DOCSP-37510 - Enterprise Authentication (#57)

mongoKart · jordan-smith721 · web-flow · commit 646ea1efa7df · 2024-04-02T16:33:49.000-05:00
Co-authored-by: Jordan Smith &lt;45415425+jordan-smith721@users.noreply.github.com&gt;
diff --git a/source/fundamentals.txt b/source/fundamentals.txt
@@ -14,7 +14,6 @@ Fundamentals
    /fundamentals/collations
    /fundamentals/databases-and-collections
    /fundamentals/dates-and-times
-   /fundamentals/enterprise-authentication
    /fundamentals/gridfs
    /fundamentals/indexes
    /fundamentals/type-hints
@@ -23,7 +22,6 @@ Fundamentals
 - :ref:`pymongo-collations`
 - :ref:`pymongo-databases-collections`
 - :ref:`pymongo-dates-times`
-- :ref:`pymongo-enterprise-auth`
 - :ref:`pymongo-gridfs`
 - :ref:`pymongo-indexes`
 - :ref:`pymongo-type-hints`
diff --git a/source/fundamentals/enterprise-authentication.txt b/source/fundamentals/enterprise-authentication.txt
diff --git a/source/security.txt b/source/security.txt
@@ -12,7 +12,9 @@ Secure Your Data
    :maxdepth: 1
 
    /security/authentication
+   /security/enterprise-authentication
    /security/in-use-encryption
 
