DOCSP-37872: auth (#21)

Author: rustagir

source/tutorials/connect.txt

@@ -7,6 +7,7 @@ Connect to MongoDB
 .. toctree::
 
    /tutorials/connect/tls/
+   /tutorials/connect/auth/
 
 .. contents:: On this page
    :local:

source/tutorials/connect/auth.txt

@@ -0,0 +1,332 @@
+.. _javars-auth:
+
+==============
+Authentication
+==============
+
+.. contents:: On this page
+   :local:
+   :backlinks: none
+   :depth: 2
+   :class: singlecol
+
+The driver supports all MongoDB authentication mechanisms,
+including those available only in the MongoDB Enterprise Edition.
+
+MongoCredential
+---------------
+
+Include the following import statements:
+
+.. code-block:: java
+   
+   import com.mongodb.MongoCredential;
+   import com.mongodb.ConnectionString;
+   import com.mongodb.reactivestreams.client.MongoClients;
+   import com.mongodb.reactivestreams.client.MongoClient;
+
+An authentication credential is represented as an instance of the
+``MongoCredential`` class. The ``MongoCredential`` class includes
+static factory methods for each of the supported authentication
+mechanisms.
+
+Default Authentication Mechanism
+--------------------------------
+
+In MongoDB 3.0, MongoDB changed the default authentication mechanism
+from ``MONGODB-CR`` to ``SCRAM-SHA-1``. In MongoDB 4.0, support for
+the deprecated ``MONGODB-CR`` mechanism was removed and ``SCRAM-
+SHA-256`` support was added.
+
+To create a credential that authenticates by using the default
+authentication mechanism, regardless of server version, create a
+credential by using the ``createCredential()`` static factory method:
+
+.. code-block:: java
+   
+   String user;     // the user name
+   String source;   // the source where the user is defined
+   char[] password; // the password as a character array
+   // ...
+   MongoCredential credential = MongoCredential.createCredential(user, source, password);
+    
+   MongoClient mongoClient = MongoClients.create(
+       MongoClientSettings.builder()
+           .applyToClusterSettings(builder -> 
+               builder.hosts(Arrays.asList(new ServerAddress("host1", 27017))))
+           .credential(credential)
+           .build());
+
+Or, you can use a connection string without explicitly specifying the
+authentication mechanism:
+
+.. code-block:: java
+
+   MongoClient mongoClient = MongoClients.create("mongodb://user1:pwd1@host1/?authSource=db1");
+
+For challenge and response mechanisms, using the default
+authentication mechanism is the recommended approach, as it makes
+upgrading from MongoDB 2.6 to MongoDB 3.0 more simple, even after
+upgrading the authentication schema. For MongoDB 4.0 users, using the
+default authentication mechanism is also recommended as the mechanisms are
+checked and the correct hashing algorithm is used.
+
+SCRAM-Based Mechanisms
+----------------------
+
+Salted Challenge-Response Authentication Mechanism (``SCRAM``) has been
+the default authentication mechanism for MongoDB since 3.0. ``SCRAM`` is
+based on the `IETF RFC 5802
+<https://datatracker.ietf.org/doc/html/rfc5802>`__ standard that defines
+best practices for implementation of challenge-response mechanisms for authenticating
+users with passwords.
+
+MongoDB 3.0 introduced support for ``SCRAM-SHA-1``, which uses the
+``SHA-1`` hashing function. MongoDB 4.0 introduced support for ``SCRAM-
+SHA-256`` which uses the ``SHA-256`` hashing function.
+
+SCRAM-SHA-256
+~~~~~~~~~~~~~
+
+Using this mechanism requires MongoDB 4.0 and
+``featureCompatibilityVersion`` to be set to 4.0.
+
+To explicitly create a credential of type ``SCRAM-SHA-256``, use
+the ``createScramSha256Credential()`` method:
+
+.. code-block:: java
+
+   String user;     // the user name
+   String source;   // the source where the user is defined
+   char[] password; // the password as a character array
+   // ...
+   MongoCredential credential = MongoCredential.createScramSha256Credential(user, source, password);
+    
+   MongoClient mongoClient = MongoClients.create(
+       MongoClientSettings.builder()
