Merge remote-tracking branch 'upstream/v5.3' into v5.3-temp

Author: jeff-allen-mongo

snooty.toml

@@ -209,7 +209,7 @@ package-name-org = "mongodb-org"
 package-name-enterprise = "mongodb-enterprise"
 version = "5.0"
 release = "5.0.5"
-version-dev = "5.2"
+version-dev = "5.3"
 pgp-version = "{+version+}"
 rsa-key = "4B7C549A058F8B6B"
 pgp-fingerprint = "E162F504A20CDF15827F718D4B7C549A058F8B6B"

source/core/security-encryption-at-rest.txt

@@ -111,21 +111,54 @@ transport encryption.
 
 For details, see :ref:`rotate-encryption-keys`.
 
-Logging
-~~~~~~~
+Audit Log
+~~~~~~~~~
 
-.. versionadded:: 3.4 Available in MongoDB Enterprise only
+Available in MongoDB Enterprise only.
 
-The log file is not encrypted as a part of MongoDB's encrypted storage engine.
-A :binary:`~bin.mongod` running with :ref:`logging <monitoring-standard-loggging>`
-may output potentially sensitive information to log files as a part of normal
-operations, depending on the configured :ref:`log verbosity
-<log-messages-configure-verbosity>`.
+.. _security-encryption-at-rest-audit-log:
 
-MongoDB 3.4 Enterprise provides the :setting:`security.redactClientLogData`
-setting to prevent potentially sensitive information from entering the
-:binary:`~bin.mongod` process log. :setting:`~security.redactClientLogData`
-reduces detail in the log and may complicate log diagnostics.
+Use KMIP Server to Manage Keys for Encrypting the MongoDB Audit Log
+```````````````````````````````````````````````````````````````````
+
+Starting in MongoDB 5.3 Enterprise, you can use an external Key
+Management Interoperability Protocol (KMIP) server to securely manage
+the keys for encrypting the MongoDB audit log.
+
+To use a KMIP server with audit log encryption, configure these settings
+and parameters:
+
+- :setting:`auditLog.auditEncryptionKeyIdentifier` setting
+- :setting:`auditLog.compressionMode` setting
+- :parameter:`auditEncryptionHeaderMetadataFile` parameter
+- :parameter:`auditEncryptKeyWithKMIPGet` parameter
+
+For testing audit log encryption, you can also use the
+:setting:`auditLog.localAuditKeyFile` setting.
+
+.. note::
+
+   For audit log encryption, the audit log destination must be a
+   file. :term:`syslog` cannot be used as the destination.
+
+Unencrypted Audit Log and Process Log
+`````````````````````````````````````
+
+This section applies if you are not using an external Key Management
+Interoperability Protocol (KMIP) server to manage keys for encrypting
+the audit log as shown in the previous section.
+
+The audit log file is not encrypted as a part of MongoDB's encrypted
+storage engine. A :binary:`~bin.mongod` running with :ref:`logging
+<monitoring-standard-loggging>` may output potentially sensitive
+information to log files as a part of normal operations, depending on
+the configured :ref:`log verbosity <log-messages-configure-verbosity>`.
+
+Use the :setting:`security.redactClientLogData` setting to prevent
+potentially sensitive information from entering the
+:binary:`~bin.mongod` process log.
+:setting:`~security.redactClientLogData` reduces detail in the log and
+may complicate log diagnostics.
 
 See the :ref:`log redaction <monitoring-log-redaction>` manual entry for
 more information.

source/core/timeseries-collections.txt

@@ -130,6 +130,8 @@ Other options allowed with the ``timeseries`` option are:
 
    :method:`db.createCollection()` and :dbcommand:`create`.
 
