Auth example 2756

source/administration/configuration.txt

@@ -145,7 +145,7 @@ Consider the following explanation for these configuration decisions:
   access on the local system. This is desirable when running MongoDB
   on systems with shared access, but in most situations has minimal impact.
 
-- ":setting:`~security.authentication`" is ``true`` enables the authentication
+- ":setting:`~security.authorization`" is ``true`` enables the authentication
   system within MongoDB. If enabled you will need to log in by
   connecting over the ``localhost`` interface for the first time to
   create user credentials.

source/administration/production-notes.txt

@@ -84,7 +84,7 @@ access, such as application servers, monitoring services, and other MongoDB
 components.
 
 .. note::
-   By default, :setting:`~security.authentication` is not enabled and :program:`mongod`
+   By default, :setting:`~security.authorization` is not enabled and :program:`mongod`
    assumes a trusted environment. You can enable :doc:`security/auth
    </core/security/>` mode if you need it.
 

source/core/authentication.txt

@@ -52,7 +52,7 @@ apply ``MONGODB-CR`` by setting it as the value of
 :parameter:`authenticationMechanisms`.
 
 When you enable ``MONGODB-CR`` authentication using the
-:setting:`~security.authentication` setting, MongoDB uses the credentials stored in the
+:setting:`~security.authorization` setting, MongoDB uses the credentials stored in the
 ``admin`` database's :data:`system.users <admin.system.users>` collection.
 
 When you enable ``MONGODB-CR`` authentication using the :setting:`~security.keyFile`

source/core/master-slave.txt

@@ -185,7 +185,7 @@ documentation of the relevant section of output.
 Security
 --------
 
-When running with :setting:`~security.authentication` enabled, in
+When running with :setting:`~security.authorization` enabled, in
 :term:`master`\-:term:`slave` deployments configure a
 :setting:`~security.keyFile` so that slave :program:`mongod` instances can
 authenticate and communicate with the master :program:`mongod`

