DOCSP-40811 Authentication Mechanisms #22
Conversation
| - ``username``: The AWS IAM access key ID to authenticate. | ||
| - ``password``: The AWS IAM secret access key. | ||
| - ``authMechanism``: Set to ``"MONGODB-AWS"``. |
There was a problem hiding this comment.
Clarification for my sake: Because the third list item here is in imperative form and therefore warrants a period, the style guide dictates that a period follows all items in this list – am I correct?
There was a problem hiding this comment.
Yep, exactly
| You must replace the ``@`` symbol in the URI string with ``%40``, as shown | ||
| in the preceding example. |
There was a problem hiding this comment.
Looks like there are two @ symbols, only one of which gets encoded to %40. This might make it more clear.
| You must replace the ``@`` symbol in the URI string with ``%40``, as shown | |
| in the preceding example. | |
| You must replace the first ``@`` symbol in the URI string with ``%40``, as shown | |
| in the preceding example. |
There was a problem hiding this comment.
I reworded to refer to the principal instead of the URI, which I think is more accurate
|
|
||
| 1. Named parameters passed to the Connection URI | ||
| #. Environment variables | ||
| #. ECS container metadata |
There was a problem hiding this comment.
Suggest noting EKS. As of DRIVERS-1746, drivers also check for environment variables set in EKS environments. See: the auth spec section AssumeRoleWithWebIdentity for a description.
There was a problem hiding this comment.
Added a section on AssumeRoleWithWebIdentity
source/includes/authentication.cpp
Outdated
| auto uri = mongocxx::uri("mongodb://<AWS IAM access key ID>:<AWS IAM secret access key>@<hostname>:<port>/?" | ||
| "&authMechanism=MONGODB-AWS"); |
There was a problem hiding this comment.
| auto uri = mongocxx::uri("mongodb://<AWS IAM access key ID>:<AWS IAM secret access key>@<hostname>:<port>/?" | |
| "&authMechanism=MONGODB-AWS"); | |
| auto uri = mongocxx::uri("mongodb://<AWS IAM access key ID>:<AWS IAM secret access key>@<hostname>:<port>/?" | |
| "authMechanism=MONGODB-AWS"); |
Remove extra & to prevent error: URI option "" contains no "=" sign: an invalid MongoDB URI was provided
There was a problem hiding this comment.
Good catch, thanks!
source/includes/authentication.cpp
Outdated
| #include <mongocxx/uri.hpp> | ||
|
|
||
| auto uri = mongocxx::uri("mongodb://<AWS IAM access key ID>:<AWS IAM secret access key>@<hostname>:<port>/?" | ||
| "&authMechanism=MONGODB-AWSS&authMechanismProperties=AWS_SESSION_TOKEN:<token>"); |
There was a problem hiding this comment.
| "&authMechanism=MONGODB-AWSS&authMechanismProperties=AWS_SESSION_TOKEN:<token>"); | |
| "authMechanism=MONGODB-AWSS&authMechanismProperties=AWS_SESSION_TOKEN:<token>"); |
source/includes/authentication.cpp
Outdated
| #include <mongocxx/uri.hpp> | ||
|
|
||
| auto uri = mongocxx::uri("mongodb://mongodbuser%40EXAMPLE.COM@<hostname>:<port>/?" | ||
| "&authMechanism=GSSAPI" |
There was a problem hiding this comment.
| "&authMechanism=GSSAPI" | |
| "authMechanism=GSSAPI" |
source/includes/authentication.cpp
Outdated
| #include <mongocxx/uri.hpp> | ||
|
|
||
| auto uri = mongocxx::uri("mongodb://<username>:<password>@<hostname>:<port>/?" | ||
| "&authMechanism=PLAIN&tls=true"); |
There was a problem hiding this comment.
| "&authMechanism=PLAIN&tls=true"); | |
| "authMechanism=PLAIN&tls=true"); |
|
|
||
| .. note:: | ||
|
|
||
| To authenticate with GSSAPI, you must build the driver with SASL support. |
There was a problem hiding this comment.
| To authenticate with GSSAPI, you must build the driver with SASL support. | |
| To authenticate with GSSAPI, you must build the C driver with SASL support. |
Suggest clarifying the ENABLE_SASL option is intended for the C driver (not C++ driver). The C++ driver wraps the C driver. Auth is performed within the C driver.
| AssumeRoleWithWebIdentity Request | ||
| ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | ||
|
|
||
| If your application authenticates users for your EKS cluster from an OpenID Connect (OIDC) |
There was a problem hiding this comment.
"from" an OIDC identity provider or "with" an OIDC identity provider?
There was a problem hiding this comment.
Sticking with "from" since this wording is taken from the AWS docs link at the bottom of the section
source/security/authentication.txt
Outdated
| ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | ||
|
|
||
| If your application authenticates users for your EKS cluster from an OpenID Connect (OIDC) | ||
| identity provider, {+driver-short+} can make an ``AssumeRoleWithWebIdentity`` request |
There was a problem hiding this comment.
| identity provider, {+driver-short+} can make an ``AssumeRoleWithWebIdentity`` request | |
| identity provider, the {+driver-short+} can make an ``AssumeRoleWithWebIdentity`` request |
Pull Request Info
PR Reviewing Guidelines
JIRA - https://jira.mongodb.org/browse/DOCSP-40811
Staging -
https://preview-mongodbjordansmith721.gatsbyjs.io/cpp-driver/DOCSP-40811-authentication/security/authentication/
https://preview-mongodbjordansmith721.gatsbyjs.io/cpp-driver/DOCSP-40811-authentication/security/enterprise-authentication/
Self-Review Checklist