Navigation

Manage Database Users

You can create and delete Atlas database users through the Atlas Open Service Broker.

Prerequisites

Before managing database users, you must deploy a replica set.

Add a Database User

To create a database user, you first define a ServiceBinding resource in Kubernetes. Then, the Atlas Open Service Broker creates a corresponding database user in Atlas.

1

Create the service binding that corresponds to the Atlas user.

  1. Copy the following resource definition example.

    This is a YAML file that you can modify to meet your desired configuration.

    apiVersion: servicecatalog.k8s.io/v1beta1
    kind: ServiceBinding
    metadata:
      name: <USER_NAME>
      namespace: <NAMESPACE>
    spec:
      instanceRef:
        name: <CLUSTER_NAME>
    
  2. Open your preferred text editor and paste the resource definition into a new text file.

2

Configure the required settings.

The highlighted settings are required to create a database user:

Key Description Example
metadata.name The name of the service binding resource in Kubernetes. atlas-user-1
metadata.namespace The Kubernetes namespace where the service binding resource is created. atlas
spec.intanceRef.name The name of the ServiceInstance resource in Kubernetes that corresponds to your Atlas cluster. my-atlas-cluster

When you create a database user, the Atlas Open Service Broker randomly generates an Atlas username and password for the user. The Service Catalog automatically stores the users’s Atlas username, password, and connection URI in a Kubernetes secret.

If you do not specify additional settings, the database user is created with the following default attributes:

  • SCRAM-SHA authentication on the admin database
  • readWriteAnyDatabase permissions on the admin database
3

Add any additional settings for the user.

You can configure additional settings for the user under the spec.parameters.user key. These settings correspond to the request body parameters of the Create a Database User Public API method.

Important

The following API parameters are overwritten by the required Atlas Open Service Broker settings from the previous step and should not be specified:

  • databaseName
  • groupId
  • password
  • username

Example

This example resource definition creates:

  1. a Kubernetes resource called atlas-user-1 in the atlas namespace and
  2. an Atlas database user with the following configuration:
    • SCRAM-SHA authentication on the admin database with randomly generated username and password
    • readWrite permissions to the listingsAndReviews collection on the sample_airbnb database
    • dbAdmin permissions to the sample_geospatial database
apiVersion: servicecatalog.k8s.io/v1beta1
kind: ServiceBinding
metadata:
  name: atlas-user-1
  namespace: atlas
spec:
  instanceRef:
    name: my-atlas-cluster
  parameters:
    user:
      roles:
      - databaseName: sample_airbnb
        collectionName: listingsAndReviews
        roleName: readWrite
      - databaseName: sample_geospatial
        roleName: dbAdmin
4

Save this file as atlas-user-1.yaml.

5

Create the user.

Invoke the following Kubernetes command to create your database user:

kubectl apply -f atlas-user-1.yaml
6

View the status of the new user.

To view the status of the new user within the Kubernetes cluster, pass the metadata.name from replica-set.yaml into the following command:

svcat describe instance <METADATA.NAME> -n <METADATA.NAMESPACE>

The status of the user appears under Bindings.

Example

Bindings:
      NAME        STATUS
+---------------+--------+
  atlas-user-1     Ready

To see a detailed view of the user, pass the metadata.name from atlas-user-1.yaml into the following command:

svcat describe binding <METADATA.NAME> -n <METADATA.NAMESPACE>

The command returns the details of the user.

Example

Name:        atlas-user-1
Namespace:   atlas
Status:      Ready - Injected bind result @ 2019-08-24 20:57:43 +0000 UTC
Secret:      atlas-user-1
Instance:    my-replica-set

Parameters:
  user:
    roles:
    - collectionName: listingsAndReviews
      databaseName: sample_airbnb
      roleName: readWrite
    - databaseName: sample_geospatial
      roleName: dbAdmin

Secret Data:
  password   44 bytes
  uri        58 bytes
  username   36 bytes
7

Retrieve the Atlas connection details of the new user.

The connection details for the user are stored in a secret that has the same name and namespace as the ServiceBinding resource. The secret is base64-encoded by Kubernetes and contains the Atlas username, password, and URI of the user.

  1. Pass metadata.name and metadata.namespace from atlas-user-1.yaml into the following command to retrieve the Kubernetes secret for the user:

    kubectl get secret <METADATA.NAME> -n <METADATA.NAMESPACE> -o yaml
    

    The command returns the base64-encoded Atlas password, URI, and username of the user:

    Example

    apiVersion: v1
    data:
      password: MlFhTnB4NzNoaEYwZWFKFMCjRUlNU2Iwbk5OMnJPT0JGZnZOeldKMS16Zz0=
      uri: bW9uZ29kYitzcnY6Ly8wMTY5YjA5My1jNTEyLTExZTktOGQyMC1kbjZyNy5tb25nb2RiLXFhLm5ldA==
      username: NTJjMzVlNjctYzdhMy0xMWKR7ThkMjAtMDI0MmFjMTEwMDA3
    kind: Secret
    metadata:
      creationTimestamp: "2019-08-26T01:46:30Z"
      name: atlas-user-1
      namespace: atlas
      ownerReferences:
      - apiVersion: servicecatalog.k8s.io/v1beta1
        blockOwnerDeletion: true
        controller: true
        kind: ServiceBinding
        name: atlas-user-1
        uid: 52c35ea1-c7a3-11e9-8d20-0242ac113457
      resourceVersion: "79692"
      selfLink: /api/v1/namespaces/atlas/secrets/atlas-user-1
      uid: 14829566-4859-4b47-97f6-d0a2f7425906
    type: Opaque
    
  2. Pass data.username from the secret into the following command to decode the user’s Atlas username:

    echo '<DATA.USERNAME>' | base64 --decode
    

    The command returns the decoded Atlas username:

    Example

    52c35e67-c7a3-11e9-8d20-0374ac110007
    

    Repeat the command with data.password and data.uri to decode the user’s Atlas password and URI.

    echo '<DATA.PASSWORD>' | base64 --decode
    
    echo '<DATA.URI>' | base64 --decode
    

Connecting to your Atlas cluster

To connect to your deployment, pass the decoded Atlas URI and username into the following command:

mongo <DECODED_URI>  --username <DECODED_USERNAME>

When you are prompted for the password, enter the user’s decoded Atlas password.

Delete a Database User

To delete a database user, pass the metadata.name from the ServiceBinding resource to one of the following commands:

kubectl delete servicebindings <METADATA.NAME> -n <METADATA.NAMESPACE>

To confirm that the user has been deleted, pass the metadata.name from the cluster resource into the following command:

svcat describe instance <METADATA.NAME> -n <METADATA.NAMESPACE>

The command returns No bindings defined under Bindings.