DOCS-2671: Deploy a replica set with authentication

source/includes/access-create-user.rst

@@ -5,3 +5,7 @@ database.
 You must have the :authaction:`grantRole` :ref:`action
 <security-user-actions>` on a role's database to grant the role to another
 user.
+
+If you have the :authrole:`userAdmin` or :authrole:`userAdminAnyDatabase`
+role, or if you are authenticated using the :ref:`localhost exception
+<localhost-exception>`, you have those actions.

source/includes/considerations-deploying-replica-set.rst

@@ -0,0 +1,34 @@
+In a production, deploy each member of the replica set to its own machine
+and if possible bind to the standard MongoDB port of ``27017``. Use the
+:setting:`bind_ip` option to ensure that MongoDB listen for connections
+from applications on the configured address.
+
+Each member of a replica set must be accessible by way of resolvable DNS
+or hostnames. You should either configure your DNS names appropriately or
+set up your systems' ``/etc/hosts`` file to reflect this configuration.
+
+For a geographically distributed replica set, ensure that one system
+resides in each secondary site, while the remaining systems are in the
+primary site.
+
+Ensure that network traffic can pass between all members in the network
+securely and efficiently. Consider the following:
+
+- Establish a virtual private network. Ensure that your network topology
+  routes all traffic between members within a single site over the local
+  area network.
+
+- Configure authentication so that only servers and processes with
+  authentication can connect to the replica set.
+
+- Configure networking and firewall rules so that incoming and outgoing
+  packets are permitted only on the default MongoDB port and only from
+  within your deployment.
+
+Specify the run time configuration on each system in a :doc:`configuration
+file </reference/configuration-options>` stored in ``/etc/mongodb.conf``
+or a related location. Create the directory where MongoDB stores data
+files before deploying MongoDB.
+
+For more information about the run time options used above and other
+configuration options, see :doc:`/reference/configuration-options`.

source/includes/steps-add-admin-user.yaml

@@ -1,14 +1,14 @@
 stepnum: 1
 source:
-  file: steps-change-user-privileges.yaml
-  ref: connect-with-appropriate-privileges
+  file: steps-connect-with-admin-privileges.yaml
+  ref: connect
 pre: |
   Connect to the :program:`mongod` or :program:`mongos` as a user with the
   privileges required in the :ref:`add-admin-prereq` section.
 ---
 stepnum: 2
 source:
-  file: steps-change-user-privileges.yaml
+  file: steps-connect-with-admin-privileges.yaml
   ref: verify-privileges
 ---
 title: Create the administrative user.

source/includes/steps-add-user-administrator.yaml

@@ -1,14 +1,14 @@
 stepnum: 1
 source:
-  file: steps-change-user-privileges.yaml
-  ref: connect-with-appropriate-privileges
+  file: steps-connect-with-admin-privileges.yaml
+  ref: connect
 pre: |
   Connect to the :program:`mongod` or :program:`mongos` as a user with the
   privileges required in the :ref:`add-user-admin-prereq` section.
 ---
 stepnum: 2
 source:
-  file: steps-change-user-privileges.yaml
+  file: steps-connect-with-admin-privileges.yaml
   ref: verify-privileges
 ---
 title: Create the user administrator.

source/includes/steps-add-user-to-database.yaml

@@ -1,14 +1,14 @@
 stepnum: 1
 source:
-  file: steps-change-user-privileges.yaml
-  ref: connect-with-appropriate-privileges
+  file: steps-connect-with-admin-privileges.yaml
+  ref: connect
 pre: |
   Connect to the :program:`mongod` or :program:`mongos` with the privileges
   required in the :ref:`add-user-prereq` section.
 ---
 stepnum: 2
 source:
-  file: steps-change-user-privileges.yaml
+  file: steps-connect-with-admin-privileges.yaml
   ref: verify-privileges
 ---
 title: Create the new user.

