From 3e467ec94475162df0f76f90973e09a6c2cf0f9f Mon Sep 17 00:00:00 2001 From: rustagir Date: Thu, 12 Sep 2024 15:02:42 -0400 Subject: [PATCH 1/9] DOCSP-43473: oidc --- snooty.toml | 1 + source/fundamentals/enterprise-auth.txt | 304 +++++++++++++++++- .../authentication/auth-properties-commas.rst | 5 + .../authentication/azure-imds-client.go | 28 ++ .../authentication/eks-custom-callback.go | 88 +++++ .../authentication/gcp-imds-client.go | 27 ++ .../includes/authentication/gke-callback.go | 45 +++ 7 files changed, 497 insertions(+), 1 deletion(-) create mode 100644 source/includes/authentication/auth-properties-commas.rst create mode 100644 source/includes/authentication/azure-imds-client.go create mode 100644 source/includes/authentication/eks-custom-callback.go create mode 100644 source/includes/authentication/gcp-imds-client.go create mode 100644 source/includes/authentication/gke-callback.go diff --git a/snooty.toml b/snooty.toml index f4c174d8..c204c53c 100644 --- a/snooty.toml +++ b/snooty.toml @@ -28,3 +28,4 @@ cmk-long = "Customer Master Key" dek-long = "Data Encryption Key" csfle-short = "CSFLE" csfle-long = "Client-side Field Level Encryption" +mdb-server = "MongoDB Server" diff --git a/source/fundamentals/enterprise-auth.txt b/source/fundamentals/enterprise-auth.txt index 9e95964d..1c17a99c 100644 --- a/source/fundamentals/enterprise-auth.txt +++ b/source/fundamentals/enterprise-auth.txt @@ -197,6 +197,304 @@ address of your MongoDB server: authenticates using the PLAIN Simple Authentication and Security Layer (SASL) defined in `RFC-4616 `__. +.. _golang-mongodb-oidc: + +MONGODB-OIDC +------------ + +.. important:: + + The MONGODB-OIDC authentication mechanism requires {+mdb-server+} + v7.0 or later running on a Linux platform. + +The {+driver-short+} supports OpenID Connect (**OIDC**) authentication for **workload +identities**. A workload identity is an identity you assign to a +software workload, such as an application, service, script, or +container, to authenticate and access other services and resources. + +The following sections describe how to use the MONGODB-OIDC +authentication mechanism to authenticate to various platforms. + +To learn more about the MONGODB-OIDC authentication mechanism, see +:manual:`OpenID Connect Authentication ` and +:manual:`MongoDB Server Parameters ` +in the {+mdb-server+} manual. + +.. _golang-mongodb-oidc-azure-imds: + +Azure IMDS +~~~~~~~~~~ + +If your application runs on an Azure VM, or otherwise uses the +`Azure Instance Metadata Service `__ +(IMDS), you can authenticate to MongoDB by using the {+driver-short+}'s +built-in Azure support. + +You can configure OIDC for Azure IMDS in the following ways: + +- By creating a ``Credential`` struct and passing it to the + ``SetAuth()`` method when creating a client +- By setting parameters in your connection string + +.. include:: /includes/authentication/auth-properties-commas.rst + +.. tabs:: + + .. tab:: Credential + :tabid: credential struct + + First, create a map to store your authentication + mechanism properties, as shown in the following example. Replace + the ```` placeholder with the value of the ``audience`` + parameter configured on your MongoDB deployment. + + .. code-block:: go + + props := map[string]string{ + "ENVIRONMENT": "azure", + "TOKEN_RESOURCE": "", + } + + Then, set the following ``Credential`` struct fields: + + - ``Username``: If you're using an Azure managed identity, set this to the client ID + of the managed identity. If you're using a service principal to represent an + enterprise application, set this to the application ID of the service principal. + - ``AuthMechanism``: Set to ``"MONGODB-OIDC"``. + - ``AuthMechanismProperties``: Set to the ``props`` map that you + previously created. + + The following code example shows how to