DOCSP-12069 Require HTTPS for HTTP stores (by default) (#72)

* DOCSP-12069 Require HTTPS for HTTP stores (by default)

DOCSP-12069 updates

* DOCSP-12069 update for tech review feedback

DOCSP-12069 minor fix

DOCSP-12069 minor fix

DOCSP-12069 minor fix

DOCSP-12069 minor fix

* DOCSP-12069 updates for review feedback

DOCSP-12069 minor fixes

Author: kanchana-mongodb

source/includes/extracts-common-cli-params.yaml

@@ -14,4 +14,27 @@ content: |
 
   If omitted, {+data-lake-short+} attempts to detect the file type by 
   processing a few bytes of the file.
+---
+ref: cli-param-allow-insecure
+content: | 
+
+  Validates the scheme in the specified |url|\s. Value can be one of the 
+  following: 
+
+  - ``true`` to allow insecure |http| scheme 
+  - ``false`` to only allow secure |https| scheme (default)
+
+  If true, {+adl+}: 
+
+  - Does not verify the server's certificate chain and hostname.
+  - Accepts any certificate with any hostname presented by the server.
+
+  .. warning:: 
+
+     If you set this to ``true``, your data might become vulnerable to a 
+     man-in-the-middle attack, which can compromise the confidentiality 
+     and integrity of your data. Set this to ``true`` only for testing 
+     and getting started with {+adl+}.
+
+  If omitted, defaults to ``false``.
 ...

source/includes/extracts-common-conf-params.yaml

@@ -23,4 +23,34 @@ content: |
   *Optional.*  Maximum number of wildcard ``*`` collections in the database. 
   Each wildcard collection can have only one data source. Value can be between 
   ``1`` and ``1000``, inclusive. If omitted, defaults to ``100``. 
+---
+ref: param-allow-insecure
+content: | 
+
+  *Optional.* Validates the scheme in the specified |url|\s. Value can be one 
+  of the following: 
+
+  - ``true`` to allow insecure |http| scheme 
+  - ``false`` to only allow secure |https| scheme (default)
+
+  If true, {+adl+}: 
+
+  - Does not verify the server's certificate chain and hostname.
+  - Accepts any certificate with any hostname presented by the server.
+
+  .. warning:: 
+
+     If you set this to ``true``, your data might become vulnerable to a 
+     man-in-the-middle attack, which can compromise the confidentiality 
+     and integrity of your data. Set this to ``true`` only for testing 
+     and getting started with {+adl+}.
+
+  If omitted, defaults to ``false``. If set to ``false``, {+dl+} returns an 
+  error similar to the following if a specified URL contains insecure |http| 
+  scheme: 
+    
+  .. code-block:: sh
+     :copyable: false 
+
+     The insecure HTTP scheme is not supported by default - please add a "allowInsecure: true" flag to query from such URLs.
 ...

source/query/query-data-lake.txt

@@ -179,6 +179,7 @@ define:
             "provider": "http",
             "urls": ["<url>"],
             "defaultFormat" : "<string>"
+            "allowInsecure": <boolean>,
           }
         ],
         "databases" : [
@@ -192,6 +193,7 @@ define:
                     "storeName" : "<store-name>",
                     "urls" : ["<url>"],
                     "defaultFormat" : "<string>"
+                    "allowInsecure" : <boolean>,
                   }
                 ]
               }
@@ -247,6 +249,7 @@ contain the settings that define:
             "provider": "http",
             "urls": ["<url>"],
             "defaultFormat" : "<string>"
+            "allowInsecure": <boolean>,
           }
         ],
         "databases" : [
@@ -269,6 +272,7 @@ contain the settings that define:
                     "storeName" : "<store-name>",
                     "urls" : ["<url>"],
                     "defaultFormat" : "<string>"
+                    "allowInsecure" : <boolean>,
                   }
                 ]
               }

source/reference/cli/collections/create-collections-views.txt

@@ -97,7 +97,7 @@ Syntax
 
             .. code-block:: sh 
 
-               db.runCommand({ "create" : "<collection-name>", "dataSources" : [{ "storeName" : "<store-name>", "urls" : [ "<url>" ], "defaultFormat" :  "<file-extension>" }]})
+               db.runCommand({ "create" : "<collection-name>", "dataSources" : [{ "storeName" : "<store-name>", "allowInsecure" : true|false, "urls" : [ "<url>" ], "defaultFormat" :  "<file-extension>" }]})
 
    .. tab:: Views 
       :tabid: views
@@ -240,6 +240,11 @@ Parameters
 
             .. list-table::
 
+               * - ``dataSources.allowInsecure``
+                 - boolean
+                 - .. include:: /includes/extracts/cli-param-allow-insecure.rst
+                 - no
+
                * - ``dataSources.urls``
                  - array of strings or empty array
                  - The |url|\s of the publicly accessible data files. You 
@@ -500,13 +505,14 @@ Examples
          .. tab:: HTTP Example 
             :tabid: http
 
-            The ``http-collection`` collection includes a partition for 
-            each |url| in the collection.
+            The ``airbnb`` collection includes a partition for 
+            each |url| in the collection. The ``allowInsecure`` flag is 
+            not set and defaults to ``false``.
 