+.. _timeseries-collections-insert:
+
 Insert Measurements into a Time Series Collection
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 

source/core/timeseries/timeseries-limitations.txt

@@ -1,8 +1,8 @@
 .. _manual-timeseries-collection-limitations:
 
-==================================
-Time Series Collection Limitations
-==================================
+============================================
+Time Series Collection Notes and Limitations
+============================================
 
 .. default-domain:: mongodb
 
@@ -59,14 +59,79 @@ To remove all documents from a collection, use the
 
 .. _timeseries-limitations-secondary-indexes:
 
-Secondary Indexes
-~~~~~~~~~~~~~~~~~
+Time Series Secondary Indexes
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
 You can add :term:`secondary indexes <secondary index>` on the fields
 specified as the ``timeField`` and the ``metaField``. If the field value
 for the ``metaField`` field is a document, you can also create secondary
 indexes on fields inside that document.
 
+The following sections describe:
+
+- Additional secondary indexes you can add.
+
+- Secondary index limitations.
+
+Time Series Secondary Indexes in MongoDB 5.3
+````````````````````````````````````````````
+
+Starting in MongoDB 5.3:
+
+- You can add the following secondary indexes to a :ref:`time series
+  collection <manual-timeseries-collection>`:
+  
+  - :doc:`Partial
+    </core/index-partial>`, :doc:`2d </core/2d>`, and :doc:`2dsphere
+    </core/2dsphere>` indexes to a metadata field. 
+
+  - :doc:`2dsphere </core/2dsphere>` and :doc:`partial
+    </core/index-partial>` indexes to a measurement field.
+
+  - :doc:`Compound index </core/index-compound>` on time, metadata, or
+    measurement fields.
+
+- If you need to downgrade the Feature Compatibility Version (FCV), 
+  you must first drop any indexes that are incompatible with the
+  downgraded FCV. See :dbcommand:`setFeatureCompatibilityVersion`.
+
+- You can use the :query:`$or`, :query:`$in`, and :query:`$geoWithin`
+  operators with :doc:`partial indexes </core/index-partial>` on a time
+  series collection.
+
+- You can use the :pipeline:`$geoNear` pipeline operator with a:
+
+  .. include:: /includes/geoNear-time-series.rst
+
+For example, the following ``sensorData`` collection contains
+temperature readings:
+
+.. code-block:: javascript
+
+   db.sensorData.insertMany( [
+      {
+         "metadata": { "sensorId": 5578, "type": "temperature" },
+         "timestamp": ISODate("2022-01-15T00:00:00.000Z"),
+         "temperatureReading": 12
+      },
+      {
+         "metadata": { "sensorId": 5578, "type": "temperature" },
+         "timestamp": ISODate("2022-01-15T04:00:00.000Z"),
+         "temperatureReading": 11
+      }
+   ] )
+
+The following example creates an ascending secondary index on the
+``metadata.sensorId`` and ``temperatureReading`` fields in the
+``sensorData`` collection:
+
+.. code-block:: javascript
+
+   db.sensorData.createIndex( { "metadata.sensorId": 1, "temperatureReading": 1 } )
+
+Secondary Index Limitations
+```````````````````````````
+
 In MongoDB 5.1, the ``metaField`` doesn't support :doc:`text
 </core/index-text>` indexes.
 
@@ -79,9 +144,12 @@ types:
 
 Secondary indexes don't support the following index properties:
 
+- :doc:`2d </core/2d>` in MongoDB 5.2 and lower
+- :doc:`2dsphere </core/2dsphere>` in MongoDB 5.2 and lower
 - :doc:`TTL </core/index-ttl>`
 - :doc:`Unique </core/index-unique>`
-- :doc:`Partial </core/index-partial>`
+- :doc:`Partial </core/index-partial>` in MongoDB 5.2 and lower
+- :doc:`Multikey index </core/index-multikey>` on a measurement field
 
