Commit 8b95185

DOCS-8620: multi-user authentication
1 parent 82f1c69 commit 8b95185

3 files changed

+36
-26
lines changed

source/core/authentication.txt

Lines changed: 3 additions & 7 deletions
Original file line number | Diff line number | Diff line change
@@ -25,11 +25,7 @@ verified user's access to resources and operations.
2525
Authentication Methods
2626
----------------------
2727

28-
To authenticate a :doc:`user </core/security-users>`, MongoDB provides the
29-
:method:`db.auth()` method.
30-
31-
For the :binary:`~bin.mongo` shell and the MongoDB tools, you can also authenticate
32-
a user by passing in the user authentication information from the command line.
28+
.. include:: /includes/fact-authenticate.rst
3329

3430
.. _available-authentication-mechanisms:
3531
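Review bot: The include at new line 28 drops the statement that the MongoDB tools can also authenticate by passing credentials on the command line; the included fact-authenticate.rst only describes the mongo shell and then points to the driver documentation. If that statement about the tools should stay in the docs, keep a sentence for it after the include on this page, or add it to the include file so both pages carry it.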

@@ -58,7 +54,7 @@ MongoDB supports multiple authentication mechanisms:
5854
In addition to supporting the aforementioned mechanisms, MongoDB Enterprise
5955
also supports the following mechanisms:
6056

61-
- :ref:`LDAP proxy authentication <security-auth-ldap>`, and
57+
- :ref:`LDAP proxy authentication <security-auth-ldap>`, and
6258

6359
- :ref:`Kerberos authentication <security-auth-kerberos>`.
6460

@@ -82,7 +78,7 @@ authentication and sharded clusters, see :ref:`sharding-security`.
8278
.. class:: hidden
8379

8480
.. toctree::
85-
:titlesonly:
81+
:titlesonly:
8682

8783
/core/security-users
8884
/core/authentication-mechanisms

source/core/security-users.txt

Lines changed: 4 additions & 19 deletions
Original file line number | Diff line number | Diff line change
@@ -42,8 +42,8 @@ Authentication Database
4242
When adding a user, you create the user in a specific database. This
4343
database is the authentication database for the user.
4444

45-
A user can have privileges across different databases; i.e. a user's
46-
privileges are not limited to the authentication database. By assigning
45+
A user can have privileges across different databases; that is, a user's
46+
privileges are not limited to their authentication database. By assigning
4747
to the user roles in other databases, a user created in one database can
4848
have permissions to act on other databases. For more information on
4949
roles, see :doc:`/core/authorization`.
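Review bot: Style point on the unchanged sentence that follows the edit (line 46 onward): "By assigning to the user roles in other databases" still reads awkwardly, and since this paragraph is being reworded anyway it could become "By assigning the user roles in other databases". The "i.e." to "that is" change itself looks fine.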
@@ -62,22 +62,7 @@ the user multiple times in different databases.
6262
Authenticate a User
6363
-------------------
6464

65-
To authenticate a user, either
66-
67-
- Use the command line authentication options (e.g. ``-u``, ``-p``,
68-
``--authenticationDatabase``) when connecting to the :binary:`~bin.mongod` or
69-
:binary:`~bin.mongos` instance, or
70-
71-
- Connect first to the :binary:`~bin.mongod` or :binary:`~bin.mongos` instance, and
72-
then run the :dbcommand:`authenticate` command or the :method:`db.auth()`
73-
method against the authentication database.
74-
75-
To authenticate, the client must authenticate the user against the user's
76-
:ref:`authentication database <mongo-shell-authentication-options>`.
77-
78-
For instance, if using the :binary:`~bin.mongo` shell as a client, you can
79-
specify the authentication database for the user with the
80-
``--authenticationDatabase`` option.
65+
.. include:: /includes/fact-authenticate.rst
8166

8267
Centralized User Data
8368
---------------------
@@ -106,7 +91,7 @@ instance and add the users. Clients then authenticate these users through the
10691
:binary:`~bin.mongos` instances.
10792

10893
.. versionchanged:: 2.6
109-
94+
11095
MongoDB stores these sharded cluster user data in the ``admin`` database of
11196
the :term:`config servers <config server>`. Previously, the credentials for
11297
authenticating to a database on a sharded cluster resided on the

source/includes/fact-authenticate.rst

Lines changed: 29 additions & 0 deletions
Original file line number | Diff line number | Diff line change
@@ -0,0 +1,29 @@
1+
To authenticate as a user, you must provide a username, password, and
2+
the :ref:`authentication database <mongo-shell-authentication-options>`
3+
associated with that user.
4+
5+
To authenticate using the :binary:`~bin.mongo` shell, either:
6+
7+
- Use the :binary:`~bin.mongo` command-line authentication options
8+
(:option:`--username <mongo --username>`,
9+
:option:`--password <mongo --password>`, and
10+
:option:`--authenticationDatabase <mongo --authenticationDatabase>`)
11+
when connecting to the :binary:`~bin.mongod` or
12+
:binary:`~bin.mongos` instance, or
13+
14+
- Connect first to the :binary:`~bin.mongod` or :binary:`~bin.mongos`
15+
instance, and then run the :dbcommand:`authenticate` command or the
16+
:method:`db.auth()` method against the :ref:`authentication database
17+
<mongo-shell-authentication-options>`.
18+
19+
.. important::
20+
21+
Authenticating multiple times as different users does **not** drop
22+
the credentials of previously-authenticated users. This may lead to
23+
a connection having more permissions than intended by the user, and
24+
causes operations within a
25+
:doc:`logical session </reference/server-sessions>` to raise an
26+
error.
27+
28+
For examples of authenticating using a MongoDB driver, see the
29+
`driver documentation <https://docs.mongodb.com/ecosystem/drivers/>`__.
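Review bot: The ``.. important::`` block (new lines 19-26) states the risk but gives the reader no way to avoid it; it should say what to do instead, for example log out of the previous user or open a separate connection per user before authenticating again. The wording "than intended by the user" is also ambiguous, because "user" everywhere else in this file means the database account being authenticated; "more permissions than intended" alone would be clearer. Since this file is now included in two pages, it would also help to note in the commit message or a comment that edits here affect both core/authentication and core/security-users.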
