DOCSP-19652 X509 connection (#213)

* added X509 steps

Author: kyuan-mongodb

source/includes/fact-read-read-write-actions.rst

@@ -0,0 +1,41 @@
+When applied to a collection, the ``read`` and ``readWrite`` roles in
+|service| differ slightly from the
+:manual:`built-in </reference/built-in-roles/>` MongoDB ``read`` and
+``readWrite`` roles.
+
+In |service|, ``read`` provides the following collection-level
+:manual:`actions </reference/privilege-actions/>`:
+
+- :manual:`collStats </reference/privilege-actions/#collStats/>`
+
+- :manual:`dbHash </reference/privilege-actions/#dbHash>`
+
+- :manual:`find </reference/privilege-actions/#find/>`
+
+- :manual:`listIndexes </reference/privilege-actions/#listIndexes>`
+
+In |service|, ``readWrite`` provides the same actions
+as ``read``, as well as the following
+additional collection-level
+:manual:`actions </reference/privilege-actions/>`:
+
+- :manual:`convertToCapped
+  </reference/privilege-actions/#convertToCapped>`
+
+- :manual:`createCollection
+  </reference/privilege-actions/#createCollection>`
+
+- :manual:`createIndex
+  </reference/privilege-actions/#createIndex>`
+
+- :manual:`dropCollection
+  </reference/privilege-actions/#dropCollection>`
+
+- :manual:`dropIndex
+  </reference/privilege-actions/#dropIndex>`
+
+- :manual:`insert <reference/privilege-actions/#insert>`
+
+- :manual:`remove </reference/privilege-actions/#remove>`
+
+- :manual:`update </reference/privilege-actions/#update>`

source/includes/steps-add-self-managed-x509-user.yaml

@@ -0,0 +1,93 @@
+title: "Open the :guilabel:`Add New Database User` dialog."
+level: 4
+ref: go-users-view
+content: |
+   a. In the :guilabel:`Security` section of the left navigation, click
+      :guilabel:`Database Access`. The :guilabel:`Database Users` tab
+      displays.
+
+   #. Click :icon-fa5:`plus` :guilabel:`Add New Database User`.
+
+---
+title: "Select :guilabel:`CERTIFICATE`."
+level: 4
+ref: select-self-managed
+
+---
+title: "Enter user information."
+level: 4
+ref: enter-self-managed-user-info
+content: |
+  .. list-table::
+     :widths: 20 80
+     :header-rows: 1
+
+     * - Field
+
+       - Description
+
+     * - :guilabel:`Common Name`
+
+       - The user's Common Name (CN) protected by the TLS/SSL
+         certificate. For more information, see  
+         `RFC 2253 <https://tools.ietf.org/html/rfc2253>`_.
+       
+         .. example::
+
+            If your common name is "Jane Doe", your organization is
+            "MongoDB", and your country is "US", insert the following
+            into the :guilabel:`Common Name` field:
+
+            .. code-block:: none
+               :copyable: false
+
+               CN=Jane Doe,O=MongoDB,C=US
+
+     * - :guilabel:`User Privileges`
+
+       - You can assign roles in one of the following ways:
+
+         - Select :atlasrole:`Atlas admin`, which provides the user
+           with :atlasrole:`readWriteAnyDatabase` as well as a number
+           of administrative privileges.
+
+         - Select :atlasrole:`Read and write to any database`, which
+           provides the user with privileges to read and write to any
+           database.
+
+         - Select :atlasrole:`Only read any database` which provides
+           the user with privileges to read any database.
+
+         - Select :guilabel:`Select Custom Role` to select a custom 
+           role previously created in |service|. You can create custom 
+           roles for database users in cases where the 
+           :manual:`built-in database user roles </reference/built-in-roles/#database-user-roles>` 
+           cannot describe the desired set of 
+           privileges. For more information on custom roles, see 
+           :ref:`mongodb-roles`.
+
+         - Click :guilabel:`Add Default Privileges`. When you
+           click this option, you can select
+           individual roles and specify the database on which the
+           roles apply. Optionally, for the ``read`` and ``readWrite``
+           roles, you can also specify a collection. If you do not
+           specify a collection for ``read`` and ``readWrite``, the
+           role applies to all non-``system`` collections in the
+           database.
+
+           .. note::
+
+              .. include:: /includes/fact-read-read-write-actions.rst
+
+         For information on the built-in |service| privileges, see
+         :ref:`atlas-user-privileges`.
+
+         For more information on authorization, see :manual:`Role-Based
+         Access Control </core/authorization>` and :manual:`Built-in
+         Roles </core/security-built-in-roles>` in the MongoDB manual.
+
+---
+title: "Click :guilabel:`Add User`."
+level: 4
+ref: save-user
+...