 ``reIndex``
 ~~~~~~~~~~~

source/includes/audit-compression-mode-option.rst

@@ -0,0 +1,23 @@
+.. versionadded:: 5.3
+
+Specifies the compression mode for :ref:`audit log encryption
+<security-encryption-at-rest-audit-log>`. You must also enable audit log
+encryption using either |audit-encryption-key-identifier-option| or
+|audit-local-keyfile-option|.
+
+|audit-compression-mode-option| can be set to one of these values:
+   
+.. list-table::
+   :header-rows: 1
+   :widths: 15 50
+   
+   * - Value
+     - Description
+   
+   * - ``zstd``
+     - Use the :term:`zstd` algorithm to compress the audit log.
+      
+   * - ``none`` *(default)*
+     - Do not compress the audit log.
+
+.. include:: /includes/note-audit-in-enterprise.rst

source/includes/audit-encryption-key-identifier-option.rst

@@ -0,0 +1,10 @@
+.. versionadded:: 5.3
+
+Specifies the unique identifier of the Key Management
+Interoperability Protocol (KMIP) key for :ref:`audit log encryption
+<security-encryption-at-rest-audit-log>`.
+
+You cannot use |audit-encryption-key-identifier-option| and
+|audit-local-keyfile-option| together.
+
+.. include:: /includes/note-audit-in-enterprise.rst

source/includes/audit-local-key-file-option.rst

@@ -0,0 +1,16 @@
+.. versionadded:: 5.3
+
+Specifies the path and file name for a local audit key file for
+:ref:`audit log encryption <security-encryption-at-rest-audit-log>`.
+
+.. note::
+
+   Only use |audit-local-keyfile-option| for testing because the key is
+   not secured. To secure the key, use
+   |audit-encryption-key-identifier-option| and an external Key
+   Management Interoperability Protocol (KMIP) server.
+   
+You cannot use |audit-local-keyfile-option| and
+|audit-encryption-key-identifier-option| together.
+
+.. include:: /includes/note-audit-in-enterprise.rst

source/includes/geoNear-time-series.rst

@@ -0,0 +1,5 @@
+- :doc:`2dsphere </core/2dsphere>` index on a :ref:`time series
+  collection <manual-timeseries-collection>`.
+
+- Query on any field in a time series collection, including
+  metadata fields. 

source/includes/note-audit-in-enterprise.rst

@@ -0,0 +1,6 @@
+.. note::
+   
+   Available only in `MongoDB Enterprise
+   <http://www.mongodb.com/products/mongodb-enterprise-advanced?tck=docs_server>`_.
+   MongoDB Enterprise and Atlas have different configuration
+   requirements.

source/reference/configuration-file-settings-command-line-options-mapping.txt

@@ -17,6 +17,13 @@ and :binary:`~bin.mongos` command-line options.
    * - Configuration File Setting
      - ``mongod`` and ``mongos`` Command-Line Options
 
+   * - :setting:`auditLog.auditEncryptionKeyIdentifier`
+     - | :option:`mongod --auditEncryptionKeyUID`
+       | :option:`mongos --auditEncryptionKeyUID`
+
+   * - :setting:`auditLog.compressionMode`
+     - | :option:`mongod --auditCompressionMode`
+       | :option:`mongos --auditCompressionMode`
 
    * - :setting:`auditLog.destination`
      - | :option:`mongod --auditDestination`
@@ -30,6 +37,10 @@ and :binary:`~bin.mongos` command-line options.
      - | :option:`mongod --auditFormat`
        | :option:`mongos --auditFormat`
 
+   * - :setting:`auditLog.localAuditKeyFile`
+     - | :option:`mongod --auditLocalKeyFile`
+       | :option:`mongos --auditLocalKeyFile`
+
    * - :setting:`auditLog.path`
      - | :option:`mongod --auditPath`
        | :option:`mongos --auditPath`

source/reference/configuration-options.txt

@@ -4305,6 +4305,24 @@ LDAP Parameters
       path: <string>
       filter: <string>
 
+.. |audit-compression-mode-option| replace:: :setting:`auditLog.compressionMode`