+           .applyToClusterSettings(builder ->
+               builder.hosts(Arrays.asList(new ServerAddress("host1", 27017))))
+           .credential(credential)
+           .build());
+
+Or, you can use a connection string that explicitly specifies
+``authMechanism=SCRAM-SHA-256``:
+
+.. code-block:: java
+
+   MongoClient mongoClient = MongoClients.create("mongodb://user1:pwd1@host1/?authSource=db1&authMechanism=SCRAM-SHA-256");
+
+SCRAM-SHA-1
+~~~~~~~~~~~
+
+To explicitly create a credential of type ``SCRAM-SHA-1``, use the
+``createScramSha1Credential()`` method:
+
+.. code-block:: java
+
+   String user;     // the user name
+   String source;   // the source where the user is defined
+   char[] password; // the password as a character array
+   // ...
+   MongoCredential credential = MongoCredential.createScramSha1Credential(user, source, password);
+    
+   MongoClient mongoClient = MongoClients.create(
+       MongoClientSettings.builder()
+           .applyToClusterSettings(builder -> 
+               builder.hosts(Arrays.asList(new ServerAddress("host1", 27017))))
+           .credential(credential)
+           .build());
+
+Or, you can use a connection string that explicitly specifies
+``authMechanism=SCRAM-SHA-1``:
+
+
+.. code-block:: java
+
+   MongoClient mongoClient = MongoClients.create("mongodb://user1:pwd1@host1/?authSource=db1&authMechanism=SCRAM-SHA-1");
+
+MONGODB-CR
+----------
+
+.. important::
+
+   Starting in version 4.0, MongoDB removes support for the deprecated
+   MongoDB Challenge-Response (``MONGODB-CR``) authentication mechanism.
+   
+   If your deployment has user credentials stored in a ``MONGODB-CR`` schema,
+   you must upgrade to use a ``SCRAM``-based mechanism before you
+   upgrade to version 4.0.
+
+To explicitly create a credential of type ``MONGODB-CR`` use the
+``createMongCRCredential()`` static factory method:
+
+.. code-block:: java
+
+   String user; // the user name
+   String database; // the name of the database in which the user is defined
+   char[] password; // the password as a character array
+   // ...
+   MongoCredential credential = MongoCredential.createMongoCRCredential(user, database, password);
+    
+   MongoClient mongoClient = MongoClients.create(
+       MongoClientSettings.builder()
+           .applyToClusterSettings(builder -> 
+               builder.hosts(Arrays.asList(new ServerAddress("host1", 27017))))
+           .credential(credential)
+           .build());
+
+Or, you can use a connection string that explicitly specifies
+``authMechanism=MONGODB-CR``:
+
+.. code-block:: java
+
+   MongoClient mongoClient = MongoClients.create("mongodb://user1:pwd1@host1/?authSource=db1&authMechanism=MONGODB-CR");
+
+.. note::
+
+   After you upgrade the authentication schema from ``MONGODB-CR`` to ``SCRAM``,
+   ``MONGODB-CR`` credentials will fail to authenticate.
+
+X.509
+-----
+
+With the ``X.509`` mechanism, MongoDB uses the X.509 certificate presented
+during SSL negotiation to authenticate a user whose name is derived
+from the distinguished name of the X.509 certificate.
+
+X.509 authentication requires the use of SSL connections with
+certificate validation. To create a credential of this type use the
+``createMongoX509Credential()`` static factory method:
+
+.. code-block:: java
+
+   String user;     // The X.509 certificate derived user name, e.g. "CN=user,OU=OrgUnit,O=myOrg,..."
+   // ...
+   MongoCredential credential = MongoCredential.createMongoX509Credential(user);
+    
+   MongoClient mongoClient = MongoClients.create(
+       MongoClientSettings.builder()
+           .applyToClusterSettings(builder ->
+               builder.hosts(Arrays.asList(new ServerAddress("host1", 27017))))
+           .credential(credential)
+           .build());
+
+Or, you can use a connection string that explicitly specifies
+``authMechanism=MONGODB-X509``:
+
+.. code-block:: java
+
+   MongoClient mongoClient = MongoClients.create("mongodb://subjectName@host1/?authMechanism=MONGODB-X509&ssl=true");
+
