DOCSP-1834, DOCSP-1714: scram part 1 + mongodbcr data and scram

Author: kay-kim

config/redirects

@@ -1352,6 +1352,7 @@ raw: /master/release-notes/3.0-general-improvements -> ${base}/release-notes/3.0
 [v3.6-*]: /${version}/reference/method/sh.getBalancerLockDetails -> ${base}/${version}/reference/method/js-sharding
 [*-v3.2]: /${version}/reference/method/sh.disableAutoSplit -> ${base}/${version}/reference/program/mongos
 [*-v3.2]: /${version}/reference/method/sh.enableAutoSplit -> ${base}/${version}/reference/program/mongos
+[*-v3.0]: /${version}/core/security-scram-sha-1 -> ${base}/${version}/core/security-scram
 
 [v3.6-*]: /${version}/core/data-modeling-json-schema -> ${base}/${version}/core/schema-validation
 [v3.6-*]: /${version}/core/distributed-write-operations -> ${base}/${version}/core/distributed-queries

source/core/authentication-mechanisms.txt

@@ -14,17 +14,11 @@ Authentication Mechanisms
 
 MongoDB supports the following authentication mechanisms:
 
-- :doc:`SCRAM-SHA-1 </core/security-scram-sha-1>`
+- :doc:`/core/security-scram` (Default authentication mechanism)
 
 - :doc:`MongoDB Challenge and Response (MONGODB-CR)
   </core/security-mongodb-cr>`
 
-  .. versionchanged:: 3.0
-
-     New challenge-response users created in 3.0 will use
-     ``SCRAM-SHA-1``. If using 2.6 user data, MongoDB 3.0 will continue
-     to use ``MONGODB-CR``.
-
 - :doc:`x.509 Certificate Authentication </core/security-x.509>`.
 
 In addition, MongoDB Enterprise also provides supports for additional
@@ -38,9 +32,12 @@ Default Authentication Mechanism
 
 .. versionchanged:: 3.0
 
-MongoDB uses the :ref:`SCRAM-SHA-1 <authentication-scram-sha-1>` as the default
-challenge and response authentication mechanism. Previous versions used :doc:`MONGODB-CR
-</core/security-mongodb-cr>` as the default.
+As of MongoDB 3.0, :ref:`Salted Challenge Response Authentication
+Mechanism (SCRAM) <authentication-scram-sha-1>` is the default
+authentication mechanism for MongoDB.
+
+Previous versions used :doc:`MONGODB-CR </core/security-mongodb-cr>` as
+the default.
 
 Specify Authentication Mechanism
 --------------------------------
@@ -58,6 +55,6 @@ authentication mechanism from the command line.
    .. toctree::
       :titlesonly: 
 
-      /core/security-scram-sha-1
+      /core/security-scram
       /core/security-mongodb-cr
       /core/security-x.509

source/core/authentication.txt

@@ -39,16 +39,11 @@ existing authentication system.
 
 MongoDB supports multiple authentication mechanisms:
 
-- :ref:`SCRAM-SHA-1 <authentication-scram-sha-1>`
+- :ref:`authentication-scram` (Default)
 
 - :ref:`MongoDB Challenge and Response (MONGODB-CR)
   <authentication-mongodb-cr>`
 
-  .. versionchanged:: 3.0
-     New challenge-response users created in 3.0 will use
-     ``SCRAM-SHA-1``. If using 2.6 user data, MongoDB 3.0 will continue
-     to use ``MONGODB-CR``.
-
 - :ref:`x.509 Certificate Authentication <security-auth-x509>`.
 
 In addition to supporting the aforementioned mechanisms, MongoDB Enterprise

source/core/security-internal-authentication.txt

@@ -28,7 +28,7 @@ certificates.
 Keyfiles
 --------
 
-Keyfiles use :doc:`/core/security-scram-sha-1` challenge and response
+Keyfiles use :doc:`/core/security-scram` challenge and response
 authentication mechanism. The contents of the keyfiles serve as the
 shared password for the members. A key's length must be between 6 and
 1024 characters and may only contain characters in the base64 set.

source/core/security-mongodb-cr.txt

@@ -20,12 +20,13 @@ the user's :data:`name <admin.system.users.user>`, :data:`password
 user was created, and the user's database and the user's name together serve to
 identify the user.
 
-``MONGODB-CR`` and ``SCRAM-SHA-1``
-----------------------------------
+``MONGODB-CR`` User Credentials and SCRAM
+-----------------------------------------
 
 .. versionchanged:: 3.0
 
-MongoDB no longer defaults to ``MONGODB-CR`` and instead uses ``SCRAM-SHA-1`` as the
-default authentication mechanism.
+MongoDB no longer defaults to ``MONGODB-CR`` and instead uses
+:ref:`Salted Challenge Response Authentication Mechanism (SCRAM)
+<authentication-scram-sha-1>` as the default authentication mechanism.
 