+.. |audit-encryption-key-identifier-option| replace:: :setting:`auditLog.auditEncryptionKeyIdentifier`
+.. |audit-local-keyfile-option| replace:: :setting:`auditLog.localAuditKeyFile`
+
+.. setting:: auditLog.auditEncryptionKeyIdentifier
+
+   *Type*: string
+
+   .. include:: /includes/audit-encryption-key-identifier-option.rst
+
+.. setting:: auditLog.compressionMode
+
+   *Type*: string
+
+   .. |option-1| replace:: :setting:`auditLog.compressionMode`
+
+   .. include:: /includes/audit-compression-mode-option.rst
+
 .. setting:: auditLog.destination
 
    *Type*: string
@@ -4402,6 +4420,12 @@ LDAP Parameters
 
    .. include:: /includes/note-audit-in-enterprise-only.rst
 
+.. setting:: auditLog.localAuditKeyFile
+
+   *Type*: string
+
+   .. include:: /includes/audit-local-key-file-option.rst
+
 .. setting:: auditLog.path
 
    *Type*: string

source/reference/operator/aggregation/geoNear.txt

@@ -201,13 +201,18 @@ When using :pipeline:`$geoNear`, consider that:
 
 - .. include:: /includes/extracts/views-unsupported-geoNear.rst
 
-- Starting in version 4.2, :pipeline:`$geoNear` no longer has a default
+- Starting in MongoDB 4.2, :pipeline:`$geoNear` no longer has a default
   limit of 100 documents.
 
 - Starting in MongoDB 5.1, the ``near`` parameter supports the 
   :ref:`let option <geoNear_let_example>` and
   :ref:`bound let option <geoNear_bounded_let_example>`.
 
+- Starting in MongoDB 5.3, you can use the :pipeline:`$geoNear` pipeline
+  operator with a:
+
+  .. include:: /includes/geoNear-time-series.rst
+
 Examples
 --------
 

source/reference/parameters.txt

@@ -4191,6 +4191,58 @@ Auditing Parameters
       Using the default value of 300 seconds, non-config nodes may lag up
       to 5 minutes behind a setAuditConfig command.
 
+.. parameter:: auditEncryptionHeaderMetadataFile
+
+   .. versionadded:: 5.3
+
+   *Type*: string
+
+   .. include:: /includes/note-audit-in-enterprise.rst
+
+   |both|
+
+   Path and file name for logging metadata audit headers for :ref:`audit
+   log encryption <security-encryption-at-rest-audit-log>`. A header is
+   placed at the top of each audit log file and contains metadata for
+   decrypting the audit log. The headers are also stored in the
+   :doc:`audit log </core/auditing>`.
+
+   You can only set :parameter:`auditEncryptionHeaderMetadataFile`
+   during startup in the :setting:`configuration file <setParameter>` or
+   with the ``--setParameter`` option on the command line. For example,
+   the following sets the path and file for
+   :parameter:`auditEncryptionHeaderMetadataFile`:
+
+   .. code-block:: bash
+
+      mongod --setParameter auditEncryptionHeaderMetadataFile=/auditFiles/auditHeadersMetadataFile.log
+
+.. parameter:: auditEncryptKeyWithKMIPGet
+
+   .. versionadded:: 5.3
+
+   *Type*: boolean
+
+   *Default*: false
+
+   .. include:: /includes/note-audit-in-enterprise.rst
+
+   |both|
+
+   Enables :ref:`audit log encryption
+   <security-encryption-at-rest-audit-log>` for Key Management
+   Interoperability Protocol (KMIP) servers that only support KMIP
+   protocol version 1.0 or 1.1.
+
+   You can only set :parameter:`auditEncryptKeyWithKMIPGet` during
+   startup in the :setting:`configuration file <setParameter>` or with
+   the ``--setParameter`` option on the command line. For example, the
+   following sets :parameter:`auditEncryptKeyWithKMIPGet` to ``true``:
+
+   .. code-block:: bash
+
+      mongod --setParameter auditEncryptKeyWithKMIPGet=true
+
 Transaction Parameters
 ~~~~~~~~~~~~~~~~~~~~~~