DOCSP-11391: deprecate MongoDB-CR

Author: kay-kim

source/core/authentication-mechanisms.txt

@@ -14,10 +14,10 @@ Authentication Mechanisms
 
 MongoDB supports the following authentication mechanisms:
 
-- :doc:`/core/security-scram` (Default authentication mechanism)
+- :doc:`/core/security-scram` (*Default*)
 
 - :doc:`MongoDB Challenge and Response (MONGODB-CR)
-  </core/security-mongodb-cr>`
+  </core/security-mongodb-cr>` (*Deprecated as of MongoDB 3.6*)
 
 - :doc:`x.509 Certificate Authentication </core/security-x.509>`.
 
@@ -36,8 +36,6 @@ As of MongoDB 3.0, :ref:`Salted Challenge Response Authentication
 Mechanism (SCRAM) <authentication-scram>` is the default
 authentication mechanism for MongoDB.
 
-Previous versions used :doc:`MONGODB-CR </core/security-mongodb-cr>` as
-the default.
 
 Specify Authentication Mechanism
 --------------------------------

source/core/authentication.txt

@@ -39,10 +39,10 @@ existing authentication system.
 
 MongoDB supports multiple authentication mechanisms:
 
-- :ref:`authentication-scram` (Default)
+- :ref:`authentication-scram` (*Default*)
 
 - :ref:`MongoDB Challenge and Response (MONGODB-CR)
-  <authentication-mongodb-cr>`
+  <authentication-mongodb-cr>` (*Deprecated as of MongoDB 3.6*)
 
 - :ref:`x.509 Certificate Authentication <security-auth-x509>`.
 

source/core/security-mongodb-cr.txt

@@ -6,11 +6,10 @@ MONGODB-CR
 
 .. default-domain:: mongodb
 
-.. contents:: On this page
-   :local:
-   :backlinks: none
-   :depth: 1
-   :class: singlecol
+.. admonition:: Deprecated
+   :class: important
+
+   .. include:: /includes/fact-mongodb-cr-deprecated.rst
 
 ``MONGODB-CR`` is a challenge-response mechanism that authenticates users
 through passwords. ``MONGODB-CR`` verifies supplied user credentials against

source/core/security-scram.txt

@@ -54,7 +54,7 @@ MongoDB-CR User Credentials and SCRAM
 Driver Support
 --------------
 
-To use the SCRAM, you must upgrade your driver if your current driver
+To use SCRAM, you must upgrade your driver if your current driver
 version does not support ``SCRAM``.
 
 The minimum driver versions that support ``SCRAM`` are:

source/includes/apiargs-method-db.auth-param.yaml

@@ -23,14 +23,13 @@ description: |
   Specifies the :ref:`authentication mechanism
   <mongo-shell-authentication-mechanisms>` used. Defaults to either:
 
-  - ``SCRAM-SHA-1`` on new 3.0 installations and on 3.0 databases that
+  - ``SCRAM-SHA-1`` on new 3.0+ installations and on 3.0+ databases that
     have been :ref:`upgraded from 2.6 with authSchemaUpgrade
     <upgrade-scram-scenarios>`; or
 
   - ``MONGODB-CR`` otherwise.
 
-  .. versionchanged:: 3.0
-     In previous version, defaulted to ``MONGODB-CR``.
+    .. include:: /includes/fact-mongodb-cr-deprecated.rst
 
   For available mechanisms, see :ref:`authentication mechanisms
   <mongo-shell-authentication-mechanisms>`.

source/includes/apiargs-method-db.copyDatabase-param.yaml

@@ -51,9 +51,11 @@ type: string
 arg_name: param
 description: |
   The mechanism to authenticate the ``username`` and ``password`` on
-  the ``fromhost``. Specify either :ref:`MONGODB-CR
-  <authentication-mongodb-cr>` or :ref:`SCRAM-SHA-1
-  <authentication-scram-sha-1>`. 
+  the ``fromhost``. Specify either:
+     
+  - :ref:`SCRAM-SHA-1 <authentication-scram-sha-1>`, or
+  
+  - :ref:`MONGODB-CR <authentication-mongodb-cr>` (Deprecated in MongoDB 3.6).
   
   :method:`db.copyDatabase` defaults to :ref:`SCRAM-SHA-1
   <authentication-scram-sha-1>` if the wire protocol version

source/includes/extracts-fact-copydb-behavior.yaml

@@ -58,9 +58,9 @@ content: |
 ref: fact-copydb-method-authentication-mechanism-change
 content: |
   When authenticating to the ``fromhost`` instance,
-  :method:`db.copyDatabase()` supports :ref:`MONGODB-CR
-  <authentication-mongodb-cr>` and :ref:`SCRAM-SHA-1
-  <authentication-scram-sha-1>` mechanisms to authenticate the
+  :method:`db.copyDatabase()` supports  :ref:`SCRAM-SHA-1
+  <authentication-scram-sha-1>` and :ref:`MONGODB-CR
+  <authentication-mongodb-cr>` mechanisms to authenticate the
   ``fromhost`` user.
 ---
 ref: fact-copydb-method-authentication-mechanism

source/includes/fact-mongodb-cr-deprecated.rst

@@ -0,0 +1,3 @@
+As of MongoDB 3.6, ``MONGODB-CR`` authentication mechanisem is
+deprecated. If you have not upgraded your ``MONGODB-CR`` authentication
+schema to SCRAM, see :doc:`/release-notes/3.0-scram`.

source/includes/fact-mongodb-cr-users.rst

@@ -7,15 +7,14 @@ upgraded the authentication schema, you can continue to use
   features, you will continue to use ``MONGODB-CR``.
 
