Skip to content

DOCS-11202: mongo connections using srv format will prompt for password #3389

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 2 commits into from
Aug 16, 2018
Merged

DOCS-11202: mongo connections using srv format will prompt for password #3389

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
1c9781a
minor: paragraph wrapping
schmalliso Jun 29, 2018
0be50aa
DOCS-11202: mongo connections using srv format will prompt for username
schmalliso Jun 29, 2018
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
102 changes: 61 additions & 41 deletions source/reference/connection-string.txt
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -92,7 +92,7 @@ The components of this string are:

* - ``?options``

- Connection specific options. See
- A query string that specifies connection specific options. See
:ref:`connections-connection-options` for a full description of
these options.

Expand Down Expand Up @@ -133,89 +133,111 @@ The components of this string are:

.. index:: connections; dns-seedlist
.. _connections-dns-seedlist:


DNS Seedlist Connection Format
------------------------------

.. versionadded:: 3.6

In addition to the standard connection format, MongoDB supports a DNS-constructed
seedlist. Using DNS to construct the available servers list allows more flexibility
of deployment and the ability to change the servers in rotation without reconfiguring
clients.
In addition to the standard connection format, MongoDB supports a
:abbr:`DNS (Domain Name Service)`-constructed seed list. Using DNS to
construct the available servers list allows more flexibility of
deployment and the ability to change the servers in rotation without
reconfiguring clients.

In order to leverage the DNS seedlist, use a connection string prefix of
``mongodb+srv:`` rather than the standard ``mongodb:``. The ``+srv``
indicates to the client that the hostname that follows corresponds to a
DNS SRV record. The driver or :binary:`~bin.mongo` shell will then
query the DNS for the record to determine which hosts are running the
:binary:`~bin.mongod` instances.

In order to leverage the DNS seedlist, use a connection string prefix of ``mongodb+srv:``
in place of the ``mongodb:`` string above.
.. note::

The ``+srv`` indicates to the mongo client that the hostname that follows corresponds to a
DNS SRV record. The client driver will then query the DNS for the record to determine the hosts that
are running the mongod instances.
Use of the ``+srv`` connection string modifier
automatically sets the ``ssl`` option to ``true`` for the connection.
You can override this behavior by explicitly setting the ``ssl``
option to ``false`` with ``ssl=false`` in the query string.

For example, to connect to a DNS-listed hostname:
The following example shows a typical connection string for a DNS
seedlist connection string:

.. code-block:: none

mongodb+srv://server.example.com/
mongodb+srv://server.example.com/

A typical DNS configuration for the connection string above might look something
like this:
The corresponding DNS configuration might resemble:

.. code-block:: none

Record TTL Class Priority Weight Port Target
_mongodb._tcp.server.example.com. 86400 IN SRV 0 5 27317 mongodb1.example.com.
_mongodb._tcp.server.example.com. 86400 IN SRV 0 5 27017 mongodb2.example.com.

.. note::
The hostnames returned in SRV records must share the same parent domain (in this example, ``example.com``)
as the given hostname.
.. important::

The hostnames returned in SRV records must share the same parent
domain (in this example, ``example.com``) as the given hostname. If
the parent domains and hostname do not match, you will not be able to
connect.

The DNS seedlist connection string can also provide options as a query string, with a trailing "/?" as in
the standard connection string above. However, the ``+srv`` appended to the standard connection string
signals the driver to query the DNS for options as a configured TXT record.
Like the standard connection string, the DNS seedlist connection string
supports specifying options as a query string. With a DNS seedlist
connection string, you can *also* specify the following options via a
TXT record:

- ``replicaSet``,
- ``authSource``.

Only two options are available for configuration via a TXT record --
``replicaSet`` and ``authSource``, and only one TXT record
is allowed per server. If multiple TXT records appear in the DNS and/or if the TXT record contains
an option other than ``replicaSet`` or ``authSource``, an error will be thrown by the
driver.
You may only specify one TXT record per :binary:`~bin.mongod` instance.
If multiple TXT records appear in the DNS and/or if the TXT
record contains an option other than ``replicaSet`` or ``authSource``,
the client will return an error.

An example of a properly configured TXT record:
The TXT record for the ``server.example.com`` DNS entry would resemble:

.. code-block:: none

Record TTL Class Text
server.example.com. 86400 IN TXT "replicaSet=mySet&authSource=authDB"

In this case, taking into account both
the DNS SRV records and the options retrieved from the TXT records, the parsed string will look like:
Taken together, the DNS SRV records and the options specified in the TXT
record resolve to the following standard format connection string:

.. code-block:: none

mongodb://mongodb1.example.com:27317,mongodb2.example.com:27017/?replicaSet=mySet&authSource=authDB

Options set in a TXT record can be overridden by passing in a query string with the URI. In the example below,
the query string has provided an override for the ``authSource`` option configured in the TXT record of the DNS
entry above.
You can override the options specified in a TXT record by passing the option
in the query string. In the following example, the query string has provided
an override for the ``authSource`` option configured in the TXT record
of the DNS entry above.

