DOCSP-38206: authentication (#23)

rustagir · web-flow · commit f0cb9708c380 · 2024-04-17T13:13:35.000-04:00
* DOCSP-38206: authentication * CC fix
diff --git a/source/tutorials/connect.txt b/source/tutorials/connect.txt
@@ -14,8 +14,8 @@ Connect to MongoDB
 .. toctree::
 
    /tutorials/connect/tls/
+   /tutorials/connect/authentication/
 
-..    /tutorials/connect/auth/
 ..    /tutorials/connect/compression/
 
 .. contents:: On this page
@@ -246,7 +246,11 @@ with programmatic configuration:
        .applyConnectionString(connectionString)
        .build())
 
+Connection Tutorials
+--------------------
+
 To learn how to implement other connection features, see the following
 tutorials:
 
-- :ref:`scala-tls`
+- :ref:`scala-tls`
+- :ref:`scala-auth`
diff --git a/source/tutorials/connect/authentication.txt b/source/tutorials/connect/authentication.txt
@@ -0,0 +1,327 @@
+.. _scala-auth:
+
+==============
+Authentication
+==============
+
+.. facet::
+   :name: genre
+   :values: reference
+
+.. meta::
+   :keywords: code example, verify, AWS, Kerberos
+
+.. contents:: On this page
+   :local:
+   :backlinks: none
+   :depth: 2
+   :class: singlecol
+
+The driver supports all MongoDB authentication mechanisms,
+including those available only in the MongoDB Enterprise Edition.
+
+MongoCredential
+---------------
+
+Include the following import statements:
+
+.. code-block:: scala
+   
+   import org.mongodb.scala._
+   import scala.collection.JavaConverters._
+
+An authentication credential is represented as an instance of the
+``MongoCredential`` class. The ``MongoCredential`` class includes
+helper methods for each of the supported authentication
+mechanisms.
+
+Default Authentication Mechanism
+--------------------------------
+
+In MongoDB 3.0, MongoDB changed the default authentication mechanism
+from ``MONGODB-CR`` to ``SCRAM-SHA-1``. In MongoDB 4.0, support for
+the deprecated ``MONGODB-CR`` mechanism was removed and
+``SCRAM-SHA-256`` support was added.
+
+To create a credential that authenticates by using the default
+authentication mechanism, regardless of server version, create a
+credential by using the ``createCredential()`` helper method:
+
+.. code-block:: scala
+   
+   val user: String = ...          // the user name
+   val source: String = ...        // the source where the user is defined
+   val password: Array[Char] = ... // the password as a character array
+   // ...
+   val credential = MongoCredential.createCredential(user, source, password)
+   
+   val mongoClient: MongoClient = MongoClient(
+     MongoClientSettings.builder()
+       .applyToClusterSettings((builder: ClusterSettings.Builder) => builder.hosts(List(new ServerAddress("host1", 27017)).asJava))
+       .credential(credential)
+       .build())
+
+Or, you can use a connection string without explicitly specifying the
+authentication mechanism:
+
+.. code-block:: scala
+
+   val mongoClient: MongoClient = MongoClient("mongodb://user1:pwd1@host1/?authSource=db1")
+
+For challenge and response mechanisms, using the default
+authentication mechanism is the recommended approach, as it makes
+upgrading from MongoDB 2.6 to MongoDB 3.0 more simple, even after
+upgrading the authentication schema. For MongoDB 4.0 users, using the
+default authentication mechanism is also recommended as the mechanisms are
+checked and the correct hashing algorithm is used.
+
+SCRAM-Based Mechanisms
+----------------------
+
+Salted Challenge-Response Authentication Mechanism (``SCRAM``) has been
+the default authentication mechanism for MongoDB since 3.0. ``SCRAM`` is
+based on the `IETF RFC 5802
+<https://datatracker.ietf.org/doc/html/rfc5802>`__ standard that defines
+best practices for implementation of challenge-response mechanisms for authenticating
+users with passwords.
+
+MongoDB 3.0 introduced support for ``SCRAM-SHA-1``, which uses the
+``SHA-1`` hashing function. MongoDB 4.0 introduced support for
+``SCRAM-SHA-256`` which uses the ``SHA-256`` hashing function.
+
+SCRAM-SHA-256
+~~~~~~~~~~~~~
+
+Using this mechanism requires MongoDB 4.0 and
+``featureCompatibilityVersion`` to be set to 4.0.
+
+To explicitly create a credential of type ``SCRAM-SHA-256``, use
+the ``createScramSha256Credential()`` method:
