
DOCSP-40811 Authentication Mechanisms #22

8 changes: 4 additions & 4 deletions source/includes/authentication.cpp
Original file line number Diff line number Diff line change
@@ -30,7 +30,7 @@ mongocxx::client client(uri);
#include <mongocxx/uri.hpp>

auto uri = mongocxx::uri("mongodb://<AWS IAM access key ID>:<AWS IAM secret access key>@<hostname>:<port>/?"
"&authMechanism=MONGODB-AWS");
"authMechanism=MONGODB-AWS");
mongocxx::client client(uri);
// end-aws-connection-uri
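Review bot: the change is correct: the old literal produced the query string `?&authMechanism=MONGODB-AWS`, with an empty parameter before the `&`, and the new one yields `?authMechanism=MONGODB-AWS`. One addition worth making in the surrounding prose: the `<AWS IAM access key ID>` and `<AWS IAM secret access key>` placeholders sit in the userinfo part of the URI, so any reserved character in the real values (`:`, `@`, `/`, `%` and so on) must be percent-encoded, as the `%40` in the GSSAPI example further down already demonstrates.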

@@ -39,7 +39,7 @@ mongocxx::client client(uri);
#include <mongocxx/uri.hpp>

auto uri = mongocxx::uri("mongodb://<AWS IAM access key ID>:<AWS IAM secret access key>@<hostname>:<port>/?"
"&authMechanism=MONGODB-AWSS&authMechanismProperties=AWS_SESSION_TOKEN:<token>");
"authMechanism=MONGODB-AWSS&authMechanismProperties=AWS_SESSION_TOKEN:<token>");
mongocxx::client client(uri);
// end-aws-connection-uri-session
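Review bot: the new line in this hunk still carries a typo that predates the change: `authMechanism=MONGODB-AWSS` (double S). The driver will reject an unknown mechanism name, so the example cannot work as written; it should read `authMechanism=MONGODB-AWS&authMechanismProperties=AWS_SESSION_TOKEN:<token>`. The removal of the leading `&` itself is correct.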

@@ -57,7 +57,7 @@ mongocxx::client client(uri);
#include <mongocxx/uri.hpp>

auto uri = mongocxx::uri("mongodb://mongodbuser%40EXAMPLE.COM@<hostname>:<port>/?"
"&authMechanism=GSSAPI"
"authMechanism=GSSAPI"
"&authMechanismProperties=SERVICE_NAME:<authentication service name>");
mongocxx::client client(uri);
// end-kerberos
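Review bot: this hunk is consistent after the change: the first literal now starts the query with `authMechanism=GSSAPI`, and the unchanged continuation line correctly keeps its leading `&` before `authMechanismProperties`, so the three adjacent string literals concatenate to a well-formed query string. No further change needed.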
@@ -67,6 +67,6 @@ mongocxx::client client(uri);
#include <mongocxx/uri.hpp>

auto uri = mongocxx::uri("mongodb://<username>:<password>@<hostname>:<port>/?"
"&authMechanism=PLAIN&tls=true");
"authMechanism=PLAIN&tls=true");
mongocxx::client client(uri);
// end-plain
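Review bot: the `&` removal is correct, but note that this example pairs `authMechanism=PLAIN` with `tls=true`, and that pairing is mandatory rather than incidental: PLAIN sends the password to the server in the clear inside the SASL exchange, so only the TLS channel protects it. Suggest the prose around the `// end-plain` snippet say explicitly that TLS is required with PLAIN and that readers must not drop `tls=true` when adapting the URI.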
31 changes: 31 additions & 0 deletions source/security/authentication.txt
Original file line number Diff line number Diff line change
@@ -122,6 +122,7 @@ retrieve your AWS credentials from the following sources, in the order listed:

1. Named parameters passed to the Connection URI
#. Environment variables
#. AWS EKS AssumeRoleWithWebIdentity request
#. ECS container metadata
Collaborator

Suggest noting EKS. As of DRIVERS-1746, drivers also check for environment variables set in EKS environments. See: the auth spec section AssumeRoleWithWebIdentity for a description.

Collaborator Author

Added a section on AssumeRoleWithWebIdentity

#. EC2 instance metadata
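Review bot: the intro line says the sources are checked "in the order listed", so the position of the new `#. AWS EKS AssumeRoleWithWebIdentity request` item, between environment variables and ECS container metadata, is a factual claim about driver behaviour; please confirm it against the AssumeRoleWithWebIdentity section of the auth spec cited in the thread (DRIVERS-1746) before merging. As a style point, the neighbouring items name a credential source rather than an action; consider wording the new item the same way (for example "Web identity token exchanged via AssumeRoleWithWebIdentity") so the list reads consistently.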

@@ -189,6 +190,36 @@ following example:
:start-after: // start-aws-environment
:end-before: // end-aws-environment

AssumeRoleWithWebIdentity Request
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

If your application authenticates users for your EKS cluster from an OpenID Connect (OIDC)
Collaborator

"from" an OIDC identity provider or "with" an OIDC identity provider?

Collaborator Author

Sticking with "from" since this wording is taken from the AWS docs link at the bottom of the section

identity provider, {+driver-short+} can make an ``AssumeRoleWithWebIdentity`` request
Collaborator

Suggested change
identity provider, {+driver-short+} can make an ``AssumeRoleWithWebIdentity`` request
identity provider, the {+driver-short+} can make an ``AssumeRoleWithWebIdentity`` request

to exchange the OIDC token for temporary AWS credentials for your application.

To authenticate with temporary AWS IAM credentials returned by an
``AssumeRoleWithWebIdentity`` request, ensure that the AWS config file exists in your
environment and is configured with the ``AWS_WEB_IDENTITY_TOKEN_FILE``
and ``AWS_ROLE_ARN`` environment variables. To learn how to create and configure
an AWS config file, see `Configuration <https://docs.aws.amazon.com/sdkref/latest/guide/creds-config-files.html>`__
in the AWS documentation.

After you configure your environment for an ``AssumeRoleWithWebIdentity`` request,
set the ``authMechanism`` parameter in your connection URI to ``"MONGODB-AWS"``,
as shown in the following example:

.. literalinclude:: /includes/authentication.cpp
:language: cpp
:copyable: true
:start-after: // start-aws-environment
:end-before: // end-aws-environment

For more information about using an ``AssumeRoleWithWebIdentity`` request to
authenticate your application, see the following AWS documentation:

- `AssumeRoleWithWebIdentity <https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRoleWithWebIdentity.html>`__
- `Authenticating users for your cluster from an OpenID Connect identity provider <https://docs.aws.amazon.com/eks/latest/userguide/authenticate-oidc-identity-provider.html>`__

ECS Metadata
~~~~~~~~~~~~
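Review bot: the paragraph beginning "To authenticate with temporary AWS IAM credentials" conflates two mechanisms: it says the AWS config file must be "configured with the ``AWS_WEB_IDENTITY_TOKEN_FILE`` and ``AWS_ROLE_ARN`` environment variables", but environment variables are not set in a config file. The review comment earlier in the thread (DRIVERS-1746) describes the driver checking environment variables, so state that these two variables must be set in the application's environment, and keep the config-file link only if the driver actually reads that file for this flow. Two smaller points: the literalinclude in the new section reuses the `// start-aws-environment` / `// end-aws-environment` markers of the preceding Environment Variables section, which is fine only if the same snippet is intended for both; and the sentence at "identity provider, {+driver-short+} can make" should take the suggested "the {+driver-short+}" wording.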

2 changes: 1 addition & 1 deletion source/security/enterprise-authentication.txt
Original file line number Diff line number Diff line change
@@ -35,7 +35,7 @@ authentication.

.. note::

To authenticate with GSSAPI, you must build the driver with SASL support.
To authenticate with GSSAPI, you must build the MongoDB C driver with SASL support.
If you are building the driver from source, you can enable SASL support with
the ``ENABLE_SASL`` ``cmake`` option.

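Review bot: the edit narrows "the driver" to "the MongoDB C driver" on the first line, but the next sentence, "If you are building the driver from source", still says "the driver", which a reader of the C++ driver docs will take to mean the C++ driver. Since ``ENABLE_SASL`` is a ``cmake`` option of the C driver build, say "the C driver" there as well.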