source/includes/steps-change-user-password.yaml

@@ -1,14 +1,14 @@
 stepnum: 1
 source:
-  file: steps-change-user-privileges.yaml
-  ref: connect-with-appropriate-privileges
+  file: steps-connect-with-admin-privileges.yaml
+  ref: connect
 pre: |
   Connect to the :program:`mongod` or :program:`mongos` with the privileges
   required in the :ref:`change-password-prereq` section.
 ---
 stepnum: 2
 source:
-  file: steps-change-user-privileges.yaml
+  file: steps-connect-with-admin-privileges.yaml
   ref: verify-privileges
 ---
 title: Change the password.

source/includes/steps-change-user-privileges.yaml

@@ -1,36 +1,12 @@
-title: Connect to MongoDB with the appropriate privileges.
 stepnum: 1
-ref: connect-with-appropriate-privileges
-pre: |
-  Connect to the :program:`mongod` or :program:`mongos` either through the
-  :ref:`localhost exception <localhost-exception>` or as a user with the
-  privileges required in the :ref:`change-user-privileges-prereq` section.
-action:
-  pre: |
-    The following example operation connects to MongoDB as an authenticated
-    user named ``manager``:
-  language: javascript
-  code: |
-    mongo --port 27017 -u manager -p 12345678 --authenticationDatabase admin
+source:
+  file: steps-connect-with-admin-privileges.yaml
+  ref: connect
 ---
-title: Verify your privileges.
 stepnum: 2
-ref: verify-privileges
-pre: |
-  Use the :dbcommand:`usersInfo` command with the ``showPrivileges`` option.
-action:
-  pre: |
-    The following example operation checks privileges for a user connected as ``manager``:
-  language: javascript
-  code: |
-    db.runCommand(
-      {
-        usersInfo:"manager",
-        showPrivileges:true
-      }
-    )
-post: |
-  The resulting ``users`` document displays the privileges granted to ``manager``.
+source:
+  file: steps-connect-with-admin-privileges.yaml
+  ref: verify-privileges
 ---
 title: Identify the user's roles and privileges.
 stepnum: 3

source/includes/steps-connect-with-admin-privileges.yaml

@@ -0,0 +1,36 @@
+# These two steps are borrowed by other tutorials but do *not* have a home tutorial.
+# 
+title: Connect to MongoDB with the appropriate privileges.
+stepnum: 1
+ref: connect
+pre: |
+  Connect to the :program:`mongod` or :program:`mongos` either through the
+  :ref:`localhost exception <localhost-exception>` or as a user with the
+  privileges required in the :ref:`change-user-privileges-prereq` section.
+action:
+  pre: |
+    The following example operation connects to MongoDB as an authenticated
+    user named ``manager``:
+  language: javascript
+  code: |
+    mongo --port 27017 -u manager -p 12345678 --authenticationDatabase admin
+---
+title: Verify your privileges.
+stepnum: 2
+ref: verify-privileges
+pre: |
+  Use the :dbcommand:`usersInfo` command with the ``showPrivileges`` option.
+action:
+  pre: |
+    The following example operation checks privileges for a user connected as ``manager``:
+  language: javascript
+  code: |
+    db.runCommand(
+      {
+        usersInfo:"manager",
+        showPrivileges:true
+      }
+    )
+post: |
+  The resulting ``users`` document displays the privileges granted to ``manager``.
+...

source/includes/steps-define-roles.yaml

@@ -1,14 +1,14 @@
 stepnum: 1
 source:
-  file: steps-change-user-privileges.yaml
-  ref: connect-with-appropriate-privileges
+  file: steps-connect-with-admin-privileges.yaml
+  ref: connect
 pre: |
   Connect to the :program:`mongod` or :program:`mongos` with the privileges
   required in the :ref:`define-roles-prereq` section.
 ---
 stepnum: 2
 source:
-  file: steps-change-user-privileges.yaml
+  file: steps-connect-with-admin-privileges.yaml
   ref: verify-privileges
 ---
 title: Define the privileges to grant to the role.