add new shard with authentication

What is the the recommended way to add a new shard to a cluster which is running with the --keyfile option, thus authentication?

The new shard, respective all its three replSet members, are running with the same keyfile of course.

The cluster, where I want to add the new shard, has only one custom database with one sharded collection. User tokens exist for the admin and custom database.

The question is *when* (before or after adding the new shard to the cluster) user tokens need to be added to the new shard? Or will they be copied from another shard automatically when chunks are migrated?



Nobody who can help, not even at Christmas!? ;)




I suppose it's implied in http://docs.mongodb.org/manual/tutorial/enable-authentication-in-sharded-cluster/ but not stated explicitly: you create all roles/users through mongos - they will be stored in admin DB which is on config servers, and you don't have to worry about creating anything special for a new shard as long as you are interacting with it via mongos  (but you would if maybe you want to do some maintenance when connecting to it locally)