set these options when creating a + ``MongoClient``: + + .. literalinclude:: /includes/authentication/azure-imds-client.go + :language: go + :copyable: true + :start-after: start-azure-imds-client + :end-before: end-azure-imds-client + :emphasize-lines: 9-11 + + .. tab:: Connection String + :tabid: connectionstring + + Include the following connection options in your connection string: + + - ``username``: If you're using an Azure managed identity, set this to the client ID + of the managed identity. If you're using a service principal to represent an + enterprise application, set this to the application ID of the service principal. + - ``authMechanism``: Set to ``MONGODB-OIDC``. + - ``authMechanismProperties``: Set to + ``ENVIRONMENT:azure,TOKEN_RESOURCE:``. + Replace the ```` placeholder with the + value of the ``audience`` parameter configured on your MongoDB deployment. + + The following code example shows how to set these options in + your connection string: + + .. code-block:: go + + uri := "mongodb://:/?" + + "username=" + + "&authMechanism=MONGODB-OIDC" + + "&authMechanismProperties=ENVIRONMENT:azure,TOKEN_RESOURCE:" + + client, err := mongo.Connect(options.Client().ApplyURI(uri)) + if err != nil { + panic(err) + } + +.. tip:: + + If your application is running on an Azure VM, and only one managed identity is + associated with the VM, you can omit the ``username`` connection option. + +.. _golang-mongodb-oidc-gcp-imds: + +GCP IMDS +~~~~~~~~ + +If your application runs on a Google Compute Engine VM, or otherwise uses the +`GCP Instance Metadata Service `__, +you can authenticate to MongoDB by using the {+driver-short+}'s built-in GCP +support. + +You can configure OIDC for GCP IMDS in the following ways: + +- By creating a ``Credential`` struct and passing it to the + ``SetAuth()`` method when creating a client +- By setting parameters in your connection string + +.. include:: /includes/authentication/auth-properties-commas.rst + +.. tabs:: + + .. tab:: Credential + :tabid: credential struct + + First, create a map to store your authentication + mechanism properties, as shown in the following example. Replace + the ```` placeholder with the value of the ``audience`` + parameter configured on your MongoDB deployment. + + .. code-block:: go + + props := map[string]string{ + "ENVIRONMENT": "gcp", + "TOKEN_RESOURCE": "", + } + + Then, set the following ``Credential`` struct fields: + + - ``AuthMechanism``: Set to ``"MONGODB-OIDC"``. + - ``AuthMechanismProperties``: Set to the ``props`` map that you + previously created. + + The following code example shows how to set these options when creating a + ``MongoClient``: + + .. literalinclude:: /includes/authentication/gcp-imds-client.go + :language: go + :copyable: true + :start-after: start-gcp-imds-client + :end-before: end-gcp-imds-client + :emphasize-lines: 9-10 + + .. tab:: Connection String + :tabid: connectionstring + + Include the following connection options in your connection string: + + - ``authMechanism``: Set to ``MONGODB-OIDC``. + - ``authMechanismProperties``: Set to + ``ENVIRONMENT:gcp,TOKEN_RESOURCE:``. + Replace the ```` placeholder with the + value of the ``audience`` parameter configured on your MongoDB deployment. + + The following code example shows how to set these options in your connection string: + + .. code-block:: go + + uri := "mongodb://:/?" + + "&authMechanism=MONGODB-OIDC" + + "&authMechanismProperties=ENVIRONMENT:gcp,TOKEN_RESOURCE:" + + client, err := mongo.Connect(options.Client().ApplyURI(uri)) + if err != nil { + panic(err) + } + +.. _golang-mongodb-oidc-custom-callback: + +Custom Callback +~~~~~~~~~~~~~~~ + +The {+driver-short+} doesn't offer built-in support for all platforms, +including the AWS Elastic Kubernetes Service (EKS). To authenticate +against unsupported