source/core/replica-set-arbiter.txt

@@ -43,7 +43,7 @@ Security
 Authentication
 ~~~~~~~~~~~~~~
 
-When running with :setting:`~security.authentication`, arbiters exchange credentials with
+When running with :setting:`~security.authorization`, arbiters exchange credentials with
 other members of the set to authenticate. MongoDB encrypts the
 authentication process. The MongoDB authentication exchange is
 cryptographically secure.

source/core/security-interface.txt

@@ -70,7 +70,7 @@ by default, and is not recommended for production use.
 
 If you must use the REST API, please control and limit access to the
 REST API. The REST API does not include any support for
-authentication, even when running with :setting:`~security.authentication`
+authentication, even when running with :setting:`~security.authorization`
 enabled.
 
 See the following documents for instructions on restricting access to

source/includes/options-conf.yaml

@@ -401,13 +401,14 @@ inherit:
   file: options-mongod.yaml
 ---
 program: conf
-name: security.authentication
-# The equivalent command-line option (auth) does not take string values as
-# this option does.
+name: security.authorization
 type: string
+default: disabled
 directive: setting
 description: |
-  Requires database authentication for users connecting from remote hosts.
+  Enables Role-Based Access Control (RBAC) to govern each user's access to
+  database resources and operations.
+
   Set this option to one of the following:
 
   .. list-table::
@@ -418,25 +419,16 @@ description: |
 
        - Description
 
-     * - ``optional``
-
-       - A client connect with or without authentication.
-
-     * - ``allowSSL``
-
-       - Connections between servers do not use SSL. For incoming
-         connections, the server accepts both SSL and non-SSL.
+     * - ``enabled``
 
-     * - ``required``
+       - A user can access only the database resources and actions for
+         which they have been granted privileges.
 
-       - Clients must use authentication.
+     * - ``disabled``
 
-  Configure users via the :doc:`mongo shell </reference/program/mongo>`.
-  If no users exist, the localhost interface will continue to have access
-  to the database until the you create the first user.
+       - A user can access any database and perform any action.
 
-  See :doc:`Security and Authentication </core/security>`
-  for more information.
+  See :doc:`/core/authorization` for more information.
 post: |
   The {{role}} option is available only for :program:`mongod`.
 ---

source/includes/steps-create-admin-then-enable-authentication.yaml

@@ -3,7 +3,7 @@ stepnum: 1
 ref: start-without-auth
 pre: |
   Start the :program:`mongod` or :program:`mongos` instance *without* the
-  :setting:`~security.authentication` or :setting:`~security.keyFile` setting. For example:
+  :setting:`~security.authorization` or :setting:`~security.keyFile` setting. For example:
 action:
   language: javascript
   code: |
@@ -23,13 +23,13 @@ stepnum: 3
 ref: restart-with-auth
 pre: |
   Re-start the :program:`mongod` or :program:`mongos` instance with
-  the :setting:`~security.authentication` or :setting:`~security.keyFile` setting. Use
-  :setting:`~security.authentication` on a standalone instance. Use :setting:`~security.keyFile` on
+  the :setting:`~security.authorization` or :setting:`~security.keyFile` setting. Use
+  :setting:`~security.authorization` on a standalone instance. Use :setting:`~security.keyFile` on
   an instance in a :term:`replica set` or :term:`sharded cluster`.
 action:
   pre: |
     The following example enables authentication on a standalone
-    :program:`mongod` using the :setting:`~security.authentication` command-line option:
+    :program:`mongod` using the :setting:`~security.authorization` command-line option:
   language: javascript
   code: |
     mongod --auth --config /etc/mongodb/mongodb.conf

source/includes/steps-enable-authentication-in-sharded-cluster.yaml

@@ -26,8 +26,8 @@ action:
       option, which is an option for both :program:`mongos` instances and
       :program:`mongod` instances. Set the :option:`--keyFile <mongos --keyFile>`
       to the key file's path. The :setting:`~security.keyFile` setting implies the
-      :setting:`~security.authentication` setting, which means in most cases you do not need
-      to set :setting:`~security.authentication` explicitly.
+      :setting:`~security.authorization` setting, which means in most cases you do not need
+      to set :setting:`~security.authorization` explicitly.
 ---
 title: Add users.
 stepnum: 3

source/includes/steps-enable-authentication.yaml

@@ -1,18 +1,26 @@
 title: Start the MongoDB instance with authentication enabled.
 stepnum: 1
-ref: start-mongodb-without-auth
+ref: start
 pre: |
   Start the :program:`mongod` or :program:`mongos` instance with the
-   :setting:`~security.authentication` or :setting:`~security.keyFile` setting. Use :setting:`~security.authentication`
-   on a standalone instance. Use :setting:`~security.keyFile` on an instance in a
-   :term:`replica set` or :term:`sharded cluster`.
