Skip to content

DOCSP-41989: Security landing page #149

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 9 commits into from
Sep 25, 2024
Merged

DOCSP-41989: Security landing page #149

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
9 commits
Select commit Hold shift + click to select a range
113ea65
DOCSP-41989: Security landing page
norareidy Sep 24, 2024
91ac79c
more info
norareidy Sep 24, 2024
abdc95e
edits
norareidy Sep 24, 2024
63b03e1
snooty.toml
norareidy Sep 24, 2024
518b1f8
edits
norareidy Sep 24, 2024
e030a77
RR feedback
norareidy Sep 24, 2024
6101f20
JM feedback
norareidy Sep 25, 2024
4567967
Merge remote-tracking branch 'upstream/php-standardization' into DOCS…
norareidy Sep 25, 2024
b60ce61
Merge remote-tracking branch 'upstream/php-standardization' into DOCS…
norareidy Sep 25, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
1 change: 1 addition & 0 deletions snooty.toml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -25,6 +25,7 @@ toc_landing_pages = [
"/databases-collections",
"/write",
"/indexes",
"/security"
"/data-formats"
]

Expand Down
35 changes: 27 additions & 8 deletions source/includes/authentication.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -11,8 +11,8 @@
];

$client = new MongoDB\Client(
'mongodb://<hostname>:<port>',
$uriOptions,
'mongodb://<hostname>:<port>',
$uriOptions,
);
// end-scram-sha-256-client

Expand All @@ -21,6 +21,25 @@
$client = new MongoDB\Client($uri);
// end-scram-sha-256-uri

// start-scram-sha-1-client
$uriOptions = [
'username' => '<username>',
'password' => '<password>',
'authSource' => '<authentication database>',
'authMechanism' => 'SCRAM-SHA-1',
];

$client = new MongoDB\Client(
'mongodb://<hostname>:<port>',
$uriOptions,
);
// end-scram-sha-1-client

// start-scram-sha-1-uri
$uri = 'mongodb://<username>:<password>@<hostname>:<port>/?authSource=admin&authMechanism=SCRAM-SHA-1';
$client = new MongoDB\Client($uri);
// end-scram-sha-1-uri

// start-mongodb-X509-client
$uriOptions = [
'tls' => true,
Expand All @@ -29,8 +48,8 @@
];

$client = new MongoDB\Client(
'mongodb://<hostname>:<port>',
$uriOptions,
'mongodb://<hostname>:<port>',
$uriOptions,
);
// end-mongodb-X509-client

Expand All @@ -47,8 +66,8 @@
];

$client = new MongoDB\Client(
'mongodb://<hostname>:<port>',
$uriOptions,
'mongodb://<hostname>:<port>',
$uriOptions,
);
// end-mongodb-aws-client

Expand All @@ -59,8 +78,8 @@

// start-mongodb-aws-env-client
$client = new MongoDB\Client(
'mongodb://<hostname>:<port>',
['authMechanism' => 'MONGODB-AWS']
'mongodb://<hostname>:<port>',
['authMechanism' => 'MONGODB-AWS']
);
// end-mongodb-aws-env-client

Expand Down
14 changes: 14 additions & 0 deletions source/includes/usage-examples/connect-sample-app.php
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,14 @@
<?php

require __DIR__ . '/../vendor/autoload.php';

// Start example code here

// End example code here

try {
$client->test->command(['ping' => 1]);
echo 'Successfully pinged the MongoDB server.', PHP_EOL;
} catch (MongoDB\Driver\Exception\RuntimeException $e) {
printf("Failed to ping the MongoDB server: %s\n", $e->getMessage());
}
208 changes: 208 additions & 0 deletions source/security.txt
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -4,9 +4,217 @@
Secure Your Data
================

.. contents:: On this page
:local:
:backlinks: none
:depth: 2
:class: singlecol

.. facet::
:name: genre
:values: reference

.. meta::
:keywords: ldap, authorize, ecs, aws, authenticate
:description: Learn how to use the PHP library to secure your data.

.. toctree::
:titlesonly:
:maxdepth: 1

/security/authentication
/security/in-use-encryption

Overview
--------

MongoDB supports multiple mechanisms that you can use to authenticate your application.
This page contains code examples that demonstrate each of these mechanisms.

.. tip::

To learn more about any of the mechanisms shown on this page, see the link
provided in each section.

To use an authentication example from this page, copy the code example into the
:ref:`sample application <php-auth-sample>` or your own application.
Make sure to replace all placeholders in the code examples, such as ``<hostname>``, with
the relevant values for your MongoDB deployment.