 - For drivers that support MongoDB 3.0+ features (see
-  :ref:`compatibility-driver-versions`), you must explicitly specify
-  ``MONGODB-CR`` as the authentication mechanism. Otherwise, the
-  credentials are temporarily converted to use SCRAM during
-  authentication; this temporary conversion does not affect how the
+  :ref:`compatibility-driver-versions`), you can explicitly specify
+  ``MONGODB-CR`` as the authentication mechanism to use ``MONGODB-CR``.
+  Otherwise, the credentials are temporarily converted to use SCRAM
+  during authentication to provide improved protection from passive
+  eavesdroppers; this temporary conversion does not affect how the
   credentials are stored.
 
-To upgrade the authentication schema model to SCRAM, see
-:doc:`/release-notes/3.0-scram`.
+.. note::
 
-.. warning::
+   .. include:: /includes/fact-mongodb-cr-deprecated.rst
 
-   .. include:: /includes/fact-upgrade-scram-irreversible.rst

source/includes/options-conf.yaml

@@ -903,7 +903,7 @@ description: |
 
      * - :ref:`MONGODB-CR <authentication-mongodb-cr>`
 
-       - MongoDB challenge/response authentication.
+       - MongoDB challenge/response authentication. (*Deprecated in MongoDB 3.6*)
 
      * - :ref:`MONGODB-X509 <security-auth-x509>`
 

source/includes/options-shared.yaml

@@ -332,7 +332,7 @@ description: |
 
      * - :ref:`MONGODB-CR <authentication-mongodb-cr>`
 
-       - MongoDB challenge/response authentication.
+       - MongoDB challenge/response authentication. (*Deprecated in MongoDB 3.6*)
 
      * - :ref:`MONGODB-X509 <security-auth-x509>`
 

source/includes/steps-starting-compass.yaml

@@ -15,7 +15,7 @@ action:
     c. Authentication: The authentication mechanism to connect to the target
        host. Supported authentication mechanisms include:
 
-       - MongoDB-CR
+       - MongoDB-CR (*Deprecated in MongoDB 3.6*)
        - SCRAM-SHA-1
        - Kerberos
        - LDAP

source/reference/connection-string.txt

@@ -573,7 +573,7 @@ Authentication Options
           authenticate the connection. Possible values include:
 
        - :ref:`SCRAM-SHA-1 <authentication-scram-sha-1>`
-       - :ref:`MONGODB-CR <authentication-mongodb-cr>`
+       - :ref:`MONGODB-CR <authentication-mongodb-cr>` (*Deprecated in MongoDB 3.6*)
        - :ref:`MONGODB-X509 <security-auth-x509>`
        - :ref:`GSSAPI <security-auth-kerberos>` (Kerberos)
        - :ref:`PLAIN <security-auth-ldap>` (LDAP SASL)

source/reference/method/db.copyDatabase.txt

@@ -142,7 +142,7 @@ Copy Database from a ``mongod`` Instances that Enforce Authentication
    MongoDB 3.0 supports passing the authentication mechanism to use for the ``fromhost``.
 
 The following operation copies a database named ``reporting`` from a
-version 2.6 :binary:`~bin.mongod` instance that runs on ``example.net`` and enforces
+version 3.4 :binary:`~bin.mongod` instance that runs on ``example.net`` and enforces
 access control.
 
 .. code-block:: javascript
@@ -153,7 +153,7 @@ access control.
       "example.net",
       "reportUser",
       "abc123",
-      "MONGODB-CR"
+      "SCRAM-SHA-1"
    )
 
 .. seealso:: :dbcommand:`clone`

source/reference/parameters.txt

@@ -84,9 +84,9 @@ Authentication Parameters
           Salted Challenge Response Authentication Mechanism using the SHA-1
           hash function.
 
-      * - :ref:`MONGODB-CR <authentication-mongodb-cr>`
+      * - :ref:`MONGODB-CR <authentication-mongodb-cr>` 
 
-        - MongoDB challenge/response authentication.
+        - MongoDB challenge/response authentication. (*Deprecated in MongoDB 3.6*)
 
       * - :ref:`MONGODB-X509 <security-auth-x509>`
 

source/release-notes/3.0-scram.txt

@@ -34,9 +34,14 @@ authentication schema to SCRAM.
 