-.. include:: /includes/fact-scram-sha-1-protocol.rst
+.. include:: /includes/fact-mongodb-cr-users.rst

source/core/security-scram-sha-1.txt

@@ -0,0 +1,77 @@
+.. _authentication-scram:
+
+.. _authentication-scram-sha-1:
+
+=====
+SCRAM
+=====
+
+.. default-domain:: mongodb
+
+.. contents:: On this page
+   :local:
+   :backlinks: none
+   :depth: 1
+   :class: singlecol
+
+.. versionadded:: 3.0
+
+Salted Challenge Response Authentication Mechanism (SCRAM) is the
+default authentication mechanism for MongoDB. SCRAM is based on the
+IETF `RFC 5802 <https://tools.ietf.org/html/rfc5802>`_ standard that
+defines best practices for implementation of challenge-response
+mechanisms for authenticating users with passwords.
+
+Using SCRAM, MongoDB verifies the supplied user credentials against the
+user's :data:`name <admin.system.users.user>`, :data:`password
+<admin.system.users.credentials>` and :data:`authentication database
+<admin.system.users.db>`. The authentication database is the database
+where the user was created, and together with the user's name, serves
+to identify the user.
+
+MongoDB's implementation of SCRAM uses the SHA-1 hashing function.
+
+.. _scram-advantages:
+
+SCRAM Advantages
+----------------
+
+MongoDB's implementation of SCRAM represents an improvement in security
+over the MongoDB challenge response authentication mechanism, providing:
+
+- A tunable work factor (``iterationCount``),
+- Per-user random salts rather than server-wide salts,
+- A cryptographically stronger hash function (``SHA-1`` rather than ``MD5``),
+  and
+- Authentication of the server to the client as well as the client to the
+  server.
+
+MongoDB-CR User Credentials and SCRAM
+-------------------------------------
+
+.. include:: /includes/fact-mongodb-cr-users.rst
+
+Driver Support
+--------------
+
+To use the SCRAM, you must upgrade your driver if your current driver
+version does not support ``SCRAM``.
+
+The minimum driver versions that support ``SCRAM`` are:
+
+.. |driver-compatibility-heading| replace:: Version
+
+.. include:: /includes/list-table-3.0-driver-compatibility.rst
+
+Additional Information
+----------------------
+
+- `Blog Post: Improved Password-Based Authentication in MongoDB 3.0: SCRAM
+  Explained (Part 1)
+  <https://www.mongodb.com/blog/post/improved-password-based-authentication-mong
+  odb-30-scram-explained-part-1?jmp=docs>`_
+
+- `Blog Post: Improved Password-Based Authentication in MongoDB 3.0: SCRAM
+  Explained (Part 2)
+  <https://www.mongodb.com/blog/post/improved-password-based-authentication-mong
+  odb-30-scram-explained-part-2?jmp=docs>`_

source/core/security-scram.txt

@@ -0,0 +1,9 @@
+For older versions of drivers that do not support MongoDB 3.0+
+features, you will continue to use MONGODB-CR.
+
+For drivers that support MongoDB 3.0+ features (see
+:ref:`compatibility-driver-versions`), the default behavior is to
+temporarily convert the credentials to SCRAM during authentication;
+this temporary conversion does not affect how the credentials are
+stored. If you choose to use ``MONGODB-CR``, you must explicitly
+specify ``MONGODB-CR`` as the authentication mechanism.

source/includes/fact-mongodb-cr-users-drivers.rst

@@ -0,0 +1,21 @@
+After you upgrade a deployment that already has MongoDB Challenge
+and Response (``MONGODB-CR``) user credentials, if you have not
+upgraded the authentication schema, you can continue to use
+``MONGODB-CR``:
+
+- For older versions of drivers that do not support MongoDB 3.0+
+  features, you will continue to use ``MONGODB-CR``.
+
+- For drivers that support MongoDB 3.0+ features (see
+  :ref:`compatibility-driver-versions`), you must explicitly specify
+  ``MONGODB-CR`` as the authentication mechanism. Otherwise, the
+  credentials are temporarily converted to use SCRAM during
+  authentication; this temporary conversion does not affect how the
+  credentials are stored.
+
+To upgrade the authentication schema model to SCRAM, see
+:doc:`/release-notes/3.0-scram`.
+
+.. warning::
+
+   .. include:: /includes/fact-upgrade-scram-irreversible.rst

source/includes/fact-mongodb-cr-users.rst

@@ -1,6 +1,6 @@
-The procedure to upgrade to ``SCRAM-SHA-1`` **discards** the
-``MONGODB-CR`` credentials used by 2.6. As such, the procedure is
-**irreversible**, short of restoring from backups.
+The procedure to upgrade to SCRAM **discards** the ``MONGODB-CR``
+credentials used by 2.6. As such, the procedure is **irreversible**,
+short of restoring from backups.
 
 The procedure also disables ``MONGODB-CR`` as an authentication
 mechanism.

source/includes/fact-scram-sha-1-protocol.rst

@@ -1,6 +1,6 @@
 This tutorial covers creating the minimum number of administrative
 users on the ``admin`` database *only*. For the user authentication,
-the tutorial uses the default :doc:`/core/security-scram-sha-1`
+the tutorial uses the default :doc:`/core/security-scram`
 authentication mechanism. Challenge-response security mechanisms are
 best suited for testing or development environments. For production
 environments, we recommend using :doc:`x.509