platforms, you must define a custom callback +function to use OIDC to authenticate. In the driver, you can define an +``options.OIDCCallback`` function and set it as the value of the +``OIDCMachineCallback`` struct field in your ``Credential`` struct. + +The following example defines a custom callback for an EKS +cluster with a configured IAM OIDC provider. The access token is +read from a path set in the ``AWS_WEB_IDENTITY_TOKEN_FILE`` +environment variable: + +.. literalinclude:: /includes/authentication/eks-custom-callback.go + :language: go + :copyable: true + :start-after: start-custom-callback + :end-before: end-custom-callback + +Next, create a map to store your authentication +mechanism properties, as shown in the following example. Replace +the ```` placeholder with the value of the ``audience`` +parameter configured on your MongoDB deployment. + +.. code-block:: go + + props := map[string]string{ + "TOKEN_RESOURCE": "", + } + +Then, you can create a ``Credential`` struct that uses the properties +map and the EKS callback function: + +.. literalinclude:: /includes/authentication/eks-custom-callback.go + :language: go + :copyable: true + :start-after: start-credential-callback + :end-before: end-credential-callback + :emphasize-lines: 10 + +.. _golang-mongodb-oidc-azure-envs: + +Other Azure Environments +~~~~~~~~~~~~~~~~~~~~~~~~ + +If your application runs on Azure Functions, App Service Environment (ASE), or Azure +Kubernetes Service (AKS), you can use the `azidentity +`__ +module to fetch authentication credentials. + +First, install the ``azidentity`` module by running the +following command: + +.. code-block:: sh + + go get -u github.com/Azure/azure-sdk-for-go/sdk/azidentity + +Your ``OIDCCallback`` function should return the ``AccessToken`` +generated from the ``azidentity`` package. See the preceding +:ref:`golang-mongodb-oidc-custom-callback` section for an example that +implements a custom callback. + +.. _golang-mongodb-oidc-gcp-gke: + +GCP GKE +~~~~~~~ + +If your application runs on a GCP Google Kubernetes Engine (GKE) cluster with a +`configured service account +`__, +you can read the OIDC token from the standard service-account token-file location. + +First, define the ``OIDCCallback`` function. This function reads the +OIDC token and returns an ``OIDCCredential`` instance. + +The following example defines a callback function named ``gkeCallback``. +The function retrieves an OIDC token from a file in the standard +service-account token-file location: + +.. literalinclude:: /includes/authentication/gke-callback.go + :language: go + :copyable: true + :start-after: start-callback + :end-before: end-callback + :emphasize-lines: 10 + +Next, create a map to store your authentication +mechanism properties, as shown in the following example. Replace +the ```` placeholder with the value of the ``audience`` +parameter configured on your MongoDB deployment. + +.. code-block:: go + + props := map[string]string{ + "ENVIRONMENT": "gcp", + "TOKEN_RESOURCE": "", + } + +Then, you can create a ``Credential`` struct that uses the properties +map and the GKE callback function: + +.. literalinclude:: /includes/authentication/gke-callback.go + :language: go + :copyable: true + :start-after: start-credential-callback + :end-before: end-credential-callback + :emphasize-lines: 10 + Additional Information ---------------------- @@ -204,9 +502,13 @@ To learn more about the concepts in this guide, see the following documentation: - :manual:`MongoDB Server Support for Kerberos Authentication ` - :manual:`MongoDB Server Support for LDAP Proxy Authentication ` +- :atlas:`Authentication and Authorization with OIDC/OAuth 2.0 ` API Documentation ~~~~~~~~~~~~~~~~~ - `Credential <{+api+}/mongo/options#Credential>`__ type -- `SetAuth() <{+api+}/mongo/options#ClientOptions.SetAuth>`__ method \ No newline at end of file +- `SetAuth() <{+api+}/mongo/options#ClientOptions.SetAuth>`__ method + +.. TODO - `OIDCCredential <{+api+}/...