             .. code-block:: json 
 
                use sampleDB
-               db.runCommand({ "create" : "http-collection", "dataSources" : [{ "storeName" : "http-store", "urls" : [ "https://atlas-data-lake.s3.amazonaws.com/json/sample_airbnb/listingsAndReviews.json","https://atlas-data-lake.s3.amazonaws.com/json/sample_weatherdata/data.json" ], "defaultFormat" : ".json"  }]})
+               db.runCommand({ "create" : "airbnb", "dataSources" : [{ "storeName" : "http-store", "urls": ["https://atlas-data-lake.s3.amazonaws.com/json/sample_airbnb/listingsAndReviews.json","https://atlas-data-lake.s3.amazonaws.com/json/sample_weatherdata/data.json"], "defaultFormat" : ".json" }]})
 
             The previous command returns the following output:
 
@@ -522,7 +528,7 @@ Examples
                :copyable: false 
 
                > show collections
-               http-collection
+               airbnb
                > db.runCommand({"storageGetConfig":1})
                {
 	              "ok" : 1,
@@ -540,10 +546,10 @@ Examples
 		             ],
 		             "databases" : [
 			            {
-				           "name" : "http-db",
+				           "name" : "sampleDb",
 				           "collections" : [
 					          {
-						         "name" : "http-collection",
+						         "name" : "airbnb",
 						         "dataSources" : [
 							        {
 								       "storeName" : "http-store",

source/reference/cli/stores/create-store.txt

@@ -67,7 +67,7 @@ Syntax
 
       .. code-block:: sh
 
-         db.runCommand({ createStore: <store-name>, provider: <storage-provider>, urls: [ <url> ], defaultFormat: <file-extension> })
+         db.runCommand({ createStore: <store-name>, provider: <storage-provider>, allowInsecure: true|false, urls: [ <url> ], defaultFormat: <file-extension> })
 
 .. _dl-create-store-cmd-params:
 
@@ -179,6 +179,11 @@ Parameters
       .. list-table::
          :widths: 10 10 70 10 
 
+         * - ``allowInsecure`` 
+           - boolean 
+           - .. include:: /includes/extracts/cli-param-allow-insecure.rst
+           - no
+
          * - ``urls`` 
            - array of strings or an empty array
            - One or more publicly accessible |url|\s. You 
@@ -253,6 +258,7 @@ fails, see :ref:`dl-create-store-cmd-errors` for recommended solutions.
 	         "store" : {
 		         "name" : "<store-name>",
 		         "provider" : "<storage-provider>",
+		         "allowInsecure" : true|false,
 		         "urls" : [
 			         "<url>"
 		         ],
@@ -329,7 +335,7 @@ The following example uses the ``createStore`` command to create a new
       .. code-block:: json 
 
          use sample 
-         db.runCommand({ createStore: "myStore", provider: "http", urls: ["https://atlas-data-lake.s3.amazonaws.com/json/sample_airbnb/listingsAndReviews.json"], defaultFormat: ".json" })
+         db.runCommand({ createStore: "myStore", provider: "http", urls: ["https://atlas-data-lake.s3.amazonaws.com/json/sample_airbnb/listingsAndReviews","http://example.mongodb.com/sampleData"], allowInsecure: true, defaultFormat: ".json" })
 
       The previous command prints the following: 
 
@@ -342,9 +348,11 @@ The following example uses the ``createStore`` command to create a new
 		       "name" : "http-store",
 		       "provider" : "http",
 		       "urls" : [
-			      "https://atlas-data-lake.s3.amazonaws.com/json/sample_airbnb/listingsAndReviews.json"
+			       "https://atlas-data-lake.s3.amazonaws.com/json/sample_airbnb/listingsAndReviews",
+			       "http://example.mongodb.com/sampleData"
 		       ],
 		       "defaultFormat" : ".json"
+		       "allowInsecure" : true
 	        }
          }
 
@@ -383,3 +391,32 @@ If the command fails, it returns one of the following errors.
    }
 