source/includes/steps-configure-self-managed-x509.yaml

@@ -0,0 +1,40 @@
+title: "Turn on Self-Managed X.509 Authentication."
+level: 4
+ref: toggle-on-self-managed-x509
+content: |
+   a. In the :guilabel:`Security` section of |service|'s left
+      navigation panel, click :guilabel:`Advanced`.
+
+   b. Toggle :guilabel:`Self-Managed X.509 Authentication` to
+      :guilabel:`ON`.
+
+---
+title: "Provide a PEM-encoded Certificate Authority."
+level: 4
+ref: add-pem
+content: |
+
+   You can provide a Certificate Authority (CA) by:
+    
+   - Clicking :guilabel:`Upload` and selecting a ``.pem`` file from
+     your filesystem.
+
+   - Copying the contents of a ``.pem`` file into the provided text
+     area.
+
+   You can concatenate multiple CAs in the same ``.pem`` file or in the
+   text area. Users can authenticate with certificates generated by any
+   of the provided CAs.
+
+   When you upload a CA, a project-level alert is
+   automatically created to send a notification 30 days before
+   the CA expires, repeating every 24 hours. You can view and
+   edit this alert from |service|'s :guilabel:`Alert Settings` page. For
+   more information on configuring alerts, see 
+   :ref:`<configure-alerts>`.
+
+---
+title: "Click :guilabel:`Save`."
+level: 4
+ref: save-pem
+...

source/includes/steps-source-privatelink.yaml

@@ -19,7 +19,7 @@ ref: create-private-endpoint
 title: "Click the :guilabel:`Private Endpoint` tab and then the 
        following tab for the resource."
 replacement: 
-  
+
   dedicatedCluster: |
     Click :guilabel:`Dedicated Cluster` to manage the private endpoint 
     for your dedicated |service| cluster. (default)
@@ -52,6 +52,7 @@ title: "Configure your private endpoint."
 content: |
 
   a. Enter the following details about your |aws| |vpc|:
+
      .. list-table::
         :widths: 20 80
 
@@ -73,7 +74,7 @@ content: |
 
   #. Copy the command the dialog displays and run it using the |aws| 
      CLI.
-            
+
   #. Click :guilabel:`Next`.
 
 ...

source/index.txt

@@ -112,10 +112,9 @@ Privilege actions define the operations that you can perform on your
 Authentication Options 
 ----------------------
 
-|data-lake| uses :manual:`SCRAM-SHA </core/security-scram/>` for 
-authentication. It doesn't support :atlas:`x509 
-</security-self-managed-x509/>` or :atlas:`LDAP 
-</security-ldaps/>`.
+|data-lake| uses :manual:`SCRAM-SHA </core/security-scram/>` or
+:ref:`x509 <self-managed-x509-adl>` for authentication. It doesn't
+support :atlas:`LDAP </security-ldaps/>`.
 
 .. _atlas-data-lake-regions:
 

source/tutorial/configure-connection.txt

@@ -33,3 +33,4 @@ data lake <gst-connect-adl>`.
    /tutorial/add-ip-address
    /tutorial/config-private-endpoint
    /tutorial/create-mongodb-user
+   /tutorial/security-self-managed-x509

source/tutorial/security-self-managed-x509.txt

@@ -0,0 +1,38 @@
+.. _self-managed-x509-adl:
+
+========================================
+Set up Self-Managed X.509 Authentication
+========================================
+
+.. default-domain:: mongodb
+
+.. contents:: On this page
+   :local:
+   :backlinks: none
+   :depth: 1
+   :class: singlecol
+
+Self-managed X.509 certificates provide database users access to the 
+database deployments in their project. Database users are separate from |service| 
+users. Database users have access to MongoDB databases, while |service| 
+users have access to the |service| application itself.
+
+Prerequisites
+-------------
+
+In order to use self-managed X.509 certificates, you must have a
+Public Key Infrastructure to integrate with |service-fullname|.
+
+Configure a Project to use a Public Key Infrastructure
+------------------------------------------------------
+
+.. include:: /includes/steps/configure-self-managed-x509.rst
+
+To edit your CA once uploaded, click the 
+:guilabel:`Self-Managed X.509 Authentication Settings` 
+:icon-fa5:`pencil-alt` icon.
+
+Add a Database User using Self-Managed X.509 Authentication
+-----------------------------------------------------------
+
+.. include:: /includes/steps/add-self-managed-x509-user.rst