I am attempting to write a puppet provider that uses the ruby driver to manage a mongodb single server.  In this specific use case I am trying to create a user entry w/out a pwd field. 

When I run this code...

begin
client = Mongo::Client.new(["#{Facter.value(:hostname)}:#{config['net']['port']}"],
                                             auth_mech: :mongodb_x509,
                                             ssl: true,
                                             ssl_cert: "#{config['net']['ssl']['PEMKeyFile']}",
                                             ssl_key: "#{config['net']['ssl']['PEMKeyFile']}",
                                             ssl_ca_cert: "#{config['net']['ssl']['CAFile']}",
                                             :database => '$external',
                                             :connect => 'direct')

client.use(:$external).database.users  #probably redundant
user = Mongo::Auth::User.new({ :auth_source => '$external',
                                                    :database => '$external',
                                                    :user => 'CN=mike.uber.septim,OU=Mike',
                                                    :auth_mech => :mongodb_x509,
                                                    :roles => [ Mongo::Auth::Roles::READ_WRITE_ANY_DATABASE ]})

client.database.users.create(user)
rescue => err
  puts "Security block #{err.message}"
  puts err.backtrace.join("\n")
ensure
  client.close unless client.nil?
end

I get this error...

D, 2019-12-19T22:12:11.534489 #9631 DEBUG – : MONGODB | EVENT: #<TopologyOpening topology=Unknown[]>
D, 2019-12-19T22:12:11.534747 #9631 DEBUG – : MONGODB | Topology type 'unknown' initializing.
D, 2019-12-19T22:12:11.535349 #9631 DEBUG – : MONGODB | EVENT: #<TopologyChanged prev=Unknown[] new=Single[dev16-iop1m:27017]>
D, 2019-12-19T22:12:11.535482 #9631 DEBUG – : MONGODB | Topology type 'Unknown' changed to type 'Single'.
D, 2019-12-19T22:12:11.535588 #9631 DEBUG – : MONGODB | EVENT: #<ServerOpening address=dev16-iop1m:27017 topology=Single[dev16-iop1m:27017]>
D, 2019-12-19T22:12:11.535682 #9631 DEBUG – : MONGODB | Server dev16-iop1m:27017 initializing.
D, 2019-12-19T22:12:11.634824 #9631 DEBUG – : MONGODB | EVENT: #<ServerDescriptionChanged address=dev16-iop1m:27017 topology=Single[dev16-iop1m:27017] prev=#<Mongo::Server:Description:0x14728760 config={} average_round_trip_time=> new=#<Mongo::Server:Description:0x14619760 config={"hosts"=>["dev16-iop1m.unclass.iesil:27017"], "setName"=>"rs0", "setVersion"=>1, "ismaster"=>true, "secondary"=>false, "primary"=>"dev16-iop1m.unclass.iesil:27017", "me"=>"dev16-iop1m.unclass.iesil:27017", "electionId"=>BSON::ObjectId('7fffffff000000000000001b'), "lastWrite"=>{"opTime"=>

{"ts"=>#<BSON::Timestamp:0x00000001be38f8 @seconds=1576793526, @increment=1>, "t"=>27}

, "lastWriteDate"=>2019-12-19 22:12:06 UTC, "majorityOpTime"=>{"ts"=>#<BSON::Timestamp:0x00000001be35d8 @seconds=1576793526, @increment=1>, "t"=>27}, "majorityWriteDate"=>2019-12-19 22:12:06 UTC}, "maxBsonObjectSize"=>16777216, "maxMessageSizeBytes"=>48000000, "maxWriteBatchSize"=>100000, "localTime"=>2019-12-19 22:12:11 UTC, "logicalSessionTimeoutMinutes"=>30, "minWireVersion"=>0, "maxWireVersion"=>7, "readOnly"=>false, "ok"=>1.0, "operationTime"=>#<BSON::Timestamp:0x00000001be2ea8 @seconds=1576793526, @increment=1>, "$clusterTime"=>{"clusterTime"=>#<BSON::Timestamp:0x00000001be2d90 @seconds=1576793526, @increment=1>, "signature"=>

{"hash"=><BSON::Binary:0x14620040 type=generic data=0xe5618a7f3b0be9b3...>, "keyId"=>6753688068386979841}