 **Solution:** Ensure that you specify a valid storage provider.
+
+.. tabs:: 
+   :hidden:
+
+   .. tab:: S3 Configuration 
+      :tabid: s3
+
+   .. tab:: Atlas Configuration 
+      :tabid: atlas 
+
+   .. tab:: HTTP Configuration 
+      :tabid: http
+
+      **Reason:** One or more given |url|\s contain insecure |http| scheme. 
+
+      .. code-block:: json 
+         :copyable: false 
+
+         {
+	         "ok" : 0,
+	         "errmsg" : "store 'httpStore': the insecure HTTP scheme is not supported by default - please add a 'allowInsecure: true' flag to the store or datasource to query from such URLs, correlationID = 16332c6eddf7b32776fde638",
+	         "code" : 72,
+	         "codeName" : "InvalidOptions"
+         }
+
+      **Solution:** Specify |url|\s with the secure |https| scheme. If the 
+      specified |url|\s have the insecure |http| scheme, set the ``allowInsecure`` flag to ``true``. Note that setting the 
+      ``allowInsecure`` flag to ``true`` leaves your data vulnerable to 
+      man-in-the-middle attacks.

source/reference/format/data-lake-configuration.txt

@@ -205,6 +205,7 @@ Click on the tab below to learn more about the {+dl+} configuration for that dat
              {
                "name" : "httpStore",
                "provider" : "http",
+               "allowInsecure" : false,
                "urls" : [
                  "https://www.datacenter-hardware.com/data.json",
                  "https://www.datacenter-software.com/data.json"
@@ -221,6 +222,7 @@ Click on the tab below to learn more about the {+dl+} configuration for that dat
                    "dataSources" : [
                      {
                        "storeName" : "httpStore",
+                       "allowInsecure" : false,
                        "urls" : [
                          "https://www.datacenter-metrics.com/data"
                        ],
@@ -274,7 +276,8 @@ to run federated queries.
           {
             "name" : "httpStore",
             "provider" : "http",
-            "urls": [
+            "allowInsecure" : false,
+            "urls" [
               "https://www.datacenter-hardware.com/data.json",
               "https://www.datacenter-software.com/data.json"
             ],
@@ -299,6 +302,7 @@ to run federated queries.
                   },
                   {
                     "storeName" : "httpStore",
+                    "allowInsecure" : false,
                     "urls": [
                       "https://www.datacenter-metrics.com/data.json"
                     ],
@@ -426,8 +430,9 @@ The {+data-lake-short+} configuration has the following format:
              {
                "name" : "<string>",
                "provider": "<string>",
-               "urls": ["<string>"],
-               "defaultFormat" : "<string>"
+               "defaultFormat" : "<string>",
+               "allowInsecure": <boolean>,
+               "urls": ["<string>"]
              }
            ],
              "databases" : [
@@ -439,6 +444,7 @@ The {+data-lake-short+} configuration has the following format:
                      "dataSources" : [
                        {
                          "storeName" : "<string>",
+                         "allowInsecure" : <boolean>,
                          "urls" : ["<string>"],
                          "defaultFormat" : "<string>"
                        }
@@ -515,6 +521,7 @@ The {+data-lake-short+} configuration has the following format:
            {
              "name" : "<string>",
              "provider" : "<string>",
+             "allowInsecure" " <boolean>,
              "urls" : ["<string>"],
              "defaultFormat" : "<string>"
            }
@@ -659,6 +666,10 @@ The {+data-lake-short+} configuration has the following format:
    .. tab:: HTTP  
       :tabid: http
 
+      .. datalakeconf:: stores.[n].allowInsecure 
+
+         .. include:: /includes/extracts/param-allow-insecure.rst
+
       .. datalakeconf:: stores.[n].urls
 
          *Optional.* Comma-separated list of publicly accessible 
@@ -755,6 +766,7 @@ The {+data-lake-short+} configuration has the following format:
                  "dataSources" : [
                    {
                      "storeName" : "<string>",
+                     "allowInsecure" : <boolean>,
                      "urls" : ["<string>"],
                      "defaultFormat" : "<string>"
                    }
@@ -905,6 +917,10 @@ The {+data-lake-short+} configuration has the following format:
    .. tab:: HTTP  
       :tabid: http 
 
+      .. datalakeconf:: databases.[n].collections.[n].dataSources.[n].allowInsecure 
+
+         .. include:: /includes/extracts/param-allow-insecure.rst
+
       .. datalakeconf:: databases.[n].collections.[n].dataSources.[n].urls 
 
          *Optional*. Comma-separated list of publicly accessible |url|\s