DOCS-4769: Note gotcha with localhost authentication on clusters

source/core/authentication.txt

@@ -314,7 +314,7 @@ exception allows connections from the localhost interface to create
 the first user on the ``admin`` database. The exception applies only
 when there are no users created in the MongoDB instance.
 
-.. versionchanged:: 2.8.0
+.. versionchanged:: 3.0
    The localhost exception changed so that these connections *only*
    have access to create the first user on the ``admin``
    database. In previous versions, connections that gained access
@@ -328,15 +328,15 @@ with privileges to create other users, such as a user with the
 :doc:`/tutorial/enable-authentication` and
 :doc:`/tutorial/add-user-administrator` for more information.
 
-In the case of a sharded cluster, the localhost exception can apply to
-the cluster as a whole or separately to each shard. If there are no
-user information stored on the config servers *and*
-clients access via :program:`mongos` instances, the localhost
-exception applies to the cluster. if there is no user information
-stored on the shard itself and clients connect to the shard directly,
-the localhost exception applies to each shard.
-
-To prevent unauthorized access to a cluster's shards, you must either
-create an administrator on each shard or disable the localhost exception.
-To disable the localhost exception, use :setting:`setParameter` to set the
-:parameter:`enableLocalhostAuthBypass` parameter to ``0`` during startup.
+In the case of a sharded cluster, the localhost exception applies to each shard
+individually as well as to the cluster as a whole. Once you create a sharded
+cluster and add an administrator to the :program:`mongos` instance, you must
+still prevent unauthorized access to the individual shards. Follow one of the
+following steps for each shard in your cluster:
+
+- Create an administrative user, or
+- Disable the localhost exception at startup.  To disable the localhost
+  exception, use :setting:`setParameter` in your
+  :doc:`configuration file </reference/configuration-options>`, or
+  :option:`--setParameter` on the command line to set
+  the :parameter:`enableLocalhostAuthBypass` parameter to ``0``.

source/reference/parameters.txt

@@ -8,7 +8,7 @@ Synopsis
 --------
 
 MongoDB provides a number of configuration options that are accessible
-via the :option:`--setParameter <mongod --setParameter>` option to
+via the :option:`--setParameter` option to
 :program:`mongod`. This document documents all of these options.
 
 For additional run time configuration options, see
@@ -627,7 +627,7 @@ Parameters
 
    Available for the MMAPv1 storage engine only.
 
-   .. deprecated:: 3.0.0 
+   .. deprecated:: 3.0.0
 
       MongoDB deprecates the
       :parameter:`newCollectionsUsePowerOf2Sizes` parameter such that

source/tutorial/enable-authentication-in-sharded-cluster.txt

@@ -10,7 +10,7 @@ Enable Authentication in a Sharded Cluster
 Overview
 --------
 
-When authentication is enabled on a sharded cluster every client that
+When authentication is enabled on a sharded cluster, every client that
 accesses the cluster must provide credentials. This includes MongoDB
 instances that access each other within the cluster.
 
@@ -24,12 +24,16 @@ Authentication requires an authentication mechanism and, in most cases, a
 :setting:`key file <keyFile>`. The content of the key file must be the
 same on all cluster members.
 
-Consideration
--------------
+Considerations
+--------------
 
 It is not possible to convert an existing sharded cluster that does
 not enforce access control to require authentication without taking
-all components of the cluster offline for a short period of time. 
+all components of the cluster offline for a short period of time.
+
+As described in :ref:`localhost-exception`, the localhost exception will apply
+to the individual shards unless you either create an administrative user or
+disable the localhost exception on each shard.
 
 Procedure
 ---------