 @@ description: | - Description - * - MONGODB-CR + * - :ref:`SCRAM-SHA-1 ` + + - `RFC 5802 `_ standard + Salted Challenge Response Authentication Mechanism using the SHA1 + hash function. + + * - :ref:`MONGODB-CR ` - MongoDB challenge/response authentication. - * - MONGODB-X509 + * - :ref:`MONGODB-X509 ` - MongoDB SSL certificate authentication. - * - PLAIN + * - :ref:`GSSAPI ` (Kerberos) + + - External authentication using Kerberos. This mechanism is + available only in `MongoDB Enterprise + `_. + + * - :ref:`PLAIN ` (LDAP SASL) - External authentication using LDAP. You can also use ``PLAIN`` for authenticating in-database users. ``PLAIN`` transmits @@ -768,11 +786,6 @@ description: | `MongoDB Enterprise `_. - * - GSSAPI - - - External authentication using Kerberos. This mechanism is - available only in `MongoDB Enterprise - `_. # Per DOCS-2940, combine this with similar info in # /includes/options-shared # /reference/connection-string diff --git a/source/includes/options-shared.yaml b/source/includes/options-shared.yaml index c5927c724a2..cedd5df7cf0 100644 --- a/source/includes/options-shared.yaml +++ b/source/includes/options-shared.yaml @@ -282,7 +282,7 @@ name: authenticationMechanism # This describes the authenticationMechanism option that is used by the # various client tools. args: -default: MONGODB-CR +default: SCRAM-SHA-1 directive: option description: | .. versionadded:: 2.4 @@ -291,6 +291,10 @@ description: | Added support for the ``PLAIN`` and ``MONGODB-X509`` authentication mechanisms. + .. versionchanged:: 3.0 + Added support for the ``SCRAM-SHA-1`` authentication mechanism. Changed + default mechanism to ``SCRAM-SHA-1``. + Specifies the authentication mechanism the {{program}} instance uses to authenticate to the :program:`mongod` or :program:`mongos`. 
@@ -302,15 +306,27 @@ description: | - Description - * - MONGODB-CR + * - :ref:`SCRAM-SHA-1 ` + + - `RFC 5802 `_ standard + Salted Challenge Response Authentication Mechanism using the SHA1 + hash function. + + * - :ref:`MONGODB-CR ` - MongoDB challenge/response authentication. - * - MONGODB-X509 + * - :ref:`MONGODB-X509 ` - MongoDB SSL certificate authentication. - * - PLAIN + * - :ref:`GSSAPI ` (Kerberos) + + - External authentication using Kerberos. This mechanism is + available only in `MongoDB Enterprise + `_. + + * - :ref:`PLAIN ` (LDAP SASL) - External authentication using LDAP. You can also use ``PLAIN`` for authenticating in-database users. ``PLAIN`` transmits @@ -318,11 +334,6 @@ description: | `MongoDB Enterprise `_. - * - GSSAPI - - - External authentication using Kerberos. This mechanism is - available only in `MongoDB Enterprise - `_. # Per DOCS-2940, combine this with similar info in # /includes/options-conf # /reference/connection-string diff --git a/source/includes/steps-3.0-upgrade-mongodb-cr-to-scram.yaml b/source/includes/steps-3.0-upgrade-mongodb-cr-to-scram.yaml new file mode 100644 index 00000000000..42df62146c2 --- /dev/null +++ b/source/includes/steps-3.0-upgrade-mongodb-cr-to-scram.yaml 
@@ -0,0 +1,53 @@ +title: + text: Connect to the MongoDB instance. + character: '`' +stepnum: 1 +ref: connect +content: | + Connect and authenticate to the :program:`mongod` instance for a + single deployment, the primary ``mongod`` for a replica set, or a + :program:`mongos` for a sharded cluster as an ``admin`` database + user with the role :authrole:`userAdminAnyDatabase`. +--- +title: + text: Upgrade authentication schema. + character: '`' +ref: upgrade-auth-schema +stepnum: 2 +pre: | + Use the :dbcommand:`authSchemaUpgrade` command in the ``admin`` + database to update the user data using the :program:`mongo` shell. +action: + - heading: + text: Run ``authSchemaUpgrade`` command. + character: "'" + language: javascript + code: | + db.adminCommand({authSchemaUpgrade: 1}); + post: | + In case of error, you may safely rerun the + :dbcommand:`authSchemaUpgrade` command. + - heading: + text: Sharded cluster ``authSchemaUpgrade`` consideration. + character: "'" + pre: | + For a sharded cluster *without* :ref:`shard local users + <_sharding-security>`, :dbcommand:`authSchemaUpgrade` will, by + default, upgrade the authorization data of the shards as well, + completing the upgrade. + + You can, however, override this behavior by including + ``upgradeShards: false`` in the command, as in the following + example: + language: javascript + code: | + db.adminCommand( + {authSchemaUpgrade: 1, upgradeShards: false } + ); + post: | + If you override the default behavior or your cluster has shard + local users, after running :dbcommand:`authSchemaUpgrade` on a + :program:`mongos` instance, you will need to connect to the + primary for each shard and repeat the upgrade process after + upgrading on the :program:`mongos`. +... diff --git a/source/reference/command/authSchemaUpgrade.txt b/source/reference/command/authSchemaUpgrade.txt index d48bd0bf3fd..fb82fdf1a15 100644 --- a/source/reference/command/authSchemaUpgrade.txt +++ b/source/reference/command/authSchemaUpgrade.txt 
@@ -8,11 +8,11 @@ authSchemaUpgrade .. dbcommand:: authSchemaUpgrade - :dbcommand:`authSchemaUpgrade` supports the upgrade from 2.4 to 2.6 - process for existing systems that use :term:`authentication` and - :term:`authorization`. Between 2.4 and 2.6 the schema for user - credential documents changed requiring the - :dbcommand:`authSchemaUpgrade` process. + .. versionchanged:: 3.0 - See :doc:`/release-notes/2.6-upgrade-authorization` for more - information. + :dbcommand:`authSchemaUpgrade` supports the upgrade process for + existing systems that use :term:`authentication` and + :term:`authorization` between: + + - 2.4 and 2.6 (See :doc:`/release-notes/2.6-upgrade-authorization`) + - 2.6 and 3.0 (See :doc:`/release-notes/2.8-scram`) diff --git a/source/reference/connection-string.txt b/source/reference/connection-string.txt index d84b9f155bf..4287d887417 100644 --- a/source/reference/connection-string.txt +++ b/source/reference/connection-string.txt @@ -322,7 +322,11 @@ Authentication Options .. versionadded:: 2.4 .. versionchanged:: 2.6 - Support for the ``PLAIN`` and ``MONGODB-X509`` authentication mechanisms. + Added support for the ``PLAIN`` and ``MONGODB-X509`` authentication + mechanisms. + + .. versionchanged:: 3.0 + Added support for the ``SCRAM-SHA-1`` authentication mechanism. Specify the authentication mechanism that MongoDB will use to authenticate the connection. Possible values include: @@ -330,10 +334,11 @@ Authentication Options .. these options should link to a reference page for authentication mechanisms. DOCS-2940 - - MONGODB-CR - - MONGODB-X509 - - GSSAPI - - PLAIN + - :ref:`SCRAM-SHA-1 ` + - :ref:`MONGODB-CR ` + - :ref:`MONGODB-X509 ` + - :ref:`GSSAPI ` (Kerberos) + - :ref:`PLAIN ` (LDAP SASL) Only MongoDB Enterprise :program:`mongod` and :program:`mongos` instances provide ``GSSAPI`` (Kerberos) and ``PLAIN`` (LDAP) diff --git a/source/reference/parameters.txt b/source/reference/parameters.txt index ba33a975471..3e53375be24 100644 
--- a/source/reference/parameters.txt +++ b/source/reference/parameters.txt @@ -467,6 +467,10 @@ Parameters Added support for the ``PLAIN`` and ``MONGODB-X509`` authentication mechanisms. + .. versionchanged:: 3.0 + Added support for the ``SCRAM-SHA-1`` authentication mechanism. + + Specifies the list of authentication mechanisms the server accepts. Set this to one or more of the following values. If you specify multiple values, use a comma-separated list and no spaces. For descriptions @@ -480,15 +484,27 @@ Parameters - Description - * - MONGODB-CR + * - :ref:`SCRAM-SHA-1 ` + + - `RFC 5802 `_ standard + Salted Challenge Response Authentication Mechanism using the SHA-1 + hash function. + + * - :ref:`MONGODB-CR ` - MongoDB challenge/response authentication. - * - MONGODB-X509 + * - :ref:`MONGODB-X509 ` - MongoDB SSL certificate authentication. - * - PLAIN + * - :ref:`GSSAPI ` (Kerberos) + + - External authentication using Kerberos. This mechanism is + available only in `MongoDB Enterprise + `_. + + * - :ref:`PLAIN ` (LDAP SASL) - External authentication using LDAP. You can also use ``PLAIN`` for authenticating in-database users. ``PLAIN`` transmits @@ -496,12 +512,6 @@ Parameters `MongoDB Enterprise `_. - * - GSSAPI - - - External authentication using Kerberos. This mechanism is - available only in `MongoDB Enterprise - `_. - .. todo:: Per DOCS-2940, combine this with similar info in /includes/options-conf /includes/options-shared diff --git a/source/reference/system-users-collection.txt b/source/reference/system-users-collection.txt index 857a0e216a0..08051aa447e 100644 --- a/source/reference/system-users-collection.txt +++ b/source/reference/system-users-collection.txt 
@@ -100,21 +100,30 @@ Each ``system.users`` document has the following fields: Example ------- +.. versionchanged:: 3.0.0 + Consider the following document in the ``system.users`` collection: .. code-block:: javascript { - _id: "home.Kari", - user: "Kari", - db: "home", - credentials: { "MONGODB-CR" :"" }, + _id : "home.Kari", + user : "Kari", + db : "home", + credentials : { + "SCRAM-SHA-1" : { + "iterationCount" : 10000, + "salt" : nkHYXEZTTYmn+hrY994y1Q==", + "storedKey" : "wxWGN3ElQ25WbPjACeXdUmN4nNo=", + "serverKey" : "h7vBq5tACT/BtrIElY2QTm+pQzM=" + } + }, roles : [ { role: "read", db: "home" }, { role: "readWrite", db: "test" }, { role: "appUser", db: "myApp" } ], - customData: { zipCode: "64157" } + customData : { zipCode: "64157" } } The document shows that a user ``Kari`` is associated with the ``home`` diff --git a/source/release-notes/3.0-compatibility.txt b/source/release-notes/3.0-compatibility.txt index fc4070d9b86..4ab354b13b5 100644 --- a/source/release-notes/3.0-compatibility.txt +++ b/source/release-notes/3.0-compatibility.txt @@ -277,6 +277,13 @@ If your deployment still uses the 2.4 user model, see :doc:`/release-notes/2.6-upgrade-authorization` to upgrade to the 2.6 user model before upgrading to 3.0. +After upgrading to 3.0 from 2.6, if you wish to make use of the new +``SCRAM-SHA-1`` challenge-response mechanism, you will need to upgrade +the authentication schema a second time. The upgrade from the 2.4 to +the 2.6 user model does not encompass the necessary changes to use +``SCRAM-SHA-1`` under 3.0. See :doc:`/release-notes/2.8-scram` for +further details. + .. _3.0-compatibility-localhost: Localhost Exception Changed diff --git a/source/release-notes/3.0-scram.txt b/source/release-notes/3.0-scram.txt new file mode 100644 index 00000000000..b4c3c00b55c --- /dev/null +++ b/source/release-notes/3.0-scram.txt 
@@ -0,0 +1,128 @@ +.. _3.0-scram: + +=========================== +MongoDB 3.0 and SCRAM-SHA-1 +=========================== + +.. default-domain:: mongodb + +MongoDB 3.0 includes support for the :ref:`SCRAM-SHA-1 +` challenge-response user authentication +mechanism. This changes how user credentials are stored and used. If +your deployment uses authentication and authorization, you must +upgrade the authentication schema in addition to upgrading MongoDB +processes if you wish to make use of ``SCRAM-SHA-1``. + +You may, alternatively, opt to continue to use the ``MONGODB-CR`` +challenge-response mechanism and skip this upgrade. See the +:ref:`SCRAM-SHA-1 ` documentation for +further information on its advantages. + +.. note:: + + ``SCRAM-SHA-1`` represents a significant improvement in security + over ``MONGODB-CR``, the previous default authentication mechanism, + and you are strongly urged to upgrade. The next major version of + MongoDB is likely to remove support for ``MONGODB-CR`` entirely. + +The following scenarios are possible when upgrading from 2.6 to 3.0: + +- If you are starting with a new 3.0 installation without any users + or upgrading from a 2.6 database that has no users and wish to use + ``SCRAM-SHA-1``, **no action is required**. All new users created in + this situation will be created using the appropriate format for + ``SCRAM-SHA-1``. + +- If you are upgrading from a 2.6 database with existing data, + including users, and wish to continue to use ``MONGODB-CR``, **no + action is required**. All new users created under 3.0 will continue to + use the same authentication model as users already in the database. You can + execute the upgrade to ``SCRAM-SHA-1`` at any point in the future. + +- If you are upgrading from a 2.6 database with existing data, + including users, and wish to upgrade to ``SCRAM-SHA-1``, you may + follow the steps under the heading :ref:`Upgrade a 2.6 Database to + Use SCRAM-SHA-1 on 3.0 <2.8-upgrade-mongodb-cr-to-scram>`. 
+ +Upgrade a 2.6 Database to Use ``SCRAM-SHA-1`` +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +.. important:: + + This procedure **discards** the ``MONGODB-CR`` credentials used by + 2.6, and therefore is irreversible short of restoring from + backups. + + This procedure disables ``MONGODB-CR`` as an authentication + mechanism. + +Considerations +`````````````` + +Before upgrading the authentication model, you should +first upgrade MongoDB binaries to 3.0. For sharded clusters, ensure +that **all** cluster components are 3.0. + +Timing +`````` + +Because downgrades are more difficult after you upgrade the user +authentication model, once you upgrade the MongoDB binaries to +version 3.0, allow your MongoDB deployment to run for a day or two +before following this procedure. + +This allows 3.0 some time to "burn in" and decreases the likelihood +of downgrades occurring after the user privilege model upgrade. The +user authentication and access control will continue to work as +it did in 2.6. + +If you decide to upgrade the user authentication +model immediately instead of waiting the recommended "burn in" +period, then for sharded clusters, you must wait at least 10 seconds +after upgrading the sharded clusters to run the authentication +upgrade command. + +Replica Sets +```````````` + +For a replica set, it is only necessary to run the upgrade process on +the :term:`primary` as the changes will automatically replicate to +the secondaries. + +Sharded Clusters +```````````````` + +For a sharded cluster, connect to a :program:`mongos` and run the +upgrade procedure to upgrade the cluster's authentication data. By +default, the procedure will upgrade the authentication data of the +shards as well. + +To override this behavior, run the upgrade command with the +additional parameter ``upgradeShards: false``. 
If you choose to +override, you must run the upgrade procedure on the :program:`mongos` +first, and then run the procedure on the :term:`primary` members of +each shard. + +For a sharded cluster, do **not** run the upgrade process directly +against the :doc:`config servers +`. Instead, perform the upgrade +process using one :program:`mongos` instance to interact with the +config database. + +Requirements +```````````` + +To upgrade the authentication model, you must have a user in the +``admin`` database with the role :authrole:`userAdminAnyDatabase`. + +Procedure +````````` + +.. include:: /includes/steps/2.8-upgrade-mongodb-cr-to-scram.rst + +Result +`````` + +After this procedure is complete, all users in the database will have +``SCRAM-SHA-1``-style credentials, and any subsequently-created users +will also have this type of credentials. diff --git a/source/release-notes/3.0-upgrade.txt b/source/release-notes/3.0-upgrade.txt index 8c0989952a1..6b4a84fa378 100644 --- a/source/release-notes/3.0-upgrade.txt +++ b/source/release-notes/3.0-upgrade.txt @@ -51,7 +51,9 @@ Downgrade Limitations .. include:: /includes/fact-3.0-downgrade-path.rst If you upgrade to 3.0 and have run :dbcommand:`authSchemaUpgrade`, you -**cannot** downgrade to 2.6 without disabling :option:`--auth`. +**cannot** downgrade to 2.6 without disabling :option:`--auth` or +restoring a pre-upgrade backup, as :dbcommand:`authSchemaUpgrade` +discards the ``MONGODB-CR`` credentials used in 2.6. Package Upgrades ~~~~~~~~~~~~~~~~ @@ -265,6 +267,10 @@ WiredTiger. .. |version-new| replace:: 3.0 .. |version-stop| replace:: 2.6 +Upgrade Authentication Schema to Enable ``SCRAM-SHA-1`` +``````````````````````````````````````````````````````` +See :ref:`2.8-scram` for details on ``SCRAM-SHA-1`` upgrade scenarios. + .. include:: /includes/2.6-3.0-upgrade-downgrade-procedure.rst .. _`MongoDB Download Page`: http://www.mongodb.org/downloads 
diff --git a/source/release-notes/3.0.txt b/source/release-notes/3.0.txt index 758a45f58a4..e9870d673fe 100644 --- a/source/release-notes/3.0.txt +++ b/source/release-notes/3.0.txt @@ -224,7 +224,8 @@ Security Improvements MongoDB 3.0 includes the following security enhancements: -- Adds a new ``SCRAM-SHA-1`` password authentication mechanism. +- Adds a new :ref:`SCRAM-SHA-1 ` + challenge-response user authentication mechanism. - Increases restrictions when using the :ref:`localhost-exception` to access MongoDB. For details, see :ref:`3.0-compatibility-localhost`. diff --git a/source/tutorial/control-access-to-mongodb-windows-with-kerberos-authentication.txt b/source/tutorial/control-access-to-mongodb-windows-with-kerberos-authentication.txt index a8c8a6908fd..86adee5f8c2 100644 --- a/source/tutorial/control-access-to-mongodb-windows-with-kerberos-authentication.txt +++ b/source/tutorial/control-access-to-mongodb-windows-with-kerberos-authentication.txt 
@@ -81,15 +81,18 @@ For example, if :program:`mongod.exe` runs as a service named Incorporate Additional Authentication Mechanisms ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -Kerberos authentication (``GSSAPI``) can work alongside MongoDB's -challenge/response authentication mechanism (``MONGODB-CR``), MongoDB's -authentication mechanism for LDAP (``PLAIN``), and MongoDB's -authentication mechanism for x.509 (``MONGODB-X509``). Specify the -mechanisms, as follows: +Kerberos authentication (:ref:`GSSAPI ` (Kerberos)) +can work alongside MongoDB's challenge/response authentication mechanisms +(:ref:`SCRAM-SHA-1 ` and +:ref:`MONGODB-CR `), MongoDB's +authentication mechanism for LDAP (:ref:`PLAIN ` +(LDAP SASL)), and MongoDB's authentication mechanism for x.509 ( +:ref:`MONGODB-X509 `). Specify the +mechanisms as follows: .. code-block:: sh - --setParameter authenticationMechanisms=GSSAPI,MONGODB-CR + --setParameter authenticationMechanisms=GSSAPI,SCRAM-SHA-1 Only add the other mechanisms if in use. This parameter setting does not affect MongoDB's internal authentication of cluster members. diff --git a/source/tutorial/control-access-to-mongodb-with-kerberos-authentication.txt b/source/tutorial/control-access-to-mongodb-with-kerberos-authentication.txt index dcb45b756bf..a50425afd53 100644 --- a/source/tutorial/control-access-to-mongodb-with-kerberos-authentication.txt +++ b/source/tutorial/control-access-to-mongodb-with-kerberos-authentication.txt 
@@ -145,15 +145,18 @@ If you encounter problems when starting :program:`mongod` or Incorporate Additional Authentication Mechanisms ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -Kerberos authentication (``GSSAPI``) can work alongside MongoDB's -challenge/response authentication mechanism (``MONGODB-CR``), MongoDB's -authentication mechanism for LDAP (``PLAIN``), and MongoDB's -authentication mechanism for x.509 (``MONGODB-X509``). Specify the -mechanisms, as follows: +Kerberos authentication (:ref:`GSSAPI ` (Kerberos)) +can work alongside MongoDB's challenge/response authentication mechanisms +(:ref:`SCRAM-SHA-1 ` and +:ref:`MONGODB-CR `), MongoDB's +authentication mechanism for LDAP (:ref:`PLAIN ` +(LDAP SASL)), and MongoDB's authentication mechanism for x.509 ( +:ref:`MONGODB-X509 `). Specify the +mechanisms as follows: .. code-block:: sh - --setParameter authenticationMechanisms=GSSAPI,MONGODB-CR + --setParameter authenticationMechanisms=GSSAPI,SCRAM-SHA-1 Only add the other mechanisms if in use. This parameter setting does not affect MongoDB's internal authentication of cluster members.
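Review bot: In source/core/authentication.txt, the localhost-exception hunk (@@ -266,7 +314,7) changes `.. versionchanged:: 3.0.0` to `.. versionchanged:: 2.8.0`, which runs against the rest of this patch, where the release is consistently called 3.0. Unless the revert is deliberate, keep `3.0.0` so the localhost exception note matches the "Localhost Exception Changed" section in 3.0-compatibility.txt.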
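Review bot: In the new ``SCRAM-SHA-1`` section of source/core/authentication.txt, "the user's database and the user's name together serves to identify the user" still carries the agreement error that this same patch corrects to "serve" in the ``MONGODB-CR`` paragraph below it. The `versionchanged` note in that section also says legacy credentials "must be upgraded with :dbcommand:`authSchemaUpgrade`" without mentioning that the upgrade discards the ``MONGODB-CR`` credentials, which 3.0-scram.txt flags as irreversible short of a restore. A pointer to that page from here would stop readers running the command on the strength of this paragraph alone.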
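Review bot: The `type: strings` to `type: string` change in source/includes/options-conf.yaml (security.authenticationMechanisms) contradicts the description kept a few lines below, which still says the setting "Specifies the list of authentication mechanisms" and accepts a comma-separated list. Either keep the plural type or explain next to the "disabled pending server-12892" comment why a single string is now documented. Separately, the table entry here and in options-shared.yaml says "using the SHA1 hash function" while parameters.txt says "SHA-1"; pick one spelling across the three copies.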
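Review bot: In source/includes/steps-3.0-upgrade-mongodb-cr-to-scram.yaml, the sharded-cluster step references :ref:`shard local users <_sharding-security>` with a leading underscore in the target. The underscore belongs to the label definition syntax, not to the reference, so this link will most likely not resolve; use `<sharding-security>` if that is the label name. The step also never states that the command discards the ``MONGODB-CR`` credentials, so a reader who lands on the included steps without the surrounding "important" box gets no indication that step 2 is irreversible.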
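Review bot: Several cross-references still use the old 2.8 name although the page added by this patch is source/release-notes/3.0-scram.txt with the label `.. _3.0-scram:`. authSchemaUpgrade.txt and 3.0-compatibility.txt point at :doc:`/release-notes/2.8-scram`, and 3.0-upgrade.txt uses :ref:`2.8-scram`; none of these targets is created here. Rename them to `3.0-scram` (or add the old label as an alias) so the upgrade and compatibility pages actually reach the SCRAM upgrade procedure.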
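Review bot: The example document in source/reference/system-users-collection.txt has an unbalanced string: `"salt" : nkHYXEZTTYmn+hrY994y1Q==",` is missing its opening double quote, so the sample is not valid as shown. Add the quote. Since the surrounding field descriptions are outside this hunk, also check that they describe the new `iterationCount`, `salt`, `storedKey` and `serverKey` sub-fields rather than only the old ``MONGODB-CR`` value.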
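Review bot: In the new source/release-notes/3.0-scram.txt, the Procedure section includes `/includes/steps/2.8-upgrade-mongodb-cr-to-scram.rst`, but the steps file added by this patch is named steps-3.0-upgrade-mongodb-cr-to-scram.yaml, so the generated include will not be found under the 2.8 name. The third scenario bullet likewise links to `<2.8-upgrade-mongodb-cr-to-scram>`, and no such label is defined above the "Upgrade a 2.6 Database to Use SCRAM-SHA-1" heading. Add a label there and use the 3.0 name in both places.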
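Review bot: In both Kerberos tutorials, the rewritten sentence now reads "Kerberos authentication (GSSAPI (Kerberos))" once the role is rendered, and "x.509 (" is followed by a line break before the :ref:, which leaves a stray space inside the parenthesis. Drop the inner "(Kerberos)" and "(LDAP SASL)" qualifiers here and keep the reference on the same line as the opening parenthesis. The example also changes from `GSSAPI,MONGODB-CR` to `GSSAPI,SCRAM-SHA-1`; since this patch documents that 2.6 deployments keep ``MONGODB-CR`` credentials until :dbcommand:`authSchemaUpgrade` is run, say in the text which value applies to a deployment that has not yet been upgraded.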