>`__ type +.. TODO - `OIDCCallback <{+api+}/...>`__ function diff --git a/source/includes/authentication/auth-properties-commas.rst b/source/includes/authentication/auth-properties-commas.rst new file mode 100644 index 00000000..2bfeeae3 --- /dev/null +++ b/source/includes/authentication/auth-properties-commas.rst @@ -0,0 +1,5 @@ +.. note:: + + If your ``AuthMechanismProperties`` struct field values + include a comma, you must use the ``MongoClient`` constructor + to set your authentication options. diff --git a/source/includes/authentication/azure-imds-client.go b/source/includes/authentication/azure-imds-client.go new file mode 100644 index 00000000..42ad7735 --- /dev/null +++ b/source/includes/authentication/azure-imds-client.go @@ -0,0 +1,28 @@ +package main + +import ( + "go.mongodb.org/mongo-driver/mongo" + "go.mongodb.org/mongo-driver/mongo/options" +) + +func main() { + // start-azure-imds-client + uri := "mongodb://:" + props := map[string]string{ + "ENVIRONMENT": "azure", + "TOKEN_RESOURCE": "", + } + opts := options.Client().ApplyURI(uri) + opts.SetAuth( + options.Credential{ + Username: "", + AuthMechanism: "MONGODB-OIDC", + AuthMechanismProperties: props, + }, + ) + client, err := mongo.Connect(opts) + if err != nil { + panic(err) + } + // end-azure-imds-client +} diff --git a/source/includes/authentication/eks-custom-callback.go b/source/includes/authentication/eks-custom-callback.go new file mode 100644 index 00000000..9b337dd7 --- /dev/null +++ b/source/includes/authentication/eks-custom-callback.go @@ -0,0 +1,88 @@ +package main + +import ( + "context" + "os" + + "go.mongodb.org/mongo-driver/mongo" + "go.mongodb.org/mongo-driver/mongo/options" +) + +func main() { + // start-custom callback + eksCallback := func(_ context.Context, + _ *options.OIDCArgs) (*options.OIDCCredential, error) { + accessToken, err := os.ReadFile( + os.Getenv("AWS_WEB_IDENTITY_TOKEN_FILE")) + if err != nil { + return nil, err + } + return &options.OIDCCredential{ + AccessToken: string(accessToken), + }, nil + } + // end-custom callback + + // start-credential-callback + uri := "mongodb://:" + props := map[string]string{ + "TOKEN_RESOURCE": "", + } + opts := options.Client().ApplyURI(uri) + opts.SetAuth( + options.Credential{ + AuthMechanism: "MONGODB-OIDC", + AuthMechanismProperties: props, + OIDCMachineCallback: eksCallback, + }, + ) + client, err := mongo.Connect(opts) + if err != nil { + panic(err) + } + // end-credential-callback +} +package main + +import ( + "context" + "os" + + "go.mongodb.org/mongo-driver/mongo" + "go.mongodb.org/mongo-driver/mongo/options" +) + +func main() { + // start-custom-callback + eksCallback := func(_ context.Context, + _ *options.OIDCArgs) (*options.OIDCCredential, error) { + accessToken, err := os.ReadFile( + os.Getenv("AWS_WEB_IDENTITY_TOKEN_FILE")) + if err != nil { + return nil, err + } + return &options.OIDCCredential{ + AccessToken: string(accessToken), + }, nil + } + // end-custom-callback + + // start-credential-callback + uri := "mongodb://:" + props := map[string]string{ + "TOKEN_RESOURCE": "", + } + opts := options.Client().ApplyURI(uri) + opts.SetAuth( + options.Credential{ + AuthMechanism: "MONGODB-OIDC", + AuthMechanismProperties: props, + OIDCMachineCallback: eksCallback, + }, + ) + client, err := mongo.Connect(opts) + if err != nil { + panic(err) + } + // end-credential-callback +} diff --git a/source/includes/authentication/gcp-imds-client.go b/source/includes/authentication/gcp-imds-client.go new file mode 100644 index 00000000..f415f084 --- /dev/null +++ b/source/includes/authentication/gcp-imds-client.go @@ -0,0 +1,27 @@ +package main + +import ( + "go.mongodb.org/mongo-driver/mongo" + "go.mongodb.org/mongo-driver/mongo/options" +) + +func main() { + // start-gcp-imds-client + uri := "mongodb://:" + props := map[string]string{ + "ENVIRONMENT": "gcp", + "TOKEN_RESOURCE": "", + } + opts := options.Client().ApplyURI(uri) + opts.SetAuth( + options.Credential{ + AuthMechanism: "MONGODB-OIDC", + AuthMechanismProperties: props, + }, + ) + client, err := mongo.Connect(opts) + if err != nil { + panic(err) + } + // end-gcp-imds-client +} diff --git a/source/includes/authentication/gke-callback.go b/source/includes/authentication/gke-callback.go new file mode 100644 index 00000000..2080ddbe --- /dev/null +++ b/source/includes/authentication/gke-callback.go @@ -0,0 +1,45 @@ +package main + +import ( + "context" + "os" + + "go.mongodb.org/mongo-driver/mongo" + "go.mongodb.org/mongo-driver/mongo/options" +) + +func main() { + // start-callback + gkeCallback := func(_ context.Context, + _ *options.OIDCArgs) (*options.OIDCCredential, error) { + accessToken, err := os.ReadFile( + "/var/run/secrets/kubernetes.io/serviceaccount/token") + if err != nil { + return nil, err + } + return &options.OIDCCredential{ + AccessToken: string(accessToken), + }, nil + } + // end-callback + + // start-credential-callback + uri := "mongodb://:" + props := map[string]string{ + "ENVIRONMENT": "gcp", + "TOKEN_RESOURCE": "", + } + opts := options.Client().ApplyURI(uri) + opts.SetAuth( + options.Credential{ + AuthMechanism: "MONGODB-OIDC", + AuthMechanismProperties: props, + OIDCMachineCallback: gkeCallback, + }, + ) + client, err := mongo.Connect(opts) + if err != nil { + panic(err) + } + // end-credential-callback +} From b6fd6ee313baa2f909c94ce709a3e0b1b986a8d8 Mon Sep 17 00:00:00 2001 From: rustagir Date: Thu, 12 Sep 2024 15:09:51 -0400 Subject: [PATCH 2/9] vale --- source/fundamentals/enterprise-auth.txt | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/source/fundamentals/enterprise-auth.txt b/source/fundamentals/enterprise-auth.txt index 1c17a99c..1e3dfb52 100644 --- a/source/fundamentals/enterprise-auth.txt +++ b/source/fundamentals/enterprise-auth.txt @@ -444,10 +444,11 @@ following command: go get -u github.com/Azure/azure-sdk-for-go/sdk/azidentity -Your ``OIDCCallback`` function should return the ``AccessToken`` -generated from the ``azidentity`` package. See the preceding -:ref:`golang-mongodb-oidc-custom-callback` section for an example that -implements a custom callback. +Your ``OIDCCallback`` function must return an ``OIDCCredential`` +instance that uses the ``AccessToken`` generated from the ``azidentity`` +package. See the preceding :ref:`golang-mongodb-oidc-custom-callback` +section for an example that implements a custom callback to retrieve an +access token and then creates a ``Credential``. .. _golang-mongodb-oidc-gcp-gke: From ff7969118c81d971f45c923ae6608bf73f86b720 Mon Sep 17 00:00:00 2001 From: rustagir Date: Thu, 12 Sep 2024 15:10:47 -0400 Subject: [PATCH 3/9] fix --- .../authentication/eks-custom-callback.go | 44 ------------------- 1 file changed, 44 deletions(-) diff --git a/source/includes/authentication/eks-custom-callback.go b/source/includes/authentication/eks-custom-callback.go index 9b337dd7..08f3c0ea 100644 --- a/source/includes/authentication/eks-custom-callback.go +++ b/source/includes/authentication/eks-custom-callback.go @@ -42,47 +42,3 @@ func main() { } // end-credential-callback } -package main - -import ( - "context" - "os" - - "go.mongodb.org/mongo-driver/mongo" - "go.mongodb.org/mongo-driver/mongo/options" -) - -func main() { - // start-custom-callback - eksCallback := func(_ context.Context, - _ *options.OIDCArgs) (*options.OIDCCredential, error) { - accessToken, err := os.ReadFile( - os.Getenv("AWS_WEB_IDENTITY_TOKEN_FILE")) - if err != nil { - return nil, err - } - return &options.OIDCCredential{ - AccessToken: string(accessToken), - }, nil - } - // end-custom-callback - - // start-credential-callback - uri := "mongodb://:" - props := map[string]string{ - "TOKEN_RESOURCE": "", - } - opts := options.Client().ApplyURI(uri) - opts.SetAuth( - options.Credential{ - AuthMechanism: "MONGODB-OIDC", - AuthMechanismProperties: props, - OIDCMachineCallback: eksCallback, - }, - ) - client, err := mongo.Connect(opts) - if err != nil { - panic(err) - } - // end-credential-callback -} From d18a4da699f9ce03f7cd952dc1c56ca46b57bff4 Mon Sep 17 00:00:00 2001 From: rustagir Date: Thu, 12 Sep 2024 15:11:33 -0400 Subject: [PATCH 4/9] wip --- source/includes/authentication/auth-properties-commas.rst | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/source/includes/authentication/auth-properties-commas.rst b/source/includes/authentication/auth-properties-commas.rst index 2bfeeae3..8d1e85ae 100644 --- a/source/includes/authentication/auth-properties-commas.rst +++ b/source/includes/authentication/auth-properties-commas.rst @@ -1,5 +1,5 @@ .. note:: If your ``AuthMechanismProperties`` struct field values - include a comma, you must use the ``MongoClient`` constructor + include a comma, you must create a ``Credential`` instance to set your authentication options. From fe93d783f7b118a1c7db72f1d66237d60c260721 Mon Sep 17 00:00:00 2001 From: rustagir Date: Thu, 12 Sep 2024 15:12:24 -0400 Subject: [PATCH 5/9] log error --- source/includes/authentication/eks-custom-callback.go | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/source/includes/authentication/eks-custom-callback.go b/source/includes/authentication/eks-custom-callback.go index 08f3c0ea..f7b64756 100644 --- a/source/includes/authentication/eks-custom-callback.go +++ b/source/includes/authentication/eks-custom-callback.go @@ -9,7 +9,7 @@ import ( ) func main() { - // start-custom callback + // start-custom-callback eksCallback := func(_ context.Context, _ *options.OIDCArgs) (*options.OIDCCredential, error) { accessToken, err := os.ReadFile( @@ -21,7 +21,7 @@ func main() { AccessToken: string(accessToken), }, nil } - // end-custom callback + // end-custom-callback // start-credential-callback uri := "mongodb://:" From 817abe6d38a920d132d4388c6784957a6ea0992e Mon Sep 17 00:00:00 2001 From: rustagir Date: Thu, 12 Sep 2024 15:15:02 -0400 Subject: [PATCH 6/9] dedent --- source/fundamentals/enterprise-auth.txt | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/source/fundamentals/enterprise-auth.txt b/source/fundamentals/enterprise-auth.txt index 1e3dfb52..d6ec9099 100644 --- a/source/fundamentals/enterprise-auth.txt +++ b/source/fundamentals/enterprise-auth.txt @@ -268,6 +268,7 @@ You can configure OIDC for Azure IMDS in the following ways: ``MongoClient``: .. literalinclude:: /includes/authentication/azure-imds-client.go + :dedent: :language: go :copyable: true :start-after: start-azure-imds-client @@ -354,6 +355,7 @@ You can configure OIDC for GCP IMDS in the following ways: .. literalinclude:: /includes/authentication/gcp-imds-client.go :language: go + :dedent: :copyable: true :start-after: start-gcp-imds-client :end-before: end-gcp-imds-client @@ -402,6 +404,7 @@ environment variable: .. literalinclude:: /includes/authentication/eks-custom-callback.go :language: go + :dedent: :copyable: true :start-after: start-custom-callback :end-before: end-custom-callback @@ -422,6 +425,7 @@ map and the EKS callback function: .. literalinclude:: /includes/authentication/eks-custom-callback.go :language: go + :dedent: :copyable: true :start-after: start-credential-callback :end-before: end-credential-callback @@ -470,6 +474,7 @@ service-account token-file location: .. literalinclude:: /includes/authentication/gke-callback.go :language: go :copyable: true + :dedent: :start-after: start-callback :end-before: end-callback :emphasize-lines: 10 @@ -492,6 +497,7 @@ map and the GKE callback function: .. literalinclude:: /includes/authentication/gke-callback.go :language: go :copyable: true + :dedent: :start-after: start-credential-callback :end-before: end-credential-callback :emphasize-lines: 10 From ad520ecf1d011db2d2cdae576f749d3012f29f69 Mon Sep 17 00:00:00 2001 From: rustagir Date: Thu, 12 Sep 2024 15:17:21 -0400 Subject: [PATCH 7/9] emphasis --- source/fundamentals/enterprise-auth.txt | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/source/fundamentals/enterprise-auth.txt b/source/fundamentals/enterprise-auth.txt index d6ec9099..d93cc5ca 100644 --- a/source/fundamentals/enterprise-auth.txt +++ b/source/fundamentals/enterprise-auth.txt @@ -477,7 +477,6 @@ service-account token-file location: :dedent: :start-after: start-callback :end-before: end-callback - :emphasize-lines: 10 Next, create a map to store your authentication mechanism properties, as shown in the following example. Replace @@ -500,7 +499,7 @@ map and the GKE callback function: :dedent: :start-after: start-credential-callback :end-before: end-credential-callback - :emphasize-lines: 10 + :emphasize-lines: 11 Additional Information ---------------------- From 217b754851247d70c30f5be3e7f8b71e9c3a9c3a Mon Sep 17 00:00:00 2001 From: rustagir Date: Thu, 12 Sep 2024 15:21:02 -0400 Subject: [PATCH 8/9] fix --- source/connection-troubleshooting.txt | 2 +- source/fundamentals/enterprise-auth.txt | 4 ++-- source/usage-examples/changestream.txt | 4 ++-- 3 files changed, 5 insertions(+), 5 deletions(-) diff --git a/source/connection-troubleshooting.txt b/source/connection-troubleshooting.txt index 71ea3a14..b57a040b 100644 --- a/source/connection-troubleshooting.txt +++ b/source/connection-troubleshooting.txt @@ -199,7 +199,7 @@ instance. For more information about configuring the firewall, see Check the Number of Connections ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -Each ``MongoClient`` instance supports a maximum number of concurrent open +Each ``Client`` instance supports a maximum number of concurrent open connections in its connection pool. The configuration parameter ``maxPoolSize`` defines this value and is set to ``100`` by default. If there are already a number of open connections equal to ``maxPoolSize``, the server waits until diff --git a/source/fundamentals/enterprise-auth.txt b/source/fundamentals/enterprise-auth.txt index d93cc5ca..b25f9bbb 100644 --- a/source/fundamentals/enterprise-auth.txt +++ b/source/fundamentals/enterprise-auth.txt @@ -265,7 +265,7 @@ You can configure OIDC for Azure IMDS in the following ways: previously created. The following code example shows how to set these options when creating a - ``MongoClient``: + ``Client``: .. literalinclude:: /includes/authentication/azure-imds-client.go :dedent: @@ -351,7 +351,7 @@ You can configure OIDC for GCP IMDS in the following ways: previously created. The following code example shows how to set these options when creating a - ``MongoClient``: + ``Client``: .. literalinclude:: /includes/authentication/gcp-imds-client.go :language: go diff --git a/source/usage-examples/changestream.txt b/source/usage-examples/changestream.txt index 57d07573..7d600ae0 100644 --- a/source/usage-examples/changestream.txt +++ b/source/usage-examples/changestream.txt @@ -8,8 +8,8 @@ Monitor Data Changes .. meta:: :description: Learn by example: how to monitor data changes in MongoDB by using the {+driver-long+}. -You can open a change stream on a ``MongoCollection``, -``MongoDatabase``, or ``MongoClient`` by using the ``Watch()`` method. +You can open a change stream on a ``Collection``, +``Database``, or ``Client`` by using the ``Watch()`` method. Example ------- From 24667c25ffd2fde69168a602418e5b7a486fe68e Mon Sep 17 00:00:00 2001 From: rustagir Date: Mon, 16 Sep 2024 10:04:04 -0400 Subject: [PATCH 9/9] MD tech review 1 --- source/fundamentals/enterprise-auth.txt | 35 ++++--------------- .../authentication/eks-custom-callback.go | 8 ++--- .../includes/authentication/gke-callback.go | 9 ++--- 3 files changed, 10 insertions(+), 42 deletions(-) diff --git a/source/fundamentals/enterprise-auth.txt b/source/fundamentals/enterprise-auth.txt index b25f9bbb..d39947bd 100644 --- a/source/fundamentals/enterprise-auth.txt +++ b/source/fundamentals/enterprise-auth.txt @@ -409,19 +409,8 @@ environment variable: :start-after: start-custom-callback :end-before: end-custom-callback -Next, create a map to store your authentication -mechanism properties, as shown in the following example. Replace -the ```` placeholder with the value of the ``audience`` -parameter configured on your MongoDB deployment. - -.. code-block:: go - - props := map[string]string{ - "TOKEN_RESOURCE": "", - } - -Then, you can create a ``Credential`` struct that uses the properties -map and the EKS callback function: +Then, you can create a ``Credential`` struct that uses the EKS callback +function that you defined: .. literalinclude:: /includes/authentication/eks-custom-callback.go :language: go @@ -429,7 +418,7 @@ map and the EKS callback function: :copyable: true :start-after: start-credential-callback :end-before: end-credential-callback - :emphasize-lines: 10 + :emphasize-lines: 6 .. _golang-mongodb-oidc-azure-envs: @@ -478,20 +467,8 @@ service-account token-file location: :start-after: start-callback :end-before: end-callback -Next, create a map to store your authentication -mechanism properties, as shown in the following example. Replace -the ```` placeholder with the value of the ``audience`` -parameter configured on your MongoDB deployment. - -.. code-block:: go - - props := map[string]string{ - "ENVIRONMENT": "gcp", - "TOKEN_RESOURCE": "", - } - -Then, you can create a ``Credential`` struct that uses the properties -map and the GKE callback function: +Then, you can create a ``Credential`` struct that uses the the GKE +callback function that you defined: .. literalinclude:: /includes/authentication/gke-callback.go :language: go @@ -499,7 +476,7 @@ map and the GKE callback function: :dedent: :start-after: start-credential-callback :end-before: end-credential-callback - :emphasize-lines: 11 + :emphasize-lines: 6 Additional Information ---------------------- diff --git a/source/includes/authentication/eks-custom-callback.go b/source/includes/authentication/eks-custom-callback.go index f7b64756..8d403749 100644 --- a/source/includes/authentication/eks-custom-callback.go +++ b/source/includes/authentication/eks-custom-callback.go @@ -25,15 +25,11 @@ func main() { // start-credential-callback uri := "mongodb://:" - props := map[string]string{ - "TOKEN_RESOURCE": "", - } opts := options.Client().ApplyURI(uri) opts.SetAuth( options.Credential{ - AuthMechanism: "MONGODB-OIDC", - AuthMechanismProperties: props, - OIDCMachineCallback: eksCallback, + AuthMechanism: "MONGODB-OIDC", + OIDCMachineCallback: eksCallback, }, ) client, err := mongo.Connect(opts) diff --git a/source/includes/authentication/gke-callback.go b/source/includes/authentication/gke-callback.go index 2080ddbe..60f499c8 100644 --- a/source/includes/authentication/gke-callback.go +++ b/source/includes/authentication/gke-callback.go @@ -25,16 +25,11 @@ func main() { // start-credential-callback uri := "mongodb://:" - props := map[string]string{ - "ENVIRONMENT": "gcp", - "TOKEN_RESOURCE": "", - } opts := options.Client().ApplyURI(uri) opts.SetAuth( options.Credential{ - AuthMechanism: "MONGODB-OIDC", - AuthMechanismProperties: props, - OIDCMachineCallback: gkeCallback, + AuthMechanism: "MONGODB-OIDC", + OIDCMachineCallback: gkeCallback, }, ) client, err := mongo.Connect(opts)