DOCS-2671: new tutorial: deploy replica set and configure authentication...

config/htaccess-next.yaml

@@ -1263,6 +1263,22 @@ redirect-path: '/tutorial/perform-maintence-on-replica-set-members'
 url-base: '/administration/replica-set-maintenance'
 type: 'redirect'
 code: 303
+outputs:
+  - 'manual'
+  - 'before-v2.4'
+---
+redirect-path: '/administration/security-deployment'
+url-base: '/'
+type: 'redirect'
+code: 303
+outputs:
+  - 'manual'
+  - 'before-v2.4'
+---
+redirect-path: '/tutorial/deploy-replica-set-with-auth'
+url-base: '/tutorial/deploy-replica-set'
+type: 'redirect'
+code: 303
 outputs:
   - 'manual'
   - 'before-v2.4'

source/administration/replica-set-deployment.txt

@@ -6,6 +6,9 @@ Replica Set Deployment Tutorials
 
 The following tutorials provide information in deploying replica sets.
 
+.. seealso:: :doc:`/administration/security-deployment` for additional
+   related tutorials.
+
 .. include:: /includes/toc/dfn-list-replica-set-deployment.rst
 
 .. include:: /includes/toc/replica-set-deployment.rst

source/administration/security-deployment.txt

@@ -0,0 +1,12 @@
+=============================
+Security Deployment Tutorials
+=============================
+
+.. default-domain:: mongodb
+
+The following tutorials provide information in deploying MongoDB using
+authentication and authorization.
+
+.. include:: /includes/toc/dfn-list-security-tutorials-deployment.rst
+
+.. include:: /includes/toc/security-tutorials-deployment.rst

source/core/replica-set-architectures.txt

@@ -16,8 +16,6 @@ three-member replica set. These sets provide redundancy and fault
 tolerance. Avoid complexity when possible, but let your application
 requirements dictate the architecture.
 
-.. include:: /includes/important-unique-replica-set-names.rst
-
 Strategies
 ----------
 
@@ -155,6 +153,11 @@ shutdowns, including power failures and unexpected reboots.
 All 64-bit versions of MongoDB after version 2.0 have journaling
 enabled by default.
 
+Replica Set Naming
+------------------
+
+.. include:: /includes/fact-unique-replica-set-names.rst
+
 Deployment Patterns
 -------------------
 

source/includes/access-create-user.rst

@@ -5,3 +5,7 @@ database.
 You must have the :authaction:`grantRole` :ref:`action
 <security-user-actions>` on a role's database to grant the role to another
 user.
+
+If you have the :authrole:`userAdmin` or :authrole:`userAdminAnyDatabase`
+role, or if you are authenticated using the :ref:`localhost exception
+<localhost-exception>`, you have those actions.

source/includes/considerations-deploying-replica-set.rst

@@ -0,0 +1,47 @@
+Architecture
+~~~~~~~~~~~~
+
+In a production, deploy each member of the replica set to its own machine
+and if possible bind to the standard MongoDB port of ``27017``. Use the
+:setting:`bind_ip` option to ensure that MongoDB listens for connections
+from applications on configured addresses.
+
+For a geographically distributed replica sets, ensure that the
+majority of the set's :program:`mongod` instances reside in the
+primary site.
+
+See :doc:`/core/replica-set-architectures` for more information.
+
+Connectivity
+~~~~~~~~~~~~
+
+Ensure that network traffic can pass between all members of the set
+and all clients in the network securely and efficiently. Consider the
+following:
+
+- Establish a virtual private network. Ensure that your network topology
+  routes all traffic between members within a single site over the local
+  area network.
+
+- Configure access control to prevent connections from unknown clients
+  to the replica set.
+
+- Configure networking and firewall rules so that incoming and outgoing
+  packets are permitted only on the default MongoDB port and only from
+  within your deployment.
+
+Finally ensure that each member of a replica set is accessible by
+way of resolvable DNS or hostnames. You should either configure your
+DNS names appropriately or set up your systems' ``/etc/hosts`` file to
+reflect this configuration.
+
+Configuration
+~~~~~~~~~~~~~
+
+Specify the run time configuration on each system in a :doc:`configuration
+file </reference/configuration-options>` stored in ``/etc/mongodb.conf``
+or a related location. Create the directory where MongoDB stores data
+files before deploying MongoDB.
+
+For more information about the run time options used above and other
+configuration options, see :doc:`/reference/configuration-options`.

source/includes/fact-unique-replica-set-names.rst

@@ -0,0 +1,3 @@
+If your application connects to more than one replica set, each set
+should have a distinct name. Some drivers group replica set
+connections by replica set name.

source/includes/options-mongod.yaml

@@ -746,7 +746,7 @@ description: |
   Configures replication. Specify a replica set name as an argument to
   this set. All hosts in the replica set must have the same set name.
 