+
+.. code-block:: scala
+
+   val user: String = ...          // the user name
+   val source: String = ...        // the source where the user is defined
+   val password: Array[Char] = ... // the password as a character array
+   // ...
+   val credential = MongoCredential.createScramSha256Credential(user, source, password)
+   
+   val mongoClient: MongoClient = MongoClient(
+     MongoClientSettings.builder()
+       .applyToClusterSettings((builder: ClusterSettings.Builder) => builder.hosts(List(new ServerAddress("host1", 27017)).asJava))
+       .credential(credential)
+       .build())
+
+Or, you can use a connection string that explicitly specifies
+``authMechanism=SCRAM-SHA-256``:
+
+.. code-block:: scala
+
+   val mongoClient: MongoClient = MongoClient("mongodb://user1:pwd1@host1/?authSource=db1&authMechanism=SCRAM-SHA-256")
+
+SCRAM-SHA-1
+~~~~~~~~~~~
+
+To explicitly create a credential of type ``SCRAM-SHA-1``, use the
+``createScramSha1Credential()`` method:
+
+.. code-block:: scala
+
+   val user: String = ...          // the user name
+   val source: String = ...        // the source where the user is defined
+   val password: Array[Char] = ... // the password as a character array
+   // ...
+   val credential = MongoCredential.createScramSha1Credential(user, source, password)
+   
+   val mongoClient: MongoClient = MongoClient(
+     MongoClientSettings.builder()
+       .applyToClusterSettings((builder: ClusterSettings.Builder) => builder.hosts(List(new ServerAddress("host1", 27017)).asJava))
+       .credential(credential)
+       .build())
+
+Or, you can use a connection string that explicitly specifies
+``authMechanism=SCRAM-SHA-1``:
+
+.. code-block:: scala
+
+   val mongoClient: MongoClient = MongoClient("mongodb://user1:pwd1@host1/?authSource=db1&authMechanism=SCRAM-SHA-1")
+
+MONGODB-CR
+----------
+
+.. important::
+
+   Starting in version 4.0, MongoDB removes support for the deprecated
+   MongoDB Challenge-Response (``MONGODB-CR``) authentication mechanism.
+   
+   If your deployment has user credentials stored in a ``MONGODB-CR`` schema,
+   you must upgrade to use a ``SCRAM``-based mechanism before you
+   upgrade to version 4.0.
+
+To explicitly create a credential of type ``MONGODB-CR`` use the
+``createMongCRCredential()`` helper method:
+
+.. code-block:: scala
+
+   val user: String = ...          // the user name
+   val source: String = ...        // the source where the user is defined
+   val password: Array[Char] = ... // the password as a character array
+   // ...
+   val credential = MongoCredential.createMongoCRCredential(user, database, password)
+   
+   val mongoClient: MongoClient = MongoClient(
+     MongoClientSettings.builder()
+       .applyToClusterSettings((builder: ClusterSettings.Builder) => builder.hosts(List(new ServerAddress("host1", 27017)).asJava))
+       .credential(credential)
+       .build())
+
+Or, you can use a connection string that explicitly specifies
+``authMechanism=MONGODB-CR``:
+
+.. code-block:: scala
+
+   val mongoClient: MongoClient = MongoClient("mongodb://user1:pwd1@host1/?authSource=db1&authMechanism=MONGODB-CR")
+
+.. note::
+
+   After you upgrade the authentication schema from ``MONGODB-CR`` to ``SCRAM``,
+   ``MONGODB-CR`` credentials will fail to authenticate.
+
+X.509
+-----
+
+With the ``X.509`` mechanism, MongoDB uses the X.509 certificate presented
+during SSL negotiation to authenticate a user whose name is derived
+from the distinguished name of the X.509 certificate.
+
+X.509 authentication requires the use of SSL connections with
+certificate validation. To create a credential of this type use the
+``createMongoX509Credential()`` helper method:
+
+.. code-block:: scala
+
+   val user: String = ...     // The X.509 certificate derived user name, e.g. "CN=user,OU=OrgUnit,O=myOrg,..."
+   // ...
+   val credential = MongoCredential.createMongoX509Credential(user)
+   
+   val mongoClient: MongoClient = MongoClient(
+     MongoClientSettings.builder()
+       .applyToClusterSettings((builder: ClusterSettings.Builder) => builder.hosts(List(new ServerAddress("host1", 27017)).asJava))
+       .credential(credential)
+       .build())
+