+  :setting:`~security.authorization` or :setting:`~security.keyFile`
+  setting. Use :setting:`~security.authorization` on a standalone
+  instance. Use :setting:`~security.keyFile` on an instance in a
+  :term:`replica set` or :term:`sharded cluster`.
 action:
-  pre: |
-    The following example enables authentication on a :program:`mongod`
-    using the :setting:`~security.authentication` command-line option:
-  language: javascript
-  code: |
-    mongod --auth --config /etc/mongodb/mongodb.conf
+  - pre: |
+      For example, to start a :program:`mongod` with authentication
+      enabled and a key file stored in ``/private/var``, first set the
+      following option in the :program:`mongod`'s configuration file:
+    language: yaml
+    code: |
+      security:
+        keyFile: /private/var/key.pem
+  - pre: |
+      Then start the :program:`mongod` and specify the config file. For example:
+    language: sh
+    code: |
+      mongod --config /etc/mongodb/mongodb.conf
 post: |
   After you enable authentication, only the user administrator can
   connect to the MongoDB instance. The user administrator must log in

source/reference/command/cleanupOrphaned.txt

@@ -99,7 +99,7 @@ x: minKey } --> { x: 25 }`` to delete orphaned data.
 Required Access
 ---------------
 
-On systems running with :setting:`~security.authentication`, you must have
+On systems running with :setting:`~security.authorization`, you must have
 :authrole:`clusterAdmin` privileges to run :dbcommand:`cleanupOrphaned`.
 
 .. _cleanupOrphaned-output:

source/reference/command/copydb.txt

@@ -44,7 +44,7 @@ Required Access
 
 .. versionchanged:: 2.6
 
-On systems running with :setting:`~security.authentication`, the :dbcommand:`copydb`
+On systems running with :setting:`~security.authorization`, the :dbcommand:`copydb`
 command requires the following authorization on the target and source
 databases.
 
@@ -176,9 +176,9 @@ To copy from a remote host that enforces authentication, include the
 ``fromhost``, ``username``, ``nonce`` and ``key`` fields.
 
 The following command copies the ``test`` database from a remote host
-``example.net`` that runs with :setting:`~security.authentication` to a new ``records``
+``example.net`` that runs with :setting:`~security.authorization` to a new ``records``
 database on the local :program:`mongod` instance. Because the
-``example.net`` has :setting:`~security.authentication` enabled, the command includes the
+``example.net`` has :setting:`~security.authorization` enabled, the command includes the
 ``username``, ``nonce`` and ``key`` fields:
 
 .. code-block:: javascript

source/reference/command/count.txt

@@ -119,4 +119,4 @@ the command status ``ok`` is ``1``:
 
 .. code-block:: javascript
 
-   { "n" : 1, "ok" : 1 }
+   { "n" : 1, "ok" : 1 }

source/reference/command/planCacheClear.txt

@@ -38,7 +38,7 @@ Definition
 Required Access
 ---------------
 
-On systems running with :setting:`~security.authentication`, a user must have access that
+On systems running with :setting:`~security.authorization`, a user must have access that
 includes the :authaction:`planCacheWrite` action.
 
 Examples

source/reference/command/planCacheListPlans.txt

@@ -41,7 +41,7 @@ Definition
 Required Access
 ---------------
 
-On systems running with :setting:`~security.authentication`, a user must have access that
+On systems running with :setting:`~security.authorization`, a user must have access that
 includes the :authaction:`planCacheRead` action.
 
 Example

source/reference/command/planCacheListQueryShapes.txt

@@ -38,7 +38,7 @@ Definition
 Required Access
 ---------------
 
-On systems running with :setting:`~security.authentication`, a user must have access that
+On systems running with :setting:`~security.authorization`, a user must have access that
 includes the :authaction:`planCacheRead` action.
 
 Example

source/reference/command/removeShard.txt

@@ -20,7 +20,7 @@ You *must* run :dbcommand:`removeShard` while connected to a
 :program:`mongos`. Issue the command against the ``admin`` database or
 use the :method:`sh._adminCommand()` helper.
 
-If you have :setting:`~security.authentication` enabled, you must have the
+If you have :setting:`~security.authorization` enabled, you must have the
 :authrole:`clusterManager` role or any role that
 includes the :authaction:`removeShard` action.
 

source/reference/configuration-options.txt

@@ -5,37 +5,50 @@ Configuration File Options
 .. default-domain:: mongodb
 
 .. versionchanged:: 2.6
-   MongoDB introduces a YAML-based configuration file format; however
-   the :v2.4:`2.4 configuration file format
+   MongoDB introduces a YAML-based configuration file format.
+   The :v2.4:`2.4 configuration file format
    </reference/configuration-options>` remains for backward
    compatibility.
 
-Synopsis
+Overview
 --------
 
-Administrators and users can control :program:`mongod` or
-:program:`mongos` instances at runtime either directly from
-:doc:`mongod's command line arguments </reference/program/mongod>` or using a
-configuration file.
+You can control :program:`mongod` and :program:`mongos` instances at