-  .. include:: /includes/important-unique-replica-set-names.rst
+  .. include:: /includes/fact-unique-replica-set-names.rst
 optional: true
 ---
 program: mongod

source/includes/steps-add-admin-user.yaml

@@ -1,14 +1,14 @@
 stepnum: 1
 source:
-  file: steps-change-user-privileges.yaml
-  ref: connect-with-appropriate-privileges
+  file: steps-connect-with-admin-privileges.yaml
+  ref: connect
 pre: |
   Connect to the :program:`mongod` or :program:`mongos` as a user with the
   privileges required in the :ref:`add-admin-prereq` section.
 ---
 stepnum: 2
 source:
-  file: steps-change-user-privileges.yaml
+  file: steps-connect-with-admin-privileges.yaml
   ref: verify-privileges
 ---
 title: Create the administrative user.

source/includes/steps-add-user-administrator.yaml

@@ -1,28 +1,57 @@
 stepnum: 1
 source:
-  file: steps-change-user-privileges.yaml
-  ref: connect-with-appropriate-privileges
+  file: steps-connect-with-admin-privileges.yaml
+  ref: connect
 pre: |
   Connect to the :program:`mongod` or :program:`mongos` as a user with the
   privileges required in the :ref:`add-user-admin-prereq` section.
 ---
 stepnum: 2
 source:
-  file: steps-change-user-privileges.yaml
+  file: steps-connect-with-admin-privileges.yaml
   ref: verify-privileges
 ---
-title: Create the user administrator.
+title: Create the system user administrator.
 stepnum: 3
-ref: create-user-admin
+ref: create-site-user-admin
 pre: |
-  Add the user and assign the :authrole:`userAdmin` role or
-  :authrole:`userAdminAnyDatabase` role, and only that role.
+  Add the user with the :authrole:`userAdminAnyDatabase` role, and
+  only that role.
+action:
+  pre: |
+    The following example creates the user ``siteUserAdmin`` user on the
+    ``admin`` database:
+  language: javascript
+  code: |
+    use admin
+    db.createUser(
+      {
+        user: "siteUserAdmin",
+        pwd: "password",
+        roles:
+        [
+          {
+            role: "userAdminAnyDatabase",
+            db: "admin"
+          }
+        ]
+      }
+    )
+---
+title: Create a user administrator for a single database.
+stepnum: 4
+ref: create-db-user-admin
+pre: |
+  Optionally, you may want to create user administrators that only
+  have access to administer users in a specific database by way of the
+  :authrole:`userAdmin` role.
 action:
   pre: |
     The following example creates the user ``recordsUserAdmin`` on the
     ``records`` database:
   language: javascript
   code: |
+    use products
     db.createUser(
       {
         user: "recordsUserAdmin",

source/includes/steps-add-user-to-database.yaml

@@ -1,14 +1,14 @@
 stepnum: 1
 source:
-  file: steps-change-user-privileges.yaml
-  ref: connect-with-appropriate-privileges
+  file: steps-connect-with-admin-privileges.yaml
+  ref: connect
 pre: |
   Connect to the :program:`mongod` or :program:`mongos` with the privileges
   required in the :ref:`add-user-prereq` section.
 ---
 stepnum: 2
 source:
-  file: steps-change-user-privileges.yaml
+  file: steps-connect-with-admin-privileges.yaml
   ref: verify-privileges
 ---
 title: Create the new user.

source/includes/steps-change-user-password.yaml

@@ -1,14 +1,14 @@
 stepnum: 1
 source:
-  file: steps-change-user-privileges.yaml
-  ref: connect-with-appropriate-privileges
+  file: steps-connect-with-admin-privileges.yaml
+  ref: connect
 pre: |
   Connect to the :program:`mongod` or :program:`mongos` with the privileges
   required in the :ref:`change-password-prereq` section.
 ---
 stepnum: 2
 source:
-  file: steps-change-user-privileges.yaml
+  file: steps-connect-with-admin-privileges.yaml
   ref: verify-privileges
 ---
 title: Change the password.

source/includes/steps-change-user-privileges.yaml

@@ -1,36 +1,12 @@
-title: Connect to MongoDB with the appropriate privileges.
 stepnum: 1
-ref: connect-with-appropriate-privileges
-pre: |
-  Connect to the :program:`mongod` or :program:`mongos` either through the
-  :ref:`localhost exception <localhost-exception>` or as a user with the
-  privileges required in the :ref:`change-user-privileges-prereq` section.
-action:
-  pre: |
-    The following example operation connects to MongoDB as an authenticated
-    user named ``manager``:
-  language: javascript
-  code: |
-    mongo --port 27017 -u manager -p 12345678 --authenticationDatabase admin
+source:
+  file: steps-connect-with-admin-privileges.yaml
+  ref: connect
 ---
-title: Verify your privileges.
 stepnum: 2
-ref: verify-privileges
-pre: |
-  Use the :dbcommand:`usersInfo` command with the ``showPrivileges`` option.
-action:
-  pre: |
-    The following example operation checks privileges for a user connected as ``manager``:
-  language: javascript
-  code: |
-    db.runCommand(
-      {
-        usersInfo:"manager",
-        showPrivileges:true
-      }
-    )
-post: |
-  The resulting ``users`` document displays the privileges granted to ``manager``.
+source:
+  file: steps-connect-with-admin-privileges.yaml
+  ref: verify-privileges
 ---
 title: Identify the user's roles and privileges.
 stepnum: 3