DOCSP-23785 auth writeblock (#69) (#76)

kennethdyer · web-flow · commit 2b8d9e789e56 · 2022-07-20T14:49:59.000-04:00
* DOCSP-23785 Blocks roles include into an admonition * DOCSP-23785 authaction links * DOCSP-23785 Adds roles to prem to prem connections * DOCSP-23785 Adds roles to prem to prem connections * DOCSP-23785 changes link for on-prem to Server Docs * DOCSP-23785 Fixes include * DOCSP-23785 Updates include * DOCSP-23785 Fixes per Joe * DOCSP-23785 Fixes per Joe * DOCSP-23785 Fixes per Joe * DOCSP-23785 Updates per Ali * DOCSP-23785 Updates per Ali * DOCSP-23785 Updates per Ali * DOCSP-23785 Updates per Ali
diff --git a/source/connecting/onprem-to-onprem.txt b/source/connecting/onprem-to-onprem.txt
@@ -28,6 +28,11 @@ Authentication
 
 .. include:: /includes/fact-onprem-auth
 
+Roles
+-----
+
+.. include:: /includes/fact-onprem-roles
+
 Behavior
 --------
 
diff --git a/source/includes/fact-atlas-roles.rst b/source/includes/fact-atlas-roles.rst
@@ -1,15 +1,17 @@
-The user specified in the connection string must have the
+The user specified in the connection string must have, at a minimum, the
 :atlasrole:`atlasAdmin` role.
 
-To use ``mongosync`` in the :ref:`reverse direction <c2c-api-reverse>`,
-you must `create a custom role
-</atlas/reference/api/custom-roles-create-a-role/>`__ that grants the
-following ActionTypes:
+.. note:: 
 
-- setUserWriteBlockMode
-- bypassWriteBlockingMode
-
-The ``setUserWriteBlockMode`` and ``bypassWriteBlockingMode``
-ActionTypes are available starting in MongoDB 6.0. To create the custom
-roles, all clusters in a project must be on MongoDB 6.0 or higher.
+   To use ``mongosync`` in the :ref:`reverse direction <c2c-api-reverse>`,
+   you must :atlas:`create a custum role 
+   </reference/api/custom-roles-create-a-role>` that grants the
+   following ActionTypes:
+   
+   - :authaction:`setUserWriteBlockMode`
+   - :authaction:`bypassWriteBlockingMode`
+   
+   The ``setUserWriteBlockMode`` and ``bypassWriteBlockingMode``
+   ActionTypes are available starting in MongoDB 6.0. To create the custom
+   roles, all clusters in a project must be on MongoDB 6.0 or higher.
 
diff --git a/source/includes/fact-onprem-roles.rst b/source/includes/fact-onprem-roles.rst
@@ -0,0 +1,17 @@
+
+The user specified in the connection string must have, at a minimum, the
+:authrole:`readAnyDatabase`, :authrole:`clusterMonitor`, and
+:authrole:`backup` roles.
+
+.. note:: 
+
+   To use ``mongosync`` in the :ref:`reverse direction <c2c-api-reverse>`,
+   you must create a custom role (using the :dbcommand:`createRole` command)
+   that grants the following ActionTypes:
+   
+   - :authaction:`setUserWriteBlockMode`
+   - :authaction:`bypassWriteBlockingMode`
+   
+   The ``setUserWriteBlockMode`` and ``bypassWriteBlockingMode``
+   ActionTypes are available starting in MongoDB 6.0. To create the custom
+   roles, all clusters in a project must be on MongoDB 6.0 or higher.
diff --git a/source/includes/fact-write-blocking-requirement.rst b/source/includes/fact-write-blocking-requirement.rst
@@ -1,3 +1,11 @@
 To set ``enableUserWriteBlocking``, the ``mongosync`` user must have a
-role that includes the ``setUserWriteBlockMode`` and
-``bypassWriteBlockingMode`` ActionTypes.
+role that includes the :authaction:`setUserWriteBlockMode` and
+:authaction:`bypassWriteBlockingMode` ActionTypes. 
+
+.. note:: 
+    
+   When using ``enableUserWriteBlocking``, writes are only blocked for users
+   that do not have the :authaction:`bypassWriteBlockingMode` ActionType. Users
+   who have this ActionType are able to perform writes.
+
+
diff --git a/source/reference/api/start.txt b/source/reference/api/start.txt
@@ -21,11 +21,45 @@ Starts the synchronization between a source and destination cluster.
 Requirements
 ------------
 
+State
+~~~~~
+
 To use the ``start`` endpoint, ``mongosync`` must be in the ``IDLE``
 state.
 
+User Write Blocking
+~~~~~~~~~~~~~~~~~~~
+
 .. include:: /includes/fact-write-blocking-requirement.rst
+
+To set a custom role for the ``mongosync`` user:
+ 
+#. To create a custom role, use the :dbcommand:`createRole` command:
+
+   .. code-block:: javascript
+   
+      db.adminCommand( {
+         createRole: "reverseSync",
+         privileges: [ {
+             resource: { db: "", collection: "" },
+             actions: [ "setUserWriteBlockMode", "bypassWriteBlockingMode" ]
+         } ],
+         roles: []
+      } )
  
+#. To grant the custom role to the ``mongosync`` user, use the :dbcommand:`grantRolesToUser` command:
+
+   .. code-block:: javascript
+
+      db.adminCommand( {
+         grantRolesToUser: "mongosync-user",
+         roles: [ { role: "reverseSync", db: "admin" } ]
+      } )
+
+Ensure that you use this configured ``mongosync`` user in the connection 
+strings for the :setting:`cluster0` or :setting:`cluster1` settings when
+you start ``mongosync``. 
+
 Request
 -------
 