}} average_round_trip_time=0.097861371>>
D, 2019-12-19T22:12:11.634938 #9631 DEBUG – : MONGODB | Server description for dev16-iop1m:27017 changed from 'unknown' to 'other'.
D, 2019-12-19T22:12:11.635015 #9631 DEBUG – : MONGODB | EVENT: #<TopologyChanged prev=Single[dev16-iop1m:27017] new=Single[dev16-iop1m:27017]>
D, 2019-12-19T22:12:11.635048 #9631 DEBUG – : MONGODB | Topology type 'Single' changed to type 'Single'.
D, 2019-12-19T22:12:11.721086 #9631 DEBUG – : MONGODB | dev16-iop1m:27017 | $external.authenticate | STARTED | {}
D, 2019-12-19T22:12:11.722648 #9631 DEBUG – : MONGODB | dev16-iop1m:27017 | $external.authenticate | SUCCEEDED | 0.001s
D, 2019-12-19T22:12:11.723030 #9631 DEBUG – : MONGODB | dev16-iop1m:27017 | $external.createUser | STARTED | {}
D, 2019-12-19T22:12:11.723565 #9631 DEBUG – : MONGODB | dev16-iop1m:27017 | $external.createUser | FAILED | "pwd" had the wrong type. Expected string, found null (14) | 0.000372697s
Security block "pwd" had the wrong type. Expected string, found null (14)
/opt/puppetlabs/puppet/lib/ruby/gems/2.1.0/gems/mongo-2.10.0/lib/mongo/operation/result.rb:297:in `raise_operation_failure'
/opt/puppetlabs/puppet/lib/ruby/gems/2.1.0/gems/mongo-2.10.0/lib/mongo/operation/result.rb:268:in `validate!'
/opt/puppetlabs/puppet/lib/ruby/gems/2.1.0/gems/mongo-2.10.0/lib/mongo/operation/shared/specifiable.rb:574:in `block (2 levels) in validate_result'
/opt/puppetlabs/puppet/lib/ruby/gems/2.1.0/gems/mongo-2.10.0/lib/mongo/operation/shared/specifiable.rb:587:in `add_error_labels'
/opt/puppetlabs/puppet/lib/ruby/gems/2.1.0/gems/mongo-2.10.0/lib/mongo/operation/shared/specifiable.rb:573:in `block in validate_result'
/opt/puppetlabs/puppet/lib/ruby/gems/2.1.0/gems/mongo-2.10.0/lib/mongo/operation/shared/unpinnable.rb:30:in `unpin_maybe'
/opt/puppetlabs/puppet/lib/ruby/gems/2.1.0/gems/mongo-2.10.0/lib/mongo/operation/shared/specifiable.rb:572:in `validate_result'
/opt/puppetlabs/puppet/lib/ruby/gems/2.1.0/gems/mongo-2.10.0/lib/mongo/operation/shared/executable.rb:35:in `block in execute'
/opt/puppetlabs/puppet/lib/ruby/gems/2.1.0/gems/mongo-2.10.0/lib/mongo/operation/shared/executable.rb:34:in `tap'
/opt/puppetlabs/puppet/lib/ruby/gems/2.1.0/gems/mongo-2.10.0/lib/mongo/operation/shared/executable.rb:34:in `execute'
/opt/puppetlabs/puppet/lib/ruby/gems/2.1.0/gems/mongo-2.10.0/lib/mongo/operation/shared/op_msg_or_command.rb:27:in `execute'
/opt/puppetlabs/puppet/lib/ruby/gems/2.1.0/gems/mongo-2.10.0/lib/mongo/auth/user/view.rb:51:in `block in create'
/opt/puppetlabs/puppet/lib/ruby/gems/2.1.0/gems/mongo-2.10.0/lib/mongo/cluster.rb:679:in `with_session'
/opt/puppetlabs/puppet/lib/ruby/gems/2.1.0/gems/mongo-2.10.0/lib/mongo/client.rb:813:in `with_session'
/opt/puppetlabs/puppet/lib/ruby/gems/2.1.0/gems/mongo-2.10.0/lib/mongo/auth/user/view.rb:46:in `create'
./mongo-provider.rb:30:in `<main>'
D, 2019-12-19T22:12:11.724289 #9631 DEBUG – : MONGODB | EVENT: #<ServerClosed address=dev16-iop1m:27017 topology=Single[dev16-iop1m:27017]>
D, 2019-12-19T22:12:11.724334 #9631 DEBUG – : MONGODB | Server dev16-iop1m:27017 connection closed.
D, 2019-12-19T22:12:11.724373 #9631 DEBUG – : MONGODB | EVENT: #<TopologyClosed topology=Single[dev16-iop1m:27017]>
D, 2019-12-19T22:12:11.724403 #9631 DEBUG – : MONGODB | Topology type 'single' closed.

I have also tried...

client.use(:$external).database.users 

client.database.users.create('CN=mike.uber.septim,OU=Mike', :roles => [ Mongo::Auth::Roles::READ_WRITE_ANY_DATABASE ])

I get the same result as before.

Is the client.database.users.create() method sending a 'pwd' field by default??