Navigation

    Manage Database Users

    Important

    Atlas Open Service Broker is deprecated. Use the MongoDB Atlas Operator instead.

    You can create and delete Atlas database users through the Atlas Open Service Broker.

    Before managing database users, you must deploy a replica set.

    To create a database user, you first define a ServiceBinding resource in Kubernetes. Then, the Atlas Open Service Broker creates a corresponding database user in Atlas.

    1
    1. Copy the following resource definition example.

      This is a YAML file that you can modify to meet your desired configuration.

      apiVersion: servicecatalog.k8s.io/v1beta1
      kind: ServiceBinding
      metadata:
      name: <USER_NAME>
      namespace: <NAMESPACE>
      spec:
      instanceRef:
      name: <CLUSTER_NAME>
    2. Open your preferred text editor and paste the resource definition into a new text file.
    2

    The highlighted settings are required to create a database user:

    Key
    Description
    Example
    metadata.name
    The name of the service binding resource in Kubernetes.
    atlas-user-1
    metadata.namespace
    The Kubernetes namespace where the service binding resource is created.
    atlas
    spec.intanceRef.name
    The name of the ServiceInstance resource in Kubernetes that corresponds to your Atlas cluster.
    my-atlas-cluster

    When you create a database user, the Atlas Open Service Broker randomly generates an Atlas username and password for the user. The Service Catalog automatically stores the users's Atlas username, password, and connection URI in a Kubernetes secret.

    If you do not specify additional settings, the database user is created with the following default attributes:

    • SCRAM-SHA authentication on the admin database
    • readWriteAnyDatabase permissions on the admin database
    3

    You can configure additional settings for the user under the spec.parameters.user key. These settings correspond to the request body parameters of the Create a Database User Public API method.

    Important

    The following API parameters are overwritten by the required Atlas Open Service Broker settings from the previous step and should not be specified:

    • databaseName
    • groupId
    • password
    • username
    Example

    This example resource definition creates:

    1. a Kubernetes resource called atlas-user-1 in the atlas namespace and
    2. an Atlas database user with the following configuration:

      • SCRAM-SHA authentication on the admin database with randomly generated username and password
      • readWrite permissions to the listingsAndReviews collection on the sample_airbnb database
      • dbAdmin permissions to the sample_geospatial database
    apiVersion: servicecatalog.k8s.io/v1beta1
    kind: ServiceBinding
    metadata:
    name: atlas-user-1
    namespace: atlas
    spec:
    instanceRef:
    name: my-atlas-cluster
    parameters:
    user:
    roles:
    - databaseName: sample_airbnb
    collectionName: listingsAndReviews
    roleName: readWrite
    - databaseName: sample_geospatial
    roleName: dbAdmin
    4
    5

    Invoke the following Kubernetes command to create your database user:

    kubectl apply -f atlas-user-1.yaml
    6

    To view the status of the new user within the Kubernetes cluster, pass the metadata.name from replica-set.yaml into the following command:

    svcat describe instance <METADATA.NAME> -n <METADATA.NAMESPACE>

    The status of the user appears under Bindings.

    Example
    Bindings:
    NAME STATUS
    +---------------+--------+
    atlas-user-1 Ready

    To see a detailed view of the user, pass the metadata.name from atlas-user-1.yaml into the following command:

    svcat describe binding <METADATA.NAME> -n <METADATA.NAMESPACE>

    The command returns the details of the user.

    Example
    Name: atlas-user-1
    Namespace: atlas
    Status: Ready - Injected bind result @ 2019-08-24 20:57:43 +0000 UTC
    Secret: atlas-user-1
    Instance: my-replica-set
    Parameters:
    user:
    roles:
    - collectionName: listingsAndReviews
    databaseName: sample_airbnb
    roleName: readWrite
    - databaseName: sample_geospatial
    roleName: dbAdmin
    Secret Data:
    password 44 bytes
    uri 58 bytes
    username 36 bytes
    7

    The connection details for the user are stored in a secret that has the same name and namespace as the ServiceBinding resource. The secret is base64-encoded by Kubernetes and contains the Atlas username, password, and URI of the user.

    1. Pass metadata.name and metadata.namespace from atlas-user-1.yaml into the following command to retrieve the Kubernetes secret for the user:

      kubectl get secret <METADATA.NAME> -n <METADATA.NAMESPACE> -o yaml

      The command returns the base64-encoded Atlas password, URI, and username of the user:

      Example
      apiVersion: v1
      data:
      password: MlFhTnB4NzNoaEYwZWFKFMCjRUlNU2Iwbk5OMnJPT0JGZnZOeldKMS16Zz0=
      uri: bW9uZ29kYitzcnY6Ly8wMTY5YjA5My1jNTEyLTExZTktOGQyMC1kbjZyNy5tb25nb2RiLXFhLm5ldA==
      username: NTJjMzVlNjctYzdhMy0xMWKR7ThkMjAtMDI0MmFjMTEwMDA3
      kind: Secret
      metadata:
      creationTimestamp: "2019-08-26T01:46:30Z"
      name: atlas-user-1
      namespace: atlas
      ownerReferences:
      - apiVersion: servicecatalog.k8s.io/v1beta1
      blockOwnerDeletion: true
      controller: true
      kind: ServiceBinding
      name: atlas-user-1
      uid: 52c35ea1-c7a3-11e9-8d20-0242ac113457
      resourceVersion: "79692"
      selfLink: /api/v1/namespaces/atlas/secrets/atlas-user-1
      uid: 14829566-4859-4b47-97f6-d0a2f7425906
      type: Opaque
    2. Pass data.username from the secret into the following command to decode the user's Atlas username:

      echo '<DATA.USERNAME>' | base64 --decode

      The command returns the decoded Atlas username:

      Example
      52c35e67-c7a3-11e9-8d20-0374ac110007

      Repeat the command with data.password and data.uri to decode the user's Atlas password and URI.

      echo '<DATA.PASSWORD>' | base64 --decode
      echo '<DATA.URI>' | base64 --decode
    Tip
    Connecting to your Atlas cluster

    To connect to your deployment, pass the decoded Atlas URI and username into the following command:

    mongo <DECODED_URI> --username <DECODED_USERNAME>

    When you are prompted for the password, enter the user's decoded Atlas password.

    To delete a database user, pass the metadata.name from the ServiceBinding resource to one of the following commands:

    kubectl delete servicebindings <METADATA.NAME> \
    -n <METADATA.NAMESPACE>

    To confirm that the user has been deleted, pass the metadata.name from the cluster resource into the following command:

    svcat describe instance <METADATA.NAME> -n <METADATA.NAMESPACE>

    The command returns No bindings defined under Bindings.

    Give Feedback