+runtime using a configuration file. The configuration file contains
+settings that are functionally equivalent to the :program:`mongod` and
+:program:`mongos` command-line arguments but are easier to manage,
+especially on large-scale deployments. Configuration files allow
+commenting to describe the reasoning behind a server's settings.
 
-While both methods are functionally equivalent and all settings are
-similar, the configuration file method is preferable. If you
-installed from a package and have started MongoDB using your system's
-:term:`control script`, you're already using a configuration file.
+If you installed from a package and have started MongoDB using
+your system's :term:`control script`, you are already using a configuration
+file.
+
+Specifying the Configuration File when Starting MongoDB
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
 To start :program:`mongod` or :program:`mongos` using a config file,
-use one of the following forms:
+specify the config file with the :option:`--config` option.
+
+For example, the following specifies a config file for a
+:program:`mongod`:
 
 .. code-block:: sh
 
    mongod --config /etc/mongodb.conf
-   mongod -f /etc/mongodb.conf
-   mongos --config /srv/mongodb/mongos.conf
-   mongos -f /srv/mongodb/mongos.conf
 
-The configuration file is in `YAML <http://www.yaml.org>`_ format:
-specify a single YAML document or record with options describe
-below. Consider the following configuration file fragment:
+The following specifies a config file for a :program:`mongos` using the
+``-f`` alias:
+
+.. code-block:: sh
+
+   mongos -f /etc/mongodb.conf
+
+Config File Format
+~~~~~~~~~~~~~~~~~~
+
+The configuration file is in `YAML <http://www.yaml.org>`_ format.
+The following is an example of several settings in a configuration file:
 
 .. code-block:: yaml
 
@@ -138,7 +151,7 @@ Core Options
 
 .. include:: /includes/option/setting-conf-security.clusterAuthMode.rst
 
-.. include:: /includes/option/setting-conf-security.authentication.rst
+.. include:: /includes/option/setting-conf-security.authorization.rst
 
 .. include:: /includes/option/setting-conf-security.authenticationMechanisms.rst
 

source/reference/local-database.txt

@@ -24,7 +24,7 @@ data for each member of a :term:`replica set`. The ``local`` stores the
 following collections:
 
 .. versionchanged:: 2.4
-   When running with authentication (i.e. :setting:`~security.authentication`),
+   When running with authentication (i.e. :setting:`~security.authorization`),
    authenticating to the ``local`` database is **not** equivalent to
    authenticating to the ``admin`` database. In previous versions,
    authenticating to the ``local`` database provided access to all databases.

source/reference/method/PlanCache.clear.txt

@@ -27,7 +27,7 @@ Definition
 Required Access
 ---------------
 
-On systems running with :setting:`~security.authentication`, a user must have access that
+On systems running with :setting:`~security.authorization`, a user must have access that
 includes the :authaction:`planCacheWrite` action.
 
 .. seealso::

source/reference/method/PlanCache.clearPlansByQuery.txt

@@ -29,7 +29,7 @@ Definition
 Required Access
 ---------------
 
-On systems running with :setting:`~security.authentication`, a user must have access that
+On systems running with :setting:`~security.authorization`, a user must have access that
 includes the :authaction:`planCacheWrite` action.
 
 Example

source/reference/method/PlanCache.getPlansByQuery.txt

@@ -34,7 +34,7 @@ Definition
 Required Access
 ---------------
 
-On systems running with :setting:`~security.authentication`, a user must have access that
+On systems running with :setting:`~security.authorization`, a user must have access that
 includes the :authaction:`planCacheRead` action.
 
 Example

source/reference/method/PlanCache.listQueryShapes.txt

@@ -28,7 +28,7 @@ Definition
 Required Access
 ---------------
 
-On systems running with :setting:`~security.authentication`, a user must have access that
+On systems running with :setting:`~security.authorization`, a user must have access that
 includes the :authaction:`planCacheRead` action.
 
 Example

source/reference/method/db.upgradeCheck.txt

@@ -57,7 +57,7 @@ Behavior
 Required Access
 ---------------
 
-On systems running with :setting:`~security.authentication`, a user must have access that
+On systems running with :setting:`~security.authorization`, a user must have access that
 includes the :authaction:`find` action on all collections, including
 the :doc:`system collections </reference/system-collections>`.
 

source/reference/method/db.upgradeCheckAllDBs.txt

@@ -46,7 +46,7 @@ Behavior
 Required Access
 ---------------
 
-On systems running with :setting:`~security.authentication`, a user must have access that
+On systems running with :setting:`~security.authorization`, a user must have access that
 includes the :authaction:`listDatabases` action on all databases and
 the :authaction:`find` action on all collections, including the
 :doc:`system collections </reference/system-collections>`.