DOCSP-34392 Expands auth config (#6568) (#9429)

kennethdyer · web-flow · commit 9df6f433da40 · 2024-09-19T12:58:17.000-05:00
* DOCSP-34392 Convert Standalone to RS with Auth
diff --git a/source/includes/configure-rs-members.rst b/source/includes/configure-rs-members.rst
@@ -0,0 +1,111 @@
+
+Configure member authentication for each server in the replica set.
+
+.. tabs::
+
+   .. tab:: X.509 Authentication
+      :tabid: convert-config-rs-x509
+
+      Configure the replica set to use X.509 certificates for internal member
+      authentication.
+
+      .. list-table::
+         :header-rows: 1
+
+         * - Setting
+           - Option
+           - Description
+
+         * - :setting:`net.tls.mode`
+           - :option:`--tlsMode <mongod --tlsMode>`
+           - Sets the TLS mode to use in authentication.  To configure the server
+             to require X.509 certificate authentication, set this option to
+             ``requireTLS``.
+         * - :setting:`net.tls.certificateKeyFile`
+           - :option:`--tlsCertificateKeyFile <mongod --tlsCertificateKeyFile>`
+           - Sets the path to the ``.pem`` file that contains the TLS certificate
+             for client connections.
+         * - :setting:`net.tls.CAFile`
+           - :option:`--tlsCAFile <mongod --tlsCAFile>`
+           - Sets the path to the file that contains the root certificate chain
+             for the Certificate Authority (CA).
+         * - :setting:`net.tls.clusterFile`
+           - :option:`--tlsClusterFile <mongod --tlsClusterFile>`
+           - Sets the path to the ``.pem`` file that contains the TLS certificate
+             for cluster member connections.
+         * - :setting:`security.clusterAuthMode`
+           - :option:`--clusterAuthMode <mongod --clusterAuthMode>`
+           - Sets the mode used to authenticate cluster members. To use X.509
+             authentication, set this option to ``x509``.
+
+      For example:
+
+      .. code-block:: yaml
+
+         replication:
+           replSetName: "rs0"
+         security:
+           clusterAuthMode: x509
+         net:
+           tls:
+             mode: requireTLS
+             certificateKeyFile: /etc/mongodb/client.pem
+             CAFile: /etc/mongodb/ca.pem
+             clusterFile: /etc/mongodb/member.pem
+
+   .. tab:: Keyfile Authentication
+      :tabid: config-rs-keyfile
+
+      Configure the replica set to use keyfiles for internal member authentication.
+      To authenticate, each member must have a copy of the same keyfile.
+
+      .. list-table::
+         :header-rows: 1
+
+         * - Setting
+           - Option
+           - Description
+         * - :setting:`security.keyFile`
+           - :option:`--keyFile <mongod --keyFile>`
+           - Sets the path to the replica set keyfile.
+
+      For example:
+
+      .. code-block:: yaml
+
+        replication:
+           replSetName: "rs0"
+        security:
+            keyFile: /etc/mongodb/keyfile
+
+   .. tab:: No Authentication
+      :tabid: config-rs-noauth
+
+      Configures a replica set without authorization.
+
+      .. warning::
+
+         You should only use this configuration for internal replica sets that
+         are **not** accessible through the network.
+
+      .. list-table::
+         :header-rows: 1
+
+         * - Setting
+           - Option
+           - Description
+
+         * - :setting:`net.bindIp`
+           - :option:`--bind_ip <mongod --bind_ip>`
+           - Sets the hostnames or IP addresses that MongoDB listens on for client
+             connections. To block network access to the server, set this option
+             to ``localhost``.
+
+      For example:
+
+      .. code-block:: yaml
+
+         replication:
+           replSetName: "rs0"
+         net:
+            bindIp: localhost
diff --git a/source/tutorial/convert-standalone-to-replica-set.txt b/source/tutorial/convert-standalone-to-replica-set.txt
@@ -27,6 +27,9 @@ production, convert the standalone server to a replica set first.
 Before You Begin
 ----------------
 
+Cluster Type
+~~~~~~~~~~~~
+
 Before you convert your standalone instance, consider whether a
 :ref:`replica set <replication>` or a :ref:`sharded cluster
 <sharding-background>` is more appropriate for your workload.
@@ -36,6 +39,17 @@ provides redundancy and availability; it also distributes data across
 :ref:`shards <shards-concepts>`. Shards are usually hosted on multiple
 servers and allow for horizontal scaling.
 
+Authorization
+~~~~~~~~~~~~~
+
+To use authorization with a replica set, you must also configure
+replica set members to use X.509 certificates or keyfiles to
+perform internal authentication.
+
+For more information, see:
+
+- :ref:`x509-internal-authentication`
+- :ref:`deploy-repl-set-with-keyfile`
 
 Procedure
 ---------
@@ -64,56 +78,23 @@ Procedure
             }
          )      
 
-   .. step:: Name the replica set. 
-        
-      If you configure your ``mongod`` instance from the command line,
-      use the :option:`--replSet <mongod --replSet>` option to set a
-      name for your replica set.
+   .. step:: Configure Replica Set Members
 
-      A typical command line invocation might include:
+      Update the configuration file on each server and to set
+      the :setting:`~replication.replSetName` setting.
 
-      .. list-table::
-         :header-rows: 1
-
-         * - Purpose
-           - Option
-
-         * - Cluster name
-           - :option:`--replSet <mongod --replSet>`
-      
-         * - Network details
-           -  :option:`--port <mongod --port>`
-      
-         * - Data path
-           - :option:`--dbpath <mongod --dbpath>`
-       
-         * - Authentication details 
-           - :option:`--authenticationDatabase <mongosh
-             --authenticationDatabase>`, :option:`--username
-             <mongosh --username>`, :option:`--password <mongosh
-             --password>`
-      
-      Update the example code with the settings for your deployment.
+      .. code-block:: yaml
 
-      .. code-block:: shell
-
-         mongod --replSet rs0 \
-                --port 27017 \ 
-                --dbpath /path/to/your/mongodb/dataDirectory \
-                --authenticationDatabase "admin" \
-                --username "adminUserName" \
-                --password
-
-      If you use a configuration file to start ``mongodb``, add a
-      ``replication`` section to your configuration file. Edit the
-      ``replSetName`` value to set the name of your replica set. 
+         replication:
+           replSetName: "rs0"
 
-      .. code-block:: shell
+   .. step:: Configure Member Authentication
 
-         replication:
-            replSetName: rs0   
+      .. include:: /includes/configure-rs-members 
 
-      .. include:: /includes/tip-repl-set-config.rst           
+   .. step:: Start MongoDB
+   
+      Start :program:`mongod` for each member.
 
    .. step:: Initialize the replica set.
     