    SCRAM represents a significant improvement in security over MongoDB
    Challenge and Response (MONGODB-CR), the previous default
-   authentication mechanism: you are strongly urged to upgrade from the
-   MONGODB-CR authentication schema to SCRAM. For advantages of using
-   SCRAM over MONGODB-CR, see :ref:`scram-advantages`.
+   authentication mechanism. For advantages of using SCRAM over
+   MONGODB-CR, see :ref:`scram-advantages`.
+
+   As of MongoDB 3.6, MONGODB-CR authentication mechanisem is
+   deprecated.
+
+   You are strongly urged to upgrade from the MONGODB-CR
+   authentication schema to SCRAM. 
 
 .. _upgrade-scram-scenarios:
 

source/release-notes/3.6-compatibility.txt

@@ -417,6 +417,11 @@ Platform Support
 General Compatibility Changes
 -----------------------------
 
+``MONGODB-CR`` Deprecation
+~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. include:: /includes/fact-mongodb-cr-deprecated.rst
+
 .. _3.6-compatibility-arbiter-priority:
 
 Arbiter and Priority

source/release-notes/3.6.txt

@@ -110,6 +110,11 @@ Default Bind to Localhost
 
 .. include:: /includes/fact-default-bind-ip-change.rst
 
+``MONGODB-CR`` Deprecation
+~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. include:: /includes/fact-mongodb-cr-deprecated.rst
+   
 .. _3.6-authentication-restrictions:
 
 Authentication Restrictions

source/tutorial/configure-fips.txt

@@ -72,7 +72,7 @@ MongoDB's FIPS support covers the way that MongoDB uses OpenSSL for
 network encryption, SCRAM authentication, and x.509
 authentication. If you use Kerberos or LDAP authentication, you must
 ensure that these external mechanisms are FIPS-compliant.
-``MONGODB-CR`` authentication is **not** FIPS compliant.
+The 3.6 deprecated ``MONGODB-CR`` authentication is **not** FIPS compliant.
 
 Procedure
 ---------

source/tutorial/control-access-to-mongodb-windows-with-kerberos-authentication.txt

@@ -92,13 +92,22 @@ Incorporate Additional Authentication Mechanisms
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
 Kerberos authentication (:ref:`GSSAPI <security-auth-kerberos>` (Kerberos))
-can work alongside MongoDB's challenge/response authentication mechanisms
-(:ref:`SCRAM-SHA-1 <authentication-scram>` and
-:ref:`MONGODB-CR <authentication-mongodb-cr>`), MongoDB's
-authentication mechanism for LDAP (:ref:`PLAIN <security-auth-ldap>`
-(LDAP SASL)), and MongoDB's authentication mechanism for x.509 (
-:ref:`MONGODB-X509 <security-auth-x509>`). Specify the
-mechanisms as follows:
+can work alongside:
+
+- MongoDB's challenge/response authentication mechanisms:
+
+  - :ref:`SCRAM-SHA-1 <authentication-scram>` 
+  - :ref:`MONGODB-CR <authentication-mongodb-cr>` (*Deprecated in MongoDB 3.6*)
+  
+- MongoDB's authentication mechanism for LDAP:
+
+  - :ref:`PLAIN <security-auth-ldap>` (LDAP SASL)
+ 
+- MongoDB's authentication mechanism for x.509:
+
+  - :ref:`MONGODB-X509 <security-auth-x509>`)
+
+Specify the mechanisms as follows:
 
 .. code-block:: sh
 

source/tutorial/control-access-to-mongodb-with-kerberos-authentication.txt

@@ -167,13 +167,22 @@ Incorporate Additional Authentication Mechanisms
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
 Kerberos authentication (:ref:`GSSAPI <security-auth-kerberos>` (Kerberos))
-can work alongside MongoDB's challenge/response authentication mechanisms
-(:ref:`SCRAM-SHA-1 <authentication-scram>` and
-:ref:`MONGODB-CR <authentication-mongodb-cr>`), MongoDB's
-authentication mechanism for LDAP (:ref:`PLAIN <security-auth-ldap>`
-(LDAP SASL)), and MongoDB's authentication mechanism for x.509 (
-:ref:`MONGODB-X509 <security-auth-x509>`). Specify the
-mechanisms as follows:
+can work alongside:
+
+- MongoDB's challenge/response authentication mechanisms:
+
+  - :ref:`SCRAM-SHA-1 <authentication-scram>` 
+  - :ref:`MONGODB-CR <authentication-mongodb-cr>` (*Deprecated in MongoDB 3.6*)
+  
+- MongoDB's authentication mechanism for LDAP:
+
+  - :ref:`PLAIN <security-auth-ldap>` (LDAP SASL)
+ 
+- MongoDB's authentication mechanism for x.509:
+
+  - :ref:`MONGODB-X509 <security-auth-x509>`)
+
+Specify the mechanisms as follows:
 
 .. code-block:: sh