 - :ref:`pymongo-auth`
+- :ref:`pymongo-enterprise-auth`
 - :ref:`pymongo-in-use-encryption`
diff --git a/source/security/enterprise-authentication.txt b/source/security/enterprise-authentication.txt
@@ -0,0 +1,204 @@
+.. _pymongo-enterprise-auth:
+
+Enterprise Authentication Mechanisms
+====================================
+
+.. contents:: On this page
+   :local:
+   :backlinks: none
+   :depth: 2
+   :class: singlecol
+
+.. facet::
+   :name: genre
+   :values: reference
+ 
+.. meta::
+   :keywords: ldap, encryption, principal, tls
+
+Overview
+--------
+
+MongoDB Enterprise Edition includes the following authentication mechanisms that aren't
+available in MongoDB Community Edition: 
+
+- :ref:`GSSAPI/Kerberos <pymongo-kerberos>`
+- :ref:`LDAP (Plain) <pymongo-sasl>`
+
+In this guide, you can learn how to authenticate to MongoDB by using these
+authentication mechanisms. To learn about the other authentication mechanisms available
+in MongoDB, see :ref:`<pymongo-auth>`.
+
+.. _pymongo-kerberos:
+
+GSSAPI (Kerberos)
+-----------------
+
+The Generic Security Services API (GSSAPI) provides an interface for Kerberos
+authentication. Select the tab that corresponds to your operating system to learn how
+to use GSSAPI to authenticate.
+
+.. tabs::
+
+   .. tab:: Unix
+      :tabid: unix
+
+      First, use pip or easy_install to install the Python
+      `kerberos <http://pypi.python.org/pypi/kerberos>`__ or
+      `pykerberos <https://pypi.python.org/pypi/pykerberos>`__ module.
+
+      After installing one of these modules, run the ``kinit`` command to obtain and cache
+      an initial ticket-granting ticket. The following example uses the
+      ``knit`` command to obtain a ticket-granting ticket for the principal
+      ``mongodbuser@EXAMPLE.COM``. It then uses the ``klist``
+      command to display the principal and ticket in the credentials cache.
+
+      .. code-block:: sh
+         :copyable: false
+      
+         $ kinit mongodbuser@EXAMPLE.COM
+         mongodbuser@EXAMPLE.COM's Password:
+         $ klist
+         Credentials cache: FILE:/tmp/krb5cc_1000
+                 Principal: mongodbuser@EXAMPLE.COM
+
+           Issued                Expires               Principal
+         Feb  9 13:48:51 2013  Feb  9 23:48:51 2013  krbtgt/mongodbuser@EXAMPLE.COM
+
+      After you obtain a ticket-granting ticket, set the following connection options:
+
+      - ``username``: The Kerbos principal to authenticate. Percent-encode this value
+        before including it in a connection URI.
+      - ``authMechanism``: Set to ``"GSSAPI"``.
+      - ``authMechanismProperties``: Optional. By default, MongoDB uses ``mongodb`` as
+        the authentication service name. To specify a different service name, set
+        this option to ``"SERVICE_NAME:<authentication service name>"``.
+
+      You can set these options in two ways: by passing arguments to the
+      ``MongoClient`` constructor or through parameters in your connection string.
+
+      .. tabs::
+
+         .. tab:: MongoClient
+            :tabid: mongoclient
+
+            .. code-block:: python
+
+               client = pymongo.MongoClient("mongodb://<hostname>:<port>",
+                                            username="mongodbuser@EXAMPLE.COM",
+                                            authMechanism="GSSAPI",
+                                            authMechanismProperties="SERVICE_NAME:<authentication service name>")
+
+         .. tab:: Connection String
+            :tabid: connectionstring
+
+            .. code-block:: python
+
+               uri = ("mongodb://mongodbuser%40EXAMPLE.COM@<hostname>:<port>/?"
+                      "&authMechanism=GSSAPI"
+                      "&authMechanismProperties=SERVICE_NAME:<authentication service name>")
+               client = pymongo.MongoClient(uri)
+
+   .. tab:: Windows (SSPI)
+      :tabid: windows
+       
+      First, install the `winkerberos <https://pypi.python.org/pypi/winkerberos/>`__ module.
+      Then, set the following connection options:
+
+      - ``username``: The Kerbos principal to authenticate. Percent-encode this value before including
+        it in a connection URI.
+      - ``authMechanism``: Set to ``"GSSAPI"``.
+      - ``password``: Optional. If the user to authenticate is different from the user
+        that owns the application process, set this option to the authenticating user's
+        password.
+      - ``authMechanismProperties``: Optional. This option includes multiple
+        authentication properties. To specify more than one of the following properties,
+        use a comma-delimited list.
+        
+        - ``SERVICE_NAME:`` By default, MongoDB uses ``mongodb`` as
+          the authentication service name. Use this option to specify a different service name.
+        - ``CANONICALIZE_HOST_NAME``: Whether to use the fully qualified domain name (FQDN)
+          of the MongoDB host for the server principal.
+        - ``SERVICE_REALM``: The service realm. Use this option when the user's
+          realm is different from the service's realm.
+      
+      You can set these options in two ways: by passing arguments to the
+      ``MongoClient`` constructor or through parameters in your connection string.
+
+      .. tabs::
+
+         .. tab:: MongoClient
+            :tabid: mongoclient
+
+            .. code-block:: python
+
+               client = pymongo.MongoClient("mongodb://<hostname>:<port>",
+                                            username="mongodbuser@EXAMPLE.COM",
+                                            authMechanism="GSSAPI",
+                                            password="<user password>",
+                                            authMechanismProperties="SERVICE_NAME:<authentication service name>,
+                                                CANONICALIZE_HOST_NAME:true,
+                                                SERVICE_REALM:<service realm>")
+
+         .. tab:: Connection String
+            :tabid: connectionstring
+
+            .. code-block:: python
+
+               uri = ("mongodb://mongodbuser%40EXAMPLE.COM:<percent-encoded user password>"
+                      "@<hostname>:<port>/?"
+                      "&authMechanism=GSSAPI"
+                      "&authMechanismProperties="
+                        "SERVICE_NAME:<authentication service name>,"
+                        "CANONICALIZE_HOST_NAME:true,"
+                        "SERVICE_REALM:<service realm>")
+               client = pymongo.MongoClient(uri)
+
+.. _pymongo-sasl:
+
+PLAIN SASL
+----------
+
+The PLAIN Simple Authentication and Security Layer (SASL), as defined
+by `RFC 4616 <https://www.rfc-editor.org/rfc/rfc4616>`__, is a username-password
+authentication mechanism often used with TLS or another encryption layer.
+
+.. important::
+
+   PLAIN SASL is a clear-text authentication mechanism. We strongly recommend that you
+   use TLS/SSL with certificate validation when using PLAIN SASL to authenticate to MongoDB.
+
+   To learn more about how to enable TLS for your connection, see :ref:`<pymongo-tls>`.
+
+To authenticate with SASL, set the ``authMechanism`` connection option to ``PLAIN``.
+You can set this option in two ways: by passing an argument to the
+``MongoClient`` constructor or through a parameter in your connection string.
+
+.. tabs::
+
+   .. tab:: MongoClient
+      :tabid: mongoclient
+
+      .. code-block:: python
+
+         client = pymongo.MongoClient("mongodb://<hostname>:<port>",
+                                      authMechanism="PLAIN",
+                                      tls=True)
+
+   .. tab:: Connection String
+      :tabid: connectionstring
+
+      .. code-block:: python
+
+         uri = ("mongodb://<hostname>:<port>/?"
+                "&authMechanism=PLAIN"
+                "&tls=true")
+         client = pymongo.MongoClient(uri)
+
+API Documentation
+-----------------
+
+To learn more about using enterprise authentication mechanisms with {+driver-short+},
+see the following API documentation:
+
+- `MongoClient <{+api-root+}pymongo/mongo_client.html#pymongo.mongo_client.MongoClient>`__
