Documentation Request Summary:

Usernames are capped at 10k bytes when used with logical sessions.

Wired tiger indexes already imposed a 1024 byte limit for internally auth'd users, this limit applies to externally auth'd users (ldap, x509, etc)

Scope of changes:

• source/core/kerberos.txt
• source/core/security-ldap.txt
• source/core/security-x.509.txt
• source/includes/apiargs-dbcommand-createUser-field.yaml since added to db.createUser
• source/includes/extracts-create-users-base.yaml
• source/includes/steps-configure-ldap-mongodb.yaml
• source/includes/steps-control-access-to-mongodb-windows-with-kerberos-authentication.yaml
• source/includes/steps-control-access-to-mongodb-with-kerberos-authentication.yaml
• source/reference/command/createUser.txt
• source/reference/method/db.createUser.txt
• source/tutorial/configure-x509-client-authentication.txt
• source/tutorial/create-users.txt since added to extracts-create-users-base
• source/reference/server-sessions.txt
• source/reference/limits.txt

+ backport

Impact to other docs outside of this product:

none

MVP:

Resources:

Engineering Ticket Description:

The batches created by the LogicalSessionCache can exceed the 16mb bson size limit for bson on the wire. This will cause the refresh step to fail, preventing logical sessions from ever being synced to the global collection.

This happens because we don't explicitly size our batches (we were relying on the write_cmd item batch limit, rather than a byte limit). Previously the write_cmd batch limit had been 1000 items, which allowed for 16k per record. The new limit is 100k, which gives a 160 byte budget we can exceed with very large user names (as we sync the lsid + the user@db name).

By forcing a new 10k limit on username sizes used with logical sessions we can then ensure that a lower 1k limit will always be safe.