From 5ec21272704dba88260e97f0f1379c1c928c88e6 Mon Sep 17 00:00:00 2001 From: alisonjhuh Date: Thu, 22 Jul 2021 10:48:36 -0400 Subject: [PATCH] DOCS-14389 swap deprecated whitelist language for allowlist --- source/administration/security-checklist.txt | 4 +- source/reference/configuration-options.txt | 48 ++++++++++++++++++-- source/reference/program/mongod.txt | 35 +++++++++++++- 3 files changed, 80 insertions(+), 7 deletions(-) diff --git a/source/administration/security-checklist.txt b/source/administration/security-checklist.txt index ca80a61a474..63665f4e737 100644 --- a/source/administration/security-checklist.txt +++ b/source/administration/security-checklist.txt @@ -123,13 +123,13 @@ Pre-production Checklist/Considerations - the :setting:`net.bindIp` configuration setting - - the :setting:`security.clusterIpSourceWhitelist` configuration + - the :setting:`security.clusterIpSourceAllowlist` configuration setting - the :ref:`authenticationRestrictions ` field to the :method:`db.createUser()` command to specify a per-user IP - whitelist. + allow list. |arrow| Audit System Activity diff --git a/source/reference/configuration-options.txt b/source/reference/configuration-options.txt index 1281edf6e7c..4b6e6032ee2 100644 --- a/source/reference/configuration-options.txt +++ b/source/reference/configuration-options.txt @@ -2215,7 +2215,7 @@ Core Options transitionToAuth: javascriptEnabled: redactClientLogData: - clusterIpSourceWhitelist: + clusterIpSourceAllowlist: - sasl: hostName: 
@@ -2433,13 +2433,55 @@ Core Options :parameter:`redactClientLogData` parameter to configure this setting. -.. setting:: security.clusterIpSourceWhitelist +.. setting:: security.clusterIpSourceAllowlist *Type*: list + + .. versionadded:: 5.0 + + A list of IP addresses/CIDR (`Classless Inter-Domain Routing + `__) ranges against which the + :binary:`~bin.mongod` validates authentication requests from other + members of the replica set and, if part of a sharded cluster, the + :binary:`~bin.mongos` instances. The :binary:`~bin.mongod` verifies + that the originating IP is either explicitly in the list or belongs + to a CIDR range in the list. If the IP address is not present, the + server does not authenticate the :binary:`~bin.mongod` or + :binary:`~bin.mongos`. + + :setting:`security.clusterIpSourceAllowlist` has no effect on a + :binary:`~bin.mongod` started without + :ref:`authentication `. - .. versionadded:: 3.6 + :setting:`security.clusterIpSourceAllowlist` requires specifying each + IPv4/6 address or Classless Inter-Domain Routing + (`CIDR `_) range as a YAML list: + + .. code-block:: yaml + + security: + clusterIpSourceAllowlist: + - 192.0.2.0/24 + - 127.0.0.1 + - ::1 + + + .. important:: + + Ensure :setting:`security.clusterIpSourceAllowlist` includes the + IP address *or* CIDR ranges that include the IP address of each + replica set member or :binary:`~bin.mongos` in the deployment to + ensure healthy communication between cluster components. + + +.. setting:: security.clusterIpSourceWhitelist + + *Type*: list + *Deprecated in version 5.0:* Use + :setting:`security.clusterIpSourceAllowlist` instead. + A list of IP addresses/CIDR (`Classless Inter-Domain Routing `__) ranges against which the :binary:`~bin.mongod` validates authentication requests from other members of diff --git a/source/reference/program/mongod.txt b/source/reference/program/mongod.txt index e0560f1d0af..77cab8bad4c 100644 --- a/source/reference/program/mongod.txt 
+++ b/source/reference/program/mongod.txt @@ -267,13 +267,44 @@ Core Options ``--bind_ip`` and ``--bind_ip_all`` are mutually exclusive. That is, you can specify one or the other, but not both. + + +.. option:: --clusterIpSourceAllowlist + + .. versionadded:: 5.0 + + A list of IP addresses/CIDR (`Classless Inter-Domain Routing + `__) ranges against which the + :binary:`~bin.mongod` validates authentication requests from other members of + the replica set and, if part of a sharded cluster, the :binary:`~bin.mongos` + instances. The :binary:`~bin.mongod` verifies that the originating IP is + either explicitly in the list or belongs to a CIDR range in the list. If the + IP address is not present, the server does not authenticate the + :binary:`~bin.mongod` or :binary:`~bin.mongos`. + + :option:`--clusterIpSourceAllowlist` has no effect on a :binary:`~bin.mongod` started without + :ref:`authentication `. + + :option:`--clusterIpSourceAllowlist` accepts multiple comma-separated IPv4/6 addresses or Classless + Inter-Domain Routing (`CIDR `_) ranges: + + .. code-block:: bash + + mongod --clusterIpSourceAllowlist 192.0.2.0/24,127.0.0.1,::1 + + + .. important:: + + Ensure :option:`--clusterIpSourceAllowlist` includes the IP address *or* CIDR ranges that include the + IP address of each replica set member or :binary:`~bin.mongos` in the + deployment to ensure healthy communication between cluster components. .. option:: --clusterIpSourceWhitelist - - .. versionadded:: 3.6 + *Deprecated in version 5.0:* + Use :option:`--clusterIpSourceAllowlist` instead. A list of IP addresses/CIDR (`Classless Inter-Domain Routing `__) ranges against which the
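Review bot: In the security-checklist.txt hunk the terminology is now inconsistent: the bullet says "per-user IP allow list" (two words) while the setting it sits beside is spelled `clusterIpSourceAllowlist` and the subject line uses "allowlist"; use one spelling ("allowlist") so a reader searching the page finds both occurrences. Also, as the hunk appears here the `:ref:` role for `authenticationRestrictions` carries no target label after the name; confirm the `<label>` survived in the file, because an empty target renders as a broken link in the checklist. Since the same patch marks the setting `versionadded:: 5.0`, consider adding a short parenthetical that the pre-5.0 name is `security.clusterIpSourceWhitelist`, so operators reading the checklist against an older branch are not misled.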
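Review bot: The configuration-options.txt hunk at `@@ -2433` leaves a gap an operator will hit: neither the new `security.clusterIpSourceAllowlist` entry nor the deprecated `security.clusterIpSourceWhitelist` entry says what happens when a config file sets both keys (startup error, one key wins, or lists merged). This is an authentication control, so someone who appends the new key while leaving the old one in place needs to know which list is actually enforced; state the precedence (and whether mongod logs a deprecation warning for the old key) the way the `--bind_ip` / `--bind_ip_all` text in mongod.txt states that those two are mutually exclusive. Two smaller points: the deprecated entry drops the original `.. versionadded:: 3.6` line, so keep it and express the deprecation with the `.. deprecated:: 5.0` directive rather than the italic `*Deprecated in version 5.0:*` text, matching the `versionadded` directives used elsewhere in the file; and the hunk inserts two consecutive blank lines before `.. important::`, which the rest of the file does not do.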
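Review bot: The mongod.txt hunk at `@@ -267` has the same precedence gap for the command-line flags: with both `--clusterIpSourceAllowlist` and `--clusterIpSourceWhitelist` accepted in 5.0, the new option text should say whether passing both is rejected (as the `--bind_ip` / `--bind_ip_all` sentence immediately above the hunk does for that pair) or whether one overrides the other. As in the configuration-options.txt hunk, keep `.. versionadded:: 3.6` on the deprecated option and use the `.. deprecated:: 5.0` directive. Style: several added lines run well past the width of the surrounding text, for example `:option:\`--clusterIpSourceAllowlist\` has no effect on a :binary:\`~bin.mongod\` started without` and the `accepts multiple comma-separated IPv4/6 addresses or Classless` line; wrap them as the identical paragraph in configuration-options.txt is wrapped.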