+Or, you can use a connection string that explicitly specifies
+``authMechanism=MONGODB-X509``:
+
+.. code-block:: scala
+
+   val mongoClient: MongoClient = MongoClient("mongodb://subjectName@host1/?authMechanism=MONGODB-X509&ssl=true")
+
+See the :manual:`Use x.509 Certificates to Authenticate Clients </tutorial/configure-x509-client-authentication/>`
+tutorial in the Server manual to learn more about
+determining the subject name from the certificate.
+
+Kerberos (GSSAPI)
+-----------------
+
+MongoDB Enterprise supports proxy authentication through the Kerberos
+service. To create a credential of type Kerberos (GSSAPI), use the
+``createGSSAPICredential()`` helper method:
+
+.. code-block:: scala
+
+   val user: String = ...   // The Kerberos user name, including the realm, e.g. "user1@MYREALM.ME"
+   // ...
+   val credential = MongoCredential.createGSSAPICredential(user)
+   
+   val mongoClient: MongoClient = MongoClient(
+     MongoClientSettings.builder()
+       .applyToClusterSettings((builder: ClusterSettings.Builder) => builder.hosts(List(new ServerAddress("host1", 27017)).asJava))
+       .credential(credential)
+       .build())
+
+Or, you can use a connection string that explicitly specifies
+``authMechanism=GSSAPI``:
+
+.. code-block:: scala
+
+   val mongoClient: MongoClient = MongoClient("mongodb://username%40REALM.ME@host1/?authMechanism=GSSAPI")
+
+.. note::
+
+   The method refers to the ``GSSAPI`` authentication mechanism instead of
+   ``Kerberos`` because the driver authenticates by using the ``GSSAPI`` SASL mechanism.
+
+To successfully authenticate by using Kerberos, the application typically
+must specify several system properties so that the underlying GSSAPI
+Java libraries can acquire a Kerberos ticket:
+
+.. code-block:: none
+
+   java.security.krb5.realm=MYREALM.ME
+   java.security.krb5.kdc=mykdc.myrealm.me
+
+Depending on the Kerberos setup, additional property specifications
+might be required, either within the application code or, in some cases,
+by using the ``withMechanismProperty()`` method of the ``MongoCredential``
+instance:
+
+- ``SERVICE_NAME``
+- ``CANONICALIZE_HOST_NAME``
+- ``JAVA_SUBJECT``
+- ``JAVA_SASL_CLIENT_PROPERTIES``
+
+The following code shows how to specify the ``SERVICE_NAME`` property within the
+``MongoCredential`` object:
+
+.. code-block:: scala
+
+   val credentialWithProperty = credential.withMechanismProperty(MongoCredential.SERVICE_NAME_KEY, "othername")
+
+Or, you can specify the ``SERVICE_NAME`` property within the ``ConnectionString``:
+
+.. code-block:: scala
+
+   val uri = "mongodb://username%40MYREALM.com@myserver/?authMechanism=GSSAPI&authMechanismProperties=SERVICE_NAME:othername"
+
+.. note::
+
+   On Windows, Oracles JRE uses `LSA
+   <https://msdn.microsoft.com/en-us/library/windows/desktop/aa378326.aspx>`__
+   rather than `SSPI
+   <https://msdn.microsoft.com/en-us/library/windows/desktop/aa380493.aspx>`__
+   in its implementation of GSSAPI, which limits interoperability with Windows
+   Active Directory and in particular the ability to implement single
+   sign-on.
+
+LDAP (PLAIN)
+------------
+
+MongoDB Enterprise supports proxy authentication through a
+Lightweight Directory Access Protocol (LDAP) service. To create a
+credential of type ``LDAP`` use the ``createPlainCredential()`` helper method:
+
+.. code-block:: scala
+
+   val user: String = ...            // The LDAP user name
+   val password: Array[Char] = ...   // The LDAP password
+   // ...
+   val credential = MongoCredential.createPlainCredential(user, "$external", password)
+   val mongoClient: MongoClient = MongoClient(
+     MongoClientSettings.builder()
+       .applyToClusterSettings((builder: ClusterSettings.Builder) => builder.hosts(List(new ServerAddress("host1", 27017)).asJava))
+       .credential(credential)
+       .build())
+
+Or, you can use a connection string that explicitly specifies
+``authMechanism=PLAIN``:
+
+.. code-block:: scala
+
+   val mongoClient: MongoClient = MongoClient("mongodb://user1@host1/?authSource=$external&authMechanism=PLAIN")
+
+.. note::
+
+   The method refers to the ``PLAIN`` authentication mechanism instead of
+   ``LDAP`` because the driver authenticates by using the ``PLAIN``
+   SASL mechanism.