.. code-block:: none

mongodb+srv://server.example.com/?connectTimeoutMS=300000&authSource=aDifferentAuthDB

The rest of the option string will remain, and we can expect that the resulting URI
would look like this (after parse).
Given the override for the ``authSource``, the equivalent connection
string in the standard format would be:

.. code-block:: none

mongodb://mongodb1.example.com:27317,mongodb2.example.com:27017/?connectTimeoutMS=300000&replicaSet=mySet&authSource=aDifferentAuthDB

.. note::
The ``mongodb+srv`` option will fail if there is no available DNS with records that correspond to the
hostname identified in the connection string. In addition, use of the ``+srv`` connection string modifier
sets the ``ssl`` option to ``true`` automatically for the connection. This can be overridden by explicitly setting
the ``ssl`` option to ``false`` with ``ssl=false`` in the query string.
The ``mongodb+srv`` option will fail if there is no available DNS
with records that correspond to the hostname identified in the
connection string. In addition, use of the ``+srv`` connection string
modifier automatically sets the ``ssl`` option to ``true`` for the
connection. You can override this behavior by explicitly setting the
``ssl`` option to ``false`` with ``ssl=false`` in the query string.

.. see::

:ref:`example-connect-mongo-using-srv` provides an example of
connecting the :binary:`~bin.mongo` shell to a replica set using
the DNS Seedlist Connection Format.

.. index:: connections; options
.. _connections-connection-options:
Expand Down Expand Up @@ -844,5 +866,3 @@ The following connects to a sharded cluster with three :binary:`~bin.mongos` ins
.. code-block:: none

mongodb://router1.example.com:27017,router2.example2.com:27017,router3.example3.com:27017/


44 changes: 44 additions & 0 deletions source/reference/program/mongo.txt
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -377,6 +377,9 @@ Typically users invoke the shell with the :binary:`~bin.mongo` command at
the system prompt. Consider the following examples for other
scenarios.

Connect to a :binary:`~bin.mongod` Instance with Access Control
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

To connect to a database on a remote host using authentication and a
non-standard port, use the following form:

Expand All @@ -394,6 +397,44 @@ Replace ``<user>``, ``<pass>``, and ``<host>`` with the appropriate
values for your situation and substitute or omit the :option:`--port <mongo --port>`
as needed.

.. _example-connect-mongo-using-srv:

Connect to a Replica Set Using the DNS Seedlist Connection Format
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

.. versionadded:: 3.6

To connect to a replica set described using the
:ref:`connections-dns-seedlist`, use the :option:`~mongo.--host` option
to specify the connection string to the :binary:`~bin.mongo` shell. In
the following example, the DNS configuration resembles:

.. code-block:: none

Record TTL Class Priority Weight Port Target
_mongodb._tcp.server.example.com. 86400 IN SRV 0 5 27317 mongodb1.example.com.
_mongodb._tcp.server.example.com. 86400 IN SRV 0 5 27017 mongodb2.example.com.

The TXT record for the DNS entry includes the ``replicaSet`` and ``authSource`` options:

.. code-block:: none

Record TTL Class Text
server.example.com. 86400 IN TXT "replicaSet=rs0&authSource=admin"

The following command then connects the :binary:`~bin.mongo` shell to
the replica set:

.. code-block:: none

mongo --host "mongodb+srv://server.example.com/?username=allison"

The :binary:`~bin.mongo` shell will automatically prompt you to provide
the password for the user specified in the ``username`` option.

Execute JavaScript Against the :binary:`~bin.mongo` Shell
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

To execute a JavaScript file without evaluating the :file:`~/.mongorc.js`
file before starting a shell session, use the following form:

Expand All @@ -408,6 +449,9 @@ rather than provided on the command-line, use the following form:

mongo script-file.js -u <user> -p

Use :option:`--eval <mongo --eval>` to Print Query Results as JSON
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

To print return a query as :term:`JSON`, from the system prompt using
the :option:`--eval <mongo --eval>` option, use the following form:

Expand Down
5 changes: 5 additions & 0 deletions source/release-notes/4.0.txt
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -932,6 +932,11 @@ Miscellaneous
- Resolves ``localhost`` IP address as configured instead of assuming
``127.0.0.1``.

- When using the :ref:`connections-dns-seedlist` to connect to the
:binary:`~bin.mongo` shell with authentication, the
:binary:`~bin.mongo` shell will now prompt the user to
provide their password when starting up.

Changes Affecting Compatibility
-------------------------------

Expand Down