+See the :manual:`Use x.509 Certificates to Authenticate Clients </tutorial/configure-x509-client-authentication/>`
+tutorial in the Server manual to learn more about
+determining the subject name from the certificate.
+
+Kerberos (GSSAPI)
+-----------------
+
+MongoDB Enterprise supports proxy authentication through the Kerberos
+service. To create a credential of type Kerberos (GSSAPI), use the
+``createGSSAPICredential()`` static factory method:
+
+.. code-block:: java
+
+   String user;   // The Kerberos user name, including the realm, e.g. "[email protected]"
+   // ...
+   MongoCredential credential = MongoCredential.createGSSAPICredential(user);
+    
+   MongoClient mongoClient = MongoClients.create(
+       MongoClientSettings.builder()
+           .applyToClusterSettings(builder ->
+               builder.hosts(Arrays.asList(new ServerAddress("host1", 27017))))
+           .credential(credential)
+           .build());
+
+Or, you can use a connection string that explicitly specifies
+``authMechanism=GSSAPI``:
+
+.. code-block:: java
+
+   MongoClient mongoClient = MongoClients.create("mongodb://username%40REALM.ME@host1/?authMechanism=GSSAPI");
+
+.. note::
+
+   The method refers to the ``GSSAPI`` authentication mechanism instead of
+   ``Kerberos`` because the driver authenticates by using the ``GSSAPI`` SASL mechanism.
+
+To successfully authenticate by using Kerberos, the application typically
+must specify several system properties so that the underlying GSSAPI
+Java libraries can acquire a Kerberos ticket:
+
+.. code-block:: none
+
+   java.security.krb5.realm=MYREALM.ME
+   java.security.krb5.kdc=mykdc.myrealm.me
+
+Depending on the Kerberos setup, additional property specifications
+might be required, either within the application code or, in some cases,
+by using the ``withMechanismProperty()`` method of the ``MongoCredential``
+instance:
+
+- ``SERVICE_NAME``
+- ``CANONICALIZE_HOST_NAME``
+- ``JAVA_SUBJECT``
+- ``JAVA_SASL_CLIENT_PROPERTIES``
+
+The following code shows how to specify the ``SERVICE_NAME`` property within the
+``MongoCredential`` object:
+
+.. code-block:: java
+
+   credential = credential.withMechanismProperty(MongoCredential.SERVICE_NAME_KEY, "othername");
+
+Or, you can specify the ``SERVICE_NAME`` property within the ``ConnectionString``:
+
+.. code-block:: java
+
+   uri = "mongodb://username%40MYREALM.com@myserver/?authMechanism=GSSAPI&authMechanismProperties=SERVICE_NAME:othername"
+
+.. note::
+
+   On Windows, Oracles JRE uses `LSA
+   <https://msdn.microsoft.com/en-us/library/windows/desktop/aa378326.aspx>`__
+   rather than `SSPI
+   <https://msdn.microsoft.com/en-us/library/windows/desktop/aa380493.aspx>`__
+   in its implementation of GSSAPI, which limits interoperability with Windows
+   Active Directory and in particular the ability to implement single
+   sign-on.
+
+LDAP (PLAIN)
+------------
+
+MongoDB Enterprise supports proxy authentication through a
+Lightweight Directory Access Protocol (LDAP) service. To create a
+credential of type ``LDAP`` use the ``createPlainCredential()`` static
+factory method:
+
+.. code-block:: java
+
+   String user;          // The LDAP user name
+   char[] password;      // The LDAP password
+   // ...
+   MongoCredential credential = MongoCredential.createPlainCredential(user, "$external", password);
+   
+   MongoClient mongoClient = MongoClients.create(
+       MongoClientSettings.builder()
+           .applyToClusterSettings(builder ->
+               builder.hosts(Arrays.asList(new ServerAddress("host1", 27017))))
+           .credential(credential)
+           .build());
+
+Or, you can use a connection string that explicitly specifies
+``authMechanism=PLAIN``:
+
+.. code-block:: java
+
+   MongoClient mongoClient = MongoClients.create("mongodb://user1@host1/?authSource=$external&authMechanism=PLAIN");
+
+.. note::
+
+   The method refers to the ``PLAIN`` authentication mechanism instead of
+   ``LDAP`` because the driver authenticates by using the ``PLAIN``
+   SASL mechanism.