diff --git a/source/core/authentication.txt b/source/core/authentication.txt index e3d51be2fa8..ed6151a47f6 100644 --- a/source/core/authentication.txt +++ b/source/core/authentication.txt @@ -314,7 +314,7 @@ exception allows connections from the localhost interface to create the first user on the ``admin`` database. The exception applies only when there are no users created in the MongoDB instance. -.. versionchanged:: 2.8.0 +.. versionchanged:: 3.0 The localhost exception changed so that these connections *only* have access to create the first user on the ``admin`` database. In previous versions, connections that gained access 
@@ -328,15 +328,15 @@ with privileges to create other users, such as a user with the :doc:`/tutorial/enable-authentication` and :doc:`/tutorial/add-user-administrator` for more information. -In the case of a sharded cluster, the localhost exception can apply to -the cluster as a whole or separately to each shard. If there are no -user information stored on the config servers *and* -clients access via :program:`mongos` instances, the localhost -exception applies to the cluster. if there is no user information -stored on the shard itself and clients connect to the shard directly, -the localhost exception applies to each shard. - -To prevent unauthorized access to a cluster's shards, you must either -create an administrator on each shard or disable the localhost exception. -To disable the localhost exception, use :setting:`setParameter` to set the -:parameter:`enableLocalhostAuthBypass` parameter to ``0`` during startup. +In the case of a sharded cluster, the localhost exception applies to each shard +individually as well as to the cluster as a whole. Once you create a sharded +cluster and add an administrator to the :program:`mongos` instance, you must +still prevent unauthorized access to the individual shards. Follow one of the +following steps for each shard in your cluster: + +- Create an administrative user, or +- Disable the localhost exception at startup. To disable the localhost + exception, use :setting:`setParameter` in your + :doc:`configuration file `, or + :option:`--setParameter` on the command line to set + the :parameter:`enableLocalhostAuthBypass` parameter to ``0``. diff --git a/source/reference/parameters.txt b/source/reference/parameters.txt index 2b37e0ef6bc..cd625eb58c0 100644 --- a/source/reference/parameters.txt +++ b/source/reference/parameters.txt 
@@ -8,7 +8,7 @@ Synopsis -------- MongoDB provides a number of configuration options that are accessible -via the :option:`--setParameter ` option to +via the :option:`--setParameter` option to :program:`mongod`. This document documents all of these options. For additional run time configuration options, see @@ -627,7 +627,7 @@ Parameters Available for the MMAPv1 storage engine only. - .. deprecated:: 3.0.0 + .. deprecated:: 3.0.0 MongoDB deprecates the :parameter:`newCollectionsUsePowerOf2Sizes` parameter such that diff --git a/source/tutorial/enable-authentication-in-sharded-cluster.txt b/source/tutorial/enable-authentication-in-sharded-cluster.txt index ba6e6f1089a..aae4b4fe459 100644 --- a/source/tutorial/enable-authentication-in-sharded-cluster.txt +++ b/source/tutorial/enable-authentication-in-sharded-cluster.txt @@ -10,7 +10,7 @@ Enable Authentication in a Sharded Cluster Overview -------- -When authentication is enabled on a sharded cluster every client that +When authentication is enabled on a sharded cluster, every client that accesses the cluster must provide credentials. This includes MongoDB instances that access each other within the cluster. @@ -24,12 +24,16 @@ Authentication requires an authentication mechanism and, in most cases, a :setting:`key file `. The content of the key file must be the same on all cluster members. -Consideration -------------- +Considerations +-------------- It is not possible to convert an existing sharded cluster that does not enforce access control to require authentication without taking -all components of the cluster offline for a short period of time. +all components of the cluster offline for a short period of time. + +As described in :ref:`localhost-exception`, the localhost exception will apply +to the individual shards unless you either create an administrative user or +disable the localhost exception on each shard. Procedure ---------
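Review bot: In the source/core/authentication.txt hunk at ``@@ -314,7 +314,7 @@``, the version label becomes ``.. versionchanged:: 3.0`` while the source/reference/parameters.txt hunk in the same patch keeps ``.. deprecated:: 3.0.0``; settle on one form for release numbers across both pages so the same series is not written two ways.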
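Review bot: In the source/core/authentication.txt hunk at ``@@ -328,15 +328,15 @@``, the rewrite drops the condition the removed text carried, namely that the per-shard exception matters when clients connect to a shard directly rather than through :program:`mongos`; without it, "the localhost exception applies to each shard individually as well as to the cluster as a whole" does not tell the reader why an administrator on :program:`mongos` is not enough. Suggest adding a clause such as "because clients can connect to a shard directly, bypassing :program:`mongos`". Two smaller points in the same hunk: the ``:doc:`configuration file ``` role shows no target after the label in this view, so confirm the document path is present in the committed file or Sphinx will not resolve the link; and "Follow one of the following steps for each shard" reads awkwardly before a two-item list of alternatives, "Do one of the following for each shard in your cluster:" is tighter.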
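Review bot: In the source/reference/parameters.txt hunk at ``@@ -8,7 +8,7 @@``, removing the explicit target from ``:option:`--setParameter``` leaves Sphinx to pick whichever ``--setParameter`` option it resolves by default; the sentence says the option belongs to :program:`mongod`, and the authentication.txt hunk uses the same bare role while discussing shards, so check that both references land on the intended program's option and that the build emits no unresolved-reference warning for either.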
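Review bot: In the source/reference/parameters.txt hunk at ``@@ -627,7 +627,7 @@``, the removed and added lines read identically (``.. deprecated:: 3.0.0``), so this is a whitespace-only change; if it is a trailing-whitespace cleanup, say so in the commit message, and verify the directive's indentation still matches the parameter description it sits under, since a shifted indent would push the deprecation note out of that parameter's body.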
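Review bot: In the source/tutorial/enable-authentication-in-sharded-cluster.txt hunk at ``@@ -24,12 +24,16 @@``, the new paragraph relies on ``:ref:`localhost-exception```, but none of the authentication.txt hunks in this patch adds a ``.. _localhost-exception:`` label; confirm the label already exists in that file, otherwise the cross-reference fails at build time. Also, "on each shard" at the end of the sentence should govern both alternatives: "unless, on each shard, you either create an administrative user or disable the localhost exception" makes that binding explicit and matches the per-shard list in authentication.txt. The removed and added ``all components of the cluster offline for a short period of time.`` lines are identical here, so that pair is a whitespace-only change and is worth a word in the commit message; the lengthened underline for "Considerations" is correct.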