.. _php-auth-sample:

.. include:: /includes/usage-examples/sample-app-intro.rst

.. literalinclude:: /includes/usage-examples/connect-sample-app.php
:language: php
:copyable: true
:linenos:
:emphasize-lines: 5-7

SCRAM-SHA-256
-------------

The following code shows how to authenticate by using the ``SCRAM-SHA-256``
authentication mechanism:

.. tabs::

.. tab:: MongoDB\\Client
:tabid: Client

.. literalinclude:: /includes/authentication.php
:language: php
:dedent:
:start-after: start-scram-sha-256-client
:end-before: end-scram-sha-256-client

.. tab:: Connection URI
:tabid: connectionstring

.. literalinclude:: /includes/authentication.php
:language: php
:dedent:
:start-after: start-scram-sha-256-uri
:end-before: end-scram-sha-256-uri

To learn more about SCRAM-SHA-256 authentication, see :ref:`php-scram-sha-256` in
Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Note to reviewer: all of these section links will be broken until #139 is merged

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

What is the purpose of this page? Many of the sections look redundant in light of what exists in #139. The descriptions here just seem to be abridged.

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It's a quick reference page where users can quickly find code examples (with a brief description) and a sample app to paste them into. Agreed that it's pretty redundant in this case, but still worth having as a reference

the Authentication guide.

SCRAM-SHA-1
-----------

The following code shows how to authenticate by using the ``SCRAM-SHA-1``
authentication mechanism:

.. tabs::

.. tab:: MongoDB\\Client
:tabid: Client

.. literalinclude:: /includes/authentication.php
:language: php
:dedent:
:start-after: start-scram-sha-1-client
:end-before: end-scram-sha-1-client

.. tab:: Connection URI
:tabid: connectionstring

.. literalinclude:: /includes/authentication.php
:language: php
:dedent:
:start-after: start-scram-sha-1-uri
:end-before: end-scram-sha-1-uri

To learn more about SCRAM-SHA-1 authentication, see :ref:`php-scram-sha-1` in
the Authentication guide.

MONGODB X.509
-------------

The following code shows how to create a connection URI to authenticate by using
the ``X.509`` authentication mechanism:

.. tabs::

.. tab:: MongoDB\\Client
:tabid: Client

.. literalinclude:: /includes/authentication.php
:language: php
:dedent:
:start-after: start-mongodb-X509-client
:end-before: end-mongodb-X509-client

.. tab:: Connection URI
:tabid: connectionstring

.. literalinclude:: /includes/authentication.php
:language: php
:dedent:
:start-after: start-mongodb-X509-uri
:end-before: end-mongodb-X509-uri

To learn more about X.509 authentication, see :ref:`php-x509` in
the Authentication guide.

MONGODB-AWS
-----------

The following sections show how to connect to MongoDB by using the ``MONGODB-AWS``
authentication mechanism. When you use the ``MONGODB-AWS`` mechanism, the {+php-library+}
attempts to retrieve your AWS credentials from the following sources, in the order listed:

1. Options passed to the ``MongoDB\Client`` constructor, either as part of the connection
string or the ``$uriOptions`` array parameter
#. Environment variables
#. AWS EKS ``AssumeRoleWithWebIdentity`` request
#. ECS container metadata
#. EC2 instance metadata

Each section shows how to authenticate with ``MONGODB-AWS`` when retrieving your
AWS credentials from options passed to your client or the alternative external sources.

To learn more about authenticating with AWS, see :ref:`php-mongo-aws` in the
Authentication guide.

MongoDB\\Client Credentials
~~~~~~~~~~~~~~~~~~~~~~~~~~~

The following code shows how to pass AWS credentials to the ``MongoDB\Client`` constructor
to authenticate with ``MONGODB-AWS``:

.. tabs::

.. tab:: MongoDB\\Client
:tabid: Client

.. literalinclude:: /includes/authentication.php
:language: php
:dedent:
:start-after: start-mongodb-aws-client
:end-before: end-mongodb-aws-client

.. tab:: Connection URI
:tabid: connectionstring

.. literalinclude:: /includes/authentication.php
:language: php
:dedent:
:start-after: start-mongodb-aws-uri
:end-before: end-mongodb-aws-uri

External Credentials
~~~~~~~~~~~~~~~~~~~~

The following code shows how to authenticate with ``MONGODB-AWS`` when
obtaining credentials from environment variables, an ``AssumeRoleWithWebIdentity``
request, ECS metadata, or EC2 instance metadata:

.. tabs::

.. tab:: MongoDB\\Client
:tabid: Client

.. literalinclude:: /includes/authentication.php
:language: php
:dedent:
:start-after: start-mongodb-aws-env-client
:end-before: end-mongodb-aws-env-client

.. tab:: Connection URI
:tabid: connectionstring

.. literalinclude:: /includes/authentication.php
:language: php
:dedent:
:start-after: start-mongodb-aws-env-uri
:end-before: end-mongodb-aws-env-uri

To learn more about authenticating with AWS by obtaining external
credentials, see the following sections in the Authentication guide:

- :ref:`php-mongo-aws-environment`
- :ref:`php-mongo-aws-assume-role`
- :ref:`php-mongo-aws-ecs`
- :ref:`php-mongo-aws-ec2`
Loading